Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 524
Alerts This Week
Warning Icon 1 524

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 43 articles for you...
219

Rocky Linux 8 Libpq Limited Memory Information Leak Issue RLSA-2023-7016

Low: libpq security update. {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2023:7016", "synopsis": "Low: libpq security update", "severity": "SEVERITY_LOW", "topic": "An update is available for libpq.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "description": "The libpq package provides the PostgreSQL client library, which allows client programs to connect to PostgreSQL servers. \n\nSecurity Fix(es):\n\n* postgresql: Client memory disclosure when connecting with Kerberos to modified server (CVE-2022-41862)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Rocky Linux 8.9 Release Notes linked from the References section.", "solution": null, "affectedProducts": ["Rocky Linux 8"], "fixes": [{"ticket": "2165722", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2165722", "description": ""}], "cves": [{"name": "CVE-2022-41862", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41862", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "cvss3BaseScore": "3.7", "cwe": "CWE-200"}], "references": [], "publishedAt": "2026-06-28T00:01:03.878968Z", "rpms": {"Rocky Linux 8": {"nvras": ["libpq-0:13.11-1.el8.src.rpm", "libpq-debuginfo-0:13.11-1.el8.aarch64.rpm", "libpq-debugsource-0:13.11-1.el8.aarch64.rpm", "libpq-devel-debuginfo-0:13.11-1.el8.aarch64.rpm"]}}, "rebootSuggested": false, "buildReferences": []}. Libpq security update for Rocky Linux addresses low severity issues, ensuring better protection against memory disclosure vulnerabilities.. Rocky Linux security updates, libpq security fix, PostgreSQL client library, memory disclosure vulnerability.. Severity: Low. LinuxSecurity.com Team

Calendar%202 Jun 28, 2026 Low Rocky Linux
217

Oracle Linux 8 krb5 Important ELSA-2026-16799 CVE-2026-40355 CVE-2026-40356

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-16799 http://linux.oracle.com/errata/ELSA-2026-16799.html The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: x86_64: krb5-devel-1.18.2-34.0.1.el8_10.i686.rpm krb5-devel-1.18.2-34.0.1.el8_10.x86_64.rpm krb5-libs-1.18.2-34.0.1.el8_10.i686.rpm krb5-libs-1.18.2-34.0.1.el8_10.x86_64.rpm krb5-pkinit-1.18.2-34.0.1.el8_10.i686.rpm krb5-pkinit-1.18.2-34.0.1.el8_10.x86_64.rpm krb5-server-1.18.2-34.0.1.el8_10.i686.rpm krb5-server-1.18.2-34.0.1.el8_10.x86_64.rpm krb5-server-ldap-1.18.2-34.0.1.el8_10.i686.rpm krb5-server-ldap-1.18.2-34.0.1.el8_10.x86_64.rpm krb5-workstation-1.18.2-34.0.1.el8_10.x86_64.rpm libkadm5-1.18.2-34.0.1.el8_10.i686.rpm libkadm5-1.18.2-34.0.1.el8_10.x86_64.rpm aarch64: krb5-devel-1.18.2-34.0.1.el8_10.aarch64.rpm krb5-libs-1.18.2-34.0.1.el8_10.aarch64.rpm krb5-pkinit-1.18.2-34.0.1.el8_10.aarch64.rpm krb5-server-1.18.2-34.0.1.el8_10.aarch64.rpm krb5-server-ldap-1.18.2-34.0.1.el8_10.aarch64.rpm krb5-workstation-1.18.2-34.0.1.el8_10.aarch64.rpm libkadm5-1.18.2-34.0.1.el8_10.aarch64.rpm SRPMS: http://oss.oracle.com/ol8/SRPMS-updates/krb5-1.18.2-34.0.1.el8_10.src.rpm Related CVEs: CVE-2026-40355 CVE-2026-40356 Description of changes: [1.18.2-34.0.1] - Fixed race condition in krb5_set_password() [Orabug: 33609767] [1.18.2-34] - Fix NegoEx parsing vulnerabilities (CVE-2026-40355, CVE-2026-40356) Resolves: RHEL-171589 RHEL-171594 _______________________________________________ El-errata mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. https://oss.oracle.com/mailman/listinfo/el-errata . Updated rpms for Oracle Linux 8 released targeting important issues in krb5. Strongly recommended to apply fixes.. Oracle Linux 8, krb5, security advisory, important update, Linux patches. . Severity: Important. LinuxSecurity.com Team

