[17992] in bugtraq


Re: Vulnerabilities in KTH Kerberos IV

daemon@ATHENA.MIT.EDU (Robert Watson)
Sun Dec 10 17:58:10 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.NEB.3.96L.1001210143017.24257E-100000@fledge.watson.org>
Date:         Sun, 10 Dec 2000 15:52:39 -0500
Reply-To: Robert Watson <rwatson@FREEBSD.ORG>
From: Robert Watson <rwatson@FREEBSD.ORG>
X-To:         Jouko Pynnonen <jouko@SOLUTIONS.FI>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10012081713520.8061-100000@shell.solutions.fi>

On Fri, 8 Dec 2000, Jouko Pynnonen wrote:

> There are at least two common free Kerberos implementations:
> MIT and KTH (Royal Institute of Technology, Sweden). The latter is
> included in OpenBSD and FreeBSD.
...
> OS vendors were notified 11/28 via a mailing list, and KTH Kerberos
> team 12/01.

Despite being explicitly mentioned in the advisory as an affected
operating system and the statement of notification above, the FreeBSD
Project was not notified in advance of the release of this advisory.  We
are currently evaluating the effect of the vulnerability on our code base,
and will no doubt be releasing a security advisory shortly.

In the future, we would appreciate it if those aware of vulnerabilities in
our code base made some minimal effort to contact us before releasing an
advisory; we have widely published the availability of our
security-officer@FreeBSD.org address and service, as well as PGP keys to
protect communications as necessary.  In addition, both CERT and
SecurityFocus can provide assistance in identifying vulnerable software,
and in contacting vendors affected.  I'm sure other vendors have also been
caught off-guard by this vulnerability, and would similarly appreciate
advance notice.

Thanks,

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
