Fedora has issued an advisory on November 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REJM7FX5TXBAJNRQ7XSMGPQSLMSSGMA3/
It seems the patch is:
https://src.fedoraproject.org/rpms/krb5/blob/a4cd3984b366bc0aa420165f4eea887cb96d0885/f/0025-Generate-and-verify-message-MACs-in-libkrad.patch
Source RPM: (none) => krb5-1.21.3-1.mga10.src.rpm, krb5-1.20.1-1.2.mga9.src.rpm
Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-3596
Thanks for the patch reference. Assigning to KDE/Plasma.
Assignee: bugsquad => kde
Suggested advisory:
========================

The updated packages fix a security vulnerability:

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against the MD5 Response Authenticator signature. (CVE-2024-3596)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REJM7FX5TXBAJNRQ7XSMGPQSLMSSGMA3/
========================

Updated packages in core/updates_testing:
========================
krb5-1.20.1-1.3.mga9
krb5-pkinit-1.20.1-1.3.mga9
krb5-server-1.20.1-1.3.mga9
krb5-server-ldap-1.20.1-1.3.mga9
krb5-workstation-1.20.1-1.3.mga9
lib(64)krb53-1.20.1-1.3.mga9
lib(64)krb53-devel-1.20.1-1.3.mga9

from SRPM:
krb5-1.20.1-1.3.mga9.src.rpm
Version: Cauldron => 9
Status comment: Patch available from Fedora => (none)
Status: NEW => ASSIGNED
Assignee: kde => qa-bugs
Whiteboard: MGA9TOO => (none)
Source RPM: krb5-1.21.3-1.mga10.src.rpm, krb5-1.20.1-1.2.mga9.src.rpm => krb5-1.20.1-1.2.mga9.src.rpm
Keywords: (none) => advisory
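The patch referenced above (message MACs in libkrad) comes down to sending and checking the RFC 2869 Message-Authenticator attribute, an HMAC-MD5 keyed with the shared secret, next to the unkeyed MD5 Response Authenticator that the CVE text describes as forgeable. The following is an added illustration, not libkrad's or Fedora's code: a minimal builder and verifier for RADIUS responses, where the shared secret, Request Authenticator and attributes are constructed values and the rule that a response without a Message-Authenticator is rejected is this example's assumed policy.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def encode_attrs(attrs):
    """Encode [(type, value), ...] as RADIUS TLVs: type, length (incl. header), value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def build_response(code, ident, request_auth, secret, attrs, include_mac=True):
    """Build Access-Accept/Reject/Challenge; include_mac=False mimics a legacy MD5-only server."""
    attrs = [a for a in attrs if a[0] != MSG_AUTH]
    if include_mac:
        attrs.append((MSG_AUTH, bytes(16)))  # placeholder, filled in after the HMAC is computed
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if include_mac:
        # HMAC-MD5 over Code|ID|Length|Request Authenticator|Attributes with the MAC zeroed
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac  # the placeholder is the last attribute
    # Response Authenticator (RFC 2865): unkeyed MD5 with the shared secret appended
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(pkt, request_auth, secret):
    """Accept a response only if the Response Authenticator AND a Message-Authenticator verify."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    if not hmac.compare_digest(hashlib.md5(header + request_auth + body + secret).digest(), resp_auth):
        return False
    mac, zeroed, pos = None, bytearray(body), 0
    while pos < len(body):  # walk the TLVs, rejecting malformed lengths
        length = body[pos + 1] if pos + 2 <= len(body) else 0
        if length < 2 or pos + length > len(body):
            return False
        if body[pos] == MSG_AUTH:
            if length != 18 or mac is not None:
                return False
            mac = body[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += length
    if mac is None:
        return False  # assumed policy: a response carrying only the MD5 check is not trusted
    expected = hmac.new(secret, header + request_auth + bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, mac)
```

A response whose Code byte has been altered, or that lacks the keyed attribute, fails verify_response even when its Response Authenticator is consistent.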
Tried to follow the wiki as in bug 33344 Comment 2.
But after the initial steps for the server setup (no problems encountered) I noticed that:
there is no file /etc/xinetd.d/eklogin
and
# systemctl restart xinetd.service
Failed to restart xinetd.service: Unit xinetd.service not found.
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #3)
> Tried to follow the wiki as in bug 33344 Comment 2.
> But after the initial steps for the server setup (no problems encountered) I
> noticed that:
> there is no file /etc/xinetd.d/eklogin
> and
> # systemctl restart xinetd.service
> Failed to restart xinetd.service: Unit xinetd.service not found.

I think we need to update the wiki: https://wiki.archlinux.org/title/Kerberos . I hope the link helps you.
urpmf /etc/xinetd.d/eklogin -f
krb5-appl-servers-1.0.3-16.mga9.x86_64:/etc/xinetd.d/eklogin
So should krb5-appl-servers be a requirement, so that the test procedure can be followed as it is written in the wiki?
Herman, can you repeat the test, installing krb5-appl-servers by hand?
Installed it and then ran the procedure again; it works OK now, except that the final krlogin does not return anything, but that is a minor deviation I guess. OK then.
Whiteboard: (none) => MGA9-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0385.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED