Debian-LTS has issued an advisory on November 7: https://www.debian.org/lts/security/2020/dla-2437 The issue is fixed upstream in 1.17.2 and 1.18.3. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Fedora has issued an advisory for this on November 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/73IGOG6CZAVMVNS4GGRMOLOZ7B6QVA7F/
Ubuntu has issued an advisory for this today (November 17): https://ubuntu.com/security/notices/USN-4635-1
Status comment: (none) => Fixed upstream in 1.18.3
Severity: normal => major
Fixed in krb5-1.18.3-1.mga8 in Cauldron by Guillaume.
Source RPM: krb5-1.18.2-1.mga8.src.rpm => krb5-1.17-2.mga7.src.rpm
Status comment: Fixed upstream in 1.18.3 => Fixed upstream in 1.17.2
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Debian has issued an advisory for this on November 21: https://www.debian.org/security/2020/dsa-4795
Fedora has issued an advisory for 1.17 on November 21: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/45KKOZQWIIIW5C45PJVGQ32AXBSYNBE7/
I just submitted krb5-1.17-2.1 in updates_testing for Mageia 7.
Advisory:
========================

Updated krb5 packages fix security vulnerability:

MIT Kerberos 5 (aka krb5) before 1.17.2 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit (CVE-2020-28196).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28196
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-28196
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/45KKOZQWIIIW5C45PJVGQ32AXBSYNBE7/
========================

Updated packages in core/updates_testing:
========================
krb5-1.17-2.1.mga7
libkrb53-devel-1.17-2.1.mga7
libkrb53-1.17-2.1.mga7
krb5-server-1.17-2.1.mga7
krb5-server-ldap-1.17-2.1.mga7
krb5-workstation-1.17-2.1.mga7
krb5-pkinit-1.17-2.1.mga7

from krb5-1.17-2.1.mga7.src.rpm
CC: (none) => guillomovitch
Status comment: Fixed upstream in 1.17.2 => (none)
Assignee: guillomovitch => qa-bugs
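The recursion the advisory describes (one decoder call per nested BER indefinite-length value, with nothing bounding the nesting) is easiest to see in a small skip-one-element routine that carries an explicit depth check. This is added example code, not krb5's lib/krb5/asn.1/asn1_encode.c, and MAX_DEPTH is an assumed limit chosen for the demonstration; nested_accepted() builds a constructed test input so the limit can be seen rejecting over-deep nesting.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed nesting limit for this demo; krb5's own fix is not reproduced here. */
#define MAX_DEPTH 32

/* Skip one BER element at buf[0]. Returns bytes consumed, or 0 if the
 * input is malformed, truncated, or nested deeper than MAX_DEPTH.
 * Handles short/long definite lengths and indefinite length (0x80),
 * where a constructed value runs until an end-of-contents pair 00 00. */
static size_t skip_element(const uint8_t *buf, size_t len, unsigned depth)
{
    if (depth > MAX_DEPTH || len < 2) return 0;   /* the recursion limit */
    uint8_t tag = buf[0], lb = buf[1];
    size_t pos = 2, clen = 0;
    if ((tag & 0x1f) == 0x1f) return 0;          /* multi-byte tags: out of scope */
    if (lb == 0x80) {                             /* indefinite length */
        if (!(tag & 0x20)) return 0;              /* only constructed types may use it */
        for (;;) {
            if (pos + 2 > len) return 0;          /* truncated before EOC */
            if (buf[pos] == 0 && buf[pos + 1] == 0) return pos + 2;
            size_t n = skip_element(buf + pos, len - pos, depth + 1); /* one frame per level */
            if (n == 0) return 0;
            pos += n;
        }
    }
    if (lb < 0x80) {
        clen = lb;                                /* short definite form */
    } else {
        unsigned nbytes = lb & 0x7f;              /* long definite form */
        if (nbytes == 0 || nbytes > sizeof(size_t) || pos + nbytes > len) return 0;
        for (unsigned i = 0; i < nbytes; i++) clen = (clen << 8) | buf[pos++];
    }
    return clen > len - pos ? 0 : pos + clen;
}
size_t ber_skip(const uint8_t *buf, size_t len) { return skip_element(buf, len, 0); }

/* Constructed test input: `levels` nested indefinite-length SEQUENCEs around a
 * NULL, each closed by 00 00. Returns 1 if ber_skip accepts it, 0 otherwise. */
int nested_accepted(unsigned levels)
{
    uint8_t buf[1024];
    size_t p = 0;
    if (4 * (size_t)levels + 2 > sizeof buf) return 0;
    for (unsigned i = 0; i < levels; i++) { buf[p++] = 0x30; buf[p++] = 0x80; }
    buf[p++] = 0x05; buf[p++] = 0x00;             /* NULL */
    for (unsigned i = 0; i < levels; i++) { buf[p++] = 0x00; buf[p++] = 0x00; }
    return ber_skip(buf, p) == p;
}
```

Without the depth check, the same input shape would drive one stack frame per nesting level for as long as the attacker-controlled message keeps supplying 30 80 pairs.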
Followed https://wiki.mageia.org/en/QA_procedure:Krb5 to get Kerberos working on both i586 and x86_64 Mageia 7 vb guests, installed the updates. Rebooted both to ensure all updates are actually in use. Confirmed kinit, klist and krlogin $(hostname) still work. All ok. Validating the update.
Whiteboard: (none) => MGA7-64-OK MGA7-32-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Advisory pushed to SVN.
Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-28196
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0022.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED