oss-sec mailing list archives
CVE assignment notification (pam_krb5 CVE-2009-1384)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 27 May 2009 11:55:13 +0200
Hello Steve,
a security flaw similar to the recent pam_ssh one, CVE-2009-1273:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1273
was found in the pam_krb5 module. From the particular Red Hat
bugzilla entry:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1384
<cite>
A security flaw was found in the PAM pam_krb5 module, which provides user
authentication based on Kerberos principals. A remote attacker could
use this flaw to recognize whether some username/login belongs to the set of
user accounts existing on the system, and subsequently perform a
dictionary-based password-guessing attack.
</cite>
VERSIONS INFORMATION (Red Hat pam_krb5 version numbering is used):
=====================
a, Not vulnerable - the vulnerability is not present in versions of
pam_krb5 prior to and including pam_krb5-2.1.17
b, Vulnerable - presence of the flaw is confirmed in versions of
pam_krb5 starting from pam_krb5-2.2.14 and newer
CVE:
====
The CVE identifier CVE-2009-1384 has already been assigned to this flaw.
Thanks && regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team