Scientific Linux Security Update : pam_krb5/krb5 on SL5.x i386/x86_64

This script is Copyright (C) 2012 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

pam_krb5 addresses the following security issue :

A flaw was found in the pam_krb5 'existing_ticket' configuration
option. If a system is configured to use an existing credential cache
via the 'existing_ticket' option, it may be possible for a local user
to gain elevated privileges by using a different, local user's
credential cache. (CVE-2008-3825)

krb5 addresses the following bug :

- In cases where a server application began to
sequentially iterate through the contents of a keytab
file, if it paused to call certain functions such as
krb5_rd_req() which encountered errors, a subsequent
call to the krb5_kt_next_entry() function could cause
the calling application to crash. The issue has been
fixed in these updated packages so that a call to the
krb5_kt_next_entry() function will not crash the calling
application.

See also :

http://www.nessus.org/u?e60c67dd

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.4
(CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 60481

Bugtraq ID:

CVE ID: CVE-2008-3825