On Fri, May 23, 2025 at 10:42:56PM +0200, Bastien Roucaries wrote:
> On Friday, 23 May 2025, 21:34:26 Central European Summer Time, Roberto C.
> Sánchez wrote:
> >
> > To me, that specifically requires that the krb5 maintainers be in
> > agreement with fixing this in bookworm and then landing the fix in
> > bookworm first (since it is already in unstable and trixie). Once
> > that happens, then we can consider landing the fix in bullseye and
> > older. Have you communicated with the maintainers of krb5 to know how
> > they feel about fixing this in bookworm?
>
> Bookworm was fixed by PU

Can you confirm this? The last upload to proposed-updates was on
2025-04-14, version 1.20.1-2+deb12u3, and it fixed CVE-2024-26462 and
CVE-2025-24528. This version was included in the recent 12.11 point
release, and I do not see a newer version anywhere that the PTS or the
security tracker would be aware of.

Additionally, the CVE is still triaged like this:

[bookworm] - krb5 <no-dsa> (Minor issue)

Which would also suggest that there is nothing pending in PU at the
moment.

Regards,

-Roberto

-- 
Roberto C. Sánchez
