Public bug reported:

Please sync krb5 1.22.1-2 (main) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped:

  * Fix FTBFS with gcc-15 because of old-style function
    declarations (LP: #2123950).
  * Merge with Debian unstable (LP: #2110460). Remaining changes:
    - SECURITY UPDATE: Use of MD5-based message authentication over plaintext
      communications could lead to forgery attacks.
      + debian/patches/CVE-2024-3596.patch: Secure Response Authentication
        by adding support for the Message-Authenticator attribute in non-EAP
        authentication methods.
      + CVE-2024-3596
    - Update libk5crypto3 symbols: add k5_hmac_md5 symbol.
    - SECURITY UPDATE: denial of service via two memory leaks
      + debian/patches/CVE-2024-26458.patch: fix two unlikely memory leaks in
        src/lib/gssapi/krb5/k5sealv3.c, src/lib/rpc/pmap_rmt.c.
      + CVE-2024-26458
      + CVE-2024-26461
  * Dropped:
    - SECURITY UPDATE: kadmind DoS via iprop log file
      + debian/patches/CVE-2025-24528.patch: prevent overflow when
        calculating ulog block size in src/lib/kdb/kdb_log.c.
      + CVE-2025-24528
      [In 1.21.3-5]

The FTBFS fix was applied in Debian 1.22.1-1, and the vulnerabilities were also fixed in 1.22.1-1 even though Debian didn't list them: they all made it into upstream's version 1.22.1, therefore they can be dropped.
Changelog entries since current resolute version 1.21.3-5ubuntu2:

krb5 (1.22.1-2) unstable; urgency=medium

  * Release to unstable

 -- Sam Hartman <[email protected]>  Fri, 14 Nov 2025 08:18:38 -0700

krb5 (1.22.1-1) experimental; urgency=medium

  * New upstream version
    - Builds with gcc-15, Closes: #1097099
  * Update symbols files

 -- Sam Hartman <[email protected]>  Tue, 07 Oct 2025 16:28:29 -0600

A test build is currently being done here:
https://launchpad.net/~ebarretto/+archive/ubuntu/devel-testing/+packages?field.name_filter=krb5&field.status_filter=published&field.series_filter=resolute

** Affects: krb5 (Ubuntu)
     Importance: Wishlist
         Status: New

** Changed in: krb5 (Ubuntu)
       Importance: Undecided => Wishlist
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2132388

Title:
  Sync krb5 1.22.1-2 (main) from Debian unstable (main)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/2132388/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
