SUSE has issued an advisory on April 8: https://lwn.net/Articles/968978/ Mageia 9 is also affected.
Status comment: (none) => Patches available from SUSE
CVE: (none) => CVE-2024-26458, CVE-2024-26461
Source RPM: (none) => krb5-1.21.2-2.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
This starting point: https://lwn.net/Articles/968978/
* CVE-2024-26458
* CVE-2024-26461
contains these URLs:
* https://bugzilla.suse.com/show_bug.cgi?id=1220770
* https://bugzilla.suse.com/show_bug.cgi?id=1220771
which lead to what look like these patches:
https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_5.png
https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_1.png

In the absence of an obvious maintainer, assigning this globally. CC'ing wally, who has done the most recent commits.
Assignee: bugsquad => pkg-bugs
CC: (none) => jani.valimaa
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. (CVE-2024-26458)

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. (CVE-2024-26461)

References:
https://lwn.net/Articles/968978/
========================

Updated packages in core/updates_testing:
========================

krb5-1.20.1-1.1.mga9
krb5-pkinit-1.20.1-1.1.mga9
krb5-server-1.20.1-1.1.mga9
krb5-server-ldap-1.20.1-1.1.mga9
krb5-workstation-1.20.1-1.1.mga9
lib(64)krb53-1.20.1-1.1.mga9
lib(64)krb53-devel-1.20.1-1.1.mga9

from SRPM:
krb5-1.20.1-1.1.mga9.src.rpm
Version: Cauldron => 9
Source RPM: krb5-1.21.2-2.mga10.src.rpm => krb5-1.20.1-1.mga9.src.rpm
Status: NEW => ASSIGNED
Status comment: Patches available from SUSE => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
RH mageia 9 x86_64

LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
Marking krb5 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
installing krb5-1.20.1-1.1.mga9.x86_64.rpm krb5-server-ldap-1.20.1-1.1.mga9.x86_64.rpm lib64krb53-devel-1.20.1-1.1.mga9.x86_64.rpm krb5-pkinit-1.20.1-1.1.mga9.x86_64.rpm krb5-server-1.20.1-1.1.mga9.x86_64.rpm lib64krb53-1.20.1-1.1.mga9.x86_64.rpm krb5-workstation-1.20.1-1.1.mga9.x86_64.rpm from /home/katnatek/qa-testing/x86_64
Preparing...                                   ##############################
      1/7: krb5                                ##############################
      2/7: lib64krb53                          ##############################
      3/7: lib64krb53-devel                    ##############################
      4/7: krb5-server                         ##############################
      5/7: krb5-server-ldap                    ##############################
      6/7: krb5-pkinit                         ##############################
      7/7: krb5-workstation                    ##############################
      1/3: removing lib64krb53-devel-1.20.1-1.mga9.x86_64
                                               ##############################
      2/3: removing lib64krb53-1.20.1-1.mga9.x86_64
                                               ##############################
      3/3: removing krb5-1.20.1-1.mga9.x86_64
                                               ##############################

I think the procedure https://wiki.mageia.org/en/QA_procedure:Krb5 should give some suggestions other than just [If the setup script complains that the forward and reverse dns settings do not match, post a request for help to the qa discussion list.]

I left it at a clean install, and will wait to see if others do a successful test.
MGA9-64 Plasma Wayland on HP-Pavillion No installation issues. Followed QA procedure, and it works OK as described, until at the end the krlogin command does not return feedback, and a telnet returns connection refused. This is all quite the same as in previous bugs 31157 and 29260 and 24068, so giving the OK following those and the comment above.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
With three bugs for examples, that should be good enough. Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0158.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
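A check for whether the fix from this advisory has actually landed on a host, as an added example that is not part of this bug report, of Mageia's tooling, or of the krb5 project: it compares the package list from the suggested advisory against rpm -qa output using a Python port of rpm's rpmvercmp(), because the old release (1.mga9) and the fixed release (1.1.mga9) differ only in a way that a plain string compare gets wrong. The rpm query format, the sample output (constructed, not captured from the test machine above), and the helper names are assumptions.

```python
"""Check installed krb5 packages against the fixed version-release from the
advisory. Added example, not from the bug report or from krb5 itself.

Assumed input format (constructed below, not captured):
  rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n' 'krb5*' 'lib64krb53*'
where EPOCH prints "(none)" when the package has no epoch.
"""
import re

# Fixed version-release from the advisory's package list (same for each subpackage)
FIXED_VR = "1.20.1-1.1.mga9"
ADVISORY_PACKAGES = (
    "krb5", "krb5-pkinit", "krb5-server", "krb5-server-ldap",
    "krb5-workstation", "lib64krb53", "lib64krb53-devel",
)

# Constructed sample: lib64krb53 and the servers were updated, but the
# pre-advisory krb5-workstation (release 1.mga9) is still installed.
SAMPLE_INSTALLED = """\
krb5 (none) 1.20.1 1.1.mga9
krb5-server (none) 1.20.1 1.1.mga9
lib64krb53 (none) 1.20.1 1.1.mga9
krb5-workstation (none) 1.20.1 1.mga9
"""


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's lib/rpmvercmp.c: returns -1, 0 or 1 for a <, ==, > b.
    Segments are runs of digits or runs of letters; a numeric segment beats an
    alphabetic one, '~' sorts before the end of string (pre-release) and '^'
    sorts after the end of string but before any other segment (post-release)."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Separators: anything that is not alphanumeric, '~' or '^'
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pattern = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pattern, a[i:]).group(0)
        mb = re.match(pattern, b[j:])
        sb = mb.group(0) if mb else ""
        i, j = i + len(sa), j + len(sb)
        if not sb:
            # Different segment types: the numeric side is the newer one
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def split_vr(vr: str):
    """'1.20.1-1.1.mga9' -> ('1.20.1', '1.1.mga9'); rpm versions never contain '-'."""
    version, release = vr.split("-", 1)
    return version, release


def parse_installed(text: str) -> dict:
    """Map package name -> (epoch, version, release) from the assumed rpm -qa format."""
    pkgs = {}
    for line in text.splitlines():
        if line.strip():
            name, epoch, version, release = line.split()
            pkgs[name] = (0 if epoch == "(none)" else int(epoch), version, release)
    return pkgs


def evr_cmp(evr1, evr2) -> int:
    """Compare (epoch, version, release) tuples the way rpm orders packages."""
    (e1, v1, r1), (e2, v2, r2) = evr1, evr2
    if e1 != e2:
        return 1 if e1 > e2 else -1
    rc = rpmvercmp(v1, v2)
    return rc if rc else rpmvercmp(r1, r2)


def check_advisory(installed_text: str, fixed_vr: str = FIXED_VR,
                   names=ADVISORY_PACKAGES) -> dict:
    """Return {name: 'ok' | 'vulnerable' | 'absent'} for every advisory package.
    Not-installed packages are 'absent' rather than failures: the advisory lists
    the rebuilt packages, not a set every host must have."""
    installed = parse_installed(installed_text)
    fixed = (0,) + split_vr(fixed_vr)
    result = {}
    for name in names:
        if name not in installed:
            result[name] = "absent"
        elif evr_cmp(installed[name], fixed) >= 0:
            result[name] = "ok"
        else:
            result[name] = "vulnerable"
    return result


if __name__ == "__main__":
    for pkg, status in check_advisory(SAMPLE_INSTALLED).items():
        print(f"{pkg}: {status}")
```

On a real Mageia 9 host, pipe the rpm query named in the docstring into check_advisory() in place of SAMPLE_INSTALLED; any 'vulnerable' entry means the host still carries a pre-MGASA-2024-0158 build of that subpackage.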
That update also solved CVE-2024-26462.
CVE: CVE-2024-26458, CVE-2024-26461 => CVE-2024-26458, CVE-2024-26461, CVE-2024-26462
Summary: krb5 new security issues CVE-2024-26458 and CVE-2024-26461 => krb5 new security issues CVE-2024-26458 and CVE-2024-2646[12]