Security update for Novell Kerberos KDC

  • 3277932
  • 30-Aug-2006
  • 16-May-2013

Environment

Novell Kerberos KDC

Situation

In the ksu application program packaged in the Novell Kerberos KDC distribution, calls to setuid() and seteuid() were not always checked for success. The primary risk is believed to be to Linux systems, because of how the Linux implementation of the setuid() and seteuid() system calls behaves. A local user could potentially exploit one of these vulnerabilities to escalate privileges. No exploit code is known to exist at this time.

Resolution

Install version 1.0.1 of the Novell Kerberos KDC which contains a new ksu utility without the vulnerability. The new release is available at the Novell download site.

Status

Security Alert

Additional Information

CVE: CVE-2006-3083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3083

CVE: CVE-2006-3084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3084