Notified: December 11, 2000 Updated: December 14, 2000
Not Affected
Apple has conducted an investigation and determined that Mac OS X Public Beta does not use KTH Kerberos version 4 and is not susceptible to this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Not Affected
Not vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Affected
FreeBSD includes the externally maintained KTH Kerberos software as an optional component of the FreeBSD base system. Therefore, systems which have installed the Kerberos 4 components are vulnerable to these problems as described in the CERT advisory. Patches have been committed to the FreeBSD source tree and an advisory will be released shortly detailing the precise impact on vulnerable FreeBSD systems.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: January 11, 2001
Not Affected
Fujitsu's UXP/V operating system is not vulnerable to the bugs in VU#602625, VU#759265, and VU#426273, because UXP/V does not support Kerberos.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Not Affected
Our AIX operating system does not include KTH Kerberos IV, so it is not vulnerable to the security exploits described here.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Not Affected
Windows 2000 does not support Kerb IV. W2K does not provide a kerberized telnetd, nor a Krb4 proxy server - therefore we're not vulnerable to VU#602625.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 08, 2000 Updated: January 11, 2001
Not Affected
I do not believe it is a problem. The krb4 code within the MIT krb5 distributions does not contain any setuid application code that calls the krb4 library. Certainly our telnetd does not permit those variables to be set.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: January 11, 2001
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
NetBSD has produced an advisory on this issue. It is available from: ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-017.txt.asc They appear to be vulnerable to this issue.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: November 21, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
WU-FTPD 2.6.1 supports Kerberos in one of two ways: Via PAM: in which case we defer any statement of vulnerability to the PAM maintainers. Via direct calls: in which case we are probably as vulnerable as any other service using Kerberos for user authentication. For WU-FTPD systems using Kerberos, especially those which do not use shared libraries, I would recommend re-compiling (specifically, re-linking) the daemon to ensure an updated Kerberos runtime is used.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.