Subject: Re: Vulnerabilities in KTH Kerberos IV
From: Robert Watson (rwatson FREEBSD.ORG)
Date: Sun Dec 10 2000 - 14:52:39 CST
On Fri, 8 Dec 2000, Jouko Pynnonen wrote:
> There are at least two common free Kerberos implementations:
> MIT and KTH (Royal Institute of Technology, Sweden). The latter is
> included in OpenBSD and FreeBSD.
...
> OS vendors were notified 11/28 via a mailing list, and KTH Kerberos
> team 12/01.
Despite being explicitly mentioned in the advisory as an affected
operating system and the statement of notification above, the FreeBSD
Project was not notified in advance of the release of this advisory. We
are currently evaluating the effect of the vulnerability on our code base,
and will no doubt be releasing a security advisory shortly.
In the future, we would appreciate it if those aware of vulnerabilities in
our code base made some minimal effort to contact us before releasing an
advisory; we have widely published the availability of our
security-officer FreeBSD.org address and service, as well as PGP keys to
protect communications as necessary. In addition, both CERT and
SecurityFocus can provide assistance in identifying vulnerable software,
and in contacting vendors affected. I'm sure other vendors have also been
caught off-guard by this vulnerability, and would similarly appreciate
advance notice.
Thanks,
Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert fledge.watson.org      NAI Labs, Safeport Network Services