Support / Security / Advisories / Mandriva Linux 2008.1 / MDVSA-2008:209

Package name: pam_krb5
Date: 2008-10-03
Advisory ID: MDVSA-2008:209
Affected versions: 2008.0 i586 , 2007.1 i586 , 2008.0 x86_64 , 2008.1 x86_64 , 2008.1 i586 , 2007.1 x86_64

Problem description

StÃ©phane Bertin discovered a flaw in the pam_krb5 existing_ticket
configuration option where, if enabled and using an existing credential
cache, it was possible for a local user to gain elevated privileges
by using a different, local user's credential cache (CVE-2008-3825).

The updated packages have been patched to prevent this issue.

Updated packages

2008.0 i586

 d5d6796b990f19316ee7a53d87745d63  2008.0/i586/pam_krb5-2.2.11-2.1mdv2008.0.i586.rpm 
 8b2d51b298306d43dfde2fe6f9cb0860  2008.0/SRPMS/pam_krb5-2.2.11-2.1mdv2008.0.src.rpm

2007.1 i586

 92901a92d669d10831a2357da8ac3ff8  2007.1/i586/pam_krb5-2.2.11-2.1mdv2007.1.i586.rpm 
 e8ba90e174669b8b43bf0bbf9c61831f  2007.1/SRPMS/pam_krb5-2.2.11-2.1mdv2007.1.src.rpm

2008.0 x86_64

 5cb8c3f5768cdc475bfa81e14244856b  2008.0/x86_64/pam_krb5-2.2.11-2.1mdv2008.0.x86_64.rpm 
 8b2d51b298306d43dfde2fe6f9cb0860  2008.0/SRPMS/pam_krb5-2.2.11-2.1mdv2008.0.src.rpm

2008.1 x86_64

 d07f560edf337af6279a888fd695aa49  2008.1/x86_64/pam_krb5-2.2.11-2.1mdv2008.1.x86_64.rpm 
 2d1f96e821e05ddba6ffe3d1cee2247b  2008.1/SRPMS/pam_krb5-2.2.11-2.1mdv2008.1.src.rpm

2008.1 i586

 2d30041830c5c3db19a23e096a968426  2008.1/i586/pam_krb5-2.2.11-2.1mdv2008.1.i586.rpm 
 2d1f96e821e05ddba6ffe3d1cee2247b  2008.1/SRPMS/pam_krb5-2.2.11-2.1mdv2008.1.src.rpm

2007.1 x86_64

 63e366f352ed36d5e6b7b87a84d25d33  2007.1/x86_64/pam_krb5-2.2.11-2.1mdv2007.1.x86_64.rpm 
 e8ba90e174669b8b43bf0bbf9c61831f  2007.1/SRPMS/pam_krb5-2.2.11-2.1mdv2007.1.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3825