A brief security analysis: For application servers, authdata elements are supposed to be mandatory by default, meaning the server should reject the request if it doesn't understand the authdata. For KDCs, authdata elements are only mandatory if they are embedded in a MANDATORY-FOR-KDC container. Because of this bug, the KDC might not properly reject a request which contains a MANDATORY-FOR-KDC container. This is no worse than the behavior in 1.7 and prior, so this does not constitute a serious security issue. I'm not aware of any defined authdata types which make use of MANDATORY-FOR-KDC.