A denial of service flaw was found in Kerberos's GSS-API spnego security mechanism implementation. A remote attacker could use this flaw to cause gss-server crash via invalid ContextFlags for the reqFlags field in the NegTokenInit in spnego_mech.c, which triggers an assertion failure. Similar vulnerability than CVE-2009-0845. PGP-signed patch from upstream will be available at: http://web.mit.edu/kerberos/advisories/2010-002-patch.txt.asc
This issue does NOT affect the versions of the krb5-workstation package, as shipped with Red Hat Enterprise Linux 3, 4, and 5. This issue does NOT affect the version of the krb5-workstation-servers package, as shipped with Fedora release of 11. This issue affects the version of the krb5-workstation-servers package, as shipped with Fedora release of 12.
This issue is now public: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2010-002.txt
krb5-1.7.1-6.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/krb5-1.7.1-6.fc12
krb5-1.7.1-7.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/krb5-1.7.1-7.fc13
krb5-1.7.1-6.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.7.1-7.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.