Package "krb5-multidev"

  krb5 (1.19.2-2ubuntu0.7) jammy-security; urgency=medium

  * SECURITY UPDATE: Use of weak cryptographic hash.
    - debian/patches/CVE-2025-3576.patch: Add allow_des3 and allow_rc4 options.
      Disallow usage of des3 and rc4 unless allowed in the config. Replace
      warn_des3 with warn_deprecated in ./src/lib/krb5/krb/get_in_tkt.c. Add
      allow_des3 and allow_rc4 boolean in ./src/include/k5-int.h. Prevent usage
      of deprecated enctypes in ./src/kdc/kdc_util.c.
    - debian/patches/CVE-2025-3576-post1.patch: Add enctype comparison with
      ENCTYPE_AES256_CTS_HMAC_SHA1_96 in ./src/kdc/kdc_util.c.
    - CVE-2025-3576

 -- Hlib Korzhynskyy <email address hidden> Thu, 15 May 2025 12:06:20 +0200

  krb5 (1.19.2-2ubuntu0.6) jammy-security; urgency=medium

  * SECURITY UPDATE: denial of service via two memory leaks
    - debian/patches/CVE-2024-26458.patch: fix two unlikely memory leaks in
      src/lib/gssapi/krb5/k5sealv3.c, src/lib/rpc/pmap_rmt.c.
    - CVE-2024-26458
    - CVE-2024-26461
  * SECURITY UPDATE: kadmind DoS via iprop log file
    - debian/patches/CVE-2025-24528.patch: prevent overflow when
      calculating ulog block size in src/lib/kdb/kdb_log.c.
    - CVE-2025-24528

 -- Marc Deslauriers <email address hidden> Tue, 25 Feb 2025 12:26:06 -0500

  krb5 (1.19.2-2ubuntu0.5) jammy-security; urgency=medium

  * SECURITY UPDATE: Use of MD5-based message authentication over plaintext
    communications could lead to forgery attacks.
    - debian/patches/CVE-2024-3596.patch: Secure Response Authenticator
      by adding support for the Message-Authenticator attribute in non-EAP
      authentication methods.
    - CVE-2024-3596
  * Update libk5crypto3 symbols: add k5_hmac_md5 symbol.

 -- Nicolas Campuzano Jimenez <email address hidden> Mon, 27 Jan 2025 19:37:24 -0500

  krb5 (1.19.2-2ubuntu0.4) jammy-security; urgency=medium

  * SECURITY UPDATE: Invalid token requests
    - debian/patches/CVE-2024-37370.patch: Fix vulnerabilities in GSS
    message token handling
    - CVE-2024-37370
    - CVE-2024-37371

 -- Bruce Cable <email address hidden> Mon, 15 Jul 2024 13:46:10 +1000

  krb5 (1.19.2-2ubuntu0.3) jammy-security; urgency=medium

  * SECURITY UPDATE: freeing of uninitialized memory
    - debian/patches/CVE-2023-36054.patch: ensure array count consistency in
      kadm5 RPC.
    - CVE-2023-36054

 -- Camila Camargo de Matos <email address hidden> Tue, 24 Oct 2023 13:59:06 -0300