Calendar%202 May 14, 2026 Important Oracle
89

Fedora 41: 2025-42a13f896e critical: kerberos encryption update

Disallowing use of the arcfour-hmac(-md5) encryption type for session keys Add support for the PKINIT paChecksum2 sequence, required for Active Directory interoperability on Windows Server 2025 Fix generation of RADIUS Message-Authenticator in FIPS mode. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-42a13f896e 2025-06-10 02:58:46.832310+00:00 -------------------------------------------------------------------------------- Name : krb5 Product : Fedora 41 Version : 1.21.3 Release : 5.fc41 URL : https://web.mit.edu/kerberos/www/ Summary : The Kerberos network authentication system Description : Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of sending passwords over the network in unencrypted form. -------------------------------------------------------------------------------- Update Information: Disallowing use of the arcfour-hmac(-md5) encryption type for session keys Add support for the PKINIT paChecksum2 sequence, required for Active Directory interoperability on Windows Server 2025 Fix generation of RADIUS Message-Authenticator in FIPS mode -------------------------------------------------------------------------------- ChangeLog: * Fri Jun 6 2025 Julien Rische - 1.21.3-5 - Do not block HMAC-MD4/5 in FIPS mode Resolves: rhbz#2370259 - PKINIT: implement paChecksum2 from MS-PKCA v20230920 Resolves: rhbz#2357215 - Disallow RC4 HMAC-MD5 session keys by default (CVE-2025-3576) Resolves: rhbz#2359673 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2357215 - PKINIT: implement paChecksum2 from MS-PKCA v20230920 [fedora] https://bugzilla.redhat.com/show_bug.cgi?id=2357215 [ 2 ] Bug #2359673 - CVE-2025-3576 krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5Collisions [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2359673 [ 3 ] Bug #2370259 - Do not block HMAC-MD4/5 in FIPS mode [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2370259 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-42a13f896e' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it. Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue . Fedora 41 upgrade: blocks weak encryption protocols and improves integration with Active Directory.. Fedora Security Update, Kerberos Authentication, Active Directory Integration, Encryption Updates. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Jun 10, 2025 Critical Fedora
89

Fedora 42: krb5 2025-3de9fe91ff critical: message spoofing risk

Disallowing use of the arcfour-hmac(-md5) encryption type for session keys Add support for the PKINIT paChecksum2 sequence, required for Active Directory interoperability on Windows Server 2025 Fix generation of RADIUS Message-Authenticator in FIPS mode. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-3de9fe91ff 2025-06-09 02:34:27.502391+00:00 -------------------------------------------------------------------------------- Name : krb5 Product : Fedora 42 Version : 1.21.3 Release : 6.fc42 URL : https://web.mit.edu/kerberos/www/ Summary : The Kerberos network authentication system Description : Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of sending passwords over the network in unencrypted form. -------------------------------------------------------------------------------- Update Information: Disallowing use of the arcfour-hmac(-md5) encryption type for session keys Add support for the PKINIT paChecksum2 sequence, required for Active Directory interoperability on Windows Server 2025 Fix generation of RADIUS Message-Authenticator in FIPS mode -------------------------------------------------------------------------------- ChangeLog: * Wed Jun 4 2025 Julien Rische - 1.21.3-6 - Do not block HMAC-MD4/5 in FIPS mode Resolves: rhbz#2370259 - PKINIT: implement paChecksum2 from MS-PKCA v20230920 Resolves: rhbz#2357215 - Disallow RC4 HMAC-MD5 session keys by default (CVE-2025-3576) Resolves: rhbz#2359705 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2357215 - PKINIT: implement paChecksum2 from MS-PKCA v20230920 [fedora] https://bugzilla.redhat.com/show_bug.cgi?id=2357215 [ 2 ] Bug #2359705 - CVE-2025-3576 krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5Collisions [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2359705 [ 3 ] Bug #2370259 - Do not block HMAC-MD4/5 in FIPS mode [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2370259 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-3de9fe91ff' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it. Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue . Fedora 42 brings improvements to krb5, boosting both Kerberos authentication security and its interoperability with Windows Server.. krb5 security update, Fedora security advisory, encryption updates. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Jun 09, 2025 Critical Fedora
89

