MIT Kerberos Development Team Information for VU#602625
KTH Kerberos environment variables krb4proxy and KRBCONFDIR may be used insecurely
- Vendor Information Help Date Notified: 08 Dec 2000
- Statement Date:
- Date Updated: 11 Jan 2001
I do not believe it is a problem. The krb4 code within the MIT krb5 distributions does not contain any setuid application code that calls the krb4 library. Certainly our telnetd does not permit those variables to be set.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.