Remote Bug Found In Ubuntu Kerberos 93

Posted by timothy
from the owning-up-to-it dept.
Trailrunner7 writes "There's a remote vulnerability in the Kerberos implementation in several versions of Ubuntu, which could allow an attacker to cause a denial-of-service on vulnerable servers. The bug is in Ubuntu 8.04, Ubuntu 9.10, Ubuntu 10.04 and Ubuntu 10.10. The bug is in the Ubuntu implementation of the Kerberos authentication protocol. Ubuntu has released a slew of new packages to fix the flaw. The group said that in most cases, a normal system update will add the new fixes."

  • Dear MS trolls: (Score:3, Insightful)

    by Anonymous Coward on Tuesday February 15, 2011 @08:55PM (#35216702)

    Notice how this has already been patched before most of the world knew about it?

    This is the difference in the GNU/Linux world and your world.

    Love,

    An ex-MS person that will never go back

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      This difference is caused by the fact that hackers and malware programmers generally love GNU/Linux. Therefore they report the bug first, then disclose it to the public and never exploit it. For Windows bugs they do it exactly the other way around.

      • All I know is, I installed the updates and never use Kerberos anyway so wasn't at risk to start with.
      • This difference is caused by the fact that hackers and malware programmers generally love GNU/Linux. Therefore they report the bug first, then disclose it to the public and never exploit it. For Windows bugs they do it exactly the other way around.

        This is not the first time I've heard something like it, and I still don't understand it. How can all hackers and malware programmers "generally love" Linux so much that they don't attack Linux sites? Can this really be true? I don't see how, but for the sake of argument, assuming that statement is true, WHY would hackers and malware programmers loooovvvvvvvee Linux so much and not Microsoft that they protect Linux and attack Microsoft? Why?

        • by bsDaemon (87307)

          Maybe because it's easier to feel like Robin Hood from their mom's basement while they're doing battle against the great Satan, Microsoft. They want their pet OS to have every advantage in making them feel superior to all the infidels who haven't been enlightened. But, do note, there's a difference between those who are capable of discovering and exploiting a memory corruption vulnerability by sifting through decompiled binaries, and dumb-ass kids who copy and paste SQL injections until one works with the

        • Because they use Linux and hide behind it. To expose its flaws would be to expose flaws in their defenses. At least, that's one way I've envisioned it.

          Windows is still the largest install base as well. For whatever reason OSX goes down quicker at Pwn2Own.
          • That doesn't make sense, just because they don't look at the flaws (even for themselves) doesn't mean they don't exist. (I'd imagine windows malware writers use windows for the most part)
            • It's not that they might not be looking for the flaws, just that they don't want others to know about them. Smart malware writers work on a different system, communicating and testing on their target platform. This ensures the malware does not infect the development platform.

              Which reminds me of someone who wrote a virus and accidentally infected themselves.
        • It's a big load of crap. It's exactly like saying armed robbers would report flaws in bank security because they love banks while knocking over gas stations, because they hate gas stations.

    • by black3d (1648913) on Tuesday February 15, 2011 @09:37PM (#35217008)

      It was discovered in (actually, discovered much earlier but acknowledged in) October 2010, thus the difference between the two worlds is that folks who discover Linux bugs tend not to share them with anyone but the vendor, and the folks who discover Windows bugs tell everyone and their dog, before even notifying Microsoft. Interestingly, often the same folks in both cases.

      Thus, there's nothing wrong with our world. There's something wrong with the mindset of the white-hats.

      • Re: (Score:3, Informative)

        by Anonymous Coward

        Except that here back in reality we have multitudes of real, published news stories about the building animosity between MS and whitehats who try to disclose bugs that MS doesn't care about and/or recognize, or possibly just ignore until they get around to it. There's problem #1 with your argument.

      • by SmallFurryCreature (593017) on Tuesday February 15, 2011 @11:30PM (#35217616) Journal

        Except for the countless times that people have disclosed security problems to MS, found that MS didn't give a toss and finally after months released it to the public because if THEY know it, someone else might ALSO know it and be exploiting it.

        But I guess a MS fanboy truly believes ignorance is bliss.

        • FOSS projects have the same mentality sometimes. I sometimes come across bugs that are marked WNF by the project maintainers.
    • by smash (1351)
      Notice how the bug is not present in FreeBSD?
  • Isn't the krb5 package supplied from upstream? Could this affect other distributions?
  • ftfa (Score:5, Informative)

    by Lehk228 (705449) on Tuesday February 15, 2011 @09:06PM (#35216778) Journal
    Keiichi Mori discovered that the MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial of service attack due to improper logic when a worker child process exited because of invalid network input.

    Kevin Longfellow and others discovered that the MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks when using an LDAP back end due to improper handling of network input.

    certainly not a good thing, but this isn't a remote hole
    • by ehntoo (1692256)
      The title may be a wee bit misleading, but I don't see anything other than your post mentioning anything about a "hole".
      • by Lehk228 (705449)
        more to clarify for anyone skimming the thread without RTFA that, as of yet anyways, there is no means to compromise a machine with this.
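The kpropd issue quoted in the ftfa post above, modelled as an added example (constructed illustration, not MIT krb5 source or the advisory's code): a listener that hands each connection to a worker child and, through improper exit logic, stops serving everyone as soon as one child exits because of invalid network input. The `KPROP <version> <length>` request format and all traffic are assumptions made up for the demonstration.

```python
"""Constructed model of the failure mode quoted from the advisory:
a forking-style listener whose parent treats a worker's non-zero exit
as fatal, so one malformed request denies service to every later client.
This is an illustration, not MIT krb5 source."""

import re
from typing import List, Tuple

# Constructed minimal wire format, assumed for this example only.
REQUEST_RE = re.compile(r"^KPROP (\d+) (\d+)$")


def worker(request: str) -> int:
    """Handle one request as a 'child' would and return its exit status.
    Bad input makes the child exit non-zero; that is expected and harmless
    as long as the parent keeps accepting connections."""
    m = REQUEST_RE.match(request)
    if m is None:
        return 1  # malformed request: this child gives up
    version, length = int(m.group(1)), int(m.group(2))
    if version != 1 or length > 4096:
        return 2  # unsupported version or oversize payload
    return 0  # update accepted


def listener_vulnerable(requests: List[str]) -> Tuple[int, bool]:
    """Improper logic: the parent exits when any child exits non-zero.
    Returns (requests served, daemon still running)."""
    served = 0
    for req in requests:
        if worker(req) != 0:
            return served, False  # daemon gone; later clients get nothing
        served += 1
    return served, True


def listener_fixed(requests: List[str]) -> Tuple[int, int, bool]:
    """Correct logic: a child's failure is logged and only that connection
    is dropped. Returns (served, rejected, daemon still running)."""
    served = rejected = 0
    for req in requests:
        if worker(req) != 0:
            rejected += 1  # real daemon would log here and keep listening
            continue
        served += 1
    return served, rejected, True


# Constructed traffic: two valid updates, one garbage line, one valid update.
SAMPLE = ["KPROP 1 512", "KPROP 1 2048", "\x00\x00garbage", "KPROP 1 100"]
```

The vulnerable listener serves two requests and dies on the third; the fixed one rejects only the garbage line and still serves the fourth client.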
  • by seifried (12921) on Tuesday February 15, 2011 @09:55PM (#35217098) Homepage

    This is a Kerberos (server side) issue affecting vendors shipping Kerberos, not an Ubuntu specific issue. All 4 of the issues are denial of service only (which is bad for authentication infrastructure since you can basically prevent everyone from getting any work done). Nothing to get terribly worked up about.

    http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-001.txt [mit.edu]

    http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-002.txt [mit.edu]

  • That was my first thought, anyway. Silly letter-versions.

  • Just installed the patches. Nicely, nicely quickstuff.

    • by drinkypoo (153816)

      I installed the patches before the article came out. Ubuntu has many failings, but time to first patch ain't one of them. Yes, I'm looking at you, Microsoft.

  • This is news? (Score:3, Informative)

    by mr_lizard13 (882373) on Wednesday February 16, 2011 @04:44AM (#35218868)
    Bug in software. Update fixes bug.

    Doesn't this happen all the time?
  • The update was pushed to Automatic Updates and I installed it yesterday. Did a Windows fan-boy get just a bit too excited to see a Linux Vulnerability?
