Environment
Novell Open Enterprise Server 2 (OES 2) Linux
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 1
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 2
Situation
According to the details disclosed in MITKRB5-SA-2009-004 [CVE-2009-4212], the following services in OES2 are vulnerable if they are enabled:
* Novell KDC (NKDC)
* Kerberos functionality in Domain Services for Windows (DSfW)
* SASL-GSSAPI LDAP login method
The vulnerability has been addressed in the following package versions:
OES2 SP0 (which uses ix86 rpms for both ix86 and x86_64 OES):
novell-kerberos-admin-server-1.5-32.6.i586.rpm
novell-kerberos-authentication-1.5-32.6.i586.rpm
novell-kerberos-base-1.5-32.6.i586.rpm
novell-kerberos-kdc-1.5-32.6.i586.rpm
novell-kerberos-ldap-extensions-1.5-32.6.i586.rpm
novell-kerberos-password-agent-1.5-32.6.i586.rpm
novell-kerberos-password-server-1.5-32.6.i586.rpm
novell-kerberos-server-base-1.5-32.6.i586.rpm
novell-kerberos-utilities-1.5-32.6.i586.rpm
OES2 SP1 (ix86):
novell-kerberos-base-1.5-39.i586.rpm
novell-kerberos-ldap-extensions-1.5-39.i586.rpm
novell-xad-krb5-1.6.5286-0.4.1.i586.rpm
OES2 SP1 (x86_64):
novell-kerberos-base-1.5-39.x86_64.rpm
novell-kerberos-ldap-extensions-1.5-39.x86_64.rpm
novell-xad-krb5-1.6.5286-0.4.1.x86_64.rpm
novell-xad-krb5-32bit-1.6.5286-0.4.1.x86_64.rpm
OES2 SP2 (ix86):
novell-kerberos-base-1.5-42.i586.rpm
novell-kerberos-ldap-extensions-1.5-42.i586.rpm
novell-xad-krb5-1.7.5285-0.5.i586.rpm
OES2 SP2 (x86_64):
novell-kerberos-base-1.5-42.x86_64.rpm
novell-kerberos-ldap-extensions-1.5-42.x86_64.rpm
novell-xad-krb5-1.7.5285-0.5.x86_64.rpm
novell-xad-krb5-32bit-1.7.5285-0.5.x86_64.rpm
Additional information:
- NKDC was discontinued as of OES2 SP1
- Domain Services for Windows (DSfW) is available in OES2 SP1 and later
Resolution
If any of these services are enabled, check the installed rpm versions against the package list above.
Update to the current packages in the update channel if required.
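The check described in the Resolution, written out as an added example script (this is not part of the Novell TID and not Novell's own tooling): it compares installed Novell Kerberos rpm version-release strings with the fixed versions listed above. The FIXED table is the OES2 SP2 x86_64 list; for SP0 or SP1 substitute that support pack's list. The helper names (vercmp, is_at_least, audit, installed_list, vulnerable_count) and the simplified segment-by-segment version comparison are this example's own assumptions; the rpm query uses the standard --qf format tags. Run it with --live on a server to query rpm; without arguments it audits a constructed sample list.

```shell
#!/bin/sh
# Added example (not from the Novell TID): compare installed Novell
# Kerberos rpms with the fixed version-release strings the advisory lists.
# FIXED is the OES2 SP2 x86_64 list; substitute the SP0/SP1 list as needed.

# Fixed versions from the TID: "name minimum-version-release".
FIXED="novell-kerberos-base 1.5-42
novell-kerberos-ldap-extensions 1.5-42
novell-xad-krb5 1.7.5285-0.5
novell-xad-krb5-32bit 1.7.5285-0.5"

# vercmp A B: print -1, 0 or 1 for A <, =, > B. Strings are split on '.'
# and '-'; numeric segments compare numerically, anything else as text,
# and a missing segment sorts lowest (so 1.5-32.6 > 1.5-32). This is a
# simplification of rpm's own rpmvercmp, sufficient for these versions.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        for (i = 1; i <= n || i <= m; i++) {
            p = (i <= n) ? x[i] : ""; q = (i <= m) ? y[i] : ""
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) {
                if (p + 0 < q + 0) { print "-1"; exit }
                if (p + 0 > q + 0) { print "1"; exit }
            } else {
                if ((p "") < (q "")) { print "-1"; exit }
                if ((p "") > (q "")) { print "1"; exit }
            }
        }
        print "0"
    }'
}

# is_at_least INSTALLED FIXED: succeed when INSTALLED >= FIXED.
is_at_least() {
    [ "$(vercmp "$1" "$2")" != "-1" ]
}

# audit LIST: LIST holds "name version-release" lines for installed rpms.
# Prints one status line per advisory package.
audit() {
    printf '%s\n' "$FIXED" | while read -r name fixed; do
        inst=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$inst" ]; then
            echo "$name not-installed"
        elif is_at_least "$inst" "$fixed"; then
            echo "$name ok ($inst >= $fixed)"
        else
            echo "$name VULNERABLE ($inst < $fixed)"
        fi
    done
}

# vulnerable_count LIST: number of installed advisory packages below the fix.
vulnerable_count() {
    audit "$1" | grep -c VULNERABLE || true
}

# installed_list: query rpm for the advisory packages that are present.
# rpm -q exits non-zero for a package that is not installed.
installed_list() {
    printf '%s\n' "$FIXED" | while read -r name _; do
        v=$(rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' "$name" 2>/dev/null) \
            && printf '%s\n' "$v"
    done
}

# Constructed sample of rpm output (not from a real server): one package
# still at the SP1 level, one already at the SP2 fix, the other two absent.
SAMPLE_INSTALLED="novell-kerberos-base 1.5-39
novell-xad-krb5 1.7.5285-0.5"

if [ "${1:-}" = "--live" ]; then
    audit "$(installed_list)"
else
    audit "$SAMPLE_INSTALLED"
fi
```

On the sample list the script reports novell-kerberos-base as VULNERABLE (1.5-39 is below 1.5-42), novell-xad-krb5 as ok, and the two absent packages as not-installed; a package that is not installed needs no action for this advisory.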
Status
Security Alert
Additional Information
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-004.txt
CVE: CVE-2009-4212
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4212