Apple Not Affected

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

BSDI Unknown

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Caldera Unknown

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Compaq Computer Corporation Not Affected

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Not Affected

Vendor Statement

Not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General Unknown

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Unknown

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Affected

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Affected

Vendor Statement

FreeBSD includes the externally maintained KTH Kerberos software as an optional component of the FreeBSD base system. Therefore, systems which have installed the Kerberos 4 components are vulnerable to these problems as described in the CERT advisory. Patches have been committed to the FreeBSD source tree and an advisory will be released shortly detailing the precise impact on vulnerable FreeBSD systems.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu Not Affected

Notified:  December 11, 2000 Updated: January 11, 2001

Status

Not Affected

Vendor Statement

Fujitsu's UXP/V operating system is not vulnerable to the bugs in VU#602625, VU#759265, and VU#426273, because UXP/V does not support Kerberos.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett Packard Unknown

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Not Affected

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Not Affected

Vendor Statement

Our AIX operating system does not include KTH Kerberos IV, so it is not vulnerable to the security exploits described here.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

KTH Kerberos Unknown

Updated:  December 14, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Not Affected

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Not Affected

Vendor Statement

Windows 2000 does not support Kerb IV. W2K has completely different implementation of the protocol and is not vulnerable to the specific buffer overflow condition using memcpy identified by VU#759265. (Note that buffer overrun as a general implementation problem is one we are continuously on guard against through our buffer overrun examination tools, internal code reviews, and in the case of kerberos implementation, an external security code review)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Unknown

Notified:  December 11, 2000 Updated: January 11, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

NetBSD has produced an advisory on this issue. It is available from: ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-017.txt.asc They appear to be vulnerable to this issue.

OpenBSD Unknown

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

RedHat Unknown

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Unknown

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Unknown

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Unknown

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Washington University Unknown

Notified:  December 11, 2000 Updated: December 14, 2000

Status

Unknown

Vendor Statement

WU-FTPD 2.6.1 supports Kerberos in one of two ways: Via PAM: in which case we defer any statement of vulnerability to the PAM maintainers. Via direct calls: in which case we are probably as vulnerable as any other service using Kerberos for user authentication. For WU-FTPD systems using Kerberos, especially those which do not use shared libraries, I would recommend re-compiling (specifically, re-linking) the daemon to ensure an updated Kerberos runtime is used.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

View all 19 vendors View less vendors