[6723] in Kerberos
Re: Kerberos Weakness (COAST Findings)
daemon@ATHENA.MIT.EDU (Josh Daymont)
Wed Feb 21 15:59:31 1996
To: kerberos@MIT.EDU
Date: 21 Feb 1996 09:35:37 GMT
From: choo@wam.umd.edu (Josh Daymont)

Michael Sierchio (kudzu@dnai.com) wrote:
: Steve Lodin wrote:
: >
: > There is information available on the Kerberos vulnerability incident at:
: I am not sure, but I believe that this is nothing new. Steve Bellovin at
: AT&T had a paper a number of years ago on weaknesses in the Kerberos
: Authentication Suite.

I learned about this over a year ago when I saw the fix for it included
in my Kerberos IV distribution. Also, there was an RFC published about
this (RFC 1750). Perhaps I am showing my ignorance, but considering that
the vulnerability was fairly well known (there were comments in the new
random key generator to the effect that the old one was insecure), and
the fix was already available, why was the release of the patch
information delayed? I can see delaying the release of an exploit script
as others do, but what was the logic behind delaying the patch?

Josh