An integer signedness error in the ASN.1 decoder before version 1.2.5 allows remote attackers to cause a denial of service via a large unsigned data element length, which is later used as a negative value. The Common Vulnerabilities and Exposures project has assigned the name CAN-2002-0036 to this issue. The Key Distribution Center (KDC) before version 1.2.5 allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0058 to this issue. A vulnerability in Kerberos before version 1.2.3 allows users from one realm to impersonate users in other realms that share the same inter-realm keys. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0059 to this issue. The MIT advisory for these issues also mentions format string vulnerabilities in the logging routines (CAN-2003-0060); previous versions of the kerberos packages from Red Hat already contain fixes for that issue.
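The signedness error behind CAN-2002-0036 is a general pattern, not something specific to Kerberos: an unsigned length read from the wire is stored in a signed int, the bounds check is done as a signed comparison, and the now-negative value is later converted back to size_t and handed to a copy routine. The following is an added example constructed for this page; it is not MIT krb5's asn1buf code. It assumes a toy DER-style element whose long-form length is encoded as 0x84 followed by four big-endian bytes, and the function names (vuln_decode, safe_decode, the helpers) and sample buffers are all invented for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes for the toy decoders below (constructed for this example). */
typedef enum { DECODE_OK = 0, DECODE_TRUNCATED = 1, DECODE_REJECTED = 2 } decode_status;

/* Reads a long-form length: tag byte 0x84 followed by a 4-byte big-endian length.
 * Returns 0 on success, -1 if the header itself is not present. */
static int read_long_form_length(const unsigned char *p, size_t avail, uint32_t *out)
{
    if (avail < 5 || p[0] != 0x84)
        return -1;
    *out = ((uint32_t)p[1] << 24) | ((uint32_t)p[2] << 16) |
           ((uint32_t)p[3] << 8)  |  (uint32_t)p[4];
    return 0;
}

/* Vulnerable pattern: the unsigned wire length is stored in a signed int and the
 * bounds check is a signed comparison. A length >= 0x80000000 becomes negative
 * (implementation-defined, two's complement on every mainstream compiler), so
 * "len > remaining" is false and the element is accepted. */
decode_status vuln_decode(const unsigned char *buf, size_t buflen, int *len_out)
{
    uint32_t raw;
    if (read_long_form_length(buf, buflen, &raw) != 0)
        return DECODE_TRUNCATED;
    int len = (int)raw;                 /* signedness error: huge unsigned -> negative */
    int remaining = (int)(buflen - 5);  /* bytes that actually follow the header */
    if (len > remaining)                /* negative len never trips this check */
        return DECODE_TRUNCATED;
    *len_out = len;
    /* The real code path would now do the equivalent of
     * memcpy(dst, buf + 5, (size_t)len), i.e. copy SIZE_MAX - 15 bytes and crash. */
    return DECODE_OK;
}

/* Hardened pattern: keep the length unsigned end to end and compare it against the
 * unsigned count of bytes that are actually present. */
decode_status safe_decode(const unsigned char *buf, size_t buflen, size_t *len_out)
{
    uint32_t raw;
    if (read_long_form_length(buf, buflen, &raw) != 0)
        return DECODE_TRUNCATED;
    size_t remaining = buflen - 5;
    if ((size_t)raw > remaining)        /* unsigned comparison: 0xFFFFFFF0 > 3 */
        return DECODE_REJECTED;
    *len_out = raw;
    return DECODE_OK;
}

/* Constructed sample elements (not captured traffic). The first claims a length of
 * 0xFFFFFFF0 but carries only three content bytes; the second is well-formed. */
static const unsigned char SAMPLE_HUGE_LEN[] = {0x84, 0xFF, 0xFF, 0xFF, 0xF0, 'a', 'b', 'c'};
static const unsigned char SAMPLE_OK[]       = {0x84, 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'};

/* Length the vulnerable decoder accepts for the hostile element (0 if it rejected). */
int vuln_accepted_len(void)
{
    int len = 0;
    return vuln_decode(SAMPLE_HUGE_LEN, sizeof SAMPLE_HUGE_LEN, &len) == DECODE_OK ? len : 0;
}

/* The size_t the vulnerable decoder would pass on to a copy routine. */
size_t vuln_copy_size(void)
{
    return (size_t)vuln_accepted_len();
}

/* Hardened decoder's verdict on the hostile element. */
int safe_status_huge(void)
{
    size_t len = 0;
    return (int)safe_decode(SAMPLE_HUGE_LEN, sizeof SAMPLE_HUGE_LEN, &len);
}

/* Both decoders on the well-formed element should agree on a length of 3. */
int vuln_len_ok(void)
{
    int len = 0;
    return vuln_decode(SAMPLE_OK, sizeof SAMPLE_OK, &len) == DECODE_OK ? len : -1;
}

int safe_len_ok(void)
{
    size_t len = 0;
    return safe_decode(SAMPLE_OK, sizeof SAMPLE_OK, &len) == DECODE_OK ? (int)len : -1;
}

int main(void)
{
    printf("vulnerable decoder accepted length %d; copy size would be %zu bytes\n",
           vuln_accepted_len(), vuln_copy_size());
    printf("hardened decoder status on the same element: %d (2 = rejected)\n",
           safe_status_huge());
    return 0;
}
```

The fix is not to add a `len < 0` check after the fact but to never let the value become signed: the comparison against the remaining byte count must be done in the unsigned domain, and the length should be capped well below SIZE_MAX before any allocation or copy is attempted.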
These were addressed in RHSA-2003-052, closing.