
Re: krb5 review



On Fri, May 23, 2025 at 10:42:56PM +0200, Bastien Roucaries wrote:
> On Friday, 23 May 2025, 21:34:26 Central European Summer Time, Roberto C.
> Sánchez wrote:
>
> > To me, that specifically requires that the krb5 maintainers be in
> > agreement with fixing this in bookworm and then landing the fix in
> > bookworm first (since it is already in unstable and trixie). Once
> > that happens, then we can consider landing the fix in bullseye and
> > older. Have you communicated with the maintainers of krb5 to know how
> > they feel about fixing this in bookworm?
> 
> Bookworm was fixed by PU

Can you confirm this?

The last upload to proposed-updates was on 2025-04-14, version
1.20.1-2+deb12u3, and it fixed CVE-2024-26462 and CVE-2025-24528. This
version was included in the recent 12.11 point release, and I do not see
a newer version anywhere that the PTS or the security tracker would be
aware of.

Additionally, the CVE is still triaged like this:

[bookworm] - krb5 <no-dsa> (Minor issue)

Which would also suggest that there is nothing pending in PU at the
moment.

Regards,

-Roberto

-- 
Roberto C. Sánchez

