CVE-2009-0845

Name of the Vulnerable Software and Affected Versions krb5 versions 1.5 through 1.6.3 mit-krb5 versions prior to 1.6.3-r6

Description The issue concerns multiple vulnerabilities in the krb5 package, which can lead to disruption of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. Specifically, the spnego gss accept sec context function in lib/gssapi/spnego/spnego mech.c in MIT Kerberos 5 allows remote attackers to cause a denial of service via invalid ContextFlags data in the reqFlags field in a negTokenInit token.

Recommendations For krb5 versions 1.5 through 1.6.3, update to a version later than 1.6.3 to resolve the issue. For mit-krb5 versions prior to 1.6.3-r6, update to version 1.6.3-r6 or later to resolve the issue. As a temporary workaround, consider restricting access to the spnego gss accept sec context function until a patch is available.