-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 26 May 2025 22:14:10 +0200
Source: krb5
Architecture: source
Version: 1.18.3-6+deb11u7
Distribution: bullseye-security
Urgency: medium
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1103525
Changes:
 krb5 (1.18.3-6+deb11u7) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by LTS team
   * Fix CVE-2025-3576. Closes: #1103525
     A vulnerability in the MIT Kerberos implementation allows
     GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to
     weaknesses in the MD5 checksum design. If RC4 is preferred over
     stronger encryption types, an attacker could exploit MD5 collisions
     to forge message integrity codes. This may lead to unauthorized
     message tampering.
   * Because of the possibility of breaking certain older authentication
     systems, the configuration variables which have been introduced as
     part of the fix (allow_rc4 and allow_des3) are treated as 'true' by
     default. This leaves the 3DES and RC4 algorithms enabled, but
     administrators are strongly encouraged to disable them after
     verifying compatibility in their environments.
   * In KDC, assume all services support aes256-sha1
     To facilitate negotiating session keys with acceptable security,
     assume that services support aes256-cts-hmac-sha1 unless a
     session_enctypes string attribute says otherwise.
Checksums-Sha1:
 347236361c095692153970f0d5de2f2d8bf74114 3814 krb5_1.18.3-6+deb11u7.dsc
 fdbb31fab5bdea24fc464d09bdbc245740648f1a 8715312 krb5_1.18.3.orig.tar.gz
 909b9c68601cf999cd2697c83a0f56efd0faba6d 833 krb5_1.18.3.orig.tar.gz.asc
 21bb06f812320d440a7e0c9142f009fb8a2eca57 121056 krb5_1.18.3-6+deb11u7.debian.tar.xz
 1197ba9359ac8aab0be138c69a53336b8d23710b 21627 krb5_1.18.3-6+deb11u7_amd64.buildinfo
Checksums-Sha256:
 162309912574992c13fadec1c95ad65b4e1a4fef046e15e065f89b13b3e4585f 3814 krb5_1.18.3-6+deb11u7.dsc
 e61783c292b5efd9afb45c555a80dd267ac67eebabca42185362bee6c4fbd719 8715312 krb5_1.18.3.orig.tar.gz
 ded19808ba7320ad0bb3ddfb5202845b2ff36a50613af7832f78dd3cb4437419 833 krb5_1.18.3.orig.tar.gz.asc
 db0041a414f71358d1365c766f7a4c66e6b46774841dcdeab97042049f8fa011 121056 krb5_1.18.3-6+deb11u7.debian.tar.xz
 872818579c4afcf04639a51a52f9e5fb599867aee0ba5538438d6b8846bc834e 21627 krb5_1.18.3-6+deb11u7_amd64.buildinfo
Files:
 8c429c7176b4c5d3a832303c582c35d9 3814 net optional krb5_1.18.3-6+deb11u7.dsc
 a64e8018a7572e0b4bd477c745129ffc 8715312 net optional krb5_1.18.3.orig.tar.gz
 bca804e12e8dc2de6930e916cd7a2ce3 833 net optional krb5_1.18.3.orig.tar.gz.asc
 9d027f3c6cf2ccbe0dd724948f1de6c9 121056 net optional krb5_1.18.3-6+deb11u7.debian.tar.xz
 4cf44ce6f867a22a1860f852d1915cc0 21627 net optional krb5_1.18.3-6+deb11u7_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmg5wDcACgkQADoaLapB
CF86Ew//eYdl9uNlbw3kGg67HUheEM6xQ84DkFcNUg7I+2X2stmJvs7ZAg/SbPM2
dHiVzBHZjzxIF8MmQ03+/9F5a7OgyhuaK4P0RH/iIz3+wK9q8f9bACPHi6tXafOi
TnxAd5TQFk3raJS5S4yedxbXuVo7LNtPvVYKDj5C4cwaIVnSw8HY17Nq5C/TEA9v
0w5RyRcpq2cLnPRjKA3D+fPB+ceUliVfe0FtYr51sjYBnv3eKntL+RtE2mk0syXj
L8L0iHsLTOrasUx8gZLhZ0e0l29uIZyAleEstrVpFfFNHJrNO0Oc9fKiWA2yt5D9
A67vOCaSqwKbwoTP1UxMwDES+P8QFbTzA9WJjrJII6gXK9bYXfNWgpBWSujVBkmp
F1C7ZUO/baDSZaDJRYAq5ScAGi3fOlZeNxnn20gNZddrRsUZ5las95r2TAT3ubvw
a1WJet3LQwzWhuWakq1yUy5PA8OyGcP5jAP+09uAWMtdrGXZ+NNxDUNu6aKABJAH
3kRWESBzQ9Jueny/V9iOiEFWMxgkt4w6d5wGFEveSo7+bkhGIajaHr+DPyIFfkXH
gPgrNzXmCkIWtWQM9aFGcssEJ+3YKmBs42xb+YbMbYuOkxF6ABsNtwkOCX2OOZ1V
GcBj6SEF7pMOskg7cXEer9YySs7pdlhgs1tBLENVY+0B4Se0xqk=
=kMVg
-----END PGP SIGNATURE-----
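The changelog above notes that the fix for CVE-2025-3576 leaves RC4-HMAC-MD5 and 3DES negotiable because the new allow_rc4 and allow_des3 variables default to true, and asks administrators to turn them off once compatibility is confirmed. The krb5.conf fragment below is an added example, not part of the Debian upload or of upstream krb5: it shows the permissive default next to the hardened setting that removes the precondition ("RC4 is preferred over stronger encryption types") the advisory describes. The realm name and the AES-only enctype lists are illustrative assumptions for this example.

```ini
# Added example krb5.conf fragment (not from the Debian package or upstream).
#
# What you get with no entry at all after this update: the changelog says
# allow_rc4 and allow_des3 are treated as true, so writing them out is a no-op
# and RC4-HMAC-MD5 / 3DES stay negotiable for tickets and GSSAPI session keys.
#
# [libdefaults]
#     allow_rc4 = true
#     allow_des3 = true
#
# Hardened form: refuse RC4 and 3DES outright. Before deploying, confirm that no
# service principal or client in the realm still depends on them (for example
# by inspecting the enctypes of live tickets with "klist -e").
[libdefaults]
    # Assumed realm for this example; replace with your own.
    default_realm = EXAMPLE.COM
    allow_rc4 = false
    allow_des3 = false
    # Belt and braces: also restrict the enctypes this host will request or
    # accept, so the weak types are not offered even if the flags are later
    # flipped back. The list is an assumption; extend it if your KDC offers
    # the SHA-2 AES types as well.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

The client-side flags and enctype lists cover the library. The third changelog item is the KDC side of the same problem: the KDC now assumes a service supports aes256-cts-hmac-sha1 when choosing a session key unless that service principal carries a session_enctypes string attribute saying otherwise, so a legacy service that genuinely cannot handle AES needs that attribute set on its principal (via kadmin's setstr command) rather than a realm-wide return to RC4.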