Your message dated Tue, 12 May 2026 13:34:28 +0000
with message-id <[email protected]>
and subject line Bug#1135317: fixed in krb5 1.22.1-2.1
has caused the Debian Bug report #1135317,
regarding krb5: CVE-2026-40355 CVE-2026-40356
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135317: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135317
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: krb5
Version: 1.22.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for krb5.
CVE-2026-40355[0]:
| In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer
| dereference if an application calls gss_accept_sec_context() on a
| system with a NegoEx mechanism registered in /etc/gss/mech. An
| unauthenticated remote attacker can trigger this, causing the
| process to terminate in parse_nego_message.
CVE-2026-40356[1]:
| In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer
| underflow and resultant out-of-bounds read if an application calls
| gss_accept_sec_context() on a system with a NegoEx mechanism
| registered in /etc/gss/mech. An unauthenticated remote attacker can
| trigger this, possibly causing the process to terminate in
| parse_message.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-40355
https://www.cve.org/CVERecord?id=CVE-2026-40355
[1] https://security-tracker.debian.org/tracker/CVE-2026-40356
https://www.cve.org/CVERecord?id=CVE-2026-40356
[2] https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: krb5
Source-Version: 1.22.1-2.1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 10 May 2026 09:08:30 +0200
Source: krb5
Architecture: source
Version: 1.22.1-2.1
Distribution: unstable
Urgency: medium
Maintainer: Sam Hartman <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1135317
Changes:
krb5 (1.22.1-2.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Fix two NegoEx parsing vulnerabilities (CVE-2026-40355, CVE-2026-40356)
(Closes: #1135317)
--- End Message ---