krb5 (1.20.1-6ubuntu2.6) noble-security; urgency=medium
* SECURITY UPDATE: Use of weak cryptographic hash.
- debian/patches/CVE-2025-3576.patch: Add allow_des3 and allow_rc4 options.
Disallow usage of des3 and rc4 unless allowed in the config. Replace
warn_des3 with warn_deprecated in ./src/lib/krb5/krb/get_in_tkt.c. Add
allow_des3 and allow_rc4 boolean in ./src/include/k5-int.h. Prevent usage
of deprecated enctypes in ./src/kdc/kdc_util.c.
- debian/patches/CVE-2025-3576-post1.patch: Add enctype comparison with
ENCTYPE_AES256_CTS_HMAC_SHA1_96 in ./src/kdc/kdc_util.c.
- CVE-2025-3576
-- Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com> Thu, 15 May 2025 10:09:20 +0200
krb5 (1.20.1-6ubuntu2.5) noble-security; urgency=medium
* SECURITY UPDATE: denial of service via two memory leaks
- debian/patches/CVE-2024-26458.patch: fix two unlikely memory leaks in
src/lib/gssapi/krb5/k5sealv3.c, src/lib/rpc/pmap_rmt.c.
- CVE-2024-26458
- CVE-2024-26461
* SECURITY UPDATE: denial of service via memory leak
- debian/patches/CVE-2024-26462.patch: fix leak in KDC NDR encoding in
src/kdc/ndr.c.
- CVE-2024-26462
* SECURITY UPDATE: kadmind DoS via iprop log file
- debian/patches/CVE-2025-24528.patch: prevent overflow when
calculating ulog block size in src/lib/kdb/kdb_log.c.
- CVE-2025-24528
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 25 Feb 2025 10:30:21 -0500
krb5 (1.20.1-6ubuntu2.4) noble-security; urgency=medium
* No-change rebuild to solve a build issue on armhf.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 13 Feb 2025 07:23:16 -0500
krb5 (1.20.1-6ubuntu2.3) noble-security; urgency=medium
* SECURITY UPDATE: Use of MD5-based message authentication over plaintext
communications could lead to forgery attacks.
- debian/patches/CVE-2024-3596.patch: Secure Response Authenticator
by adding support for the Message-Authenticator attribute in non-EAP
authentication methods.
- CVE-2024-3596
* Update libk5crypto3 symbols: add k5_hmac_md5 symbol.
-- Nicolas Campuzano Jimenez <nicolas.campuzano@canonical.com> Tue, 28 Jan 2025 00:57:01 -0500
krb5 (1.20.1-6ubuntu2.2) noble; urgency=medium
* SRU: LP: #2083480: No-change rebuild to disable frame pointers on
ppc64el and s390x.
-- Matthias Klose <doko@ubuntu.com> Wed, 02 Oct 2024 14:40:50 +0200
krb5 (1.20.1-6ubuntu2.1) noble-security; urgency=medium
* SECURITY UPDATE: Invalid token requests
- debian/patches/CVE-2024-37370.patch: Fix vulnerabilities in GSS
message token handling
- CVE-2024-37370
- CVE-2024-37371
-- Bruce Cable <bruce.cable@canonical.com> Mon, 15 Jul 2024 13:27:45 +1000
krb5 (1.20.1-6ubuntu2) noble; urgency=medium
* No-change rebuild for CVE-2024-3094
-- Steve Langasek <steve.langasek@ubuntu.com> Sun, 31 Mar 2024 07:42:10 +0000
krb5 (1.20.1-6ubuntu1) noble; urgency=medium
* Fix tests with Python 3.12.
-- Matthias Klose <doko@ubuntu.com> Sun, 24 Mar 2024 12:51:41 +0100
krb5 (1.20.1-6) unstable; urgency=medium
* Fix up libverto1*->libverto1*t64, Closes: #1065702
-- Sam Hartman <hartmans@debian.org> Sun, 10 Mar 2024 19:36:33 -0600
krb5 (1.20.1-5.1) unstable; urgency=medium
* Non-maintainer upload.
