libkrb5.so is vulnerable to authentication bypasses. A malicious user can pass a forged krb cert with the right EKU when no SANs is used as no relationship is established between a user and the certificate.
www.securityfocus.com/bid/100511
access.redhat.com/errata/RHSA-2018:0666
access.redhat.com/security/cve/CVE-2017-7562
bugzilla.redhat.com/show_bug.cgi?id=1485510
bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7562
github.com/krb5/krb5/commit/07243f85a760fb37f0622d7ff0177db3f19ab025
github.com/krb5/krb5/pull/694
github.com/krb5/krb5/pull/694/commits/1de6ca2f2eb1fdbab51f1549a25a6903aefcc196
github.com/krb5/krb5/pull/694/commits/50fe4074f188c2d4da0c421e96553acea8378db2
github.com/krb5/krb5/pull/694/commits/b7af544e50a4d8291524f590e20dd44430bf627d