A null pointer dereference in libgssapi_krb5 can lead to a Denial of Service in kerberized daemons. See referenced bug report for details and patch (committed to SVN trunk and 1.7 branch).
ping, please apply this patch. http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=22084&view=rev
Committed mit-krb5-1.6.3-r5 with new patch set release including this patch. Made arch unstable as local installed files are definitely modified. g, mueli
Arches, please test and mark stable: =app-crypt/mit-krb5-1.6.3-r5 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
ppc64 done
ppc done
amd64/x86 stable
Stable on alpha.
arm/ia64/m68k/s390/sh/sparc stable
Stable for HPPA.
CVE-2009-0845 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0845): The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token.
glsa with #263398
GLSA 200904-09