krb5-1.13.2-10.el7

Errata ID: AXSA:2015-622:02

Release date: 
Friday, November 20, 2015 - 21:02
Subject: 
krb5-1.13.2-10.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of sending passwords over the network in unencrypted form.

Security issues fixed with this release:

CVE-2014-5355
MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a
krb5_read_message data field is represented as a string ending with a
'\0' character, which allows remote attackers to (1) cause a denial of
service (NULL pointer dereference) via a zero-byte version string or
(2) cause a denial of service (out-of-bounds read) by omitting the
'\0' character, related to appl/user_user/server.c and
lib/krb5/krb/recvauth.c.
CVE-2015-2694
The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x
before 1.13.2 do not properly track whether a client's request has
been validated, which allows remote attackers to bypass an intended
preauthentication requirement by providing (1) zero bytes of data or
(2) an arbitrary realm name, related to plugins/preauth/otp/main.c and
plugins/preauth/pkinit/pkinit_srv.c.
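
The first issue above is the classic mistake of treating a length-prefixed network buffer as a NUL-terminated C string. The following C example is added here to illustrate it; it is not code from krb5. The `net_buf` struct, the function names and the sample messages are simplified stand-ins constructed for this example (the real type is krb5_data, and the real checks live in lib/krb5/krb/recvauth.c and appl/user_user/server.c); only the version string "KRB5_SENDAUTH_V1.0" is the one the krb5_sendauth()/krb5_recvauth() exchange actually uses.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a krb5_read_message() result: a peer-supplied
 * buffer whose only trustworthy bound is `length`. Nothing guarantees a
 * trailing '\0' (this is not the real krb5_data type). */
typedef struct {
    unsigned int length;
    char *data;
} net_buf;

/* The version string exchanged by krb5_sendauth()/krb5_recvauth(). */
static const char SENDAUTH_VERSION[] = "KRB5_SENDAUTH_V1.0";

/* Vulnerable pattern (the pre-1.13.2 mistake): the peer's bytes are
 * handed to strcmp() as if they were a C string.
 *  - zero-length message: data is NULL -> NULL pointer dereference
 *  - message without '\0': strcmp() reads past the end of the buffer
 * Only call this with a well-formed message; the other two cases are
 * undefined behaviour, which is exactly the bug. */
int version_ok_unsafe(const net_buf *msg)
{
    return strcmp(msg->data, SENDAUTH_VERSION) == 0;
}

/* Hardened check: every byte access is bounded by `length`, the
 * terminator must lie inside the buffer, and the comparison covers
 * exactly the bytes that were received. Returns 1 on match, else 0. */
int version_ok_safe(const net_buf *msg)
{
    const size_t want = sizeof SENDAUTH_VERSION;   /* 19: text plus NUL */

    if (msg == NULL || msg->data == NULL || msg->length == 0)
        return 0;                            /* empty: reject, never deref */
    if (msg->data[msg->length - 1] != '\0')
        return 0;                            /* no terminator in bounds */
    if (msg->length != want)
        return 0;                            /* length mismatch: not ours */
    return memcmp(msg->data, SENDAUTH_VERSION, want) == 0;
}

/* Constructed sample messages (not captured traffic). */
static char bytes_valid[]          = "KRB5_SENDAUTH_V1.0"; /* 19 bytes, NUL included */
static char bytes_unterminated[18] = "KRB5_SENDAUTH_V1.0"; /* 18 bytes, NUL dropped */
static char bytes_wrong[]          = "KRB5_SENDAUTH_V9.9";

const net_buf msg_valid        = { sizeof bytes_valid, bytes_valid };
const net_buf msg_unterminated = { sizeof bytes_unterminated, bytes_unterminated };
const net_buf msg_wrong        = { sizeof bytes_wrong, bytes_wrong };
const net_buf msg_empty        = { 0, NULL };

int main(void)
{
    printf("valid message        -> %d\n", version_ok_safe(&msg_valid));        /* 1 */
    printf("missing terminator   -> %d\n", version_ok_safe(&msg_unterminated)); /* 0 */
    printf("wrong version string -> %d\n", version_ok_safe(&msg_wrong));        /* 0 */
    printf("zero-byte message    -> %d\n", version_ok_safe(&msg_empty));        /* 0 */
    /* version_ok_unsafe(&msg_empty) or (&msg_unterminated) would crash or
     * read out of bounds; that is the behaviour CVE-2014-5355 fixed. */
    return 0;
}
```

The order of the checks matters: the empty-buffer test comes first so that `data[length - 1]` is never evaluated with length 0, and the terminator test comes before any string function sees the bytes. Once the terminator is known to be in bounds, the exact-length memcmp() is both safer and stricter than strcmp(), since a peer cannot smuggle extra bytes after the NUL.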

Fixed bugs:

* Previously, the RADIUS support (libkrad) in krb5 sent authentication requests over Transmission Control Protocol (TCP) transports multiple times, because it accidentally used a retry code path intended only for unreliable transports such as User Datagram Protocol (UDP). A patch that disables manual retries for reliable transports such as TCP has been applied, and the correct code path is now used in this situation.
* Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver systems sometimes failed. The SAP NetWeaver developer trace displayed the following error message:

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. krb5-1.13.2-10.el7.src.rpm
    MD5: ddb6f0cc724f2203e9688ecbadf5616c
    SHA-256: 42b2e1d8b94b55a28ecb4c9abf6d2c70047427ccffecd2bb2c5c3c21514775a4
    Size: 13.24 MB

Asianux Server 7 for x86_64
  1. krb5-devel-1.13.2-10.el7.x86_64.rpm
    MD5: cc6f648c5d993bdf8a5956e424f12e2a
    SHA-256: 88187044b4735b46235eb719f387f15ae7bc7a66fca8f9826b0b175dd3ceeeb5
    Size: 648.36 kB
  2. krb5-libs-1.13.2-10.el7.x86_64.rpm
    MD5: 8def89a4ece966bf185ddd593af383c0
    SHA-256: 6ae630b49a51b4059333711b174e223f2d497ed671bdd214b98a8877414a071c
    Size: 836.16 kB
  3. krb5-server-1.13.2-10.el7.x86_64.rpm
    MD5: 8189ab8da5f8f26728d35713b314f76d
    SHA-256: 70a24735e1b8b0b2bf2c9d035b3ea92e7c5f9598d3e0a8f1108ef48086842d87
    Size: 919.80 kB
  4. krb5-server-ldap-1.13.2-10.el7.x86_64.rpm
    MD5: 498dbfbe05a471a181df86abc863abd4
    SHA-256: ff8a5a99a18819fbdfc180968d633bd5cad63fb10c944deb888cb19ac06fd136
    Size: 181.04 kB
  5. krb5-workstation-1.13.2-10.el7.x86_64.rpm
    MD5: c7b3c6e4e3cbd8cebf6a9b7f2341ddb9
    SHA-256: b705e27942cf212b02122ed7bcab1d695c093c335d3b4804f7dd490504dd84c1
    Size: 764.29 kB
  6. krb5-devel-1.13.2-10.el7.i686.rpm
    MD5: 3345c2ccea2bc27790bb888a5ded0f1d
    SHA-256: e7fd545263eab15ef58628591eda91d1d44c4f61ed10c5c74a189b94b8b7a045
    Size: 647.30 kB
  7. krb5-libs-1.13.2-10.el7.i686.rpm
    MD5: bc1b56a642fe5136db68cd227321d54e
    SHA-256: c70b1578917862e668d731f461172d706312ae54977d132e741e4b7a69edd5e1
    Size: 836.63 kB