
Fedora 41: 2025-42a13f896e critical: kerberos encryption update

June 10, 2025
Fedora 41 upgrade: blocks weak encryption protocols and improves integration with Active Directory.

Summary

Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of sending passwords over the network in unencrypted form.

Update Information:

- Disallowing use of the arcfour-hmac(-md5) encryption type for session keys
- Add support for the PKINIT paChecksum2 sequence, required for Active Directory interoperability on Windows Server 2025
- Fix generation of RADIUS Message-Authenticator in FIPS mode

Change Log

* Fri Jun 6 2025 Julien Rische - 1.21.3-5
- Do not block HMAC-MD4/5 in FIPS mode
  Resolves: rhbz#2370259
- PKINIT: implement paChecksum2 from MS-PKCA v20230920
  Resolves: rhbz#2357215
- Disallow RC4 HMAC-MD5 session keys by default (CVE-2025-3576)
  Resolves: rhbz#2359673

References

[ 1 ] Bug #2357215 - PKINIT: implement paChecksum2 from MS-PKCA v20230920 [fedora]
      https://bugzilla.redhat.com/show_bug.cgi?id=2357215
[ 2 ] Bug #2359673 - CVE-2025-3576 krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5 Collisions [fedora-41]
      https://bugzilla.redhat.com/show_bug.cgi?id=2359673
[ 3 ] Bug #2370259 - Do not block HMAC-MD4/5 in FIPS mode [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2370259

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-42a13f896e' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
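
Because the update concerns session keys specifically, one check worth running afterwards is whether any cached ticket still carries an arcfour-hmac session key. The following is an added example, not part of the Fedora advisory: the function names are hypothetical and the ticket cache listing is constructed. It reads the first value after "Etype (skey, tkt):" (the session key), not the second (the ticket's own encryption type).

```shell
#!/bin/sh
# Added example (not from the advisory): list service principals whose
# Kerberos *session key* enctype is RC4, given `klist -e` output on stdin.

# Constructed sample of `klist -e` output; principals and times are made up.
sample_klist() {
cat <<'EOF'
Ticket cache: KCM:1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/10/2025 09:00:00  06/10/2025 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 06/17/2025 09:00:00, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/10/2025 09:05:00  06/10/2025 19:00:00  cifs/files.example.com@EXAMPLE.COM
	Etype (skey, tkt): DEPRECATED:arcfour-hmac, aes256-cts-hmac-sha1-96
06/10/2025 09:06:00  06/10/2025 19:00:00  HTTP/web.example.com@EXAMPLE.COM
	Etype (skey, tkt): aes128-cts-hmac-sha1-96, DEPRECATED:arcfour-hmac
EOF
}

rc4_session_keys() {
    awk '
    /^Ticket cache:/   { in_list = 0; next }   # header of a (new) cache
    /^Valid starting/  { in_list = 1; next }   # column header, tickets follow
    # Unindented line inside the listing: a ticket; principal is the last field.
    in_list && /^[^ \t]/ { svc = $NF; next }
    in_list && /Etype \(skey, tkt\):/ {
        line = $0
        sub(/.*Etype \(skey, tkt\): */, "", line)  # leaves "skey, tkt"
        split(line, et, /, */)                      # et[1] is the session key enctype
        sub(/^DEPRECATED:/, "", et[1])              # prefix klist adds to weak enctypes
        if (et[1] ~ /^(arcfour-hmac|arcfour-hmac-md5|rc4-hmac)$/) print svc
    }'
}

# Demonstration on the constructed sample. On a real host, pipe the live
# cache into the function instead:  klist -e | rc4_session_keys
sample_klist | rc4_session_keys
```

In the sample, only the cifs ticket is reported; the HTTP ticket is encrypted with RC4 but has an AES session key, so it is outside what this change blocks.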

Severity
critical

Name: krb5
Product: Fedora 41
Version: 1.21.3
Release: 5.fc41
Summary: The Kerberos network authentication system
