This bug was fixed in the package krb5 - 1.21.3-5ubuntu1
---------------
krb5 (1.21.3-5ubuntu1) questing; urgency=medium

  * Merge with Debian unstable (LP: #2110460). Remaining changes:
    - SECURITY UPDATE: Use of MD5-based message authentication over plaintext
      communications could lead to forgery attacks.
      + debian/patches/CVE-2024-3596.patch: Secure Response Authentication
        by adding support for the Message-Authenticator attribute in non-EAP
        authentication methods.
      + CVE-2024-3596
    - Update libk5crypto3 symbols: add k5_hmac_md5 symbol.
    - SECURITY UPDATE: denial of service via two memory leaks
      + debian/patches/CVE-2024-26458.patch: fix two unlikely memory leaks in
        src/lib/gssapi/krb5/k5sealv3.c, src/lib/rpc/pmap_rmt.c.
      + CVE-2024-26458
      + CVE-2024-26461
  * Dropped:
    - SECURITY UPDATE: kadmind DoS via iprop log file
      + debian/patches/CVE-2025-24528.patch: prevent overflow when
        calculating ulog block size in src/lib/kdb/kdb_log.c.
      + CVE-2025-24528

  [In 1.21.3-5]
krb5 (1.21.3-5) unstable; urgency=medium

  * Non-maintainer upload with maintainer agreement.
  * Fix CVE-2025-24528: Prevent overflow when calculating
    ulog block size (Closes: #1094730)

 -- Andreas Hasenack <[email protected]>  Tue, 22 Jul 2025 15:48:33 -0300
** Changed in: krb5 (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26458
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26461
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-3596
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-24528
https://bugs.launchpad.net/bugs/2110460
Title:
Merge krb5 from Debian Unstable for questing
Status in krb5 package in Ubuntu:
Fix Released
Bug description:
Scheduled-For: ubuntu-25.06
Ubuntu: 1.21.3-4ubuntu2
Debian Unstable: 1.21.3-5
A new release of krb5 is available for merging from Debian Unstable.
If it turns out this needs a sync rather than a merge, please change
the tag 'needs-merge' to 'needs-sync', and (optionally) update the
title as desired.
### New Debian Changes ###
krb5 (1.21.3-5) unstable; urgency=medium

  * Non-maintainer upload with maintainer agreement.
  * Fix CVE-2025-24528: Prevent overflow when calculating
    ulog block size (Closes: #1094730)

 -- Bastien Roucariès <[email protected]>  Sun, 23 Feb 2025 17:12:14 +0000
### Old Ubuntu Delta ###
krb5 (1.21.3-4ubuntu2) plucky; urgency=medium

  * SECURITY UPDATE: denial of service via two memory leaks
    - debian/patches/CVE-2024-26458.patch: fix two unlikely memory leaks in
      src/lib/gssapi/krb5/k5sealv3.c, src/lib/rpc/pmap_rmt.c.
    - CVE-2024-26458
    - CVE-2024-26461
  * SECURITY UPDATE: kadmind DoS via iprop log file
    - debian/patches/CVE-2025-24528.patch: prevent overflow when
      calculating ulog block size in src/lib/kdb/kdb_log.c.
    - CVE-2025-24528

 -- Marc Deslauriers <[email protected]>  Tue, 25 Feb 2025 10:22:31 -0500
krb5 (1.21.3-4ubuntu1) plucky; urgency=medium

  * SECURITY UPDATE: Use of MD5-based message authentication over plaintext
    communications could lead to forgery attacks.
    - debian/patches/CVE-2024-3596.patch: Secure Response Authentication
      by adding support for the Message-Authenticator attribute in non-EAP
      authentication methods.
    - CVE-2024-3596
  * Update libk5crypto3 symbols: add k5_hmac_md5 symbol.

 -- Nicolas Campuzano Jimenez <[email protected]>  Tue, 04 Feb 2025 11:30:48 -0500
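The CVE-2024-3596 entries above describe the fix only as "adding support for the Message-Authenticator attribute in non-EAP authentication methods". The example below, added here as an illustration and not code from krb5, libkrad or the patch, shows what that changes on the wire: a RADIUS Access-Accept protected only by the RFC 2865 Response Authenticator (MD5 over the packet plus the shared secret) versus one that also carries the RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the shared secret), and a client-side verifier that can be switched between the legacy MD5-only check and a policy that refuses responses without the HMAC. The MD5 chosen-prefix collision that makes the MD5-only authenticator forgeable is not reproduced; the point is that the forgery has no effect once the HMAC is required, because the attacker does not hold the key. The shared secret, Request Authenticator and user name are constructed sample values, and the `require_ma` policy flag is this example's own, not a krb5 option.

```python
"""RADIUS response authentication: MD5-only Response Authenticator versus
Message-Authenticator (HMAC-MD5, RFC 2869 s5.14 / RFC 3579 s3.2).
Added illustration; not code from krb5/libkrad. Secrets and
authenticators below are constructed sample values."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80      # attribute types (RFC 2865 / RFC 2869)
HEADER = struct.Struct("!BBH16s")             # Code, Identifier, Length, Authenticator
ZERO_MA = b"\0" * 16


def encode_attrs(attrs):
    """Attribute TLVs: Type(1) Length(1, includes the 2-byte header) Value."""
    return b"".join(bytes((t, len(v) + 2)) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body


def message_authenticator(secret, code, ident, req_auth, attrs):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed.
    For responses, the Authenticator field holds the *Request* Authenticator."""
    zeroed = [(t, ZERO_MA if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, req_auth, zeroed), hashlib.md5).digest()


def response_authenticator(secret, code, ident, req_auth, attrs):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Unkeyed MD5 over attacker-influenced bytes: the check CVE-2024-3596 defeats."""
    return hashlib.md5(build_packet(code, ident, req_auth, attrs) + secret).digest()


def server_respond(secret, request, code, attrs=(), with_ma=True):
    """Build an Access-Accept/Reject for `request`. with_ma=False mimics a
    legacy server that protects the reply with the MD5 authenticator only."""
    _, ident, _, req_auth = HEADER.unpack_from(request)
    attrs = list(attrs)
    if with_ma:
        attrs.append((MESSAGE_AUTHENTICATOR, ZERO_MA))       # placeholder, zeroed for the HMAC
        attrs[-1] = (MESSAGE_AUTHENTICATOR,
                     message_authenticator(secret, code, ident, req_auth, attrs))
    resp_auth = response_authenticator(secret, code, ident, req_auth, attrs)
    return build_packet(code, ident, resp_auth, attrs)


def verify_response(secret, req_auth, response, require_ma):
    """Client-side check; returns (accepted, reason). require_ma=True is the
    hardened policy: accept only responses carrying a valid HMAC."""
    if len(response) < HEADER.size:
        return False, "short packet"
    code, ident, length, resp_auth = HEADER.unpack_from(response)
    if length < HEADER.size or length > len(response):
        return False, "bad Length field"
    try:
        attrs = decode_attrs(response[HEADER.size:length])   # bytes past Length are padding
    except ValueError as e:
        return False, str(e)
    if not hmac.compare_digest(resp_auth, response_authenticator(secret, code, ident, req_auth, attrs)):
        return False, "bad Response Authenticator"
    mas = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not mas:
        return (False, "Message-Authenticator missing") if require_ma else (True, "MD5-only check passed")
    if len(mas) != 1 or len(mas[0]) != 16:
        return False, "malformed Message-Authenticator"
    if not hmac.compare_digest(mas[0], message_authenticator(secret, code, ident, req_auth, attrs)):
        return False, "bad Message-Authenticator"
    return True, "HMAC-MD5 Message-Authenticator verified"


def demo():
    secret = b"constructed-shared-secret"   # constructed; not a real deployment value
    req_auth = bytes(range(16))            # fixed for reproducibility; must be random in practice
    request = build_packet(ACCESS_REQUEST, 7, req_auth, [(USER_NAME, b"alice")])
    legacy = server_respond(secret, request, ACCESS_ACCEPT, with_ma=False)
    strict = server_respond(secret, request, ACCESS_ACCEPT)
    tampered = bytes([ACCESS_REJECT]) + strict[1:]   # on-path attacker flips the Code byte
    return {
        "legacy_ok_when_ma_optional": verify_response(secret, req_auth, legacy, require_ma=False),
        "legacy_rejected_when_ma_required": verify_response(secret, req_auth, legacy, require_ma=True),
        "strict_ok": verify_response(secret, req_auth, strict, require_ma=True),
        "tampered_rejected": verify_response(secret, req_auth, tampered, require_ma=True),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'} ({why})")
```

Under the legacy policy the MD5-only Access-Accept is accepted, which is exactly the position a client is in when it talks to a server that never emits Message-Authenticator; under the strict policy the same packet is refused, and a response whose Code byte has been flipped fails before the HMAC is even consulted. Turning on the strict policy is therefore a deployment decision as much as a code change: it only works once the RADIUS server side also includes the attribute in non-EAP responses, which is why the changelog entry frames the fix as adding Message-Authenticator support to those methods.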