Your message dated Fri, 19 Jun 2026 15:05:03 +0000
with message-id <[email protected]>
and subject line Bug#1138466: fixed in krb5 1.22.1-3
has caused the Debian Bug report #1138466,
regarding krb5: FTBFS with openssl 4.0
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138466: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138466
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: krb5
Version: 1.22.1-2
Severity: normal
Tags: sid
control: affects -1 src:openssl
User: [email protected]
Usertags: openssl-4.0
OpenSSL 4.0 is in experimental. This package fails to build against it:
| gcc -fPIC -DSHARED -DHAVE_CONFIG_H -I../../../include
-I../../../../src/include -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE -Wdate-time
-D_FORTIFY_SOURCE=2 -g -O2 -Werror=implicit-function-declaration
-ffile-prefix-map=/build/reproducible-path/krb5-1.22.1=.
-fstack-protector-strong -fstack-clash-protection -Wformat
-Werror=format-security -fcf-protection -Wall -Wcast-align -Wshadow
-Wmissing-prototypes -Wno-format-zero-length -Woverflow -Wstrict-overflow
-Wmissing-format-attribute -Wmissing-prototypes -Wreturn-type -Wmissing-braces
-Wparentheses -Wswitch -Wunused-function -Wunused-label -Wunused-variable
-Wunused-value -Wunknown-pragmas -Wsign-compare -Werror=uninitialized
-Wno-maybe-uninitialized -Werror=pointer-arith -Werror=int-conversion
-Werror=incompatible-pointer-types -Werror=discarded-qualifiers
-Werror=implicit-int -Werror=strict-prototypes
-Werror=declaration-after-statement -Werror-implicit-function-declaration
-pthread -c ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -o
pkinit_crypto_openssl.so.o && mv -f pkinit_crypto_openssl.so.o
pkinit_crypto_openssl.so
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c: In function
‘cms_signeddata_verify’:
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2005:34:
error: invalid use of incomplete typedef ‘ASN1_OCTET_STRING’ {aka ‘struct
asn1_string_st’}
| 2005 | if (!octets || ((*octets)->type != V_ASN1_OCTET_STRING)) {
| | ^~
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2061:44:
error: invalid use of incomplete typedef ‘ASN1_OCTET_STRING’ {aka ‘struct
asn1_string_st’}
| 2061 | out = BIO_new_mem_buf((*octets)->data, (*octets)->length);
| | ^~
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2061:61:
error: invalid use of incomplete typedef ‘ASN1_OCTET_STRING’ {aka ‘struct
asn1_string_st’}
| 2061 | out = BIO_new_mem_buf((*octets)->data, (*octets)->length);
| | ^~
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c: In function
‘crypto_retrieve_X509_sans’:
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2347:15:
error: assignment discards ‘const’ qualifier from pointer target type
[-Werror=discarded-qualifiers]
| 2347 | if (!(ext = X509_get_ext(cert, l)) || !(ialt =
X509V3_EXT_d2i(ext))) {
| | ^
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2382:66:
error: invalid use of incomplete typedef ‘ASN1_STRING’ {aka ‘struct
asn1_string_st’}
| 2382 | name.length =
gen->d.otherName->value->value.sequence->length;
| | ^~
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2383:72:
error: invalid use of incomplete typedef ‘ASN1_STRING’ {aka ‘struct
asn1_string_st’}
| 2383 | name.data = (char
*)gen->d.otherName->value->value.sequence->data;
| |
^~
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2417:42:
error: invalid use of incomplete typedef ‘ASN1_IA5STRING’ {aka ‘struct
asn1_string_st’}
| 2417 | if (memchr(gen->d.dNSName->data, '\0',
gen->d.dNSName->length))
| | ^~
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2417:70:
error: invalid use of incomplete typedef ‘ASN1_IA5STRING’ {aka ‘struct
asn1_string_st’}
| 2417 | if (memchr(gen->d.dNSName->data, '\0',
gen->d.dNSName->length))
| |
^~
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2420:40:
error: invalid use of incomplete typedef ‘ASN1_IA5STRING’ {aka ‘struct
asn1_string_st’}
