Upstream has issued an advisory on February 3:
Debian has issued an advisory for this:
Patched packages uploaded for Mageia 4 and Cauldron.
Updated krb5 packages fix security vulnerabilities:
Incorrect memory management in the libgssapi_krb5 library might result in
denial of service or the execution of arbitrary code (CVE-2014-5352).
Incorrect memory management in kadmind's processing of XDR data might result
in denial of service or the execution of arbitrary code (CVE-2014-9421).
Incorrect processing of two-component server principals might result in
impersonation attacks (CVE-2014-9422).
An information leak in the libgssrpc library (CVE-2014-9423).
Updated packages in core/updates_testing:
Steps to Reproduce:
Testing on Mageia 4x64 real hardware following procedure mentioned in Comment 1
From current packages :
$ rpm -q -i krb5-server
Name : krb5-server
Version : 1.11.4
Release : 1.3.mga4
To updated testing packages :
In both instances after restarting xinetd.service, command
$ krlogin $(hostname)
This rlogin session is encrypting all data transmissions.
has_procedure MGA4-64-OK =>
has_procedure advisory MGA4-64-OK
I've never been able to get Dave's full test cases working in a VM with the secure msec level set, but I have krb5.conf configured for our AD server domain here, and kinit (AD username) works and klist shows me my ticket. I think that's a sufficient test (Mageia 4 i586).
has_procedure advisory MGA4-64-OK =>
has_procedure advisory MGA4-64-OK MGA4-32-OK
Please push to 4 updates.
An update for this issue has been pushed to Mageia Updates repository.