* Thu Jan 30 2025 scabrero@suse.de
- Prevent overflow when calculating ulog block size. An authenticated
  attacker can cause kadmind to write beyond the end of the mapped
  region for the iprop log file, likely causing a process crash;
  (CVE-2025-24528); (bsc#1236619).
- Add patch 0010-CVE-2025-24528.patch
* Mon Jul 01 2024 scabrero@suse.de
- Update to 1.21.3
  * Fix vulnerabilities in GSS message token handling:
    * CVE-2024-37370, bsc#1227186
    * CVE-2024-37371, bsc#1227187
  * Fix a potential bad pointer free in krb5_cccol_have_contents()
  * Fix a memory leak in the macOS ccache type
- Update patch 0009-Fix-three-memory-leaks.patch
* Mon May 13 2024 asn@cryptomilk.org
- Enable the LMDB backend for KDB
* Thu May 02 2024 kukuk@suse.com
- Remove requires for unused cron
* Fri Mar 22 2024 scabrero@suse.de
- Fix memory leaks, add patch 0009-Fix-three-memory-leaks.patch
  * CVE-2024-26458, bsc#1220770
  * CVE-2024-26461, bsc#1220771
  * CVE-2024-26462, bsc#1220772
* Thu Feb 29 2024 pmonreal@suse.com
- Add crypto-policies support [bsc#1211301]
  * Update krb5.conf in vendor-files.tar.bz2
* Wed Dec 20 2023 dmueller@suse.com
- update to 1.21.2 (bsc#1218211, CVE-2023-39975):
  * Fix double-free in KDC TGS processing [CVE-2023-39975].
* Sat Jul 15 2023 dmueller@suse.com
- update to 1.21.1 (CVE-2023-36054):
  * Fix potential uninitialized pointer free in kadm5 XDR parsing
    [CVE-2023-36054]; (bsc#1214054).
  * Added a credential cache type providing compatibility with
    the macOS 11 native credential cache.
  * libkadm5 will use the provided krb5_context object to read
    configuration values, instead of creating its own.
  * Added an interface to retrieve the ticket session key
    from a GSS context.
  * The KDC will no longer issue tickets with RC4 or triple-DES
    session keys unless explicitly configured with the new
    allow_rc4 or allow_des3 variables respectively.
  * The KDC will assume that all services can handle aes256-sha1
    session keys unless the service principal has a
    session_enctypes string attribute.
  * Support for PAC full KDC checksums has been added to
    mitigate an S4U2Proxy privilege escalation attack.
  * The PKINIT client will advertise a more modern set
    of supported CMS algorithms.
  * Removed unused code in libkrb5, libkrb5support,
    and the PKINIT module.
  * Modernized the KDC code for processing TGS requests,
    the code for encrypting and decrypting key data,
    the PAC handling code, and the GSS library packet
    parsing and composition code.
  * Improved the test framework's detection of memory
    errors in daemon processes when used with asan.
* Thu May 04 2023 fcrozat@suse.com
- Add _multibuild to define additional spec files as additional
  flavors.
  Eliminates the need for source package links in OBS.
* Fri Mar 03 2023 scabrero@suse.de
- Update 0007-SELinux-integration.patch for SELinux 3.5;
  (bsc#1208887);