-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 07 May 2025 19:06:22 +0200
Source: krb5
Architecture: source
Version: 1.20.1-2+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1103525
Changes:
 krb5 (1.20.1-2+deb12u4) bookworm; urgency=medium
 .
   * Non-maintainer upload by LTS team
   * Fix CVE-2025-3576. Closes: #1103525
     A vulnerability in the MIT Kerberos implementation
     allows GSSAPI-protected messages using RC4-HMAC-MD5
     to be spoofed due to weaknesses in the MD5 checksum design.
     If RC4 is preferred over stronger encryption types,
     an attacker could exploit MD5 collisions to forge message
     integrity codes. This may lead to unauthorized
     message tampering.
   * Tickets will not be issued with RC4 or triple-DES session
     keys unless explicitly configured with the new allow_rc4
     or allow_des3 variables respectively.
   * In KDC, assume all services support aes256-sha1.
     To facilitate negotiating session keys with acceptable security,
     assume that services support aes256-cts-hmac-sha1 unless a
     session_enctypes string attribute says otherwise.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----