enterprise-support team mailing list archive

[Bug 2110460] [NEW] Merge krb5 from Debian Unstable for questing

Public bug reported:

Scheduled-For: ubuntu-25.06
Ubuntu: 1.21.3-4ubuntu2
Debian Unstable: 1.21.3-5

A new release of krb5 is available for merging from Debian Unstable.

If it turns out this needs a sync rather than a merge, please change the
tag 'needs-merge' to 'needs-sync', and (optionally) update the title as
desired.

### New Debian Changes ###

krb5 (1.21.3-5) unstable; urgency=medium

  * Non-maintainer upload with maintainer agreement.
  * Fix CVE-2025-24528: Prevent overflow when calculating
    ulog block size (Closes: #1094730)

 -- Bastien Roucariès <rouca@xxxxxxxxxx>  Sun, 23 Feb 2025 17:12:14 +0000


### Old Ubuntu Delta ###

krb5 (1.21.3-4ubuntu2) plucky; urgency=medium

  * SECURITY UPDATE: denial of service via two memory leaks
    - debian/patches/CVE-2024-26458.patch: fix two unlikely memory leaks in
      src/lib/gssapi/krb5/k5sealv3.c, src/lib/rpc/pmap_rmt.c.
    - CVE-2024-26458
    - CVE-2024-26461
  * SECURITY UPDATE: kadmind DoS via iprop log file
    - debian/patches/CVE-2025-24528.patch: prevent overflow when
      calculating ulog block size in src/lib/kdb/kdb_log.c.
    - CVE-2025-24528

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Tue, 25 Feb 2025 10:22:31 -0500

krb5 (1.21.3-4ubuntu1) plucky; urgency=medium

  * SECURITY UPDATE: Use of MD5-based message authentication over plaintext
    communications could lead to forgery attacks.
    - debian/patches/CVE-2024-3596.patch: Secure Response Authentication
      by adding support for the Message-Authenticator attribute in non-EAP
      authentication methods.
    - CVE-2024-3596
  * Update libk5crypto3 symbols: add k5_hmac_md5 symbol.

 -- Nicolas Campuzano Jimenez <nicolas.campuzano@xxxxxxxxxxxxx>  Tue, 04 Feb 2025 11:30:48 -0500

** Affects: krb5 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: needs-merge upgrade-software-version

** Changed in: krb5 (Ubuntu)
    Milestone: None => ubuntu-25.06

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to krb5 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2110460

Title:
  Merge krb5 from Debian Unstable for questing