A flaw was found in krb5 certificate EKU validation which could lead to improper authorization if a forged certificate with the right EKU and no SAN is used.
The PKINIT certauth eku module should never authoritatively authorize a certificate, because an extended key usage does not establish a relationship between the certificate and any specific user; it only establishes that the certificate was created for PKINIT client
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7: via RHSA-2018:0666, https://access.redhat.com/errata/RHSA-2018:0666