Summary
The remote host is missing updates announced in
advisory SUSE-SA:2009:019.
Solution
Update your system with the packages as indicated in the referenced security advisory.
https://secure1.securityspace.com/smysecure/catid.html?in=SUSE-SA:2009:019
Insight
The Kerberos implementation from MIT is vulnerable to four different security issues that range from a remote crash to to possible, but very unlikely, remote code execution.
- CVE-2009-0844: The SPNEGO GSS-API implementation can read beyond the end of a buffer (network input) which leads to a crash.
- CVE-2009-0845: A NULL pointer dereference in the SPNEGO code can lead to a crash which affects programs using the GSS-API.
- CVE-2009-0846: The ASN.1 decoder can free an uninitialized NULL pointer which leads to a crash and can possibly lead to remote code execution. This bug can be exploited before any authen- tication happened,
- CVE-2009-0847: The ASN.1 decoder incorrectly validates a length parameter which leads to malloc() errors any possibly to a crash.
Severity
Classification
-
CVE CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 -
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
Related Vulnerabilities