Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2025:3699-1

Опубликовано: 21 окт. 2025
Источник: suse-cvrf

Описание

Security update for krb5

This update for krb5 fixes the following issues:

  • CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using RC4-HMAC-MD5 (bsc#1241219).

Krb5 as very old protocol supported quite a number of ciphers that are not longer up to current cryptographic standards.

To avoid problems with those, SUSE has by default now disabled those alorithms.

The following algorithms have been removed from valid krb5 enctypes:

  • des3-cbc-sha1
  • arcfour-hmac-md5

To reenable those algorithms, you can use allow options in krb5.conf:

[libdefaults] allow_des3 = true allow_rc4 = true

to reenable them.

Список пакетов

SUSE Linux Enterprise Module for Basesystem 15 SP6
krb5-1.20.1-150600.11.14.1
krb5-32bit-1.20.1-150600.11.14.1
krb5-client-1.20.1-150600.11.14.1
krb5-devel-1.20.1-150600.11.14.1
krb5-plugin-preauth-otp-1.20.1-150600.11.14.1
krb5-plugin-preauth-pkinit-1.20.1-150600.11.14.1
SUSE Linux Enterprise Module for Basesystem 15 SP7
krb5-1.20.1-150600.11.14.1
krb5-32bit-1.20.1-150600.11.14.1
krb5-client-1.20.1-150600.11.14.1
krb5-devel-1.20.1-150600.11.14.1
krb5-plugin-preauth-otp-1.20.1-150600.11.14.1
krb5-plugin-preauth-pkinit-1.20.1-150600.11.14.1
SUSE Linux Enterprise Module for Server Applications 15 SP6
krb5-plugin-kdb-ldap-1.20.1-150600.11.14.1
krb5-server-1.20.1-150600.11.14.1
SUSE Linux Enterprise Module for Server Applications 15 SP7
krb5-plugin-kdb-ldap-1.20.1-150600.11.14.1
krb5-server-1.20.1-150600.11.14.1
openSUSE Leap 15.6
krb5-1.20.1-150600.11.14.1
krb5-32bit-1.20.1-150600.11.14.1
krb5-client-1.20.1-150600.11.14.1
krb5-devel-1.20.1-150600.11.14.1
krb5-devel-32bit-1.20.1-150600.11.14.1
krb5-plugin-kdb-ldap-1.20.1-150600.11.14.1
krb5-plugin-preauth-otp-1.20.1-150600.11.14.1
krb5-plugin-preauth-pkinit-1.20.1-150600.11.14.1
krb5-plugin-preauth-spake-1.20.1-150600.11.14.1
krb5-server-1.20.1-150600.11.14.1

Ссылки

Описание

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

Затронутые продукты
SUSE Linux Enterprise Module for Basesystem 15 SP6:krb5-1.20.1-150600.11.14.1
SUSE Linux Enterprise Module for Basesystem 15 SP6:krb5-32bit-1.20.1-150600.11.14.1
SUSE Linux Enterprise Module for Basesystem 15 SP6:krb5-client-1.20.1-150600.11.14.1
SUSE Linux Enterprise Module for Basesystem 15 SP6:krb5-devel-1.20.1-150600.11.14.1
Ссылки