Summary
The remote host is missing an update to pam_krb5
announced via advisory FEDORA-2009-6279.
Solution
Apply the appropriate updates.
This update can be installed with the yum update program. Use su -c 'yum update pam_krb5' at the command line.
For more information, refer to Managing Software with yum, available at http://docs.fedoraproject.org/yum/.
https://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-6279
Insight
Update Information:
This updates the pam_krb5 package from version 2.3.2 to 2.3.5, fixing CVE-2009-1384: in certain configurations, the password prompt could vary depending on whether or not the user account was known to the system or the KDC.
It also fixes a bug which prevented password change attempts from working if the KDC denied requests for password-changing credentials with settings which would be used for login credentials, and makes the -n option for the afs5log command work as advertised.
ChangeLog:
* Tue May 26 2009 Nalin Dahyabhai - 2.3.5-1
- catch the case where we pass a NULL initial password into libkrb5 and it uses our callback to ask us for the password for the user using a principal name, and reject that (#502602)
- always prompt for a password unless we were told not to (#502602, CVE-2009-1384)
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2008-3825, CVE-2009-1384 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities