Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1031501]

This has a different identifier from CVE-2013-1418, but points to the same patch.  Is there anything to update in the packaging here beyond what we already did for 1418?

No.  I'm not sure why they split this other than the code looks slightly different but the fix is identical, and one is in 1.10.x and other 1.12.  I'm actually at a complete loss as to why MITRE did this.  As far as I'm concerned, this is CVE-2013-1418 (or bug #1026942).

Okay, then.  I'll see if I can add this to the changelogs in source control, so that if/when we push other updates it'll show up there.  Thanks!

Yeah, I think for some reason that this is for 1.10.x and the other is for 1.11 (which makes no sense as the code is so similar).  I guess mention it but I'm quite certain these two CVEs should be one.

Apparently, split was triggered by this wording in the upstream RT / commit:

  *A related* but more minor vulnerability requires authentication to
  exploit, and is only present if a third-party KDC database module can
  dereference a null pointer under certain conditions.

Note: This issue can be triggered only if multiple realms are served from one KDC

Statement:

(none)

IssueDescription:

It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request.

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1245 https://rhn.redhat.com/errata/RHSA-2014-1245.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1389 https://rhn.redhat.com/errata/RHSA-2014-1389.html