How to determine the version (UNCLASSIFIED)

Mackanick, Jason W CTR DISA GIG-OP jason.mackanick.ctr at disa.mil
Wed Jan 9 16:18:13 EST 2008 

Classification:  UNCLASSIFIED 
Caveats: NONE

Thanks Roberto,

That can help me with some direction.  I have to provide guidance and automated shell scripts for Sun, HP, AIX and Redhat.  I new about the changelog for Redhat, but didn't know about the krb5-config command.   


Jason Mackanick, CISSP
DISA FSO Support & Standards Section
Technical Support Team

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Roberto C. Sánchez
Sent: Wednesday, January 09, 2008 4:09 PM
To: kerberos at mit.edu
Subject: Re: How to determine the version (UNCLASSIFIED)

On Wed, Jan 09, 2008 at 10:53:11AM -0500, Mackanick, Jason W CTR DISA GIG-OP wrote:
> Classification:  UNCLASSIFIED
> Caveats: NONE
>  
> Various vendors for unix package kerberos with the operating system.  
> Is there a method to determine the version number for compliance 
> purposes with items such as advisories that are propagated to a CVE?
> 

Jason,

Assuming that the vendor ships the kerberos development packages, something like this might be what you want:

krb5-config --version
Kerberos 5 release 1.4.4

A cursory look would tell you that I am vulnerable to a heap of CVEs related to Kerberos.

However, in my case I am running Debian Etch.  Debian has a policy of not introducing new upstream versions just to patch security fixes, so they always do targeted security fixes.  So, the version installed on my machine is something like this:

apt-cache policy libkrb5-dev |grep Installed
  Installed: 1.4.4-7etch4

Looking at the package changelog, there are several entries (4, in fact) like this:

krb5 (1.4.4-7etch4) stable-security; urgency=emergency

  * Fix bug in fix for CVE-2007-3999: the previous patch could allow an
    overflow of up to 32 bytes.   Depending on how locals are layed out on
    the stack, this may or may not be a problem.

 -- Sam Hartman <hartmans at debian.org>  Tue, 04 Sep 2007 19:51:49 -0400

The total number of CVEs noted in the changelog for the current release is six.  So, while a look at the raw version number as reported by Kerberos looks bad, further infestigation shows that I am OK in that department (assuming there have only been six CVEs total since the release of 1.4.4; I have not checked).

So, I guess it depends in part on your Unix vendor's security policy.
Since you are .mil, you are most probably using Solaris.  I know that Sun deploys packages (you can access information about them using pkginfo), but that about exhausts my knowledge of Solaris-specific sysadmin knowledge.  So, if sun ships detailed changelogs with their packages (like Debian does), you might be able to glean the necessary information from there.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Classification:  UNCLASSIFIED 
Caveats: NONE

More information about the Kerberos mailing list