Fedora has issued an advisory on August 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AWL3KYFRJIX37EAM4DKCQQIQP2WBKL35/

I had fixed this in Cauldron a few weeks ago but didn't realize 1.12.x was affected.

Patched package building for Mageia 5 (build system currently having problems).

Advisory:
========================

Updated krb5 packages fix security vulnerability:

The validate_as_request function in kdc_util.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request (CVE-2016-3120).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3120
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AWL3KYFRJIX37EAM4DKCQQIQP2WBKL35/
========================

Updated packages in core/updates_testing:
========================
krb5-1.12.5-1.1.mga5
libkrb53-devel-1.12.5-1.1.mga5
libkrb53-1.12.5-1.1.mga5
krb5-server-1.12.5-1.1.mga5
krb5-server-ldap-1.12.5-1.1.mga5
krb5-workstation-1.12.5-1.1.mga5
krb5-pkinit-openssl-1.12.5-1.1.mga5

from krb5-1.12.5-1.1.mga5.src.rpm
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Krb5
Whiteboard: (none) => has_procedure
It finally built. Assigning to QA. Advisory and package list in Comment 0, testing procedure in Comment 1.
Assignee: bugsquad => qa-bugs
Tested on Mageia 5 i586.
Whiteboard: has_procedure => has_procedure advisory MGA-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0306.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED