CVE-2011-0282
published 2011-02-10
Priority: P4 · 23 · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 3.48% (87.6th percentile)
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (NULL pointer dereference or buffer over-read, and daemon crash) via a crafted principal name.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | krb5 | < krb5 1.8.3+dfsg-5 (bookworm) | krb5 1.8.3+dfsg-5 (bookworm) |
| mit | kerberos | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | krb5 | >= 0 < 1.8.3+dfsg-5 | 1.8.3+dfsg-5 |
| mit | krb5 | >= 0 < 1.8.3+dfsg-5 | 1.8.3+dfsg-5 |
| mit | krb5 | >= 0 < 1.8.3+dfsg-5 | 1.8.3+dfsg-5 |
| mit | krb5 | >= 0 < 1.8.3+dfsg-5 | 1.8.3+dfsg-5 |
| vmware | vmware_esxi | — | — |
| vmware | vmware_workstation | — | — |
| vmware | vsphere | — | — |
CVSS provenance
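| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | | 5.0 | MEDIUM | |
| vendor_debian | | 5.0 | MEDIUM | |
| vendor_redhat | | 5.0 | MEDIUM | |
| vendor_ubuntu | | 5.0 | MEDIUM | |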
VMware
VMware ESX third party updates for Service Console packages glibc and dhcp
vendor_vmware·2011-10-12·CVSS 4.7
CVE-2010-0296 [MEDIUM] VMware ESX third party updates for Service Console packages glibc and dhcp
VMSA-2011-0012: VMware ESX third party updates for Service Console packages glibc and dhcp
a. ESX third party update for Service Console kernel This update takes the console OS kernel package to kernel-2.6.18-238.9.1 which resolves multiple security issues. The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the names CVE-2010-1083, CVE-2010-2492, CVE-2010-2798, CVE-2010-2938, CVE-2010-2942, CVE-2010-2943, CVE-2010-3015, CVE-2010-3066, CVE-2010-3067, CVE-2010-3078, CVE-2010-3086, CVE-2010-3296, CVE-2010-3432, CVE-2010-3442, CVE-2010-3477, CVE-2010-3699, CVE-2010-3858, CVE-2010-3859, CVE-2010-3865, CVE-2010-3876, CVE-2010-3877, CVE-2010-3880, CVE-2010-3904, CVE-2010-4072, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4081, CVE-2010-4083, CVE-2010-4157, CV
Ubuntu
Kerberos vulnerabilities
vendor_ubuntu·2011-02-15·CVSS 5.0
CVE-2010-4022 [MEDIUM] Kerberos vulnerabilities
Title: Kerberos vulnerabilities
Keiichi Mori discovered that the MIT krb5 KDC database propagation
daemon (kpropd) is vulnerable to a denial of service attack due
to improper logic when a worker child process exited because
of invalid network input. This could only occur when kpropd is
running in standalone mode; kpropd was not affected when running in
incremental propagation mode ("iprop") or as an inetd server. This
issue only affects Ubuntu 9.10, Ubuntu 10.04 LTS, and Ubuntu
10.10. (CVE-2010-4022)
Kevin Longfellow and others discovered that the MIT krb5 Key
Distribution Center (KDC) daemon is vulnerable to denial of service
attacks when using an LDAP back end due to improper handling of
network input. (CVE-2011-0281, CVE-2011-0282)
Instructions: In general, a standard system update w
Red Hat
krb5: KDC crash when using LDAP backend caused by a special principal name (MITKRB5-SA-2011-002)
vendor_redhat·2011-02-08·CVSS 5.0
CVE-2011-0282 [MEDIUM] krb5: KDC crash when using LDAP backend caused by a special principal name (MITKRB5-SA-2011-002)
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (NULL pointer dereference or buffer over-read, and daemon crash) via a crafted principal name.
Statement: This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 3 or 4 as they did not include support for the LDAP backend.
Package: krb5 (Red Hat Enterprise Linux 4) - Not affected
Debian
CVE-2011-0282: krb5 - The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9...
vendor_debian·2011·CVSS 5.0
CVE-2011-0282 [MEDIUM] CVE-2011-0282: krb5 - The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9...
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (NULL pointer dereference or buffer over-read, and daemon crash) via a crafted principal name.
Scope: local
bookworm: resolved (fixed in 1.8.3+dfsg-5)
bullseye: resolved (fixed in 1.8.3+dfsg-5)
forky: resolved (fixed in 1.8.3+dfsg-5)
sid: resolved (fixed in 1.8.3+dfsg-5)
trixie: resolved (fixed in 1.8.3+dfsg-5)
GHSA
GHSA-9889-rr58-7c63: The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1
ghsa_unreviewed·2022-05-13
CVE-2011-0282 [MEDIUM] GHSA-9889-rr58-7c63: The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (NULL pointer dereference or buffer over-read, and daemon crash) via a crafted principal name.
OSV
CVE-2011-0282: The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1
osv·2011-02-10·CVSS 5.0
CVE-2011-0282 [MEDIUM] CVE-2011-0282: The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (NULL pointer dereference or buffer over-read, and daemon crash) via a crafted principal name.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2010-4451 JDK unspecified vulnerability in Install component
bugzilla·2011-02-16·CVSS 7.6
CVE-2010-4451 [HIGH] CVE-2010-4451 JDK unspecified vulnerability in Install component
Update 24 of Oracle/Sun Java fixes an unspecified vulnerability in the
Install component (CVE-2010-4451). The CVSSv2 scored upstream is
cvss2=7.6/AV:N/AC:H/Au:N/C:C/I:C/A:C
Reference:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html#AppendixJAVA
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
Bugzilla
CVE-2010-4447 JDK unspecified vulnerability in Deployment component
bugzilla·2011-02-16·CVSS 4.3
CVE-2010-4447 [MEDIUM] CVE-2010-4447 JDK unspecified vulnerability in Deployment component
Update 24 of Oracle/Sun Java fixes an unspecified vulnerability in the
Deployment component (CVE-2010-4447). The CVSSv2 scored upstream is
cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N
Reference:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html#AppendixJAVA
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Extras for RHEL 4
Via RHSA-2011:0357 https://rhn.redhat.
Bugzilla
CVE-2010-4422 JDK unspecified vulnerability in Deployment component
bugzilla·2011-02-16·CVSS 7.6
CVE-2010-4422 [HIGH] CVE-2010-4422 JDK unspecified vulnerability in Deployment component
Update 24 of Oracle/Sun Java fixes an unspecified vulnerability in the
Deployment component (CVE-2010-4422). The CVSSv2 scored upstream is
cvss2=7.6/AV:N/AC:H/Au:N/C:C/I:C/A:C
Reference:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html#AppendixJAVA
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Extras for RHEL 4
Via RHSA-2011:0357 https://rhn.redhat.
Bugzilla
CVE-2010-4462 JDK unspecified vulnerability in Sound component
bugzilla·2011-02-16·CVSS 10.0
CVE-2010-4462 [CRITICAL] CVE-2010-4462 JDK unspecified vulnerability in Sound component
Update 24 of Oracle/Sun Java fixes an unspecified vulnerability in the
Sound component (CVE-2010-4462). The CVSSv2 scored upstream is
cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P
Reference:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html#AppendixJAVA
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Extras for RHEL 4
Via RHSA-2011:0357 https://rhn.redhat.com/errata
Bugzilla
CVE-2010-4452 JDK unspecified vulnerability in Deployment component
bugzilla·2011-02-16·CVSS 10.0
CVE-2010-4452 [CRITICAL] CVE-2010-4452 JDK unspecified vulnerability in Deployment component
Update 24 of Oracle/Sun Java fixes an unspecified vulnerability in the
Deployment component (CVE-2010-4452). The CVSSv2 scored upstream is
cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P
Reference:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html#AppendixJAVA
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Extras for RHEL 4
Via RHSA-2011:0357 https://rhn.redhat.
Bugzilla
CVE-2010-4454 JDK unspecified vulnerability in Sound component
bugzilla·2011-02-16·CVSS 10.0
CVE-2010-4454 [CRITICAL] CVE-2010-4454 JDK unspecified vulnerability in Sound component
Update 24 of Oracle/Sun Java fixes an unspecified vulnerability in the
Sound component (CVE-2010-4454). The CVSSv2 scored upstream is
cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P
Reference:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html#AppendixJAVA
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Extras for RHEL 4
Via RHSA-2011:0357 https://rhn.redhat.com/errata
Bugzilla
CVE-2010-4463 JDK unspecified vulnerability in Deployment component
bugzilla·2011-02-16·CVSS 10.0
CVE-2010-4463 [CRITICAL] CVE-2010-4463 JDK unspecified vulnerability in Deployment component
Update 24 of Oracle/Sun Java fixes an unspecified vulnerability in the
Deployment component (CVE-2010-4463). The CVSSv2 scored upstream is
cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P
Reference:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html#AppendixJAVA
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Extras for RHEL 4
Via RHSA-2011:0357 https://rhn.redhat.
Bugzilla
CVE-2010-4466 JDK unspecified vulnerability in Deployment component
bugzilla·2011-02-16·CVSS 5.0
CVE-2010-4466 [MEDIUM] CVE-2010-4466 JDK unspecified vulnerability in Deployment component
Update 24 of Oracle/Sun Java fixes an unspecified vulnerability in the
Deployment component (CVE-2010-4466). The CVSSv2 scored upstream is
cvss2=5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
Reference:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html#AppendixJAVA
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Extras for RHEL 4
Via RHSA-2011:0357 https://rhn.redhat.
Bugzilla
CVE-2010-4475 JDK unspecified vulnerability in Deployment component
bugzilla·2011-02-16·CVSS 4.3
CVE-2010-4475 [MEDIUM] CVE-2010-4475 JDK unspecified vulnerability in Deployment component
Update 24 of Oracle/Sun Java fixes an unspecified vulnerability in the
Deployment component (CVE-2010-4475). The CVSSv2 scored upstream is
cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N
Reference:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html#AppendixJAVA
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Extras for RHEL 4
Via RHSA-2011:0357 https://rhn.redhat.
Bugzilla
CVE-2010-4473 JDK unspecified vulnerability in Sound component
bugzilla·2011-02-16·CVSS 10.0
CVE-2010-4473 [CRITICAL] CVE-2010-4473 JDK unspecified vulnerability in Sound component
Update 24 of Oracle/Sun Java fixes an unspecified vulnerability in the
Sound component (CVE-2010-4473). The CVSSv2 scored upstream is
cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P
Reference:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html#AppendixJAVA
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Extras for RHEL 4
Via RHSA-2011:0357 https://rhn.redhat.com/errata
Bugzilla
CVE-2010-4468 JDK unspecified vulnerability in JDBC component
bugzilla·2011-02-16·CVSS 4.0
CVE-2010-4468 [MEDIUM] CVE-2010-4468 JDK unspecified vulnerability in JDBC component
Update 24 of Oracle/Sun Java fixes an unspecified vulnerability in the
JDBC component (CVE-2010-4468). The CVSSv2 scored upstream is
cvss2=4.0/AV:N/AC:H/Au:N/C:P/I:P/A:N
Reference:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html#AppendixJAVA
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Extras for RHEL 4
Via RHSA-2011:0357 https://rhn.redhat.com/errata/R
Bugzilla
CVE-2010-4467 JDK unspecified vulnerability in Deployment component
bugzilla·2011-02-16·CVSS 10.0
CVE-2010-4467 [CRITICAL] CVE-2010-4467 JDK unspecified vulnerability in Deployment component
Update 24 of Oracle/Sun Java fixes an unspecified vulnerability in the
Deployment component (CVE-2010-4467). The CVSSv2 scored upstream is
cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P
Reference:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html#AppendixJAVA
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Extras for RHEL 4
Via RHSA-2011:0357 https://rhn.redhat.
Bugzilla
CVE-2010-4022 CVE-2011-0281 CVE-2011-0282 krb5 various flaws [fedora-all]
bugzilla·2011-02-08·CVSS 5.0
CVE-2010-4022 [MEDIUM] CVE-2010-4022 CVE-2011-0281 CVE-2011-0282 krb5 various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=664009
Please note: this issue affects multiple
Bugzilla
CVE-2010-4471 OpenJDK Java2D font-related system property leak (6985453)
bugzilla·2011-02-08·CVSS 5.0
CVE-2010-4471 [MEDIUM] CVE-2010-4471 OpenJDK Java2D font-related system property leak (6985453)
A vulnerability was discovered in the 2D subcomponent. Exceptions thrown when processing broken CFF fonts could leak system property values.
This issue (CVE-2010-4471) is not exploitable when using OpenJDK on Red Hat
Enterprise Linux 5 and 6; however, the fix was added as a defense in depth.
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2011:0281 https://rhn.redhat.com/errata/RHSA-2011-0281.html
-
Bugzilla
CVE-2010-4465 OpenJDK Swing timer-based security manager bypass (6907662)
bugzilla·2011-02-08·CVSS 10.0
CVE-2010-4465 [CRITICAL] CVE-2010-4465 OpenJDK Swing timer-based security manager bypass (6907662)
A flaw was found in the Swing library. Forged TimerEvents could be used to
bypass SecurityManager checks, allowing access to otherwise blocked files and
directories.
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2011:0281 https://rhn.redhat.com/errata/RHSA-2011-0281.html
---
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Ha
Bugzilla
CVE-2010-4450 OpenJDK Launcher incorrect processing of empty library path entries (6983554)
bugzilla·2011-02-08·CVSS 3.7
CVE-2010-4450 [LOW] CVE-2010-4450 OpenJDK Launcher incorrect processing of empty library path entries (6983554)
It was found that the Java launcher provided by OpenJDK did not check the
LD_LIBRARY_PATH environment variable for insecure empty path elements. A local
attacker able to trick a user into running the Java launcher while working from
an attacker-writable directory could use this flaw to load an untrusted
library, subverting the Java security model.
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux
Bugzilla
CVE-2010-4469 OpenJDK Hotspot verifier heap corruption (6878713)
bugzilla·2011-02-08·CVSS 10.0
CVE-2010-4469 [CRITICAL] CVE-2010-4469 OpenJDK Hotspot verifier heap corruption (6878713)
A flaw was found in the HotSpot component in OpenJDK. Certain bytecode instructions confused the memory management within the Java Virtual Machine (JVM), which could lead to heap corruption.
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2011:0281 https://rhn.redhat.com/errata/RHSA-2011-0281.html
Bugzilla
CVE-2010-4470 OpenJDK JAXP untrusted component state manipulation (6927050)
bugzilla·2011-02-08·CVSS 5.0
CVE-2010-4470 [MEDIUM] CVE-2010-4470 OpenJDK JAXP untrusted component state manipulation (6927050)
A flaw was found in the way JAXP (Java API for XML Processing) components were
handled, allowing them to be manipulated by untrusted applets. This could be
used to elevate privileges and bypass secure XML processing restrictions.
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2011:0281 https://rhn.redhat.com/errata/RHSA-2011-0281.html
Bugzilla
CVE-2010-4448 OpenJDK DNS cache poisoning by untrusted applets (6981922)
bugzilla·2011-02-08·CVSS 2.6
CVE-2010-4448 [LOW] CVE-2010-4448 OpenJDK DNS cache poisoning by untrusted applets (6981922)
It was found that untrusted applets could create and place cache entries in the
name resolution cache. This could allow an attacker targeted manipulation over
name resolution until the OpenJDK VM is restarted.
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2011:0281 https://rhn.redhat.com/errata/RHSA-2011-0281.html
---
This issue has been addressed in following products:
Supplementary for Red Hat
Bugzilla
CVE-2010-4472 OpenJDK untrusted code allowed to replace DSIG/C14N implementation (6994263)
bugzilla·2011-02-08·CVSS 2.6
CVE-2010-4472 [LOW] CVE-2010-4472 OpenJDK untrusted code allowed to replace DSIG/C14N implementation (6994263)
A flaw was found in the XML Digital Signature component in OpenJDK. Untrusted code could use this flaw to replace the Java Runtime Environment (JRE) XML Digital Signature Transform or C14N algorithm implementations to intercept digital signature operations.
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Extras for RHEL 4
Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2011:0281 https://rhn.redhat.com/errata/RHSA-2011-0281.html
Bugzilla
CVE-2011-0282 krb5: KDC crash when using LDAP backend caused by a special principal name (MITKRB5-SA-2011-002)
bugzilla·2011-01-11·CVSS 5.0
CVE-2011-0282 [MEDIUM] CVE-2011-0282 krb5: KDC crash when using LDAP backend caused by a special principal name (MITKRB5-SA-2011-002)
A NULL pointer dereference flaw was found in the way
the MIT Key Distribution Center (KDC) daemon processed
not-null terminated principal names in a request for a
ticket-granting ticket, when the krb5kdc daemon was
configured to use an LDAP back end. A remote attacker
could use this flaw to cause denial of service (krb5kdc
daemon crash) via a ticket-granting ticket request for
a specially-crafted principal name.
Acknowledgements:
Red Hat would like to thank the MIT Kerberos project for reporting
this issue.
Discussion:
This issue did NOT affect the versions of the krb5 package, as shipped
with Red Hat Enterprise Linux 3 or 4, as those versions do not support
LDAP back end / storage me
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00004.html
http://secunia.com/advisories/43260
http://secunia.com/advisories/43273
http://secunia.com/advisories/43275
http://secunia.com/advisories/46397
http://securityreason.com/securityalert/8073
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt
http://www.mandriva.com/security/advisories?name=MDVSA-2011:024
http://www.mandriva.com/security/advisories?name=MDVSA-2011:025
http://www.redhat.com/support/errata/RHSA-2011-0199.html
http://www.redhat.com/support/errata/RHSA-2011-0200.html
http://www.securityfocus.com/archive/1/516299/100/0/threaded
http://www.securityfocus.com/archive/1/520102/100/0/threaded
http://www.securityfocus.com/bid/46271
http://www.securitytracker.com/id?1025037
http://www.vmware.com/security/advisories/VMSA-2011-0012.html
http://www.vupen.com/english/advisories/2011/0330
http://www.vupen.com/english/advisories/2011/0333
http://www.vupen.com/english/advisories/2011/0347
http://www.vupen.com/english/advisories/2011/0464
https://exchange.xforce.ibmcloud.com/vulnerabilities/65323