A null pointer dereference in libgssapi_krb5 can lead to a Denial of Service in kerberized daemons. See referenced bug report for details and patch (committed to SVN trunk and 1.7 branch).
ping, please apply this patch.
Committed mit-krb5-1.6.3-r5 with new patch set release including this patch. Made arch unstable as local installed files are definitely modified.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable on alpha.
Stable for HPPA.
The spnego_gss_accept_sec_context function in
lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.6.3,
when SPNEGO is used, allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash) via invalid
ContextFlags data in the reqFlags field in a negTokenInit token.
glsa with #263398