[39548] in Kerberos
Re: Regarding confirmation for CVE-2025-57736 in krb5
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Sep 1 14:32:27 2025
Message-ID: <ddb3dfa3-fd53-4ec1-9f3b-476abe37c01e@mit.edu>
Date: Mon, 1 Sep 2025 14:32:14 -0400
To: Ankit Srivastava <ankit.k.srivastava@oracle.com>,
"kerberos@mit.edu" <kerberos@mit.edu>
From: "Greg Hudson" <ghudson@mit.edu>
On 9/1/25 03:02, Ankit Srivastava via Kerberos wrote:
> Hi Team,
> While reviewing Kerberos 1.22.1 release note[...] I have found CVE claim [...]
> But the same has not been mentioned in 1.22!
I'm not sure what this means. The release notes in the (withdrawn)
krb5-1.22 tarball can't be changed.
> So, does it impact users who are running krb5 1.21.3 or prior releases, or only users who have krb5 1.22?
Only 1.22 is impacted. Prior releases never had this bug, and 1.22.1
fixes it.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
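A practical check for the affected-range statement in Greg Hudson's reply (only the withdrawn 1.22 release is affected; 1.21.3 and earlier never had the bug; 1.22.1 fixes it). This is an added example, not code from the thread or from the MIT krb5 project. It assumes the usual "Kerberos 5 release X.Y.Z" output of krb5-config --version (and "Kerberos 5 version X.Y.Z" from klist -V); the sample strings in the test are constructed. Caveat a practitioner should keep in mind: a distribution package that reports 1.22 may have the fix backported, so a version string alone is not authoritative; check the vendor's changelog as well.

```python
import re
import subprocess

# Affected range exactly as stated in the reply above: the bug exists only
# in the withdrawn 1.22 (i.e. 1.22.0) release and is fixed in 1.22.1.
FIRST_AFFECTED = (1, 22, 0)
FIXED_IN = (1, 22, 1)

NOT_AFFECTED_OLD = "not affected (release predates the bug)"
AFFECTED = "affected (withdrawn 1.22 release)"
NOT_AFFECTED_FIXED = "not affected (contains the 1.22.1 fix)"

# First "major.minor[.patch]" token in the version banner.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_krb5_version(text):
    """Return (major, minor, patch) from a banner such as
    'Kerberos 5 release 1.22.1' (krb5-config --version, assumed format) or
    'Kerberos 5 version 1.21.3' (klist -V, assumed format).
    A two-component version such as '1.22' is the .0 release of its series,
    which is how the first release of each krb5 series is numbered."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no krb5 version found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(version):
    """Map a (major, minor, patch) tuple onto the range stated in the thread.
    Tuple comparison gives the correct ordering for 1.21.3 < 1.22.0 < 1.22.1."""
    if version < FIRST_AFFECTED:
        return NOT_AFFECTED_OLD
    if version < FIXED_IN:
        return AFFECTED
    return NOT_AFFECTED_FIXED


def classify_banner(text):
    """Convenience wrapper: banner string in, classification out."""
    return classify(parse_krb5_version(text))


def installed_krb5_version():
    """Ask the installed krb5 for its version; None if krb5-config is absent.
    Note: a vendor build reporting 1.22 may carry the fix as a backport."""
    try:
        out = subprocess.run(
            ["krb5-config", "--version"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_krb5_version(out)


if __name__ == "__main__":
    v = installed_krb5_version()
    if v is None:
        print("krb5-config not found; cannot determine installed version")
    else:
        print("installed krb5 %d.%d.%d: %s" % (v[0], v[1], v[2], classify(v)))
```

The three-way result is deliberate: "not affected" for a pre-1.22 release means the code never contained the bug, which is a different statement from "not affected" for 1.22.1, where the bug was present and then fixed; an inventory report should keep those apart.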