
Accepted krb5 1.18.3-6+deb11u7 (source) into oldstable-security



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 26 May 2025 22:14:10 +0200
Source: krb5
Architecture: source
Version: 1.18.3-6+deb11u7
Distribution: bullseye-security
Urgency: medium
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1103525
Changes:
 krb5 (1.18.3-6+deb11u7) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by LTS team
   * Fix CVE-2025-3576. Closes: #1103525
     A vulnerability in the MIT Kerberos implementation
     allows GSSAPI-protected messages using RC4-HMAC-MD5
     to be spoofed due to weaknesses in the MD5 checksum design.
     If RC4 is preferred over stronger encryption types,
     an attacker could exploit MD5 collisions to forge message
     integrity codes. This may lead to unauthorized
     message tampering.
   * Because of the possibility of breaking certain older
     authentication systems, the configuration variables which
     have been introduced as part of the fix (allow_rc4 and
     allow_des3) are treated as 'true' by default. This leaves
     the 3DES and RC4 algorithms enabled, but administrators
     are strongly encouraged to disable them after verifying
     compatibility in their environments.
   * In KDC, assume all services support aes256-sha1
     To facilitate negotiating session keys with acceptable security,
     assume that services support aes256-cts-hmac-sha1 unless a
     session_enctypes string attribute says otherwise.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
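
Because this upload leaves allow_rc4 and allow_des3 treated as 'true' when unset, a krb5.conf that never mentions them still has RC4 and 3DES enabled. The following audit sketch is an added example, not code from Debian or MIT krb5. It assumes the two variables are read from the [libdefaults] section, that the boolean spellings listed match the krb5 profile parser, and that the first occurrence of a key wins.

```python
import re

# Per the changelog above, this backport treats an absent flag as true.
BACKPORT_DEFAULT = True
WEAK_FLAGS = ("allow_rc4", "allow_des3")
# Boolean spellings assumed to match MIT krb5's profile parser.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}

# Constructed sample krb5.conf (realm and domain names are placeholders).
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_rc4 = false
[domain_realm]
    .example.org = EXAMPLE.ORG
"""

def audit_krb5_conf(text):
    """Return {flag: (enabled, reason)} based on the [libdefaults] section."""
    section, seen = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                 # section header such as [realms]
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        seen.setdefault(key, value.lower())   # assumption: first value wins
    report = {}
    for flag in WEAK_FLAGS:
        value = seen.get(flag)
        if value in TRUE_WORDS:
            report[flag] = (True, "explicitly enabled")
        elif value in FALSE_WORDS:
            report[flag] = (False, "explicitly disabled")
        else:  # absent or unparseable: assumed to fall back to the default
            reason = "not set" if value is None else f"unparseable value {value!r}"
            report[flag] = (BACKPORT_DEFAULT, reason + ", backport default applies")
    return report

if __name__ == "__main__":
    for flag, (enabled, reason) in audit_krb5_conf(SAMPLE_CONF).items():
        print(f"{flag}: {'ENABLED' if enabled else 'disabled'} ({reason})")
```
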
