Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Affected
The Kerberos Administration Daemon was included in Mac OS X 10.0, but removed in Mac OS X 10.1 and later. We encourage sites that use vulnerable Kerberos distributions to verify the integrity of their systems and apply patches or upgrade as appropriate.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 24, 2002
Not Affected
No version of BSD/OS is vulnerable to this problem.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: November 06, 2002
Affected
Our MIT Kerberos 5 packages in Conectiva Linux 8 do contain the vulnerable kadmind4 daemon, but it is not used by default nor is it installed as a service.
Updated packages are being uploaded to our ftp server and should be available in a few hours at: ftp://atualizacoes.conectiva.com.br/8/
The krb5-server-1.2.3-3U8_3cl.i386.rpm package contains a patched kadmind4 daemon. An announcement will be sent to our security mailing list a few hours after the upload is complete.
The vendor has not provided us with any further information regarding this vulnerability.
Please see Conectiva Linux Announcement CLSA-2002:534 (English).
Notified: October 24, 2002 Updated: November 08, 2002
Not Affected
Cray, Inc. is not vulnerable as the Kerberos administration daemon is not included in any of our operating systems.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: November 08, 2002
Affected
Please reference Debian Security Advisories DSA-183 (krb5), DSA-184 (krb4), and DSA-185 (Heimdal).
The vendor has not provided us with any further information regarding this vulnerability.
In the initial (2002-10-25) version of CERT Advisory CA-2002-29, we mistakenly included a reference to Debian Security Advisory DSA-178. This was an error: DSA-178 does not address the vulnerability described in CA-2002-29 and VU#875073. Debian Security Advisory DSA-185 includes the Heimdal fixes from DSA-178 in addition to the fix for the vulnerability described in CA-2002-29 and VU#875073.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: November 13, 2002
Affected
Both the FreeBSD base Kerberos 4 (kadmind) and Kerberos 5 (k5admind v4 compatibility) daemons were vulnerable and have been corrected as of 23 October 2002. In addition, the heimdal and krb5 ports contained the same vulnerability and have been corrected as of 24 October 2002. A Security Advisory is in progress.
The vendor has not provided us with any further information regarding this vulnerability.
Please see FreeBSD-SA-02:40.kadmind.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: November 08, 2002
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
GENTOO LINUX SECURITY ANNOUNCEMENT 200210-011
PACKAGE : krb5
SUMMARY : buffer overflow
DATE    : 2002-10-28 14:10 UTC
EXPLOIT : remote
A stack buffer overflow in the implementation of the Kerberos v4 compatibility administration daemon (kadmind4) in the MIT krb5 distribution can be exploited to gain unauthorized root access to a KDC host. The attacker does not need to authenticate to the daemon to successfully perform this attack. At least one exploit is known to exist in the wild, and at least one attacker is reasonably competent at cleaning up traces of intrusion.
Read the full advisory at http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt
SOLUTION
It is recommended that all Gentoo Linux users who are running app-crypt/krb5 and earlier update their systems as follows:
emerge rsync
emerge krb5
emerge clean
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: February 14, 2003
Affected
Source: Hewlett-Packard Company Software Security Response Team
RE: CERT VU#875073 CA-2002-29
cross reference id: SSRT2396
HP's implementation for the following Operating Systems Software is not affected by this potential buffer overflow vulnerability in the kadmind4 daemon:
HP-UX
HP-MPE/ix
HP Tru64 UNIX
HP OpenVMS
HP NonStop Servers
To report potential security vulnerabilities in HP software, send an E-mail message to: security-alert@hp.com
The vendor has not provided us with any further information regarding this vulnerability.
HP Secure OS Software for Linux is affected (HPSBTL0211-077).
Notified: October 24, 2002 Updated: February 14, 2003
Affected
The IBM pSeries Parallel Systems Support Programs (PSSP) implementation of Kerberos V4 (shipped with PSSP) is potentially vulnerable to the Kerberos V4 administration daemon buffer overflow described in CA-2002-29. For more information, see: http://techsupport.services.ibm.com/server/nav?fetch=/spflashes/home.html
Click on the Service Flash for "Potential Kerberos V4 security vulnerability." This link also contains APAR numbers and solution information.
The IBM Network Authentication Service (NAS) product is not vulnerable to the buffer overflow vulnerability in the kadmind4 daemon. NAS is currently at release 1.3 and is available from the AIX Expansion Pack. The kadmind4 daemon is not part of the NAS product.
The vendor has not provided us with any further information regarding this vulnerability.
It is possible that PSSP and other IBM and third-party applications using DCE/Kerberos 5 may be vulnerable if they support Kerberos 4 administration.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
KTH has released updated versions of eBones (Kerberos 4) and Heimdal (Kerberos 5).
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: November 08, 2002
Affected
Please reference MandrakeSoft Security Advisory MDKSA-2002:073.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Not Affected
Microsoft's implementation of Kerberos is not affected by this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Affected
MIT has released MIT krb5 Security Advisory 2002-002.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Affected
Please see NetBSD-SA2002-026.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: November 08, 2002
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please reference Security Fix 001 for OpenBSD 3.2, Security Fix 016 for OpenBSD 3.1, and Security Fix 033 for OpenBSD 3.0.
Notified: October 24, 2002 Updated: October 30, 2002
Not Affected
Openwall GNU/*/Linux is not vulnerable. We don't provide Kerberos.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: November 07, 2002
Affected
Releases of Red Hat Linux version 6.2 and higher include versions of MIT Kerberos that are vulnerable to this issue; however, the vulnerable administration server, kadmind4, has never been enabled by default. We are currently working on producing errata packages. When complete, these will be available along with our advisory at the URL below. At the same time, users of the Red Hat Network will be able to update their systems using the 'up2date' tool.
http://rhn.redhat.com/errata/RHSA-2002-242.html
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: February 14, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: October 24, 2002 Updated: November 08, 2002
Not Affected
The Sun Enterprise Authentication Mechanism (SEAM), Sun's implementation of the Kerberos v5 protocols, is not affected by this issue. SEAM does not include support for the Kerberos v4 protocols and kadmind4 does not exist. Additional information regarding SEAM is available from: http://wwws.sun.com/software/security/kerberos/
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Not Affected
SuSE Linux 7.2 and later are shipped with Heimdal Kerberos included, but Kerberos 4 support is disabled in all releases. Therefore, SuSE Linux and SuSE Enterprise Linux are not affected by this bug.
The vendor has not provided us with any further information regarding this vulnerability.
In the initial (emailed) version of CERT Advisory CA-2002-29, we mistakenly included a reference to SuSE Security Announcement SuSE-SA:2002:034. This was an error: SuSE-SA:2002:034 does not address the vulnerability described in CA-2002-29 and VU#875073.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: October 30, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2002 Updated: February 25, 2003
Not Affected
A response to this advisory is available from our web site: http://www.xerox.com/security.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.