-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 07 May 2025 19:06:22 +0200
Source: krb5
Architecture: source
Version: 1.20.1-2+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: Sam Hartman
Changed-By: Bastien Roucariès
Closes: 1103525
Changes:
 krb5 (1.20.1-2+deb12u4) bookworm; urgency=medium
 .
   * Non Maintainer upload by LTS team
   * Fix CVE-2025-3576. Closes: #1103525
     A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected
     messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5
     checksum design. If RC4 is preferred over stronger encryption types, an
     attacker could exploit MD5 collisions to forge message integrity codes.
     This may lead to unauthorized message tampering.
   * Tickets will not be issued with RC4 or triple-DES session keys unless
     explicitly configured with the new allow_rc4 or allow_des3 variables
     respectively.
   * In KDC, assume all services support aes256-sha1
     To facilitate negotiating session keys with acceptable security, assume
     that services support aes256-cts-hmac-sha1 unless a session_enctypes
     string attribute says otherwise.
Checksums-Sha1:
 84d088b73cfc7a2e0705bb8623c1539018655bd2 3808 krb5_1.20.1-2+deb12u4.dsc
 06278439a6cd5a2aa861d8e877451b794487534b 8661660 krb5_1.20.1.orig.tar.gz
 1cd01998135e3db3c4401b84459fb19ab8baabaf 833 krb5_1.20.1.orig.tar.gz.asc
 8a31ba56c3296a2f3def82411f6e2c9203ff785d 111436 krb5_1.20.1-2+deb12u4.debian.tar.xz
 b7118004ed61522d786e3602fd1faf6d6dacfe00 21700 krb5_1.20.1-2+deb12u4_amd64.buildinfo
Checksums-Sha256:
 3a83a9c281fa9a4358fe5351ddbd8d02ce26c1b3913c4898c9769475c2d8e270 3808 krb5_1.20.1-2+deb12u4.dsc
 704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851 8661660 krb5_1.20.1.orig.tar.gz
 2afeec5dbc586cc40b7975645e02b4c41c4d719dd02213e828c72d8239d55666 833 krb5_1.20.1.orig.tar.gz.asc
 76a985c0d60ed1a62cbb82b23041185cd9bf9a600ddc0b03172bf8745ac14e85 111436 krb5_1.20.1-2+deb12u4.debian.tar.xz
 e19909bae0ff808ea0edf50161337e11c8dd23ceec71d655b2670537b32ed1d3 21700 krb5_1.20.1-2+deb12u4_amd64.buildinfo
Files:
 20c4064bc1e8bde0927b96fb1cfb94fb 3808 net optional krb5_1.20.1-2+deb12u4.dsc
 73f5780e7b587ccd8b8cfc10c965a686 8661660 net optional krb5_1.20.1.orig.tar.gz
 46551f0a032aa02dccac3789a344e028 833 net optional krb5_1.20.1.orig.tar.gz.asc
 6493ab3ca67631f33d10dc4efb1a4895 111436 net optional krb5_1.20.1-2+deb12u4.debian.tar.xz
 b1761d203e619f8234a06ca729f23c50 21700 net optional krb5_1.20.1-2+deb12u4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmgw6QQACgkQADoaLapB
CF/aEQ/+Ptnp97Wu5DJyC9JfyLPuVeihw9UHb0uhslQBasbtaNT1O499+PSqKMLH
ajCiCCLzUPdfSbykLN3luXPW+mT3HqvepCdhOcHFgRM8XY2ikKE5WdisLzsl3pdg
a6/oQ5JWJ7wTeyYGpXhSCN1m2xDB6Bcs8r7Y8LT6cFFyvGp1EJ+4noTW2Bo9UIYf
lj19aXBu1snQSFMuwSldXKXyKixrJTEOh+64eMOHBL/5sAaXzjsP8GJsxP7jxx+m
bEmdL8aGcay3HpP00RyZHuNGLE+OMq7c8n0tw7OiOfA0j97moK1jntUFgpo5h+Uz
uaY3Qm2q4FXd0XqKSRNOrmN7QFETdWoCtFVLYi50Uqk4ESFTn+MlXa3VbR398AI9
vL7vdwu9N7L36ybzLA6aD38zOAcfxOoE+K0VAppCFKEDZ8tdbQ9REKolSG5CzsBI
bt2eQLccvZaUHXHnE9/pwiR9Bdr6whTzEQoKJENQCfz55+LON3qbL0OdQAGvu6dD
1jJqPJ5lx6f4v+rIfFcsyMvi7u9IMlt+a1KlM4bs7i8FT5nopsVuZze6bTRTTvem
LeTK/noqzTXiCwkCAlgejMWTouPJHkXYZQXpS6N2GwBrIVsVmzWbOCZRAo1jclwp
nXrkX4O77uhHF9rkKLqb4ti9va/T0yfl+fdQb+kDmrSSrIHRjHQ=
=PmAv
-----END PGP SIGNATURE-----