Optional Type: Patch

krb5 - security advisory - CVE-2008-0062 CVE-2008-0063

Released: Apr 25, 2008     Updated: Apr 25, 2008

Description

KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable for some krb4 message types, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted messages that trigger a NULL pointer dereference or double-free.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0062


Also:

The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not properly clear the unused portion of a buffer when generating an error message, which might allow remote attackers to obtain sensitive information, aka "Uninitialized stack values."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0063

IDENTIFIER = WIND00120131
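The bug class behind CVE-2008-0063 (an error reply whose unused buffer bytes are never cleared), shown beside the hardened pattern. This is an added illustration, not krb5 source or part of the patch; REPLY_LEN, the function names and the sample bytes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define REPLY_LEN 64   /* constructed fixed reply size, not a krb4 constant */

/* Vulnerable pattern: writes the error text, then reports the whole fixed-size
 * buffer as the reply, so bytes after the text keep their previous contents. */
size_t build_error_reply_leaky(unsigned char *reply, const char *text)
{
    size_t n = strlen(text);
    if (n >= REPLY_LEN) n = REPLY_LEN - 1;
    memcpy(reply, text, n);
    reply[n] = '\0';
    return REPLY_LEN;                 /* caller transmits REPLY_LEN bytes */
}

/* Hardened pattern: clear the entire buffer before filling it. */
size_t build_error_reply_cleared(unsigned char *reply, const char *text)
{
    memset(reply, 0, REPLY_LEN);
    return build_error_reply_leaky(reply, text);
}

/* Counts non-zero bytes after the text terminator: data the peer should not see. */
size_t stale_bytes(const unsigned char *reply)
{
    size_t end = 0, count = 0;
    while (end < REPLY_LEN && reply[end] != 0) end++;
    for (size_t i = end; i < REPLY_LEN; i++)
        count += (reply[i] != 0);
    return count;
}

/* Pre-fills the buffer with 'K' as a constructed stand-in for leftover secrets. */
size_t demo(int hardened)
{
    unsigned char reply[REPLY_LEN];
    memset(reply, 'K', sizeof reply);
    if (hardened)
        build_error_reply_cleared(reply, "unknown principal");
    else
        build_error_reply_leaky(reply, "unknown principal");
    return stale_bytes(reply);
}

int main(void)
{
    printf("leaky: %zu stale bytes, cleared: %zu\n", demo(0), demo(1));
    return 0;
}
```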


Product Version

Linux Platforms 2.0

Installation Notes

WIND00124674.zip is for 1.4
WIND00124675.zip is for 1.5
WIND00120156.zip is for 2.0

1. Unzip the patch under [install_dir]/updates

2. From the [install_dir]/updates directory, run the command "../maintenance/mtool/mtool_linux".

3. Follow the instructions for installing the point patch.

4. Once the patch has been installed, run the command "make -C build krb5.rebuild" to rebuild the krb5 package with the source file fix.

5. Next, run "make fs".

6. Upload the kernel and rootfs to the target and boot it up.