• bookworm-pu: package krb5/1.20.1-2+deb12u3

    From Bastien Roucariès to Debian Bug Tracking System on Thu Mar 13 18:09:35 2025
    XPost: linux.debian.devel.release


    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: krb5@packages.debian.org
    Control: affects -1 + src:krb5
    User: release.debian.org@packages.debian.org
    Usertags: pu

    [ Reason ]
    * CVE-2025-24528

    [ Impact ]
    * Low security bug is no-dsa but should be fixed

    [ Tests ]
    * automatic upstream test


    [ Risks ]
    Low, code is straightforward

    [ Checklist ]
    [X] *all* changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in (old)stable
    [X] the issue is verified as fixed in unstable

    [ Changes ]
    * Non-maintainer upload by LTS team
    * Fixes CVE-2024-26462 (Closes: #1064965)
    A memory leak vulnerability was found in /krb5/src/kdc/ndr.c.
    * Fixes CVE-2025-24528 (Closes: #1094730)
    Prevent overflow when calculating ulog block size
    * Add Salsa CI

    [ Other info ]
    None

    Attachment: krb5.debdiff (text/x-patch)

    diff -Nru krb5-1.20.1/debian/changelog krb5-1.20.1/debian/changelog
    --- krb5-1.20.1/debian/changelog 2024-07-01 17:31:35.000000000 +0000
    +++ krb5-1.20.1/debian/changelog 2025-02-23 17:42:24.000000000 +0000
    @@ -1,5 +1,16 @@
    +krb5 (1.20.1-2+deb12u3) bookworm; urgency=medium
    +
    + * Non Maintainer upload by LTS team
    + * Fixes CVE-2024-26462 (Closes: #1064965)
    + A memory leak vulnerability was found in /krb5/src/kdc/ndr.c.
    + * Fixes CVE-2025-24528 (Closes: #1094730)
    + Prevent overflow when calculating ulog block size
    + * Add Salsa CI
    +
    + -- Bastien Roucariès <rouca@debian.org> Sun, 23 Feb 2025 17:42:24 +0000
    +
    krb5 (1.20.1-2+deb12u2) bookworm-security; urgency=high
    -
    +
    * CVE-2024-37370: an unauthenticated attacker can modify the
    extra count in an RFC 4121 GSS token, causing the token to appear
    truncated.
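    Review bot: the `-`/`+` pair at the blank line directly under the `krb5 (1.20.1-2+deb12u2) bookworm-security; urgency=high` header is a whitespace-only edit to an already-released stanza and should be dropped so the debdiff adds only the new deb12u3 entry. In the new stanza, `Non Maintainer upload by LTS team` should use the usual wording `Non-maintainer upload by the Debian LTS Team`, and `/krb5/src/kdc/ndr.c` should be the in-tree path `src/kdc/ndr.c`. `Add Salsa CI` is a non-security packaging change in a stable update; either justify it in the bug or keep it for unstable.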
    diff -Nru krb5-1.20.1/debian/patches/CVE-2024-26462.patch krb5-1.20.1/debian/patches/CVE-2024-26462.patch
    --- krb5-1.20.1/debian/patches/CVE-2024-26462.patch 1970-01-01 00:00:00.000000000 +0000
    +++ krb5-1.20.1/debian/patches/CVE-2024
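    Review bot: the debdiff ends mid-header at the `+++ krb5-1.20.1/debian/patches/CVE-2024` line, so the body of debian/patches/CVE-2024-26462.patch and any later files (the CVE-2025-24528 fix the changelog claims, the Salsa CI config) are not visible here and cannot be reviewed; please attach the complete debdiff.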