===========================================================
Ubuntu Security Notice USN-1030-1 December 09, 2010
krb5 vulnerabilities
CVE-2010-1323, CVE-2010-1324, CVE-2010-4020, CVE-2010-4021
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
libkrb53 1.4.3-5ubuntu0.12

Ubuntu 8.04 LTS:
libkrb53 1.6.dfsg.3~beta1-2ubuntu1.6

Ubuntu 9.10:
libkrb5-3 1.7dfsg~beta3-1ubuntu0.7

Ubuntu 10.04 LTS:
libkrb5-3 1.8.1+dfsg-2ubuntu0.4

Ubuntu 10.10:
libkrb5-3 1.8.1+dfsg-5ubuntu0.2

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that Kerberos did not properly determine the
acceptability of certain checksums. A remote attacker could use certain
checksums to alter the prompt message, modify a response to a Key
Distribution Center (KDC) or forge a KRB-SAFE message. (CVE-2010-1323)

It was discovered that Kerberos did not properly determine the
acceptability of certain checksums. A remote attacker could use certain
checksums to forge GSS tokens or gain privileges. This issue only affected
Ubuntu 9.10, 10.04 LTS and 10.10. (CVE-2010-1324)

It was discovered that Kerberos did not reject RC4 key-derivation
checksums. An authenticated remote user could use this issue to forge
AD-SIGNEDPATH or AD-KDC-ISSUED signatures and possibly gain privileges.
This issue only affected Ubuntu 10.04 LTS and 10.10. (CVE-2010-4020)

It was discovered that Kerberos did not properly restrict the use of TGT
credentials for armoring TGS requests. A remote authenticated user could
use this flaw to impersonate a client. This issue only affected Ubuntu
9.10. (CVE-2010-4021)