Your message dated Sat, 31 May 2025 21:32:13 +0000
with message-id <e1ultol-000yx5...@fasolo.debian.org>
and subject line Bug#1103525: fixed in krb5 1.20.1-2+deb12u4
has caused the Debian Bug report #1103525,
regarding krb5: CVE-2025-3576
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1103525: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103525
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: krb5
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for krb5.
CVE-2025-3576[0]:
| A vulnerability in the MIT Kerberos implementation allows GSSAPI-
| protected messages using RC4-HMAC-MD5 to be spoofed due to
| weaknesses in the MD5 checksum design. If RC4 is preferred over
| stronger encryption types, an attacker could exploit MD5 collisions
| to forge message integrity codes. This may lead to unauthorized
| message tampering.
So far the only reference here is from Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=2359465
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-3576
https://www.cve.org/CVERecord?id=CVE-2025-3576
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: krb5
Source-Version: 1.20.1-2+deb12u4
Done: Bastien Roucariès <ro...@debian.org>
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1103...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <ro...@debian.org> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 07 May 2025 19:06:22 +0200
Source: krb5
Architecture: source
Version: 1.20.1-2+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: Sam Hartman <hartm...@debian.org>
Changed-By: Bastien Roucariès <ro...@debian.org>
Closes: 1103525
Changes:
krb5 (1.20.1-2+deb12u4) bookworm; urgency=medium
.
  * Non Maintainer upload by LTS team
  * Fix CVE-2025-3576. Closes: #1103525
    A vulnerability in the MIT Kerberos implementation
    allows GSSAPI-protected messages using RC4-HMAC-MD5
    to be spoofed due to weaknesses in the MD5 checksum design.
    If RC4 is preferred over stronger encryption types,
    an attacker could exploit MD5 collisions to forge message
    integrity codes. This may lead to unauthorized
    message tampering.
  * Tickets will not be issued with RC4 or triple-DES session
    keys unless explicitly configured with the new allow_rc4
    or allow_des3 variables respectively.
  * In KDC, assume all services support aes256-sha1
    To facilitate negotiating session keys with acceptable security,
    assume that services support aes256-cts-hmac-sha1 unless a
    session_enctypes string attribute says otherwise.
Checksums-Sha1:
84d088b73cfc7a2e0705bb8623c1539018655bd2 3808 krb5_1.20.1-2+deb12u4.dsc
06278439a6cd5a2aa861d8e877451b794487534b 8661660 krb5_1.20.1.orig.tar.gz
1cd01998135e3db3c4401b84459fb19ab8baabaf 833 krb5_1.20.1.orig.tar.gz.asc
8a31ba56c3296a2f3def82411f6e2c9203ff785d 111436 krb5_1.20.1-2+deb12u4.debian.tar.xz
b7118004ed61522d786e3602fd1faf6d6dacfe00 21700 krb5_1.20.1-2+deb12u4_amd64.buildinfo
Checksums-Sha256:
3a83a9c281fa9a4358fe5351ddbd8d02ce26c1b3913c4898c9769475c2d8e270 3808 krb5_1.20.1-2+deb12u4.dsc
704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851 8661660 krb5_1.20.1.orig.tar.gz
2afeec5dbc586cc40b7975645e02b4c41c4d719dd02213e828c72d8239d55666 833 krb5_1.20.1.orig.tar.gz.asc
76a985c0d60ed1a62cbb82b23041185cd9bf9a600ddc0b03172bf8745ac14e85 111436 krb5_1.20.1-2+deb12u4.debian.tar.xz
e19909bae0ff808ea0edf50161337e11c8dd23ceec71d655b2670537b32ed1d3 21700 krb5_1.20.1-2+deb12u4_amd64.buildinfo
Files:
20c4064bc1e8bde0927b96fb1cfb94fb 3808 net optional krb5_1.20.1-2+deb12u4.dsc
73f5780e7b587ccd8b8cfc10c965a686 8661660 net optional krb5_1.20.1.orig.tar.gz
46551f0a032aa02dccac3789a344e028 833 net optional krb5_1.20.1.orig.tar.gz.asc
6493ab3ca67631f33d10dc4efb1a4895 111436 net optional krb5_1.20.1-2+deb12u4.debian.tar.xz
b1761d203e619f8234a06ca729f23c50 21700 net optional krb5_1.20.1-2+deb12u4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmgw6QQACgkQADoaLapB
CF/aEQ/+Ptnp97Wu5DJyC9JfyLPuVeihw9UHb0uhslQBasbtaNT1O499+PSqKMLH
ajCiCCLzUPdfSbykLN3luXPW+mT3HqvepCdhOcHFgRM8XY2ikKE5WdisLzsl3pdg
a6/oQ5JWJ7wTeyYGpXhSCN1m2xDB6Bcs8r7Y8LT6cFFyvGp1EJ+4noTW2Bo9UIYf
lj19aXBu1snQSFMuwSldXKXyKixrJTEOh+64eMOHBL/5sAaXzjsP8GJsxP7jxx+m
bEmdL8aGcay3HpP00RyZHuNGLE+OMq7c8n0tw7OiOfA0j97moK1jntUFgpo5h+Uz
uaY3Qm2q4FXd0XqKSRNOrmN7QFETdWoCtFVLYi50Uqk4ESFTn+MlXa3VbR398AI9
vL7vdwu9N7L36ybzLA6aD38zOAcfxOoE+K0VAppCFKEDZ8tdbQ9REKolSG5CzsBI
bt2eQLccvZaUHXHnE9/pwiR9Bdr6whTzEQoKJENQCfz55+LON3qbL0OdQAGvu6dD
1jJqPJ5lx6f4v+rIfFcsyMvi7u9IMlt+a1KlM4bs7i8FT5nopsVuZze6bTRTTvem
LeTK/noqzTXiCwkCAlgejMWTouPJHkXYZQXpS6N2GwBrIVsVmzWbOCZRAo1jclwp
nXrkX4O77uhHF9rkKLqb4ti9va/T0yfl+fdQb+kDmrSSrIHRjHQ=
=PmAv
-----END PGP SIGNATURE-----
--- End Message ---
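As an added example that is not part of the bug report or of the Debian krb5 package, the following Python script audits the output of `klist -e` on a client or service host and flags tickets whose session key is RC4-HMAC or triple-DES, the two enctypes the changelog above says the KDC stops issuing unless allow_rc4 or allow_des3 is set. The `klist -e` output embedded in the script is constructed for the example; the enctype names it assumes are the ones MIT krb5 prints (arcfour-hmac, des3-cbc-sha1, optionally prefixed with "DEPRECATED:" on newer builds), and the "Etype (skey, tkt):" line format is the one klist uses.

```python
"""Flag Kerberos tickets that still carry RC4 or triple-DES session keys.

Feed it `klist -e` output on stdin (`klist -e | python3 audit_enctypes.py -`),
or run it without arguments to process the constructed sample below.
"""
import re
import sys

# Enctype names as printed by klist. A session key (skey) in this set is one
# the patched KDC will no longer hand out unless allow_rc4 / allow_des3 is
# explicitly enabled in krb5.conf [libdefaults].
WEAK_ENCTYPES = {
    "arcfour-hmac": "RC4-HMAC-MD5 (needs allow_rc4)",
    "arcfour-hmac-exp": "RC4-HMAC-MD5 export (needs allow_rc4)",
    "des3-cbc-sha1": "triple-DES (needs allow_des3)",
}

# "<start date> <start time>  <expiry date> <expiry time>  <service principal>"
_TICKET_RE = re.compile(r"^(\S+\s+\S+)\s+(\S+\s+\S+)\s+(?P<service>\S+@\S+)\s*$")
# "\tEtype (skey, tkt): <session key enctype>, <ticket enctype>"
_ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(?P<skey>[^,]+),\s*(?P<tkt>\S+)")

# Constructed sample: one healthy ticket, one legacy host with an RC4 session
# key, one file server whose long-term and session keys are both 3DES.
SAMPLE_KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
05/31/2025 09:00:00  05/31/2025 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
05/31/2025 09:00:05  05/31/2025 19:00:00  host/legacy.example.com@EXAMPLE.COM
\tEtype (skey, tkt): DEPRECATED:arcfour-hmac, aes256-cts-hmac-sha1-96 
05/31/2025 09:00:07  05/31/2025 19:00:00  cifs/filer.example.com@EXAMPLE.COM
\tEtype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1 
"""


def _normalise(name):
    """Strip whitespace and the DEPRECATED: prefix newer klist versions add."""
    name = name.strip()
    if name.upper().startswith("DEPRECATED:"):
        name = name[len("DEPRECATED:"):]
    return name


def parse_klist(output):
    """Return (service principal, session-key enctype, ticket enctype) tuples."""
    tickets = []
    service = None
    for line in output.splitlines():
        m = _TICKET_RE.match(line)
        if m:
            service = m.group("service")
            continue
        m = _ETYPE_RE.match(line)
        if m and service:
            tickets.append((service, _normalise(m.group("skey")), _normalise(m.group("tkt"))))
            service = None  # an "Etype" line belongs to the ticket line above it
    return tickets


def weak_session_keys(tickets):
    """Return the tickets whose session key is RC4 or 3DES, with the reason."""
    return [(svc, skey, WEAK_ENCTYPES[skey]) for svc, skey, _tkt in tickets if skey in WEAK_ENCTYPES]


def main():
    text = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_KLIST_OUTPUT
    findings = weak_session_keys(parse_klist(text))
    for service, enctype, reason in findings:
        # A weak session key means GSSAPI wrap/MIC tokens for that service use
        # the MD5-based integrity described in CVE-2025-3576; fix the service's
        # keys (or its session_enctypes attribute) rather than re-enabling RC4.
        print(f"WEAK session key {enctype:<15} for {service}: {reason}")
    print(f"{len(findings)} ticket(s) with RC4/3DES session keys")


if __name__ == "__main__":
    main()
```

On a host that has already picked up the updated KDC behaviour the weak list should be empty unless allow_rc4 or allow_des3 was set deliberately; a non-empty list points at service principals that still need AES keys, or a session_enctypes attribute that still names RC4 or 3DES.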