-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4195-1                       [email protected]
https://www.debian.org/lts/security/                    Bastien Roucariès
May 30, 2025                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package        : krb5
Version        : 1.18.3-6+deb11u7
CVE ID         : CVE-2025-3576
Debian Bug     : 1103525

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected
messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5
checksum design. If RC4 is preferred over stronger encryption types, an
attacker could exploit MD5 collisions to forge message integrity codes.
This may lead to unauthorized message tampering.

In order to fix CVE-2025-3576, the vulnerable cryptographic algorithms for
tickets need to be disabled explicitly with the new allow_rc4 and
allow_des3 variables. According to the vulnerability report "Kerberos'
RC4-HMAC broken in practice: spoofing PACs with MD5 collisions", disabling
these cryptographic algorithms may break some older authentication systems,
and administrators should test carefully.

Because of the risk of breaking certain configurations, the new allow_rc4
and allow_des3 variables are being treated as having a default value of
'true' for updates to older Debian releases. This leaves the 3DES and RC4
algorithms enabled, but administrators are strongly encouraged to disable
them after verifying compatibility in their environments.

For Debian 11 bullseye, this problem has been fixed in version
1.18.3-6+deb11u7.

We recommend that you upgrade your krb5 packages.
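The following checker is an added example, not part of this advisory and not code from the Debian or MIT Kerberos projects. It reads an MIT krb5.conf, looks at the [libdefaults] relations allow_rc4 and allow_des3 named above, and reports the effective setting: an unset relation is counted as 'true', which is the default this advisory describes for Debian 11 (pass legacy_default=False for a build whose default is 'false'). It also lists RC4 and 3DES entries in the default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes lists, which are the long-standing krb5.conf options for restricting enctypes. The path /etc/krb5.conf and the two sample configurations are assumptions constructed for the example.

```python
"""Report whether a krb5.conf still permits the RC4 and 3DES enctypes
discussed in DLA-4195-1 (CVE-2025-3576). Added example, not Debian code."""
import re
import sys

# The relations this advisory introduces, as they appear in [libdefaults].
ALLOW_RELATIONS = ("allow_rc4", "allow_des3")
# Existing krb5.conf enctype lists that may also name the weak families.
ENCTYPE_LISTS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# Prefixes under which the RC4 and 3DES enctype families are spelled.
WEAK_ENCTYPE_PREFIXES = ("rc4-", "arcfour-", "des3-")
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}


def parse_libdefaults(text):
    """Return {relation: value} for top-level relations in [libdefaults].

    Brace-delimited subsections (as used under [realms]) are skipped, and for
    simplicity the first assignment of a relation is kept.
    """
    relations = {}
    section = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header and depth == 0:
            section = header.group(1)
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if section != "libdefaults" or depth != 0 or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().rstrip("*")  # "relation* = value" marks a final value
        relations.setdefault(key, value.strip())
    return relations


def assess(text, legacy_default=True):
    """Effective allow_rc4 / allow_des3 values plus any weak enctype list entries."""
    rel = parse_libdefaults(text)
    report = {}
    for name in ALLOW_RELATIONS:
        raw = rel.get(name)
        # Unset: the advisory says Debian 11 treats the relation as 'true'.
        report[name] = legacy_default if raw is None else raw.lower() in TRUE_WORDS
    weak = []
    for lst in ENCTYPE_LISTS:
        for enc in rel.get(lst, "").split():
            if enc.lower().startswith(WEAK_ENCTYPE_PREFIXES):
                weak.append(f"{lst}: {enc}")
    report["weak_enctype_entries"] = weak
    return report


# Constructed sample configurations (not from any real host).
SAMPLE_UNHARDENED = """
[libdefaults]
    default_realm = EXAMPLE.COM
    # allow_rc4 / allow_des3 not set: enabled on Debian 11 per DLA-4195-1
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
"""

SAMPLE_HARDENED = """
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_rc4 = false
    allow_des3 = false
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.conf"  # assumed path
    with open(path) as fh:
        result = assess(fh.read())
    for name in ALLOW_RELATIONS:
        print(f"{name}: {'ENABLED' if result[name] else 'disabled'}")
    for entry in result["weak_enctype_entries"]:
        print(f"weak enctype listed in {entry}")
    sys.exit(1 if any(result[n] for n in ALLOW_RELATIONS) or result["weak_enctype_entries"] else 0)
```

The checker only inspects client-side configuration; whether the KDC actually issues RC4 or 3DES session keys is visible with `klist -e` after authenticating, which is the check to run while verifying compatibility before flipping both relations to 'false'.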
For the detailed security status of krb5 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/krb5

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmg5zkIACgkQADoaLapB
CF87MQ//TdZFCo5iWZY4KYAnJkQogKKJfbRr3ozsUg2seCZzg1XHPcLJYTCPw3vu
t8lsVSH2orzsr7IiThh9Kpo/iE2FRe6W/PmGnZ44M0m/6+C/H2Ph0hB5giZ7U3LY
S1if5ggYnHAfhwl4eKQ9DR52OgJlSEFDaIKQF/MNxMdYB0xSWhaNw3P2skQUe29Q
JRcb+Wmz5EfY4IqTV8BkiJJN+PwfCPQDCVpj52hnZ62slusp6OAMUni6MnNmTnga
+leL8+qsYVVsNyVVqxpd08LnjwSwnkx+xXS6ic45bh0aDV+TLtafbrZtSOlrHkDf
ch/KsL/0IM/cmI8k5N4IA/Nc8F6miJCik8V107LWwxzQALMD3w5dk38Sfwd6EtdR
ERUo9+A8AK4xmRbUeFOhvd8PD8s+lK2eEX4kOCoD3F++7RDbun3jLN6gGPIiVH8+
EoIFGLbUwYGXldNqnxtsLD4esXNtMWbdAHc91oyjSjg7cLDszD+UwJpg+++QspWh
zRhCVuYu2gTgaKchxAwC9JPXTLk+DMEa/77VSkFrIkSiu0GdixrNP1+UP9L2kNGn
oVGmP1Teu6kHnmJAOIqKPdQulvbmJzEiGond8qZOTjks/IdchrL/05W4Hh3fEOU/
TNXrXX0jpuk+oLKcuqyzNsgQQOyHL/k7skERalQUU2V3x0RRLXY=
=XLzh
-----END PGP SIGNATURE-----
