Bug#1104882: bookworm-pu: package krb5/1.20.1-2+deb12u4
Control: tags -1 + confirmed
On Wed, 2025-05-07 at 15:20 -0600, Sam Hartman wrote:
> In my mind, the risk of this update is toward the high end of what we
> accept in stable updates.
> This change disables two encryption types in the over-the-wire
> protocol.
> That is, it intentionally introduces an incompatibility. If you
> install this update, things may stop working for you.
> As Bastien points out, you can disable the security hardening and get
> things working again, but you have to take manual action.
>
> In my mind, the PACC attack plus the threat of not-very-public GSS
> attacks is worth introducing this incompatibility.
> I also think the set of configurations that we will break is low.
> So I do recommend this update is accepted.
Thanks for the explanation, Sam.
Please go ahead.
Regards,
Adam