PT-2009-6745 · Mit+1 · Mit-Krb5+2

Published: 1970-01-01 · Updated: 2024-06-15

CVE-2009-0844

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions
krb5 versions 1.5 through 1.6.3
mit-krb5 versions prior to 1.6.3-r6

Description
The issue affects the confidentiality, integrity, and availability of protected information and can be exploited remotely. The get_input_token function in the SPNEGO implementation allows remote attackers to cause a denial of service and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read.

Recommendations
For krb5 versions 1.5 through 1.6.3, update to a version later than 1.6.3 to resolve the issue. For mit-krb5 versions prior to 1.6.3-r6, update to version 1.6.3-r6 or later to resolve the issue. As a temporary workaround, consider restricting access to the SPNEGO implementation until a patch is available.

Fix

DoS

Buffer Overflow

Weakness Enumeration

Related identifiers

BDU:2015-04525
BDU:2015-04526
BDU:2015-04527
BDU:2015-04528
BDU:2015-04529
BDU:2015-09389
CVE-2009-0844
DSA-1766-1
OPENSUSE-SU-2024:10004-1
RHSA-2009:0408
RHSA-2009_0408

Affected products

Red Hat
Krb5
Mit-Krb5