krb5 -- multiple checksum handling vulnerabilities

The MIT Kerberos team reports:

MIT krb incorrectly accepts an unkeyed
checksum with DES session keys for version 2 (RFC 4121)
of the GSS-API krb5 mechanism.
An unauthenticated remote attacker can forge GSS tokens that are
intended to be integrity-protected but unencrypted, if the targeted
pre-existing application session uses a DES session key.
MIT krb5 KDC incorrectly accepts RFC
3961 key-derivation checksums using RC4 keys when verifying the
req-checksum in a KrbFastArmoredReq.
An unauthenticated remote attacker has a 1/256 chance of swapping a
client-issued KrbFastReq into a different KDC-REQ, if the armor
key is RC4. The consequences are believed to be minor.