List:       oss-security
Subject:    [oss-security] CVE assignment notification (pam_krb5 CVE-2009-1384)
From:       Jan Lieskovsky <jlieskov () redhat ! com>
Date:       2009-05-27 9:55:13
Message-ID: 1243418113.3637.38.camel () localhost ! localdomain

Hello Steve,

  a security flaw similar to the recent pam_ssh one, CVE-2009-1273:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1273

was found in the pam_krb5 module. From the particular Red Hat
Bugzilla entry:

    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1384

<cite>
A security flaw was found in the PAM pam_krb5 module, which provides
user authentication based on Kerberos principals. A remote attacker
could use this flaw to recognize whether some username/login belongs
to the set of user accounts existing on the system, and subsequently
perform a dictionary-based password-guessing attack.
</cite>

VERSIONS INFORMATION (Red Hat pam_krb5 version numbering is used):
=====================

a, Not vulnerable - the vulnerability is not present in versions of
                    pam_krb5 prior to and including pam_krb5-2.1.17
b, Vulnerable     - the presence of the flaw is confirmed in versions
                    of pam_krb5 starting from pam_krb5-2.2.14 and newer


CVE:  The CVE identifier CVE-2009-1384 has already been assigned to
====  this flaw.


Thanks && regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team