| 2420 | gen->d.dNSName->data);
| | ^~
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2422:50:
error: invalid use of incomplete typedef ‘ASN1_IA5STRING’ {aka ‘struct
asn1_string_st’}
| 2422 | strdup((char *)gen->d.dNSName->data);
| | ^~
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c: In function
‘get_matching_data’:
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4864:24:
error: passing argument 1 of ‘rfc2253_name’ discards ‘const’ qualifier
from pointer target type [-Werror=discarded-qualifiers]
| 4864 | ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn);
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4769:25: note:
expected ‘X509_NAME *’ {aka ‘struct X509_name_st *’} but argument is of
type ‘const X509_NAME *’ {aka ‘const struct X509_name_st *’}
| 4769 | rfc2253_name(X509_NAME *name, char **str_out)
| | ~~~~~~~~~~~^~~~
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4867:24:
error: passing argument 1 of ‘rfc2253_name’ discards ‘const’ qualifier
from pointer target type [-Werror=discarded-qualifiers]
| 4867 | ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn);
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4769:25: note:
expected ‘X509_NAME *’ {aka ‘struct X509_name_st *’} but argument is of
type ‘const X509_NAME *’ {aka ‘const struct X509_name_st *’}
| 4769 | rfc2253_name(X509_NAME *name, char **str_out)
| | ~~~~~~~~~~~^~~~
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c: In function
‘create_identifiers_from_stack’:
| ../../../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5255:12:
error: assignment discards ‘const’ qualifier from pointer target type
[-Werror=discarded-qualifiers]
| 5255 | xn = X509_get_subject_name(x);
| | ^
| cc1: some warnings being treated as errors
Full buildlog
https://breakpoint.cc/openssl-rebuild/logs-4/attempted/krb5_1.22.1-2_amd64-2026-04-19T11:07:32Z
Sebastian
--- End Message ---
--- Begin Message ---
Source: krb5
Source-Version: 1.22.1-3
Done: Sam Hartman <[email protected]>
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hartman <[email protected]> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 19 Jun 2026 08:30:16 -0600
Source: krb5
Architecture: source
Version: 1.22.1-3
Distribution: unstable
Urgency: medium
Maintainer: Sam Hartman <[email protected]>
Changed-By: Sam Hartman <[email protected]>
Closes: 1128877 1138466 1139821
Changes:
krb5 (1.22.1-3) unstable; urgency=medium
.
[ Emmanuel Arias ]
* CVE-2026-11850: Prevent read overrun in libkdb_ldap (Closes: #1139821).
.
[ Sam Hartman ]
* Fix C23 use of strchr, Closes: #1128877
* Remove lintian tag that ldap plugin is linked against libc6; no longer
needed
* Upstream patch for OpenSSL 4.0 compatibility, Closes: #1138466
* Upstream commit f5bbfa4 to use openssl facilities to verify certificates;
needed to avoid discarding const qualifier from Openssl 4.0 patch
Checksums-Sha1:
845bb8aaa01fff2fc5fb696c6d662d3f0ffbb32e 3397 krb5_1.22.1-3.dsc
1d8d7d0ebabe58a4c8fd73e994b9185fddeb70d6 111476 krb5_1.22.1-3.debian.tar.xz
a0b70184d6328b4ef43b7cd07566dcc6f67bc8a0 5430 krb5_1.22.1-3_source.buildinfo
Checksums-Sha256:
b619af9a52f00c4888e1f53f38d5e147e8c518d1c5b0cda120873fa4ebd4ea77 3397
krb5_1.22.1-3.dsc
519ad7537260ebc450a678b38f00c8deaf0e05d848d0e5cfeef1ddb154663ba8 111476
krb5_1.22.1-3.debian.tar.xz
7920ad149020edb369818ac43505bcf704974c5dadb99e9ccbfe454863d9686f 5430
krb5_1.22.1-3_source.buildinfo
Files:
3730d9a46e9231b4d200afaab70ff91b 3397 net optional krb5_1.22.1-3.dsc
43ba1f462c405922f93d52df62f9d3dd 111476 net optional
krb5_1.22.1-3.debian.tar.xz
17f3f77631ce2425aa43ae8752a25f1d 5430 net optional
krb5_1.22.1-3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSj2jRwbAdKzGY/4uAsbEw8qDeGdAUCajVT1wAKCRAsbEw8qDeG
dHx3AQDDJPFs5+Ydjhj6Vo7s4YSNZb1Z2sR42GzteXd4/qYEtgD+PGJW+prLvCa1
JVoMZ0eUAsdEMNEagaUDh0kMJQBp7wQ=
=eZWN
-----END PGP SIGNATURE-----
pgp2jM126jrbV.pgp
Description: PGP signature
--- End Message ---
