Debian-LTS has issued an advisory on November 7:
The issue is fixed upstream in 1.17.2 and 1.18.3.
Mageia 7 is also affected.
Fedora has issued an advisory for this on November 9:
Ubuntu has issued an advisory for this today (November 17):
Fixed upstream in 1.18.3
Fixed in krb5-1.18.3-1.mga8 in Cauldron by Guillaume.
Fixed upstream in 1.17.2
Debian has issued an advisory for this on November 21:
Fedora has issued an advisory for 1.17 on November 21:
I just submitted krb5-1.17-2.1 in updates_testing for Mageia 7.
Updated krb5 packages fix security vulnerability:
MIT Kerberos 5 (aka krb5) before 1.17.2 allows unbounded recursion via an
ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support
for BER indefinite lengths lacks a recursion limit (CVE-2020-28196).
Updated packages in core/updates_testing:
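The CVE text above says the BER indefinite-length path in the krb5 ASN.1 code recursed without a limit. The following is an added example written for this page; it is not code from krb5, from the upstream fix, or from this bug report. It is a toy BER walker (hypothetical names `ber_walk`, `decode_unbounded`, `decode_limited`, `build_nested`, `probe_rc`, `probe_max_depth`) that descends constructed elements, handles the indefinite length form (length byte 0x80 terminated by an end-of-contents 00 00 pair), and shows the same walk with and without a nesting limit. `build_nested` constructs the kind of input that drives the recursion: N nested SEQUENCEs, each with an indefinite length. Only single-byte tags and short or indefinite lengths are handled, which is enough to show the point.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcome codes for the toy decoder (hypothetical, not krb5's error codes). */
enum { BER_OK = 0, BER_ERR_MALFORMED = -1, BER_ERR_TOO_DEEP = -2 };

/*
 * Walk one BER TLV at buf[0..len). Constructed elements (tag bit 0x20) are
 * descended recursively. An indefinite length (0x80) means "children until an
 * end-of-contents marker (00 00)". On success *consumed receives the bytes
 * used and *max_depth the deepest nesting level reached.
 * limit == 0 reproduces the unbounded behaviour the CVE describes; with
 * limit > 0, nesting deeper than limit is rejected before recursing further.
 */
static int ber_walk(const uint8_t *buf, size_t len, int depth, int limit,
                    size_t *consumed, int *max_depth)
{
    if (len < 2)
        return BER_ERR_MALFORMED;
    if (limit > 0 && depth > limit)
        return BER_ERR_TOO_DEEP;           /* the recursion limit: stop here */
    if (depth > *max_depth)
        *max_depth = depth;

    uint8_t tag = buf[0], lenbyte = buf[1];
    int constructed = (tag & 0x20) != 0;
    size_t pos = 2;

    if (lenbyte == 0x80) {                 /* indefinite length */
        if (!constructed)
            return BER_ERR_MALFORMED;      /* only constructed types may be indefinite */
        for (;;) {
            if (len - pos < 2)
                return BER_ERR_MALFORMED;  /* ran out of input before EOC */
            if (buf[pos] == 0x00 && buf[pos + 1] == 0x00) {
                pos += 2;                  /* end-of-contents reached */
                break;
            }
            size_t child;
            int rc = ber_walk(buf + pos, len - pos, depth + 1, limit, &child, max_depth);
            if (rc != BER_OK)
                return rc;
            pos += child;
        }
    } else if (lenbyte < 0x80) {           /* short definite length */
        if (len - pos < lenbyte)
            return BER_ERR_MALFORMED;
        size_t end = pos + lenbyte;
        while (constructed && pos < end) {
            size_t child;
            int rc = ber_walk(buf + pos, end - pos, depth + 1, limit, &child, max_depth);
            if (rc != BER_OK)
                return rc;
            pos += child;
        }
        pos = end;
    } else {
        return BER_ERR_MALFORMED;          /* long-form lengths are out of scope here */
    }

    *consumed = pos;
    return BER_OK;
}

/* Constructed test input: `depth` nested SEQUENCEs, each with indefinite length.
 * Layout is 30 80 repeated `depth` times, followed by `depth` EOC pairs (00 00). */
static size_t build_nested(uint8_t *out, size_t cap, int depth)
{
    size_t need = (size_t)depth * 4;
    if (depth < 1 || need > cap)
        return 0;
    for (int i = 0; i < depth; i++) {
        out[2 * i] = 0x30;                 /* SEQUENCE, constructed */
        out[2 * i + 1] = 0x80;             /* indefinite length */
    }
    memset(out + 2 * (size_t)depth, 0x00, 2 * (size_t)depth);
    return need;
}

/* Unbounded walk: recursion depth is controlled entirely by the attacker's input. */
int decode_unbounded(const uint8_t *buf, size_t len, int *max_depth)
{
    size_t used;
    *max_depth = 0;
    return ber_walk(buf, len, 1, 0, &used, max_depth);
}

/* Hardened walk: nesting beyond `limit` is refused. */
int decode_limited(const uint8_t *buf, size_t len, int limit, int *max_depth)
{
    size_t used;
    *max_depth = 0;
    return ber_walk(buf, len, 1, limit, &used, max_depth);
}

static uint8_t probe_buf[8192];            /* room for nesting up to 2048 levels */

/* Build a nesting of `depth` and decode it with `limit` (0 = unbounded); return rc. */
int probe_rc(int depth, int limit)
{
    int d;
    size_t n = build_nested(probe_buf, sizeof probe_buf, depth);
    return n ? decode_limited(probe_buf, n, limit, &d) : BER_ERR_MALFORMED;
}

/* Same, but return the deepest level the walker actually reached. */
int probe_max_depth(int depth, int limit)
{
    int d = 0;
    size_t n = build_nested(probe_buf, sizeof probe_buf, depth);
    if (n) decode_limited(probe_buf, n, limit, &d);
    return d;
}

int main(void)
{
    printf("depth 2000, no limit:  rc=%d reached=%d\n", probe_rc(2000, 0), probe_max_depth(2000, 0));
    printf("depth 2000, limit 64:  rc=%d reached=%d\n", probe_rc(2000, 64), probe_max_depth(2000, 64));
    return 0;
}
```

Two thousand levels is far below what a real stack can absorb, so this toy only reports the depth reached rather than crashing; the point is that without a limit the depth is set by whoever sends the message, and with one the walk stops at a fixed bound regardless of input size.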
Followed https://wiki.mageia.org/en/QA_procedure:Krb5 to get Kerberos working
on both i586 and x86_64 Mageia 7 vb guests, installed the updates. Rebooted
both to ensure all updates were actually in use.
Confirmed kinit, klist and krlogin $(hostname) still work. All ok.
Validating the update.
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.