pam_krb5-2.4.4-6.7 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10521 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z pam_krb5-2.4.4-6.7 on GA media These are all security issues fixed in the pam_krb5-2.4.4-6.7 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10521 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10521 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2008-3825/ SUSE CVE CVE-2008-3825 page https://www.suse.com/security/cve/CVE-2009-1384/ SUSE CVE CVE-2009-1384 page openSUSE Tumbleweed pam_krb5-2.4.4-6.7 pam_krb5-32bit-2.4.4-6.7 pam_krb5-2.4.4-6.7 as a component of openSUSE Tumbleweed pam_krb5-32bit-2.4.4-6.7 as a component of openSUSE Tumbleweed pam_krb5 2.2.14 in Red Hat Enterprise Linux (RHEL) 5 and earlier, when the existing_ticket option is enabled, uses incorrect privileges when reading a Kerberos credential cache, which allows local users to gain privileges by setting the KRB5CCNAME environment variable to an arbitrary cache filename and running the (1) su or (2) sudo program. NOTE: there may be a related vector involving sshd that has limited relevance. CVE-2008-3825 openSUSE Tumbleweed:pam_krb5-2.4.4-6.7 openSUSE Tumbleweed:pam_krb5-32bit-2.4.4-6.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-3825.html CVE-2008-3825 https://bugzilla.suse.com/425861 SUSE Bug 425861 pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. CVE-2009-1384 openSUSE Tumbleweed:pam_krb5-2.4.4-6.7 openSUSE Tumbleweed:pam_krb5-32bit-2.4.4-6.7 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-1384.html CVE-2009-1384 https://bugzilla.suse.com/507729 SUSE Bug 507729