* Rename libraries for 64-bit time_t transition. Closes: #1064164
-- Lukas Märdian <slyon@debian.org> Wed, 28 Feb 2024 15:25:37 +0000
krb5 (1.20.1-5) unstable; urgency=medium
[ Helmut Grohne ]
* Annotate test dependencies <!nocheck>. (Closes: #1054461)
[ Sam Hartman ]
* Fix keyutils to be linux-any
-- Helmut Grohne <helmut@subdivi.de> Tue, 24 Oct 2023 07:17:27 +0200
krb5 (1.20.1-4) unstable; urgency=low
[ Steve Langasek ]
* libkrb5support0: require strict binary dependency to deal with glibc 2.38, Closes: #1043184
[ Jelmer Vernooij ]
* krb5-user: Use alternatives for kinit, klist, kswitch, ksu, kpasswd,
kdestroy, kadmin and ktutil. This allows installation
together with heimdal-clients. Closes: #213316, #751203
[ Sam Hartman ]
* Enable build-time tests, Thanks Andreas Hasenack, Closes: #1017763
* Work around doxygen change that breaks doc build, Thanks Greg
Hudson, Closes: #1051523
-- Sam Hartman <hartmans@debian.org> Mon, 11 Sep 2023 11:06:57 -0600
krb5 (1.20.1-3) unstable; urgency=high
* Fixes CVE-2023-36054: a remote authenticated attacker can cause
kadmind to free an uninitialized pointer. Upstream believes remote
code execution is unlikely, Closes: #1043431
-- Sam Hartman <hartmans@debian.org> Mon, 14 Aug 2023 14:06:53 -0600
krb5 (1.20.1-2) unstable; urgency=medium
* Tighten dependencies on libkrb5support0. This means that the entire
upgrade from bullseye to bookworm needs to be lockstep, but it appears
that's what is required, Closes: #1036055
-- Sam Hartman <hartmans@debian.org> Mon, 15 May 2023 17:44:41 -0600
krb5 (1.20.1-1) unstable; urgency=high
[ Bastian Germann ]
* Sync debian/copyright with NOTICE from upstream
[ Debian Janitor ]
* Trim trailing whitespace.
* Strip unusual field spacing from debian/control.
* Use secure URI in Homepage field.
* Merge upstream signing key files.
* Update renamed lintian tag names in lintian overrides.
* Update standards version to 4.6.1, no changes needed.
* Remove field Section on binary package krb5-gss-samples that
duplicates source.
* Fix field name cases in debian/control (VCS-Browser => Vcs-Browser,
VCS-Git => Vcs-Git).
[ Sam Hartman ]
* New upstream release
- Integer overflows in PAC parsing; potentially critical for 32-bit
KDCs or when cross-realm acts maliciously; DOS in other conditions;
CVE-2022-42898, Closes: #1024267
* Tighten version dependencies around crypto library, Closes: 1020424
* krb5-user recommends rather than Depends on krb5-config. This avoids
a hard dependency on bind9-host, but also supports cases where
krb5-config is externally managed, Closes: #1005821
-- Sam Hartman <hartmans@debian.org> Thu, 17 Nov 2022 10:34:28 -0700
krb5 (1.20-1) unstable; urgency=medium
* New Upstream Version
* Do not specify master key type to avoid weak crypto, Closes: #1009927
-- Sam Hartman <hartmans@debian.org> Fri, 22 Jul 2022 16:32:38 -0600
krb5 (1.20~beta1-1) experimental; urgency=medium
* New Upstream version
-- Sam Hartman <hartmans@debian.org> Thu, 07 Apr 2022 11:57:27 -0600
krb5 (1.19.2-2) unstable; urgency=medium
* Standards version 4.6.0; no change
* kpropd: run after network.target, Closes: #948820
* krb5-kdc: Remove /var from PidFile, Closes: #982009
-- Sam Hartman <hartmans@debian.org> Mon, 21 Feb 2022 13:05:20 -0700
krb5 (1.19.2-1) experimental; urgency=medium
* New Upstream version
* Include patch to work with OpenSSL 3.0, Closes: #995152
* Depend on tex-gyre, Closes: #997407
-- Sam Hartman <hartmans@debian.org> Wed, 27 Oct 2021 14:04:42 -0600
krb5 (1.18.3-7) unstable; urgency=medium
* Fix KDC null dereference crash on FAST request with no server field,
CVE-2021-37750, Closes: #992607
* Fix memory leak in krb5_gss_inquire_cred, Closes: #991140
* Add javascript libraries for docs, thanks Andreas Beckmann, Closes: #988743
* Drop build-dependency on libncurses5-dev which hasn't been needed
since krb5-appl was removed, Closes: #981161
-- Sam Hartman <hartmans@debian.org> Fri, 27 Aug 2021 08:13:47 -0600
krb5 (1.18.3-6) unstable; urgency=high
* Pull in upstream patch to fix CVE-2021-36222 (KDC NULL dereference),
Closes: #991365
-- Benjamin Kaduk <kaduk@mit.edu> Wed, 21 Jul 2021 11:07:07 -0700
krb5 (1.18.3-5) unstable; urgency=medium
* Update breaks on libk5crypto3 toward other internal libraries because
of removed internal symbols, Closes: #985739
-- Sam Hartman <hartmans@debian.org> Sun, 28 Mar 2021 13:43:01 -0400
krb5 (1.18.3-4) unstable; urgency=medium
* Sigh, either use <= with the old version in the
libapache-mod-auth-kerb constraint or << with the new version. <=
with the new version is no good. (used <= with the old version)
-- Sam Hartman <hartmans@debian.org> Mon, 23 Nov 2020 11:53:02 -0500
krb5 (1.18.3-3) unstable; urgency=medium
* Update breaks for libapache2-mod-auth-kerb now that we think we have a fix.
