[28997] in Kerberos


Re: How to determine the version (UNCLASSIFIED)

daemon@ATHENA.MIT.EDU (Roberto =?iso-8859-1?Q?C=2E_S=E1nc)
Wed Jan 9 16:09:48 2008

Date: Wed, 9 Jan 2008 16:09:09 -0500
From: Roberto C. Sánchez <roberto@connexer.com>
To: kerberos@mit.edu
Message-ID: <20080109210909.GB16929@connexer.com>
Mail-Followup-To: kerberos@mit.edu
MIME-Version: 1.0
In-Reply-To: <5B93875C42278C43A32F0BEB91CEABBB0239CB25@laccadive.disanet.disa-u.mil>
Errors-To: kerberos-bounces@mit.edu


On Wed, Jan 09, 2008 at 10:53:11AM -0500, Mackanick, Jason W CTR DISA GIG-OP wrote:
> Classification:  UNCLASSIFIED
> Caveats: NONE
>
> Various vendors for unix package kerberos with the operating system.  Is
> there a method to determine the version number for compliance purposes
> with items such as advisories that are propagated to a CVE?
>

Jason,

Assuming that the vendor ships the kerberos development packages,
something like this might be what you want:

krb5-config --version
Kerberos 5 release 1.4.4

A cursory look would tell you that I am vulnerable to a heap of CVEs
related to Kerberos.

However, in my case I am running Debian Etch.  Debian has a policy of
not introducing new upstream versions just to patch security fixes, so
they always do targeted security fixes.  So, the version installed on my
machine is something like this:

apt-cache policy libkrb5-dev |grep Installed
  Installed: 1.4.4-7etch4

Looking at the package changelog, there are several entries (4, in fact)
like this:

krb5 (1.4.4-7etch4) stable-security; urgency=emergency

  * Fix bug in fix for CVE-2007-3999: the previous patch could allow an
    overflow of up to 32 bytes.   Depending on how locals are layed out on
    the stack, this may or may not be a problem.

 -- Sam Hartman <hartmans@debian.org>  Tue, 04 Sep 2007 19:51:49 -0400

The total number of CVEs noted in the changelog for the current release
is six.  So, while a look at the raw version number as reported by
Kerberos looks bad, further investigation shows that I am OK in that
department (assuming there have only been six CVEs total since the
release of 1.4.4; I have not checked).

So, I guess it depends in part on your Unix vendor's security policy.
Since you are .mil, you are most probably using Solaris.  I know that
Sun deploys packages (you can access information about them using
pkginfo), but that about exhausts my knowledge of Solaris-specific
sysadmin knowledge.  So, if Sun ships detailed changelogs with their
packages (like Debian does), you might be able to glean the necessary
information from there.

Regards,

-Roberto
-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
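The point of the reply above is that the upstream string from krb5-config says nothing about distribution-level backports; the Debian revision and its changelog do. The script below is an added example (not from the thread or from Debian's tooling): it splits a package version into epoch, upstream and revision, and collects the CVE ids mentioned in changelog entries that sit on top of a given upstream release. The changelog text is constructed for the example, modelled on the entry quoted in the message; CVE-2007-0000 is a placeholder id, not a real advisory.

```python
import re

# Constructed sample in Debian changelog format (not the real krb5 changelog).
# CVE-2007-3999 is the id quoted in the message; CVE-2007-0000 is a placeholder.
SAMPLE_CHANGELOG = """\
krb5 (1.4.4-7etch4) stable-security; urgency=emergency

  * Fix bug in fix for CVE-2007-3999: the previous patch could allow an
    overflow of up to 32 bytes.

 -- Sam Hartman <hartmans@debian.org>  Tue, 04 Sep 2007 19:51:49 -0400

krb5 (1.4.4-7etch3) stable-security; urgency=high

  * Backport fixes for CVE-2007-3999 and CVE-2007-0000 (placeholder entry)

 -- Maintainer <maintainer@example.invalid>  Mon, 03 Sep 2007 10:00:00 -0400

krb5 (1.4.4-7) unstable; urgency=low

  * New upstream release

 -- Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2007 10:00:00 -0400
"""

# Entry header: "package (version) distribution; urgency=level"
ENTRY_RE = re.compile(r"^(?P<src>\S+) \((?P<ver>[^)]+)\) (?P<dist>\S+); urgency=(?P<urg>\S+)$", re.M)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def split_version(version):
    """Split a Debian version '[epoch:]upstream[-revision]' into its parts."""
    epoch = None
    if ":" in version:
        epoch, version = version.split(":", 1)
    upstream, revision = (version.rsplit("-", 1) + [None])[:2] if "-" in version else (version, None)
    return epoch, upstream, revision

def parse_changelog(text):
    """Return [(version, sorted CVE ids)] per entry, in file order (newest first)."""
    headers = list(ENTRY_RE.finditer(text))
    entries = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entries.append((h.group("ver"), sorted(set(CVE_RE.findall(text[h.end():end])))))
    return entries

def cves_patched_on_top_of(text, upstream):
    """CVEs addressed by packaging revisions of one upstream version: the part
    that 'krb5-config --version' cannot show, since the upstream number is unchanged."""
    fixed = set()
    for version, cves in parse_changelog(text):
        if split_version(version)[1] == upstream:
            fixed.update(cves)
    return fixed

def audit(text, installed_version):
    """Summarise what an installed package version carries beyond its upstream release."""
    _, upstream, revision = split_version(installed_version)
    return {"upstream": upstream, "revision": revision,
            "cves_fixed": sorted(cves_patched_on_top_of(text, upstream))}
```

On a real Debian system the changelog to feed in is the one under /usr/share/doc for the package, and the version comes from `apt-cache policy` as shown in the reply.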

