PT-2009-6749 · MIT · MIT Kerberos 5

Jan Lieskovsky · Published 1970-01-01 · Updated 2024-06-15 · CVE-2009-4212

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

- MIT Kerberos 5 (krb5) versions 1.3 through 1.6.3
- MIT Kerberos 5 (krb5) versions 1.7 before 1.7.1
- krb5-devel-64bit (affected versions not specified)
- krb5-debuginfo-32bit (affected versions not specified)
- krb5-x86 (affected versions not specified)
- mit-krb5 versions prior to 1.9.2-r1
- krb5-plugin-preauth-pkinit-debuginfo (affected versions not specified)
- krb5-debuginfo-64bit (affected versions not specified)
- krb5-debugsource (affected versions not specified)
- krb5-debuginfo-x86 (affected versions not specified)
- krb5-64bit (affected versions not specified)
- krb5-debuginfo (affected versions not specified)
- krb5-apps-servers (affected versions not specified)
- krb5-apps-clients (affected versions not specified)
Description

The krb5 package contains multiple vulnerabilities that can compromise the confidentiality, integrity, and availability of protected information, and they are exploitable remotely. They stem from integer underflows in the AES and RC4 decryption code of the crypto library: ciphertext whose length is too short to be valid makes the length arithmetic wrap, which can crash the daemon (denial of service) or possibly allow arbitrary code execution.
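The length-check failure the description refers to, as an added C illustration that is not krb5's own code: the block size and HMAC tag size are constructed for the example, and the payload-length computation is reduced to the unsigned subtraction that wraps, shown beside the hardened form that validates the minimum length first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sizes for illustration only; they are not krb5's constants. */
#define BLOCK_SIZE 16u  /* AES block size in bytes */
#define HMAC_SIZE  12u  /* truncated HMAC tag appended to the ciphertext */

/* Vulnerable pattern: the length of the encrypted payload is derived from the
 * input length by plain unsigned subtraction, before anyone has confirmed the
 * input is long enough to hold a tag at all. For input_len < HMAC_SIZE the
 * result wraps to a value near SIZE_MAX; any memcpy, loop or pointer offset
 * bounded by it then runs far past the real buffer. */
size_t payload_len_unchecked(size_t input_len)
{
    return input_len - HMAC_SIZE;
}

/* True when the unchecked computation produced a length larger than the input
 * it was derived from, i.e. the wrap-around the advisory describes happened. */
bool unchecked_length_wrapped(size_t input_len)
{
    return payload_len_unchecked(input_len) > input_len;
}

/* Hardened pattern, step 1: a well-formed ciphertext carries at least one
 * cipher block plus the trailing tag. Anything shorter is rejected outright. */
bool ciphertext_len_valid(size_t input_len)
{
    return input_len >= BLOCK_SIZE + HMAC_SIZE;
}

/* Hardened pattern, step 2: only do arithmetic on a length that has passed
 * validation. Returns 0 for rejected input; since a valid payload is always at
 * least BLOCK_SIZE bytes, the caller can map 0 to a "bad ciphertext" error. */
size_t payload_len_checked(size_t input_len)
{
    if (!ciphertext_len_valid(input_len))
        return 0;
    return input_len - HMAC_SIZE;
}
```

A decryption routine built on the hardened functions fails closed on short input instead of trusting a wrapped length, which turns the crash or memory-corruption path into an ordinary decrypt error.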
Recommendations

- For MIT Kerberos 5 (krb5) versions 1.3 through 1.6.3, update to a version outside of this range.
- For MIT Kerberos 5 (krb5) versions 1.7 before 1.7.1, update to version 1.7.1 or later.
- For mit-krb5 versions prior to 1.9.2-r1, update to version 1.9.2-r1 or later.
- For the other affected packages, there is currently no information about a newer version that contains a fix for this vulnerability.

DoS

Related Identifiers

BDU:2015-04533
BDU:2015-05252
BDU:2015-05253
BDU:2015-05254
BDU:2015-05255
BDU:2015-05256
BDU:2015-05257
BDU:2015-05258
BDU:2015-05259
BDU:2015-05260
BDU:2015-05261
BDU:2015-05262
BDU:2015-09426
CVE-2009-4212
DSA-1969-1
OPENSUSE-SU-2024:10004-1
RHSA-2010:0029
RHSA-2010_0029

Affected Products

Mit Kerberos 5
Red Hat