* Mark libkrad-dev as multi-arch: same
-- Sam Hartman <hartmans@debian.org> Mon, 23 Nov 2020 10:07:02 -0500
krb5 (1.18.3-2) unstable; urgency=medium
* Break libapache2-mod-auth-kerb; see #975344 . Obviously this is not a stable situation, but I want to at least let users know that by installing this krb5 libapache2-mod-auth-kerb will not work until we fix it.
-- Sam Hartman <hartmans@debian.org> Fri, 20 Nov 2020 14:46:00 -0500
krb5 (1.18.3-1) unstable; urgency=medium
* New upstream version
- Fix error when DES disabled, Closes: #932298
* Fix typo in lintian overrides.
* Update hurd compat patch, thanks Pino Toscano, Closes: #933770
-- Sam Hartman <hartmans@debian.org> Thu, 19 Nov 2020 11:08:16 -0500
krb5 (1.18.2-1) experimental; urgency=medium
* New Upstream version
* Include several pre-release patches from 1.18.3:
- Unregister thread key in SPNEGO finalization
- Set pw_expiration during LDAP load
- Avoid using LMDB environments across forks
- Allow gss_unwrap_iov() of unpadded RC4 tokens
- Fix input length checking in SPNEGO DER decoding
- Set lockdown attribute when creating LDAP KDB
- Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196,
Closes: #973880)
* Release new upstream to experimental
-- Sam Hartman <hartmans@debian.org> Mon, 09 Nov 2020 16:28:52 -0500
krb5 (1.17-10) unstable; urgency=medium
* Also set localstatedir to be consistent with old builds, Closes: #962522
* Include journalctl dump from krb5kdc tests so we can figure out why ppc tests are breaking.
-- Sam Hartman <hartmans@debian.org> Mon, 09 Nov 2020 16:28:25 -0500
krb5 (1.17-9) unstable; urgency=low
* Fix build-indep, Closes: #962470
-- Sam Hartman <hartmans@debian.org> Mon, 08 Jun 2020 10:02:57 -0400
krb5 (1.17-8) unstable; urgency=low
* krb5-doc is multi-arch Foreign, Closes: #959984
* Convert to using dh sequencer, Closes: #930690
* Low urgency to give us a chance to shake out the DH changes
-- Sam Hartman <hartmans@debian.org> Thu, 28 May 2020 10:31:24 -0400
krb5 (1.17-7) unstable; urgency=medium
* Use python3 for building docs; pull patch from upstream, Closes: #939483
-- Sam Hartman <hartmans@debian.org> Mon, 23 Mar 2020 10:46:41 -0400
krb5 (1.17-6) unstable; urgency=medium
* Stop depending on texlive-generic-extra, which is no longer built,
Closes: #933286
-- Sam Hartman <hartmans@debian.org> Thu, 01 Aug 2019 14:15:13 -0400
krb5 (1.17-5) unstable; urgency=high
* Upstream patch to filter invalid enctypes when nfs calls to indicate
which enctypes it supports, Closes: #932000
* Do not error out if a keytab includes a single-des enctype, Closes:
#932132
-- Sam Hartman <hartmans@debian.org> Wed, 17 Jul 2019 09:20:27 -0400
krb5 (1.17-4) unstable; urgency=low
* Remove single DES support entirely; it has been deprecated for a
number of years and is going away in 1.18. We want to find out now
any Debian problems.
* Migrate from git-dpm to git-debrebase; it truly is better. Thanks Ian.
* Add a krb5-user.news for single DES going away
* Remove the old news file across all packages
-- Sam Hartman <hartmans@debian.org> Mon, 08 Jul 2019 22:04:39 -0400
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libkrb5support0`.