PT-2009-6744 · Mit+2 · Krb5-Devel+11
Published
1970-01-01
·
Updated
2024-06-15
·
CVE-2009-0846
CVSS v2.0
10
High
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
krb5 versions prior to 1.6.4
mit-krb5 versions prior to 1.6.3-r6
krb5-libs versions 1.3.4
krb5-devel versions 1.3.4
krb5-server versions 1.3.4
krb5-workstation versions 1.3.4
krb5-debuginfo versions (affected versions not specified)
krb5-debuginfo-32bit versions (affected versions not specified)
krb5-debuginfo-64bit versions (affected versions not specified)
krb5-debugsource versions (affected versions not specified)
Description
MIT Kerberos 5 (krb5) before 1.6.4 has a flaw in the ASN.1 GeneralizedTime decoder (the asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c). A message carrying an invalid DER encoding drives the decoder down an error path that frees a pointer which was never initialized. Because the KDC and other krb5 daemons decode attacker-supplied ASN.1 before any authentication takes place, a remote unauthenticated attacker can crash the daemon (denial of service) and may be able to execute arbitrary code, compromising the confidentiality, integrity, and availability of protected information.
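The bug class the description names, shown as an added illustration (this is example code written for this page, not krb5's asn1_decode_generaltime or any MIT code): a toy DER GeneralizedTime decoder in the vulnerable shape, where a length octet that claims more bytes than the message carries sends an error path to a cleanup that frees a pointer nothing ever assigned, beside the fixed shape. The error names mirror krb5's; the asn1buf type, the helper functions, the error values and the sample encodings are this example's own assumptions, and the inputs are constructed, not captured traffic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Error names follow MIT krb5's ASN.1 layer; the values and every line below are
 * this example's own construction (assumption), not krb5 source. */
enum { ASN1_OK = 0, ASN1_BAD_ID, ASN1_BAD_LENGTH, ASN1_OVERRUN, ASN1_BAD_FORMAT, ASN1_NOMEM };
#define TAG_GENERALIZEDTIME 0x18
#define GENERALTIME_LEN     15                  /* strlen("YYYYMMDDHHMMSSZ") */
struct asn1buf { const unsigned char *next, *bound; };  /* [next, bound) is unread */

/* Copy `len` octets into a fresh NUL-terminated string.  When the length octet
 * claims more than the buffer holds, fail WITHOUT assigning *out. */
static int remove_charstring(struct asn1buf *buf, size_t len, char **out)
{
    if ((size_t)(buf->bound - buf->next) < len) return ASN1_OVERRUN;
    char *s = malloc(len + 1);
    if (!s) return ASN1_NOMEM;
    memcpy(s, buf->next, len);
    s[len] = '\0';
    buf->next += len;
    *out = s;
    return ASN1_OK;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm). */
static long long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153u * (unsigned)(m + (m > 2 ? -3 : 9)) + 2) / 5 + (unsigned)d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long long)doe - 719468;
}

/* Parse "YYYYMMDDHHMMSSZ" (DER mandates the trailing Z) into seconds since the epoch. */
static int parse_generaltime(const char *s, time_t *val)
{
    if (strlen(s) != GENERALTIME_LEN || s[14] != 'Z') return ASN1_BAD_FORMAT;
    for (int i = 0; i < 14; i++)
        if (s[i] < '0' || s[i] > '9') return ASN1_BAD_FORMAT;
#define D2(p) ((s[p] - '0') * 10 + (s[p + 1] - '0'))
    int year = D2(0) * 100 + D2(2), mon = D2(4), day = D2(6), hh = D2(8), mm = D2(10), ss = D2(12);
#undef D2
    if (mon < 1 || mon > 12 || day < 1 || day > 31 || hh > 23 || mm > 59 || ss > 60) return ASN1_BAD_FORMAT;
    *val = (time_t)(days_from_civil(year, mon, day) * 86400 + hh * 3600 + mm * 60 + ss);
    return ASN1_OK;
}

/* VULNERABLE shape (the CVE's bug class): `s` is never initialised, and the overrun
 * error path jumps to a shared cleanup that frees it.  Never feed it malformed input. */
static int decode_generaltime_vulnerable(struct asn1buf *buf, time_t *val)
{
    char *s;                               /* indeterminate until remove_charstring succeeds */
    if (buf->bound - buf->next < 2 || buf->next[0] != TAG_GENERALIZEDTIME) return ASN1_BAD_ID;
    size_t length = buf->next[1];
    buf->next += 2;
    if (length != GENERALTIME_LEN) return ASN1_BAD_LENGTH;
    int retval = remove_charstring(buf, length, &s);
    if (retval) goto cleanup;              /* BUG: s is still indeterminate here */
    retval = parse_generaltime(s, val);
cleanup:
    free(s);                               /* frees garbage whenever the length octet lied */
    return retval;
}

/* FIXED shape: NULL-initialise so free() is always safe, and return before cleanup
 * while nothing has been allocated. */
static int decode_generaltime_fixed(struct asn1buf *buf, time_t *val)
{
    char *s = NULL;
    if (buf->bound - buf->next < 2 || buf->next[0] != TAG_GENERALIZEDTIME) return ASN1_BAD_ID;
    size_t length = buf->next[1];
    buf->next += 2;
    if (length != GENERALTIME_LEN) return ASN1_BAD_LENGTH;
    int retval = remove_charstring(buf, length, &s);
    if (retval) return retval;             /* nothing to free yet */
    retval = parse_generaltime(s, val);
    free(s);
    return retval;
}

/* Wrappers over raw octets: decoded epoch seconds, or minus the error code. */
static long long fixed_result(const unsigned char *p, size_t n)
{ time_t t = 0; struct asn1buf b = { p, p + n }; int r = decode_generaltime_fixed(&b, &t); return r ? -r : (long long)t; }
static long long vulnerable_result(const unsigned char *p, size_t n)   /* well-formed input only */
{ time_t t = 0; struct asn1buf b = { p, p + n }; int r = decode_generaltime_vulnerable(&b, &t); return r ? -r : (long long)t; }

/* Constructed sample encodings (not captured traffic). */
static const unsigned char kGood[]      = { 0x18, 0x0f, '2','0','0','9','0','4','0','7','1','2','3','4','5','6','Z' };
static const unsigned char kTruncated[] = { 0x18, 0x0f, '2','0','0','9','0' };   /* claims 15 octets, carries 5 */
static const unsigned char kBadLength[] = { 0x18, 0x0d, '2','0','0','9','0','4','0','7','1','2','3','4','Z' };

int main(void)
{
    printf("good %lld, truncated %lld, badlength %lld\n", fixed_result(kGood, sizeof kGood),
           fixed_result(kTruncated, sizeof kTruncated), fixed_result(kBadLength, sizeof kBadLength));
    return 0;
}
```

Only the fixed decoder is ever handed the truncated encoding; the vulnerable one is called on well-formed input alone, because free() of an indeterminate pointer is undefined behaviour and on a real allocator means a crash or heap corruption. The two decoders differ in exactly two places: the `= NULL` initialiser and the early return before cleanup. To watch the bug fire, build with a sanitizer (-fsanitize=address or -fsanitize=memory) and pass kTruncated to decode_generaltime_vulnerable.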
Recommendations
For krb5 versions prior to 1.6.4, update to version 1.6.4 or later.
For mit-krb5 versions prior to 1.6.3-r6, update to version 1.6.3-r6 or later.
For the Red Hat packages krb5-libs, krb5-devel, krb5-server and krb5-workstation 1.3.4, and for krb5-debuginfo, krb5-debuginfo-32bit, krb5-debuginfo-64bit and krb5-debugsource (whose affected versions are not listed), install the vendor's updated packages that carry the fix for CVE-2009-0846. Vendors usually backport the fix without changing the upstream version number, so confirm the update by checking the installed package's changelog for CVE-2009-0846 rather than comparing the version against 1.6.4. Restart the KDC, kadmind and any other service linked against the Kerberos libraries after updating.
Fix
DoS
Buffer Overflow
Access of Uninitialized Pointer
Affected Products
Hp-Ux
Red Hat
Krb5
Krb5-Debuginfo
Krb5-Debuginfo-32Bit
Krb5-Debuginfo-64Bit
Krb5-Debugsource
Krb5-Devel
Krb5-Libs
Krb5-Server
Krb5-Workstation
Mit-Krb5