List: oss-security
Subject: [oss-security] CVE assignment notification (pam_krb5 CVE-2009-1384)
From: Jan Lieskovsky <jlieskov () redhat ! com>
Date: 2009-05-27 9:55:13
Message-ID: 1243418113.3637.38.camel () localhost ! localdomain
Hello Steve,
a security flaw similar to the recent pam_ssh one, CVE-2009-1273:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1273
was found in the pam_krb5 module. From the relevant Red Hat
bugzilla entry:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1384
<cite>
A security flaw was found in the PAM pam_krb5 module, which provides user
authentication based on Kerberos principals. A remote attacker could
use this flaw to recognize whether a given username/login belongs to the set of
user accounts existing on the system, and subsequently perform a
dictionary-based password guessing attack.
</cite>
VERSIONS INFORMATION (Red Hat pam_krb5 version numbering is used):
=====================
a, Not vulnerable - the vulnerability is not present in versions of
pam_krb5 prior to and including pam_krb5-2.1.17
b, Vulnerable - presence of the flaw is confirmed in versions of
pam_krb5 starting from pam_krb5-2.2.14 and newer
CVE:
====
The CVE identifier CVE-2009-1384 has already been assigned to this flaw.
Thanks && regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team