
Fedora 42: krb5 2025-3de9fe91ff critical: message spoofing risk

Fedora, June 9, 2025
Fedora 42 brings improvements to krb5, boosting both Kerberos authentication security and its interoperability with Windows Server.

Summary

Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of sending passwords over the network in unencrypted form.

Update Information:

- Disallowing use of the arcfour-hmac(-md5) encryption type for session keys
- Add support for the PKINIT paChecksum2 sequence, required for Active Directory interoperability on Windows Server 2025
- Fix generation of RADIUS Message-Authenticator in FIPS mode
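As an added example (not part of the advisory or of the krb5 project), the audit below reads the [libdefaults] section of a krb5.conf and flags settings that would re-enable the RC4-HMAC-MD5 session keys this update disallows by default. It assumes krb5's allow_rc4 libdefaults variable, which this page does not mention, and runs over constructed sample configurations.

```python
import re

# Enctype spellings krb5 accepts for RC4-HMAC-MD5 and its export variant.
WEAK_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "rc4-hmac-md5",
                 "arcfour-hmac-exp", "arcfour-hmac-md5-exp", "rc4-hmac-exp"}
ENCTYPE_LISTS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}  # boolean spellings krb5 accepts


def parse_libdefaults(text):
    """Map relation -> value for the [libdefaults] section of krb5.conf text.
    Comment lines are dropped; the first value of a repeated relation wins."""
    section, result = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            result.setdefault(key.strip().lower(), value.strip())
    return result


def audit(text):
    """Return findings describing RC4 re-enablement; an empty list means none."""
    lib, findings = parse_libdefaults(text), []
    # Assumed: krb5's allow_rc4 libdefaults variable (this page does not name it).
    if lib.get("allow_rc4", "false").lower() in TRUE_WORDS:
        findings.append("allow_rc4 is enabled: arcfour-hmac session keys permitted")
    for key in ENCTYPE_LISTS:
        weak = [e for e in re.split(r"[\s,]+", lib.get(key, "")) if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} lists RC4 enctype(s): {', '.join(weak)}")
    return findings


# Constructed sample configurations, not taken from any real host.
WEAK_CONF = """[libdefaults]
    default_realm = EXAMPLE.TEST
    allow_rc4 = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
    }
"""
HARDENED_CONF = """[libdefaults]
    default_realm = EXAMPLE.TEST
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""
```

Running audit() over WEAK_CONF reports both the explicit allow_rc4 and the arcfour-hmac entry in permitted_enctypes; HARDENED_CONF produces no findings.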

Change Log

* Wed Jun 4 2025 Julien Rische - 1.21.3-6
- Do not block HMAC-MD4/5 in FIPS mode
  Resolves: rhbz#2370259
- PKINIT: implement paChecksum2 from MS-PKCA v20230920
  Resolves: rhbz#2357215
- Disallow RC4 HMAC-MD5 session keys by default (CVE-2025-3576)
  Resolves: rhbz#2359705

References

[ 1 ] Bug #2357215 - PKINIT: implement paChecksum2 from MS-PKCA v20230920 [fedora]
      https://bugzilla.redhat.com/show_bug.cgi?id=2357215
[ 2 ] Bug #2359705 - CVE-2025-3576 krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5 Collisions [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2359705
[ 3 ] Bug #2370259 - Do not block HMAC-MD4/5 in FIPS mode [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2370259

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-3de9fe91ff' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical

Name: krb5
Product: Fedora 42
Version: 1.21.3
Release: 6.fc42
Summary: The Kerberos network authentication system
