[2259] in Release_7.7_team


IMPORTANT: Kerberos vulnerability in Athena workstations

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue May 16 14:38:46 2000

Date: Tue, 16 May 2000 14:38:38 -0400 (EDT)
Message-Id: <200005161838.OAA23004@small-gods.mit.edu>
From: Greg Hudson <ghudson@MIT.EDU>
To: release-announce@MIT.EDU

It has recently been discovered that there are buffer overrun
vulnerabilities in the MIT Kerberos implementation used in the Athena
environment.  This vulnerability has not been widely known until right
about now.  The impact of the vulnerability is a remote root exploit
of any Athena workstation running any Kerberized daemon.  Kerberized
login programs are also vulnerable, although the exploit is much
more difficult.

We have prepared fixed binaries and placed them on the system packs.
If you administer a private Athena 8.3 workstation, you should update
the Kerberos Athena software on the machine as soon as possible by
running (as root):

	add release
	fixkrb

If you have a private Athena workstation running a release earlier
than 8.3, fixing the vulnerability isn't quite as simple.  Updating
the machine to 8.3 will work, of course (it is not necessary to run
fixkrb after updating).  If that is not an option, you can copy the
fixed binaries off the 8.3 system packs, at least on Solaris.  Contact
ops@mit.edu if you need help in this area.

If you are running Kerberized daemons other than the ones in the
Athena release, please contact ops@mit.edu for assistance.
