SCIENTIFIC-LINUX-ERRATA Archives

April 2010

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Troy Dawson
Date: Tue, 27 Apr 2010 10:56:40 -0500

Synopsis:	Low: pam_krb5 security and bug fix update
Issue date:	2010-03-30
CVE Names:	CVE-2009-1384

A flaw was found in pam_krb5. In some non-default configurations
(specifically, those where pam_krb5 would be the first module to prompt
for a password), the text of the password prompt varied based on whether
or not the username provided was a username known to the system. A
remote attacker could use this flaw to recognize valid usernames, which
would aid a dictionary-based password-guessing attack. (CVE-2009-1384)
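The oracle described above, as an added illustration that is not part of the advisory or of pam_krb5's own code. The prompt strings, realm, user list and the toy PAM stack are constructed stand-ins; the point is only that a login service which relays the PAM prompt to the client turns any prompt-text difference into a free test for account existence, and that the leak depends on which module in the stack prompts first:

```python
"""Username-enumeration oracle of the kind CVE-2009-1384 describes.

Constructed example: the prompt strings, realm, user list and the
simplified PAM stack below are stand-ins, not real pam_krb5 behaviour.
"""

REALM = "EXAMPLE.COM"                 # assumed realm
KNOWN_USERS = {"alice", "bob"}        # constructed: accounts the system knows

# A username that almost certainly does not exist; its prompt is the
# attacker's baseline for "unknown user".
PROBE_USER = "zz-no-such-user-7c1e"


def vulnerable_prompt(username: str) -> str:
    """Pre-fix behaviour as the advisory describes it: the prompt text
    depends on whether the username is known.  Strings are illustrative."""
    if username in KNOWN_USERS:
        return f"Password for {username}@{REALM}: "
    return "Password: "


def fixed_prompt(username: str) -> str:
    """Post-fix behaviour: the same prompt whether or not the user exists."""
    return "Password: "


def pam_unix_prompt(username: str) -> str:
    """Stand-in for a module whose prompt never depends on the user."""
    return "Password: "


def stack_prompt(stack, username: str) -> str:
    """Constructed simplification of PAM stacking: the first module that asks
    for a password determines the prompt the client sees; later modules reuse
    that password (use_first_pass) and never prompt."""
    return stack[0](username)


def enumerate_users(prompt_fn, candidates):
    """Attacker's view: flag every candidate whose prompt differs from the
    unknown-user baseline.  No password guess has to be correct."""
    baseline = prompt_fn(PROBE_USER)
    return sorted(u for u in candidates if prompt_fn(u) != baseline)


WORDLIST = ["admin", "alice", "bob", "carol", "root"]   # constructed candidates

# Default-style stack (another module prompts first) vs. the non-default
# stack the advisory warns about (pam_krb5 prompts first).
DEFAULT_STACK = [pam_unix_prompt, vulnerable_prompt]
KRB5_FIRST_STACK = [vulnerable_prompt, pam_unix_prompt]


def leaked_via_stack(stack, candidates):
    return enumerate_users(lambda u: stack_prompt(stack, u), candidates)


if __name__ == "__main__":
    print("vulnerable module, prompting first:", enumerate_users(vulnerable_prompt, WORDLIST))
    print("fixed module, prompting first:     ", enumerate_users(fixed_prompt, WORDLIST))
    print("vulnerable module behind pam_unix: ", leaked_via_stack(DEFAULT_STACK, WORDLIST))
    print("vulnerable module prompting first: ", leaked_via_stack(KRB5_FIRST_STACK, WORDLIST))
```

The same check is worth running against a real host: log in twice over a service that forwards PAM prompts, once with a known and once with a nonsense username, and diff the prompt text; any difference is an enumeration oracle regardless of which module causes it.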

This update also fixes the following bugs:

* certain applications which do not properly implement PAM conversations
may fail to authenticate users whose passwords have expired and must be
changed, or may succeed without forcing the user's password to be
changed. This bug is triggered by a previously-applied fix to pam_krb5
which makes it comply more closely with the PAM specifications. If an
application misbehaves, enabling the "chpw_prompt" option for its
service should restore the old behavior. (BZ#509092)

* pam_krb5 does not allow the user to change an expired password in 
cases where the Key Distribution Center (KDC) is configured to refuse 
attempts to obtain forwardable password-changing credentials. This 
update fixes this issue. (BZ#489015)

* verification of the TGT could fail because of incorrect keytab handling. (BZ#450776)

SL 5.x

     SRPMS:
pam_krb5-2.2.14-15.src.rpm
     i386:
pam_krb5-2.2.14-15.i386.rpm
     x86_64:
pam_krb5-2.2.14-15.i386.rpm
pam_krb5-2.2.14-15.x86_64.rpm
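A check that an SL 5.x host actually carries the fixed build, added here as an example and not part of the advisory. It runs the rpm(8) query shown, falls back to a constructed sample when rpm is absent so it works offline, and compares epoch/version/release with a simplified port of rpm's rpmvercmp (tilde and caret ordering are omitted). The sample output is constructed; the fixed version and release come from the package list above. On x86_64 both the i386 and x86_64 instances are listed, so each installed arch is checked separately:

```python
"""Is the installed pam_krb5 at or past the fixed build 2.2.14-15?

Added example, not part of the advisory.  The sample rpm output is
constructed; the version comparison is a simplified port of rpmvercmp.
"""
import re
import subprocess

FIXED = ("0", "2.2.14", "15")   # epoch, version, release from the advisory
_SEG = re.compile(r"\d+|[A-Za-z]+")

# Actual query to run; one line per installed instance (i386 and x86_64 on
# a multilib host).
QUERY = ["rpm", "-q", "--qf",
         "%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n", "pam_krb5"]

SAMPLE_OUTPUT = """\
pam_krb5 (none) 2.2.14 10 i386
pam_krb5 (none) 2.2.14 10 x86_64
"""   # constructed: an unpatched x86_64 host that also has the i386 package


def rpmvercmp(a: str, b: str) -> int:
    """-1, 0 or 1 like rpm's rpmvercmp: split into numeric and alphabetic
    segments; numeric segments compare by value and beat alphabetic ones;
    the string with segments left over is the newer one."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evrcmp(a, b) -> int:
    """Compare (epoch, version, release) tuples field by field."""
    for x, y in zip(a, b):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def parse_rpm_q(output: str):
    """Yield (arch, (epoch, version, release)) per installed instance.
    'package X is not installed' lines are skipped."""
    for line in output.splitlines():
        if not line.strip() or line.startswith("package "):
            continue
        _name, epoch, ver, rel, arch = line.split()
        yield arch, ("0" if epoch == "(none)" else epoch, ver, rel)


def vulnerable_instances(output: str, fixed=FIXED):
    """Arches whose installed pam_krb5 is older than the fixed build."""
    return [arch for arch, evr in parse_rpm_q(output) if evrcmp(evr, fixed) < 0]


def main():
    try:
        out = subprocess.run(QUERY, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:          # no rpm here: use the constructed sample
        out = SAMPLE_OUTPUT
    bad = vulnerable_instances(out)
    print("still vulnerable:", bad if bad else "none")


if __name__ == "__main__":
    main()
```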

-Connie Sieh
-Troy Dawson
