10th Apr 2003 [SBWID-6130]
COMMAND
	heimdal Cryptographic weakness
SYSTEMS AFFECTED
	version 0.5.2 and prior
PROBLEM
	In Debian Security Advisory DSA-269:
	A cryptographic weakness in version 4 of the  Kerberos  protocol  allows
	an  attacker  to  use  a  chosen-plaintext  attack  to  impersonate  any
	principal in a realm. Additional cryptographic weaknesses  in  the  krb4
	implementation permit the use  of  cut-and-paste  attacks  to  fabricate
	krb4 tickets for unauthorized client principals if triple-DES  keys  are
	used to key krb4 services. These attacks can  subvert  a  site's  entire
	Kerberos authentication infrastructure.
	This version of the heimdal package changes  the  default  behavior  and
	disallows cross-realm authentication for Kerberos version 4. Because  of
	the fundamental nature of the  problem,  cross-realm  authentication  in
	Kerberos version 4 cannot be made secure  and  sites  should  avoid  its
	use. A new option  (--kerberos4-cross-realm)  is  provided  to  the  kdc
	command to re-enable version  4  cross-realm  authentication  for  those
	sites that must use this functionality but  desire  the  other  security
	fixes.
SOLUTION
	upgrade