Bug 31157 - krb5 new security issue CVE-2022-42898
Summary: krb5 new security issue CVE-2022-42898
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 29260
Reported: 2022-11-20 18:00 CET by David Walser
Modified: 2022-12-17 19:49 CET

See Also:
Source RPM: krb5-1.19.2-5.mga9.src.rpm
Status comment:


Description David Walser 2022-11-20 18:00:18 CET
Debian has issued an advisory on November 19:

The issue is fixed upstream in krb5 1.19.4 and heimdal 7.7.1:

Mageia 8 is also affected.
David Walser 2022-11-20 18:00:39 CET

Blocks: (none) => 29260
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in krb5 1.19.4 and heimdal 7.7.1

Comment 1 Lewis Smith 2022-11-21 11:06:45 CET
guillomovitch does both these packages, so assigning to you.

Assignee: bugsquad => guillomovitch

Comment 2 David Walser 2022-11-21 22:52:38 CET
openSUSE has issued an advisory for krb5 today (November 21):
Comment 3 David Walser 2022-11-22 14:33:16 CET
Fedora has issued an advisory for krb5 today (November 22):

Severity: major => critical

David Walser 2022-11-23 20:31:22 CET

Blocks: (none) => 31172

Comment 4 David Walser 2022-11-23 20:32:34 CET
heimdal moved to Bug 31172.

Status comment: Fixed upstream in krb5 1.19.4 and heimdal 7.7.1 => Fixed upstream in 1.19.4
Source RPM: krb5-1.19.2-5.mga9.src.rpm, heimdal-7.7.0-10.mga9.src.rpm => krb5-1.19.2-5.mga9.src.rpm
Summary: krb5, heimdal new security issue CVE-2022-42898 => krb5 new security issue CVE-2022-42898

David Walser 2022-11-26 22:23:01 CET

Blocks: 31172 => (none)

Comment 5 Guillaume Rousse 2022-11-27 14:06:02 CET
Fixed by following submissions:
- krb5-1.19.2-6.mga9 in cauldron
- krb5-1.18.3-1.3.mga8 in 8/updates_testing
Comment 6 David Walser 2022-11-28 04:54:35 CET

from krb5-1.18.3-1.3.mga8.src.rpm

Note that this update won't solve the issue Dave pointed out in Bug 29260 (but it does fix the CVEs there) but that's not a regression and this CVE is a serious issue in the library, so this needs to be pushed.

Version: Cauldron => 8
CC: (none) => guillomovitch
Status comment: Fixed upstream in 1.19.4 => (none)
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 7 Herman Viaene 2022-12-17 11:21:01 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Tried to follow the wiki and my own bug 24068 Comment 4

All seems to work OK, but found same issue as in bug 29260 for krlogin.
On David's remark then OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2022-12-17 17:04:25 CET

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-12-17 17:56:04 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2022-12-17 19:49:21 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
