[39547] in Kerberos


Regarding confirmation for CVE-2025-57736 in krb5

daemon@ATHENA.MIT.EDU (Ankit Srivastava via Kerberos)
Mon Sep 1 03:04:10 2025

To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Mon, 1 Sep 2025 07:02:38 +0000
Message-ID: <SJ5PPF2C6461432913CDC01CA6643EC6AB1BF07A@SJ5PPF2C6461432.namprd10.prod.outlook.com>
Content-Language: en-US
MIME-Version: 1.0
From: Ankit Srivastava via Kerberos <kerberos@mit.edu>
Reply-To: Ankit Srivastava <ankit.k.srivastava@oracle.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi Team,
While reviewing the Kerberos 1.22.1 release notes <https://web.mit.edu/kerberos/krb5-1.22/krb5-1.22.1.html>, I found the CVE claim mentioned below: Fix a vulnerability in GSS MIC verification [CVE-2025-57736].

But the same has not been mentioned in 1.22!

Based on my due diligence, it looks like commit 7ae0adc <https://github.com/krb5/krb5/commit/7ae0adcdf16687810f747e284c9fb571a561c5bd#diff-08d5eceeaa8561414331bf0e35a895bdb2b926688aeec402dc42be201763979e> caused this issue, which was merged in 1.22 with the newly introduced function "kg_verify_checksum_v3", and the CVE got resolved with commit 2531770 <https://github.com/krb5/krb5/commit/2531770c10115cb8b5ff529f813d86fa5a36db4c>.

So, does it impact users who are using krb5.1.21.3 or prior releases, or does it only impact users who have krb5.1.22?


Regards

Ankit Srivastava,
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
