• Re: Regarding confirmation for CVE-2025-57736 in krb5

    From Greg Hudson@ghudson@mit.edu to kerberos@mit.edu on Mon Sep 1 14:32:14 2025
    From Newsgroup: comp.protocols.kerberos

    On 9/1/25 03:02, Ankit Srivastava via Kerberos wrote:
    > Hi Team,
    > While reviewing the Kerberos 1.22.1 release note[...] I have found a CVE claim [...]
    > But the same has not been mentioned in 1.22!

    I'm not sure what this means. The release notes in the (withdrawn)
    krb5-1.22 tarball can't be changed.

    > So, does it impact the user who is using krb5.1.21.3 or prior releases, or does it only impact the user who has krb5.1.22?

    Only 1.22 is impacted. Prior releases never had this bug, and 1.22.1
    fixes it.
