MIT Kerberos 5 before version 1.6.4, Service Console package krb5, Service Console package pam_krb5
VIBs Included
krb5-libs krb5-workstation pam_krb5
Related CVE numbers
CVE-2009-0844, CVE-2009-0845, CVE-2009-0846
Solution
Summaries and Symptoms
Issues fixed in this patch (and their relevant symptoms, if applicable) include:
Service Console package krb5 has been updated to version krb5-1.6.1-31. This fixes the following issues:
Kerberos versions 5 1.5 through 1.6.3 might allow remote attackers to cause a denial of service and possibly obtain sensitive information by using a crafted length value that triggers a buffer over-read. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0844 to this issue.
MIT Kerberos versions 5 1.5 through 1.6.3 might allow remote attackers to cause a denial of service by using invalid ContextFlags data in the reqFlags field in a negTokenInit token. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0845 to this issue.
MIT Kerberos 5 before version 1.6.4 might allow remote attackers to cause a denial of service or possibly execute arbitrary code by using vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0846 to this issue.
Service Console package pam_krb5 has been upgraded to pam_krb5-2.2.14-10. For details on the issues that this upgrade addresses, refer to the Red Hat advisory at https://rhn.redhat.com/errata/RHBA-2009-0135.html.
Deployment Considerations
None beyond the required patch bundles and reboot information listed in the table, above.
