Tom Yu

**Name of the Vulnerable Software and Affected Versions** MIT Kerberos 5 (krb5) versions 1.3.1 and earlier krb5-devel version 1.2.2 krb5-server version 1.2.2 krb5-libs version 1.2.2 krb5-workstation version 1.2.2 **Description** The issue concerns multiple vulnerabilities in the krb5 package of Red Hat Enterprise Linux, which can lead to a breach of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. A double free vulnerability in the `krb5 rd cred` function may allow local users to execute arbitrary code. **Recommendations** For MIT Kerberos 5 (krb5) versions 1.3.1 and earlier, update to a version later than 1.3.1 to resolve the issue. For krb5-devel version 1.2.2, update to a newer version to mitigate the risk. For krb5-server version 1.2.2, update to a newer version to mitigate the risk. For krb5-libs version 1.2.2, update to a newer version to mitigate the risk. For krb5-workstation version 1.2.2, update to a newer version to mitigate the risk. As a temporary workaround, consider restricting access to the vulnerable components until a patch is available.

**Name of the Vulnerable Software and Affected Versions** krb5-workstation versions 1.1.1 through 1.2.7 krb5-configs version 1.1.1 krb5-devel versions 1.1.1 through 1.2.7 krb5-server versions 1.1.1 through 1.2.7 krb5-libs versions 1.1.1 through 1.2.7 krb5 versions 1.1.1 through 1.2.7 **Description** The issue affects the Kerberos protocol, allowing an attacker to impersonate any principal in a realm via a chosen-plaintext attack. This can lead to a violation of confidentiality, integrity, and availability of protected information. The exploitation of these vulnerabilities can be carried out remotely. **Recommendations** For krb5-workstation versions 1.1.1 through 1.2.7, update to a version that contains a fix for this issue. For krb5-configs version 1.1.1, update to a version that contains a fix for this issue. For krb5-devel versions 1.1.1 through 1.2.7, update to a version that contains a fix for this issue. For krb5-server versions 1.1.1 through 1.2.7, update to a version that contains a fix for this issue. For krb5-libs versions 1.1.1 through 1.2.7, update to a version that contains a fix for this issue. For krb5 versions 1.1.1 through 1.2.7, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the Kerberos protocol until a patch is available.

**Name of the Vulnerable Software and Affected Versions** krb5-workstation versions 1.1.1 through 1.2.7 krb5-devel versions 1.1.1 through 1.2.7 krb5-configs version 1.1.1 krb5-server versions 1.1.1 through 1.2.7 krb5-libs versions 1.1.1 through 1.2.7 krb5 versions 1.1.1 through 1.2.7 **Description** The issue concerns multiple vulnerabilities in the krb5 package of Red Hat Linux, which can lead to disruption of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. Certain weaknesses in the implementation of version 4 of the Kerberos protocol in the krb5 distribution allow an attacker to create unauthorized tickets using a cut-and-paste attack and "ticket splicing" when triple-DES keys are used. **Recommendations** For krb5-workstation versions 1.1.1 through 1.2.7, update to a version that contains a fix for this issue. For krb5-devel versions 1.1.1 through 1.2.7, update to a version that contains a fix for this issue. For krb5-configs version 1.1.1, update to a version that contains a fix for this issue. For krb5-server versions 1.1.1 through 1.2.7, update to a version that contains a fix for this issue. For krb5-libs versions 1.1.1 through 1.2.7, update to a version that contains a fix for this issue. For krb5 versions 1.1.1 through 1.2.7, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the vulnerable components until a patch is available.