Your message dated Sat, 23 May 2026 10:05:20 +0000
with message-id <[email protected]>
and subject line Bug#1135317: fixed in krb5 1.20.1-2+deb12u5
has caused the Debian Bug report #1135317,
regarding krb5: CVE-2026-40355 CVE-2026-40356
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135317: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135317
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: krb5
Version: 1.22.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for krb5.

CVE-2026-40355[0]:
| In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer
| dereference if an application calls gss_accept_sec_context() on a
| system with a NegoEx mechanism registered in /etc/gss/mech. An
| unauthenticated remote attacker can trigger this, causing the
| process to terminate in parse_nego_message.


CVE-2026-40356[1]:
| In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer
| underflow and resultant out-of-bounds read if an application calls
| gss_accept_sec_context() on a system with a NegoEx mechanism
| registered in /etc/gss/mech. An unauthenticated remote attacker can
| trigger this, possibly causing the process to terminate in
| parse_message.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40355
    https://www.cve.org/CVERecord?id=CVE-2026-40355
[1] https://security-tracker.debian.org/tracker/CVE-2026-40356
    https://www.cve.org/CVERecord?id=CVE-2026-40356
[2] https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
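What a defender reading this report wants is a quick way to tell whether a bookworm host is exposed. The following Python script is an added example, not part of the Debian report or of the krb5 project: it re-implements dpkg's version comparison so that the fixed bookworm version quoted above (1.20.1-2+deb12u5) can be checked against the installed libgssapi-krb5-2 package without shelling out to dpkg, and it lists the mechanisms registered in /etc/gss/mech, since both CVEs are only reachable when a NegoEx mechanism is registered there. Assumptions: the mechanism file layout (whitespace-separated name, OID, library; `#` starts a comment line), the binary package name libgssapi-krb5-2 as the provider of gss_accept_sec_context(), and the sample entry `negoexdemo` with its OID are constructed or assumed for this example; which of a host's registered mechanisms actually implement NegoEx has to be confirmed from that mechanism's own documentation.

```python
"""Triage helper for the two krb5 NegoEx CVEs (added example, not krb5 code).

It answers two questions: is the installed krb5 library at least the fixed
bookworm version, and which GSSAPI mechanisms are registered in /etc/gss/mech.
The version comparison follows dpkg's algorithm so the script runs anywhere.
"""
import subprocess
from typing import Dict, List, Optional

# Fixed bookworm-security version quoted in the report.  Other suites have
# their own fixed versions; this constant is only meaningful for bookworm.
FIXED_BOOKWORM = "1.20.1-2+deb12u5"


def _order(c: str) -> int:
    """dpkg character ordering: '~' sorts before everything (even end of
    string), letters before other characters, digits and end count as 0."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then the longer run wins, else the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, rest = 0, version
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    upstream, revision = (rest.rsplit("-", 1) if "-" in rest else (rest, ""))
    return epoch, upstream, revision


def dpkg_vercmp(a: str, b: str) -> int:
    """Return <0, 0 or >0, like dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_mech_config(text: str) -> List[Dict[str, str]]:
    """Return name/OID/library for each entry of an /etc/gss/mech style file.
    Assumed layout: whitespace-separated fields, '#' lines are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: report nothing rather than guess
        entries.append({"name": fields[0], "oid": fields[1], "library": fields[2]})
    return entries


def assess(installed: Optional[str], mech_text: str, fixed: str = FIXED_BOOKWORM) -> Dict[str, object]:
    """Combine the version check and the mechanism list into one verdict."""
    mechs = parse_mech_config(mech_text)
    version_fixed = installed is not None and dpkg_vercmp(installed, fixed) >= 0
    return {
        "installed": installed,
        "version_fixed": version_fixed,
        "registered_mechs": [m["name"] for m in mechs],
        # Exposure needs both an unfixed library and a registered mechanism.
        "needs_review": (not version_fixed) and bool(mechs),
    }


def installed_gssapi_version() -> Optional[str]:
    """Ask dpkg for libgssapi-krb5-2; None when dpkg or the package is absent."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "libgssapi-krb5-2"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


# Constructed sample mechanism file; the 'negoexdemo' entry and its OID are
# placeholders, not a real mechanism.
SAMPLE_MECH = """\
# constructed sample of /etc/gss/mech (not taken from any real system)
# name        OID                    library
negoexdemo    1.2.3.4.5.6.7.8        /usr/lib/gss/libnegoexdemo.so
"""

if __name__ == "__main__":
    import json
    # Offline run against the sample with a pre-fix version.
    print(json.dumps(assess("1.20.1-2+deb12u4", SAMPLE_MECH), indent=2))
    # Live run on this host (needs dpkg; the mech file is optional).
    try:
        with open("/etc/gss/mech") as fh:
            live_mech = fh.read()
    except OSError:
        live_mech = ""
    print(json.dumps(assess(installed_gssapi_version(), live_mech), indent=2))
```

The live run only makes sense on bookworm, because FIXED_BOOKWORM is the bookworm-security version; on other suites pass the fixed version for that suite as the `fixed` argument. MIT krb5 also reads mechanism entries from /etc/gss/mech.d/*.conf, so feed those files to `parse_mech_config` as well when auditing a host.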
--- Begin Message ---
Source: krb5
Source-Version: 1.20.1-2+deb12u5
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 May 2026 09:23:58 +0200
Source: krb5
Architecture: source
Version: 1.20.1-2+deb12u5
Distribution: bookworm-security
Urgency: high
Maintainer: Sam Hartman <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1135317
Changes:
 krb5 (1.20.1-2+deb12u5) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix two NegoEx parsing vulnerabilities (CVE-2026-40355, CVE-2026-40356)
     (Closes: #1135317)
Checksums-Sha1:
 6655dbff5f35427c8256ca03c11978e0f6d6111d 3982 krb5_1.20.1-2+deb12u5.dsc
 21b192bf47f949506fba47a842b5947590a90aa0 112068 krb5_1.20.1-2+deb12u5.debian.tar.xz
 4108b883e75f763f75b58d35de0647588e0b2e89 6239 krb5_1.20.1-2+deb12u5_source.buildinfo
Checksums-Sha256:
 643c1e56f5d2022f7685f5d5490a4fc348adc68a4bb42adbc1780e4a5b1bb05e 3982 krb5_1.20.1-2+deb12u5.dsc
 195842a66252dfee21b3402b5048f8dea11ea92056742aedf71b356e26f4513f 112068 krb5_1.20.1-2+deb12u5.debian.tar.xz
 167ab7c79dbd3faa7b09bc182ff458635525ac53c5748fd58f62c954edb02d7d 6239 krb5_1.20.1-2+deb12u5_source.buildinfo
Files:
 d699542b2cc82980a13e88392e89ca32 3982 net optional krb5_1.20.1-2+deb12u5.dsc
 013b61397378a929ef1ead73a9bd75af 112068 net optional krb5_1.20.1-2+deb12u5.debian.tar.xz
 74f66e96cc1d25d0c868ed44d7c6ac59 6239 net optional krb5_1.20.1-2+deb12u5_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
