Andrew Korty

Name of the Vulnerable Software and Affected Versions: mit-krb5 versions prior to 1.5.2 Kerberos 5 versions 1.4 through 1.4.4 Kerberos 5 versions 1.5 through 1.5.1 Description: The issue affects the RPC library in Kerberos 5, which can be exploited remotely, potentially leading to a denial of service or arbitrary code execution. This could compromise the confidentiality, integrity, and availability of protected information. Recommendations: For mit-krb5 versions prior to 1.5.2, update to version 1.5.2 or later. For Kerberos 5 versions 1.4 through 1.4.4, update to a version outside of this range. For Kerberos 5 versions 1.5 through 1.5.1, update to a version outside of this range. As a temporary workaround, consider restricting access to the RPC library in Kerberos 5 to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: mit-krb5 versions prior to 1.5.2 GSS-API library for Kerberos 5 versions 1.5 through 1.5.1 Description: The issue affects the mit-krb5 package in Gentoo Linux and the GSS-API library for Kerberos 5, allowing remote attackers to exploit vulnerabilities that may lead to a violation of confidentiality, integrity, and availability of protected information. Specifically, the "mechglue" abstraction interface in the GSS-API library can cause a denial of service (crash) via unspecified vectors that cause mechglue to free uninitialized pointers, such as `mechglue` interface. Recommendations: For mit-krb5 versions prior to 1.5.2, update to version 1.5.2 or later. For GSS-API library for Kerberos 5 versions 1.5 through 1.5.1, update to version 1.5.2 or later. As a temporary workaround, consider restricting access to the `mechglue` abstraction interface until a patch is available.