Synopsis
The remote Debian host is missing a security-related update.
Description
Several local vulnerabilities have been discovered in the PAM module for MIT Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2009-0360 Russ Allbery discovered that the Kerberos PAM module parsed configuration settings from environment variables when run from a setuid context. This could lead to local privilege escalation if an attacker points a setuid program using PAM authentication to a Kerberos setup under her control.
- CVE-2009-0361 Derek Chan discovered that the Kerberos PAM module allows reinitialisation of user credentials when run from a setuid context, resulting in a potential local denial of service (by overwriting the credential cache file) or privilege escalation.
Solution
Upgrade the libpam-krb5 package.
For the stable distribution (etch), these problems have been fixed in version 2.6-1etch1.
For the upcoming stable distribution (lenny), these problems have been fixed in version 3.11-4.
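The following script is an added example, not part of the advisory or of the libpam-krb5 package: it checks whether an installed libpam-krb5 version is older than the fixed version named above for the etch or lenny suite. The function and variable names are my own; the only facts taken from the advisory are the two fixed version strings, and the host query relies on dpkg-query being present (the version-comparison functions themselves work on constructed version strings without it).

```shell
#!/bin/sh
# Added example (not the advisory's own code): decide whether an installed
# libpam-krb5 version is below the DSA fix for its suite.

# fixed_version SUITE -> prints the fixed version from the advisory text.
fixed_version() {
    case "$1" in
        etch)  echo "2.6-1etch1" ;;
        lenny) echo "3.11-4" ;;
        *)     return 1 ;;
    esac
}

# version_lt A B -> exit 0 if A is strictly older than B.
# Uses dpkg's comparison when available; otherwise falls back to sort -V,
# which agrees with dpkg for plain versions like these but does not handle
# epochs ("1:") or the "~" pre-release marker the same way.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
    fi
}

# needs_upgrade SUITE INSTALLED -> exit 0 if INSTALLED is below the fix,
# 1 if it is at or above the fix, 2 for an unknown suite.
needs_upgrade() {
    fixed=$(fixed_version "$1") || return 2
    version_lt "$2" "$fixed"
}

# Query the real package on this host; SUITE defaults to etch.
main() {
    suite=${1:-etch}
    installed=$(dpkg-query -W -f '${Version}' libpam-krb5 2>/dev/null) ||
        { echo "libpam-krb5 is not installed"; return 0; }
    if needs_upgrade "$suite" "$installed"; then
        echo "libpam-krb5 $installed is vulnerable (fixed in $(fixed_version "$suite"))"
        return 1
    fi
    echo "libpam-krb5 $installed is at or above the fixed version"
}

# Run the host check only when executed directly, not when sourced.
case "${0##*/}" in
    sh|bash|dash|ash) ;;
    *) main "$@" ;;
esac
```

Run it as `sh check-pam-krb5.sh etch` or `sh check-pam-krb5.sh lenny`; a non-zero exit status means the package is below the version that contains the fix.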