CVE-2007-2443

Name of the Vulnerable Software and Affected Versions: MIT Kerberos 5 (krb5) versions 1.6.1 and earlier krb5-server-1.5 krb5-libs-1.5 krb5-devel-1.5 krb5-1.5 krb5-workstation-1.5 mit-krb5 versions prior to 1.5.2-r3

Description: The issue is related to multiple vulnerabilities in the krb5 package, which can lead to disruption of confidentiality, integrity, and availability of protected information. Exploitation of these vulnerabilities can be done remotely. Specifically, an integer signedness error in the gssrpc svcauth unix function in svc auth unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value.

Recommendations: For MIT Kerberos 5 (krb5) versions 1.6.1 and earlier, consider updating to a version later than 1.6.1. For krb5-server-1.5, krb5-libs-1.5, krb5-devel-1.5, krb5-1.5, and krb5-workstation-1.5, update to a version later than 1.5. For mit-krb5 versions prior to 1.5.2-r3, update to version 1.5.2-r3 or later. As a temporary workaround, consider restricting access to the gssrpc svcauth unix function in the RPC library until a patch is available.