Hi Team,

While reviewing the Kerberos 1.22.1 release notes <https://web.mit.edu/kerberos/krb5-1.22/krb5-1.22.1.html>, I found the CVE claim mentioned below:

    Fix a vulnerability in GSS MIC verification [CVE-2025-57736].

But the same is not mentioned in 1.22! Based on my due diligence, it looks like commit 7ae0adc <https://github.com/krb5/krb5/commit/7ae0adcdf16687810f747e284c9fb571a561c5bd#diff-08d5eceeaa8561414331bf0e35a895bdb2b926688aeec402dc42be201763979e>, which was merged in 1.22 with the newly introduced function "kg_verify_checksum_v3", caused this issue, and the CVE was resolved with commit 2531770 <https://github.com/krb5/krb5/commit/2531770c10115cb8b5ff529f813d86fa5a36db4c>.

So, does it impact users who are using krb5 1.21.3 or prior releases, or only users who have krb5 1.22?

Regards,
Ankit Srivastava

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
