1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.DIST

  • bookworm-pu: package krb5/1.20.1-2+deb12u4

    From Bastien Roucaries@21:1/5 to Debian Bug Tracking System on Wed May 7 22:04:40 2025
    XPost: linux.debian.devel.release

    This is a multi-part message in MIME format.

    --nextPart2654408.Lt9SDvczpP
    Content-Transfer-Encoding: 7Bit
    Content-Type: text/plain; charset="utf-8"

    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: krb5@packages.debian.org
    Control: affects -1 + src:krb5
    User: release.debian.org@packages.debian.org
    Usertags: pu



    [ Reason ]
    CVE-2025-3576

    [ Impact ]
    CVE-2025-3576 is not fixed.

    [ Tests ]
    Test suite

    [ Risks ]
    low disabling security hardening is possible

    [ Checklist ]
    [X] *all* changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in (old)stable
    [X] the issue is verified as fixed in unstable

    [ Changes ]
    * Fix CVE-2025-3576. Closes: #1103525
    A Vulnerability in the MIT Kerberos implementation
    allows GSSAPI-protected messages using RC4-HMAC-MD5
    to be spoofed due to weaknesses in the MD5 checksum design.
    If RC4 is preferred over stronger encryption types,
    an attacker could exploit MD5 collisions to forge message
    integrity codes. This may lead to unauthorized
    message tampering.
    * Tickets will not be issued with RC4 or triple-DES session
    keys unless explicitly configured with the new allow_rc4
    or allow_des3 variables respectively.
    * In KDC, assume all services support aes256-sha1
    To facilitate negotiating session keys with acceptable security,
    assume that services support aes256-cts-hmac-sha1 unless a
    session_enctypes string attribute says otherwise.


    [ Other info ]
    Reviewed by debian maintainer

    --nextPart2654408.Lt9SDvczpP
    Content-Disposition: attachment; filename="krb5.debdiff" Content-Transfer-Encoding: quoted-printable
    Content-Type: text/x-patch; charset="UTF-8"; name="krb5.debdiff"

    diff -Nru krb5-1.20.1/debian/changelog krb5-1.20.1/debian/changelog
    --- krb5-1.20.1/debian/changelog 2025-02-23 18:42:24.000000000 +0100
    +++ krb5-1.20.1/debian/changelog 2025-05-07 19:06:22.000000000 +0200
    @@ -1,3 +1,24 @@
    +krb5 (1.20.1-2+deb12u4) bookworm; urgency=medium
    +
    + * Non Maintainer upload by LTS team
    + * Fix CVE-2025-3576. Closes: #1103525
    + A Vulnerability in the MIT Kerberos implementation
    + allows GSSAPI-protected messages using RC4-HMAC-MD5
    + to be spoofed due to weaknesses in the MD5 checksum design.
    + If RC4 is preferred over stronger encryption types,
    + an attacker could exploit MD5 collisions to forge message
    + integrity codes. This may lead to unauthorized
    + message tampering.
    + * Tickets will not be issued with RC4 or triple-DES session
    + keys unless explicitly configured with the new allow_rc4
    + or allow_des3 variables respectively.
    + * In KDC, assume all services support aes256-sha1
    + To facilitate negotiating session keys with acceptable security,
    + assume that services support aes256-cts-hmac-sha