Your message dated Sat, 23 May 2026 10:17:09 +0000
with message-id <[email protected]>
and subject line Bug#1135317: fixed in krb5 1.21.3-5+deb13u1
has caused the Debian Bug report #1135317,
regarding krb5: CVE-2026-40355 CVE-2026-40356
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135317: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135317
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: krb5
Version: 1.22.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for krb5.
CVE-2026-40355[0]:
| In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer
| dereference if an application calls gss_accept_sec_context() on a
| system with a NegoEx mechanism registered in /etc/gss/mech. An
| unauthenticated remote attacker can trigger this, causing the
| process to terminate in parse_nego_message.
CVE-2026-40356[1]:
| In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer
| underflow and resultant out-of-bounds read if an application calls
| gss_accept_sec_context() on a system with a NegoEx mechanism
| registered in /etc/gss/mech. An unauthenticated remote attacker can
| trigger this, possibly causing the process to terminate in
| parse_message.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-40355
    https://www.cve.org/CVERecord?id=CVE-2026-40355
[1] https://security-tracker.debian.org/tracker/CVE-2026-40356
    https://www.cve.org/CVERecord?id=CVE-2026-40356
[2] https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: krb5
Source-Version: 1.21.3-5+deb13u1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 10 May 2026 09:16:51 +0200
Source: krb5
Architecture: source
Version: 1.21.3-5+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Sam Hartman <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1135317
Changes:
 krb5 (1.21.3-5+deb13u1) trixie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix two NegoEx parsing vulnerabilities (CVE-2026-40355, CVE-2026-40356)
     (Closes: #1135317)
Checksums-Sha1:
 4b809a2645d73d6af8b6e7d8997fec286665916f 4189 krb5_1.21.3-5+deb13u1.dsc
 3e383bbe88cbed56bdad4ba655c40abf0e961cf7 9136145 krb5_1.21.3.orig.tar.gz
 bba46878ffc67fcd96821cd7b8f451b5b1b2f475 833 krb5_1.21.3.orig.tar.gz.asc
 da5ad2ca88f2b585813f8f4bc1fa3fe8163aa1c3 105252 krb5_1.21.3-5+deb13u1.debian.tar.xz
 75e840fd7b1ec4245fb1afc6680ee91f168ee7da 6239 krb5_1.21.3-5+deb13u1_source.buildinfo
Checksums-Sha256:
 d17d2840bc97fea2c2375245569ca67838a2b557ee083c6cbe42b129a317212c 4189 krb5_1.21.3-5+deb13u1.dsc
 b7a4cd5ead67fb08b980b21abd150ff7217e85ea320c9ed0c6dadd304840ad35 9136145 krb5_1.21.3.orig.tar.gz
 85047c935fe949ef2e275885451b168557b923dd13a5aab0ef8fe6acd27b94d7 833 krb5_1.21.3.orig.tar.gz.asc
 02b873b239fbe7ddf016dfe44deba4130673f4606c18c93da0622e2bc8500fb4 105252 krb5_1.21.3-5+deb13u1.debian.tar.xz
 d87aa31971d1b2e2ff86bcb0ab6293637cb324261ce32ee984bd3497421e5325 6239 krb5_1.21.3-5+deb13u1_source.buildinfo
Files:
 e10499904baa7bc8d4945d9e9ece447c 4189 net optional krb5_1.21.3-5+deb13u1.dsc
 beb34d1dfc72ba0571ce72bed03e06eb 9136145 net optional krb5_1.21.3.orig.tar.gz
 cc604e5e51a7c3c314751c68c0cd5a09 833 net optional krb5_1.21.3.orig.tar.gz.asc
 5946cd017e80e40a2584fcc9cba7cd64 105252 net optional krb5_1.21.3-5+deb13u1.debian.tar.xz
 30c210ddc2a753a5e08e8a0f513592ef 6239 net optional krb5_1.21.3-5+deb13u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=qihM
-----END PGP SIGNATURE-----
pgphM5IB0lzSk.pgp
Description: PGP signature
--- End Message ---
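The .changes file in the upload notification above lists the uploaded source artifacts with their sizes and SHA-1/SHA-256/MD5 digests; anyone mirroring or auditing a security upload can check the files they hold against that stanza. The following is an added example, not Debian's archive tooling and not code from the krb5 package: it parses the Checksums-Sha256 stanza of a .changes file (continuation lines of the form " <sha256> <size> <filename>") and reports, per file, whether the size and digest match. The .changes text and file contents it uses are constructed for the example (names like example_1.0-1.dsc are placeholders), and it deliberately stops at the next field so the MD5-based Files stanza is not mistaken for SHA-256 entries. It does not verify the PGP signature on the .changes file; the digests are only as trustworthy as that signature check, which must happen first.

```python
"""Check files against the Checksums-Sha256 stanza of a Debian .changes file.

Added example: not Debian's own tooling and not code from the krb5 package.
The sample .changes text and file contents are constructed here; they are
not the real krb5 artifacts listed in the upload notification.
"""
import hashlib
import re

SHA256_HEX = re.compile(r"[0-9a-f]{64}")


def parse_checksums_sha256(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 stanza.

    .changes files are RFC822-style: a stanza's entries are continuation
    lines starting with whitespace, and the next non-indented line (for
    example "Files:") ends the stanza.
    """
    entries = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if in_stanza:
            if line.startswith((" ", "\t")):
                parts = line.split()
                if len(parts) != 3:
                    raise ValueError("malformed checksum line: %r" % line)
                digest, size, name = parts
                if not SHA256_HEX.fullmatch(digest):
                    raise ValueError("bad sha256 digest for %s" % name)
                entries[name] = (digest, int(size))
                continue
            in_stanza = False  # a non-continuation line ends the stanza
        if line.startswith("Checksums-Sha256:"):
            in_stanza = True
    return entries


def verify_files(changes_text, files):
    """files: {filename: bytes}.

    Returns {filename: status} with status one of 'ok', 'missing',
    'size-mismatch' or 'digest-mismatch'. Size is checked first, so a
    truncated download is reported distinctly from a modified one.
    """
    results = {}
    for name, (digest, size) in parse_checksums_sha256(changes_text).items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def build_sample():
    """Constructed sample upload: three small fake artifacts and a .changes
    text whose Checksums-Sha256 and Files stanzas describe them."""
    files = {
        "example_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n",
        "example_1.0.orig.tar.gz": b"\x1f\x8b\x08\x00constructed-not-a-real-tarball",
        "example_1.0-1.debian.tar.xz": b"\xfd7zXZ\x00constructed-not-a-real-xz",
    }
    lines = ["Format: 1.8", "Source: example", "Version: 1.0-1", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
    lines.append("Files:")  # MD5 stanza; must not be parsed as SHA-256 entries
    for name, data in files.items():
        lines.append(" %s %d net optional %s" % (hashlib.md5(data).hexdigest(), len(data), name))
    return "\n".join(lines) + "\n", files


def tamper(files, name):
    """Return a copy of files with the last byte of `name` flipped (same length)."""
    data = files[name]
    out = dict(files)
    out[name] = data[:-1] + bytes([data[-1] ^ 0x01])
    return out


if __name__ == "__main__":
    text, sample = build_sample()
    print("clean:   ", verify_files(text, sample))
    print("tampered:", verify_files(text, tamper(sample, "example_1.0-1.dsc")))
```

To use it on a real upload, read the downloaded .changes text and the files it names from disk and pass them to verify_files; any status other than 'ok' means the artifact should not be trusted or installed.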