Updated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below.
The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. While these have been replaced by tools such as OpenSSH in most environments, they remain in use in others.
Security Fix
- CVE-2011-1526
It was found that gssftp, a Kerberos-aware FTP server, did not properly drop privileges. A remote FTP user could use this flaw to gain unauthorized read or write access to files that are owned by the root group.
Red Hat would like to thank the MIT Kerberos project for reporting this issue. Upstream acknowledges Tim Zingelman as the original reporter.
All krb5-appl users should upgrade to these updated packages, which contain a backported patch to correct this issue.
Updated krb5-appl packages that fix two bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The krb5-appl packages contain Kerberos-aware versions of clients and servers for the telnet, FTP, rsh, and rlogin protocols.
Bug Fixes
- BZ#713459
Prior to this update, the default PAM configuration for the FTP server incorrectly attempted to use the pam_selinux.so module. As a result, users failed to log in. This update corrects the supplied configuration. Now, the FTP server works as expected.
- BZ#713521
Prior to this update, the FTP server did not correctly parse lines in the /etc/ftpusers file which specified user names in combination with the "restrict" keyword. This update modifies the code so that the server parses the "restrict" keyword correctly.
Enhancement
- BZ#665834, BZ#736364
Prior to this update, the command-line FTP client in the krb5-appl-clients package did not accept command lines longer than 500 characters. This update removes this limitation.
All users of krb5-appl are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.
