DSA-1721-1 libpam-krb5 -- severalID: oval:org.secpod.oval:def:600457 | Date: (C)2011-05-13 (M)2022-10-10 |
Class: PATCH | Family: unix |
Several local vulnerabilities have been discovered in the PAM module for MIT Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0360 Russ Allbery discovered that the Kerberos PAM module parsed configuration settings from enviromnent variables when run from a setuid context. This could lead to local privilege escalation if an attacker points a setuid program using PAM authentication to a Kerberos setup under her control. CVE-2009-0361 Derek Chan discovered that the Kerberos PAM module allows reinitialisation of user credentials when run from a setuid context, resulting in potential local denial of service by overwriting the credential cache file or to privilege escalation. For the stable distribution , these problems have been fixed in version 2.6-1etch1. For the upcoming stable distribution , these problems have been fixed in version 3.11-4. For the unstable distribution , these problems will be fixed soon. We recommend that you upgrade your libpam-krb5 package.