Those CVEs were announced here: https://www.openwall.com/lists/oss-security/2024/06/28/5 The problem is solved with version 1.21.3 or with: https://github.com/krb5/krb5/commit/b0a2f8a5365f2eec3e27d78907de9f9d2c80505a Mageia 9 is also affected.
Whiteboard: (none) => MGA9TOOCVE: (none) => CVE-2024-37370, CVE-2024-37371Status comment: (none) => Fixed upstream in 1.21.3 and patch available from upstreamSource RPM: (none) => krb5-1.21.2-3.mga10.src.rpm
Suggested advisory: ======================== The updated packages fix security vulnerabilities: In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. (CVE-2024-37370) In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. (CVE-2024-37371) References: https://www.openwall.com/lists/oss-security/2024/06/28/5 ======================== Updated packages in core/updates_testing: ======================== krb5-1.20.1-1.2.mga9 krb5-pkinit-1.20.1-1.2.mga9 krb5-server-1.20.1-1.2.mga9 krb5-server-ldap-1.20.1-1.2.mga9 krb5-workstation-1.20.1-1.2.mga9 lib(64)krb53-1.20.1-1.2.mga9 lib(64)krb53-devel-1.20.1-1.2.mga9 from SRPM: krb5-1.20.1-1.2.mga9.src.rpm
Status comment: Fixed upstream in 1.21.3 and patch available from upstream => (none)Source RPM: krb5-1.21.2-3.mga10.src.rpm => krb5-1.20.1-1.1.mga9.src.rpmWhiteboard: MGA9TOO => (none)Version: Cauldron => 9Status: NEW => ASSIGNEDAssignee: bugsquad => qa-bugs
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on HP-Pavillion No installation issues. Followed wiki with success, good to go.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs