CVE-2009-0361
Published: 13 February 2009
Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in Solaris 10, and other software, does not properly handle calls to pam_setcred when running setuid, which allows local users to overwrite and change the ownership of arbitrary files by setting the KRB5CCNAME environment variable, and then launching a setuid application that performs certain pam_setcred operations.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libpam-heimdal Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| gutsy |
Ignored
(end of life, was needs-triage)
|
|
| hardy |
Ignored
(end of life)
|
|
| intrepid |
Ignored
(end of life, was needed)
|
|
| jaunty |
Not vulnerable
(3.10-2.1ubuntu1)
|
|
| karmic |
Not vulnerable
(3.10-2.1ubuntu1)
|
|
| lucid |
Not vulnerable
(3.15-2ubuntu1)
|
|
| maverick |
Not vulnerable
(3.15-2ubuntu1)
|
|
| natty |
Not vulnerable
(3.15-2ubuntu1)
|
|
| oneiric |
Does not exist
(pulled 2010-07-27)
|
|
| upstream |
Released
(3.10-2.1)
|
|
|
libpam-krb5 Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| gutsy |
Ignored
(end of life, was needed)
|
|
| hardy |
Released
(3.10-1ubuntu0.8.04.1)
|
|
| intrepid |
Released
(3.10-1ubuntu0.8.10.1)
|
|
| jaunty |
Released
(3.11-4ubuntu1)
|
|
| karmic |
Released
(3.11-4ubuntu1)
|
|
| lucid |
Released
(3.11-4ubuntu1)
|
|
| maverick |
Released
(3.11-4ubuntu1)
|
|
| natty |
Released
(3.11-4ubuntu1)
|
|
| oneiric |
Released
(3.11-4ubuntu1)
|
|
| upstream |
Released
(3.11-4)
|