MIT Kerberos Development Team Information for VU#602625

KTH Kerberos environment variables krb4proxy and KRBCONFDIR may be used insecurely

Status

Not Affected

Vendor Statement

I do not believe it is a problem. The krb4 code within the MIT krb5 distributions does not contain any setuid application code that calls the krb4 library. Certainly our telnetd does not permit those variables to be set.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.