[SECURITY] [DLA 4195-1] krb5 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4195-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
May 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : krb5
Version : 1.18.3-6+deb11u7
CVE ID : CVE-2025-3576
Debian Bug : 1103525
A vulnerability in the MIT Kerberos implementation
allows GSSAPI-protected messages using RC4-HMAC-MD5
to be spoofed due to weaknesses in the MD5 checksum design.
If RC4 is preferred over stronger encryption types,
an attacker could exploit MD5 collisions to forge message
integrity codes. This may lead to unauthorized
message tampering.
To fix CVE-2025-3576, the vulnerable cryptographic
algorithms for tickets need to be disabled explicitly
with the new allow_rc4 and allow_des3 variables.
According to the vulnerability report "Kerberos' RC4-HMAC broken
in practice: spoofing PACs with MD5 collisions", disabling
this cryptographic algorithm may break some older
authentication systems, and administrators should test carefully.
Because of the risk of breaking certain configurations, the
new allow_rc4 and allow_des3 variables are treated as having a
default value of 'true' in updates for older Debian releases.
This leaves the 3DES and RC4 algorithms enabled, but administrators
are strongly encouraged to disable them after verifying
compatibility in their environments.
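The two variables live in the [libdefaults] section of krb5.conf. The following script is an added example, not Debian's or MIT's code: it audits a krb5.conf for the legacy enctypes this update leaves enabled, assuming the allow_rc4/allow_des3 names from this advisory and the standard MIT enctype aliases, and uses constructed sample configs.

```shell
# Added example, not Debian's or MIT's code: audit krb5.conf for the legacy
# RC4-HMAC-MD5 / 3DES enctypes this update leaves on unless allow_rc4 and
# allow_des3 are false. Sample configs and realm EXAMPLE.COM are constructed.

# Print the value of a [libdefaults] key, or "unset" if it is absent.
libdefaults_value() {   # $1 = krb5.conf path, $2 = key name
    awk -v key="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ /\[libdefaults\]/); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
                print v; found = 1; exit
            }
        }
        END { if (!found) print "unset" }' "$1"
}

# Print "weak" when RC4 or 3DES can still be negotiated, "ok" otherwise.
krb5_enctype_audit() {  # $1 = krb5.conf path
    if [ "$(libdefaults_value "$1" allow_rc4)" != false ] ||
       [ "$(libdefaults_value "$1" allow_des3)" != false ]; then
        echo weak; return
    fi
    # Stale legacy names in explicit enctype lists are flagged too, so they
    # get cleaned up rather than relying on the allow_* flags alone.
    if grep -Eiq '^[[:space:]]*(permitted|default_tgs|default_tkt)_enctypes[[:space:]]*=.*(arcfour|rc4|des3)' "$1"; then
        echo weak; return
    fi
    echo ok
}

# Write a constructed krb5.conf ("weak" = pre-update style, "fixed" =
# hardened) to a temp file and print its path.
write_sample() {        # $1 = weak | fixed
    f=$(mktemp)
    {
        echo '[libdefaults]'
        echo '    default_realm = EXAMPLE.COM'
        if [ "$1" = fixed ]; then
            printf '    allow_rc4 = false\n    allow_des3 = false\n'
        else
            echo '    permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac'
        fi
        echo '[realms]'
    } > "$f"
    echo "$f"
}

for kind in weak fixed; do f=$(write_sample "$kind"); printf '%s config: %s\n' "$kind" "$(krb5_enctype_audit "$f")"; rm -f "$f"; done
```

Run it against /etc/krb5.conf instead of the samples to check a real host; "ok" means both flags are explicitly false and no enctype list still names the legacy types.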
For Debian 11 bullseye, this problem has been fixed in version
1.18.3-6+deb11u7.
We recommend that you upgrade your krb5 packages.
For the detailed security status of krb5 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/krb5
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS