It was reported that the KDC plugin for PKINIT could dereference a NULL pointer when a malformed packet caused processing to terminate early, which led to a crash of the KDC process. An attacker would require a valid PKINIT certificate or have observed a successful PKINIT authentication to execute a successful attack. In addition, an unauthenticated attacker could execute the attack of anonymouse PKINIT was enabled.
The PKINIT plugin was introduced in version 1.6.3; versions prior are not affected by this vulnerability.
This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 5 as they did not include support for PKINIT.
Upstream fix is here:
and it is fixed in upstream version 1.11.1.
Created krb5 tracking bugs for this issue
Affects: fedora-all [bug 914756]
krb5-1.10.2-9.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0656 https://rhn.redhat.com/errata/RHSA-2013-0656.html
krb5-1.10.3-14.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Kerberos 5 release krb5-1.9.5 announcement: