A flaw was found in how the KDC processed invalid requests. An unauthenticated remote attacker could send an invalid request to a KDC process that would cause it to crash due to an assertion failure, resulting in a denial of service of the KDC.
This flaw only affects MIT krb5 version 1.7 and later; earlier versions did not contain the vulnerable code.
This is now public upstream via MITKRB5-SA-2010-001:
This issue does not affect Red Hat Enterprise Linux 3, 4, or 5 as they do not ship with Kerberos >= 1.7, and this is a vulnerability in code introduced in Kerberos 1.7.
This issue does affect Fedora 11 and 12.
krb5-1.7.1-2.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.