SUSE-SU-2025:3699-1
- Source
- https://www.suse.com/support/update/announcement/2025/suse-su-20253699-1/
- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:3699-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2025:3699-1
- Upstream
- Related
- Published
- 2025-10-21T10:07:48Z
- Modified
- 2025-10-22T18:32:27.540303Z
- Summary
- Security update for krb5
- Details
-
This update for krb5 fixes the following issues:
- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using RC4-HMAC-MD5 (bsc#1241219).
Krb5 as very old protocol supported quite a number of ciphers that are not longer up to current cryptographic standards.
To avoid problems with those, SUSE has by default now disabled those alorithms.
The following algorithms have been removed from valid krb5 enctypes:
- des3-cbc-sha1
- arcfour-hmac-md5
To reenable those algorithms, you can use allow options in krb5.conf:
[libdefaults] allowdes3 = true allowrc4 = true
to reenable them.
- References
Affected packages
openSUSE:Leap 15.6
krb5
Package
- Name
- krb5
- Purl
- pkg:rpm/opensuse/krb5&distro=openSUSE%20Leap%2015.6
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.20.1-150600.11.14.1
Ecosystem specific
{
"binaries": [
{
"krb5-server": "1.20.1-150600.11.14.1",
"krb5-32bit": "1.20.1-150600.11.14.1",
"krb5-devel-32bit": "1.20.1-150600.11.14.1",
"krb5": "1.20.1-150600.11.14.1",
"krb5-plugin-kdb-ldap": "1.20.1-150600.11.14.1",
"krb5-plugin-preauth-spake": "1.20.1-150600.11.14.1",
"krb5-plugin-preauth-otp": "1.20.1-150600.11.14.1",
"krb5-devel": "1.20.1-150600.11.14.1",
"krb5-plugin-preauth-pkinit": "1.20.1-150600.11.14.1",
"krb5-client": "1.20.1-150600.11.14.1"
}
]
}