Notified: December 11, 2000 Updated: December 14, 2000
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Not Affected
Not vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Affected
FreeBSD includes the externally maintained KTH Kerberos software as an optional component of the FreeBSD base system. Therefore, systems which have installed the Kerberos 4 components are vulnerable to these problems as described in the CERT advisory. Patches have been committed to the FreeBSD source tree and an advisory will be released shortly detailing the precise impact on vulnerable FreeBSD systems.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: January 11, 2001
Not Affected
Fujitsu's UXP/V operating system is not vulnerable to the bugs in VU#602625, VU#759265, and VU#426273, because UXP/V does not support Kerberos.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Not Affected
Our AIX operating system does not include KTH Kerberos IV, so it is not vulnerable to the security exploits described here.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Not Affected
Windows 2000 does not support Kerb IV. W2K has completely different implementation of the protocol and is not vulnerable to the specific buffer overflow condition using memcpy identified by VU#759265. (Note that buffer overrun as a general implementation problem is one we are continuously on guard against through our buffer overrun examination tools, internal code reviews, and in the case of kerberos implementation, an external security code review)
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: January 11, 2001
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
NetBSD has produced an advisory on this issue. It is available from: ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-017.txt.asc They appear to be vulnerable to this issue.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: December 11, 2000 Updated: December 14, 2000
Unknown
WU-FTPD 2.6.1 supports Kerberos in one of two ways: Via PAM: in which case we defer any statement of vulnerability to the PAM maintainers. Via direct calls: in which case we are probably as vulnerable as any other service using Kerberos for user authentication. For WU-FTPD systems using Kerberos, especially those which do not use shared libraries, I would recommend re-compiling (specifically, re-linking) the daemon to ensure an updated Kerberos runtime is used.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.