package: krb5-pkinit
version: 1.17-3+deb10u3
severity: important

Starting with RHEL9, Red Hat updated the CMS digest signature to SHA256
instead of SHA1.
This makes sense after all since SHA1 was deprecated in 2011.
The main effect of this is that older clients will not be able to do
anonymous pkinit with a RHEL9 KDC.

MIT Kerberos has supported SHA256 signatures since version 1.15.

Update the CMS digest algorithm for pkinit to SHA256.

This probably breaks compatibility with jessie and before.

So, assuming this is accepted for buster and bullseye (it's already in
sid and bookworm):

* Stretch will work with buster and jessie

* Buster and forward will work going forward up through sid but will not work
  with jessie or backward

Even if some problem results, anonymous pkinit (and pkinit in general)
is fairly rarely used.

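As an added illustration (not part of the original report and not krb5 code), this Python script reads the digestAlgorithms field of a DER-encoded CMS SignedData, which is where the SHA1 versus SHA256 choice described above appears on the wire. The sample blobs are constructed, unsigned skeletons using the RFC 4556 id-pkinit-DHKeyData content type, and all function names are hypothetical.

```python
# Added example (not krb5 code): digest algorithms declared in a CMS SignedData.
SIGNED_DATA = "1.2.840.113549.1.7.2"
DIGESTS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

def read_tlv(buf, pos):  # one DER element -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for b in body:  # base-128 digits, high bit set means "more follows"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def cms_digest_algorithms(der):
    _, content_info, _ = read_tlv(der, 0)  # ContentInfo SEQUENCE
    tag, ctype, pos = read_tlv(content_info, 0)
    if tag != 0x06 or decode_oid(ctype) != SIGNED_DATA:
        raise ValueError("not CMS SignedData")
    signed_data = read_tlv(read_tlv(content_info, pos)[1], 0)[1]  # in [0] EXPLICIT
    # Skip the version INTEGER, then take the digestAlgorithms SET.
    algs = read_tlv(signed_data, read_tlv(signed_data, 0)[2])[1]
    names, pos = [], 0
    while pos < len(algs):
        _, alg, pos = read_tlv(algs, pos)  # AlgorithmIdentifier SEQUENCE
        oid = decode_oid(read_tlv(alg, 0)[1])
        names.append(DIGESTS.get(oid, oid))
    return names

def tlv(tag, body):  # encoder for the constructed samples, short lengths only
    return bytes([tag, len(body)]) + body

def sample(digest_oid_hex):  # constructed skeleton: no certificates, no signers
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(digest_oid_hex)))
    econtent = tlv(0x30, tlv(0x06, bytes.fromhex("2b060105020302")))
    body = tlv(0x02, b"\x03") + tlv(0x31, alg) + econtent + tlv(0x31, b"")
    wrapped = tlv(0xA0, tlv(0x30, body))
    return tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010702")) + wrapped)
```

Calling `cms_digest_algorithms(sample("608648016503040201"))` on the constructed SHA256 skeleton returns `["sha256"]`; an unrecognised digest is returned as its dotted OID.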