[CVE-2009-0845] krb5 <= 1.6.3, remote denial of service

infwonder · **Posted:** Mon Mar 30, 2009 1:21 am

CVE-2009-0845 wrote:

The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token.

This is fixed in upstream svn:
http://src.mit.edu/fisheye/browse/krb5/ ... 5&r2=22084

More information can be found here:
http://krbdev.mit.edu/rt/Ticket/Display ... st&id=6402

We currently have version 1.6.3 in both types of repo.

Refernces:
http://web.nvd.nist.gov/view/vuln/detai ... -2009-0845
http://www.securityfocus.com/bid/34257

!8!

infwonder · **Posted:** Wed Apr 08, 2009 1:19 am

Official SA:
http://web.mit.edu/kerberos/advisories/ ... 09-001.txt

And here is another security issue:

http://web.mit.edu/kerberos/advisories/ ... 09-002.txt

They are both to be fixed in upcoming 1.6.4 and 1.7 release.

[CVE-2009-0845] krb5 <= 1.6.3, remote denial of service

Who is online