enterprise-support team mailing list archive

[Bug 2110460] Re: Merge krb5 from Debian Unstable for questing

This bug was fixed in the package krb5 - 1.21.3-5ubuntu1

---------------
krb5 (1.21.3-5ubuntu1) questing; urgency=medium

  * Merge with Debian unstable (LP: #2110460). Remaining changes:
    - SECURITY UPDATE: Use of MD5-based message authentication over plaintext
      communications could lead to forgery attacks.
      + debian/patches/CVE-2024-3596.patch: Secure Response Authentication
        by adding support for the Message-Authenticator attribute in non-EAP
        authentication methods.
      + CVE-2024-3596
    - Update libk5crypto3 symbols: add k5_hmac_md5 symbol.
    - SECURITY UPDATE: denial of service via two memory leaks
      + debian/patches/CVE-2024-26458.patch: fix two unlikely memory leaks in
        src/lib/gssapi/krb5/k5sealv3.c, src/lib/rpc/pmap_rmt.c.
      + CVE-2024-26458
      + CVE-2024-26461
  * Dropped:
    - SECURITY UPDATE: kadmind DoS via iprop log file
      + debian/patches/CVE-2025-24528.patch: prevent overflow when
        calculating ulog block size in src/lib/kdb/kdb_log.c.
      + CVE-2025-24528
      [In 1.21.3-5]

krb5 (1.21.3-5) unstable; urgency=medium

  * Non-maintainer upload with maintainer agreement.
  * Fix CVE-2025-24528: Prevent overflow when calculating
    ulog block size (Closes: #1094730)

 -- Andreas Hasenack <andreas@xxxxxxxxxxxxx>  Tue, 22 Jul 2025 15:48:33 -0300

** Changed in: krb5 (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26458

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26461

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-3596

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-24528

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to krb5 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2110460

Title:
  Merge krb5 from Debian Unstable for questing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/2110460/+subscriptions
