Debian release 2.6-1etch1

Format: 1.7
Date: Thu, 29 Jan 2009 12:42:13 -0800
Source: libpam-krb5
Binary: libpam-krb5
Architecture: source i386
Version: 2.6-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
 libpam-krb5 - PAM module for MIT Kerberos
Changes:
 libpam-krb5 (2.6-1etch1) stable-security; urgency=high
 .
   * SECURITY (CVE-2009-0360): If invoked in a setuid context, ignore user
     environment variables that specify the local keytab and Kerberos
     configuration.  Protects against a privilege escalation vulnerability.
   * SECURITY (CVE-2009-0361): Protect against applications calling
     pam_setcred with PAM_REINITIALIZE_CREDS as root in a setuid context.
     This API call is designed to reinitialize an existing Kerberos ticket
     cache and therefore trusts the KRB5CCNAME environment variable, but in
     a setuid context, this may allow overwriting arbitrary files.
Files:
 e24d2e134c78f26f571ae691a4dd3209 670 net optional libpam-krb5_2.6-1etch1.dsc
 5742d0fb75ac148b7748387bc295f472 119752 net optional libpam-krb5_2.6.orig.tar.gz
 93ab13d570cbb2938e703fef2f06581e 11016 net optional libpam-krb5_2.6-1etch1.diff.gz
 9d3eb6c5e1954393cde41f73b3824190 56726 net optional libpam-krb5_2.6-1etch1_i386.deb