All versions of the kadmind daemon are vulnerable to a remote root exploit, if compiled with support for the Kerberos 4 kadmin protocol. Heimdal 0.5.1 should fix this problem.
If you are running a version older than 0.5.1 AND have Kerberos 4 support enabled in kadmind, you should disable kadmind until you have time to upgrade.
To tell if kadmind is vulnerable you can run:
    # /usr/heimdal/libexec/kadmind --version
    kadmind (Heimdal 0.5.1, KTH-KRB 1.2)
    Copyright (c) 1999-2002 Kungliga Tekniska Högskolan
    Send bug-reports to heimdal-bugs@pdc.kth.se
Non-vulnerable binaries include Heimdal 0.5.1, and binaries that DO NOT show a Kerberos 4 version string (KTH-KRB 1.2 in the example).
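The check above can be scripted across several hosts. The following is an added example, not part of the original advisory or of Heimdal: the function names are hypothetical, letter suffixes such as "0.4e" are assumed to compare by their numeric part, and the sample lines other than the advisory's own are constructed.

```shell
#!/bin/sh
# Classify the first line of `kadmind --version` output per the advisory:
# vulnerable = Heimdal older than 0.5.1 AND a Kerberos 4 (KTH-KRB) string.

# version_lt A B: succeed if dotted version A is older than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Assumption: drop letter suffixes ("4e" -> "4"); missing parts are 0.
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # versions are equal
}

# classify_kadmind LINE: print vulnerable, not-vulnerable or unknown.
classify_kadmind() {
    line=$1
    case $line in
        *"(Heimdal "*) ;;
        *) echo unknown; return 0 ;;   # not a recognisable version line
    esac
    ver=${line#*"(Heimdal "}           # text after "(Heimdal "
    ver=${ver%%[,)]*}                  # up to the first "," or ")"
    case $line in
        *KTH-KRB*) krb4=yes ;;         # Kerberos 4 support compiled in
        *) krb4=no ;;
    esac
    if [ "$krb4" = yes ] && version_lt "$ver" 0.5.1; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}

# First sample is the advisory's example; the other two are constructed.
for l in "kadmind (Heimdal 0.5.1, KTH-KRB 1.2)" \
         "kadmind (Heimdal 0.4e, KTH-KRB 1.2)" \
         "kadmind (Heimdal 0.4e)"; do
    printf '%s -> %s\n' "$l" "$(classify_kadmind "$l")"
done
```

To check a real host, pass the first line of the `--version` output shown above as the argument.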
The kadmind service should run on your master KDC, and can be run either from inetd or as a standalone daemon.
See also CAN-2002-1225 (and possibly CAN-2002-1226).