Hole in Kerberos module threatens Apache web server
The Kerberos authentication protocol is intended to make networks more secure, but a security hole in the mod_auth_kerb Apache module means that it has exactly the opposite effect. Attackers could used specially prepared Kerberos queries to crash web servers with version 5.0, 5.1 or 5.2 installed – or even plant and execute arbitrary code. Other versions of the module may also potentially be affected.
No more precise details about the bug are available as yet, but it is purportedly related to a heap overflow in the spnegokrb5/der_get.c module in the der_get_oid function. No official update has been released. It seems likely that the Linux distributors will release updated packages soon, however.
- CVE-2006-5989 mod_auth_kerb segfault with FC6 client, entry in bug database from Redhat
- CVE-2006-5989 mod_auth_kerb segfaults when talking to newest KRB5 libs, entry in bug database from Redhat
(ehe)