Steven Luo

#42663 of 53,630
6.2 Total CVSS
Vulnerabilities · 1
PT-2009-1023
6.2
2009-02-13
MIT · MIT Kerberos · CVE-2009-0360
**Name of the Vulnerable Software and Affected Versions**

pam-krb5 versions prior to 3.13

**Description**

The issue concerns multiple vulnerabilities in the libpam-krb5 package of the Debian GNU/Linux operating system. These vulnerabilities can be exploited by a local attacker to compromise the confidentiality, integrity, and availability of protected information. Specifically, when pam-krb5 is linked against MIT Kerberos and used in a setuid context, it fails to initialize the Kerberos libraries in the secure mode appropriate for a privileged process. As a result, a local user can gain privileges by modifying the Kerberos configuration file and then launching a PAM-based setuid application.

**Recommendations**

For versions prior to 3.13, update to version 3.13 or later to resolve the issue. As a temporary workaround, consider restricting access to setuid applications that use pam-krb5 to minimize the risk of exploitation. Additionally, avoid using modified Kerberos configuration files with PAM-based setuid applications until the issue is resolved.