Fedora 40: FEDORA-2024-29a74ac2b0 critical: krb5 PKINIT Fix

Security: CVE-2024-3596: Fix for BlastRADIUS vulnerability in libkrad (support for Message-Authenticator attribute) Marvin attack: Removal of the "RSA" method for PKINIT Fix of miscellaneous mistakes in the code. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2024-29a74ac2b0 2024-11-15 03:17:43.956683 -------------------------------------------------------------------------------- Name : krb5 Product : Fedora 40 Version : 1.21.3 Release : 2.fc40 URL : https://web.mit.edu/kerberos/www/ Summary : The Kerberos network authentication system Description : Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of sending passwords over the network in unencrypted form. -------------------------------------------------------------------------------- Update Information: Security: CVE-2024-3596: Fix for BlastRADIUS vulnerability in libkrad (support for Message-Authenticator attribute) Marvin attack: Removal of the "RSA" method for PKINIT Fix of miscellaneous mistakes in the code Enhancement: Rework of TCP request timeout (disabled by default, global timeout setting added) -------------------------------------------------------------------------------- ChangeLog: * Wed Oct 30 2024 Julien Rische - 1.21.3-2 - libkrad: implement support for Message-Authenticator (CVE-2024-3596) Resolves: rhbz#2304071 - Fix various issues detected by static analysis Resolves: rhbz#2322704 - Remove RSA protocol for PKINIT Resolves: rhbz#2322706 - Make TCP waiting time configurable Resolves: rhbz#2322711 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2304071 - libkrad: implement support for Message-Authenticator (CVE-2024-3596) https://bugzilla.redhat.com/show_bug.cgi?id=2304071 [ 2 ] Bug #2322704 - Fix various issues detected bystatic analysis https://bugzilla.redhat.com/show_bug.cgi?id=2322704 [ 3 ] Bug #2322706 - Remove RSA protocol for PKINIT https://bugzilla.redhat.com/show_bug.cgi?id=2322706 [ 4 ] Bug #2322711 - Make TCP waiting time configurable https://bugzilla.redhat.com/show_bug.cgi?id=2322711 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-29a74ac2b0' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it. Do not reply to spam, report it: . The Fedora 40 advisory on krb5 highlights critical vulnerabilities related to CVE-2024-3596, urging users to update promptly to ensure system security and integrity.. Fedora 40, krb5, libkrad, security advisory, PKINIT. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Nov 15, 2024 Critical Fedora
98

Red Hat Linux 9: RHSA-2003:091-01 Critical: Kerberos Authentication Attack

Updated Kerberos packages for Red Hat Linux 9 fix a number of vulnerabilities found in MIT Kerberos. . ` --------------------------------------------------------------------- Red Hat Security Advisory Synopsis: Updated kerberos packages fix various vulnerabilities Advisory ID: RHSA-2003:091-01 Issue date: 2003-04-02 Updated on: 2003-04-02 Product: Red Hat Linux Keywords: krb5 Cross references: RHSA-2003:051 RHSA-2003:052 Obsoletes: RHSA-2003:021 CVE Names: CAN-2003-0028 CAN-2003-082 CAN-2003-0138 CAN-2003-0139 ---------------------------------------------------------------------1. Topic: Updated Kerberos packages for Red Hat Linux 9 fix a number of vulnerabilities found in MIT Kerberos. 2. Relevant releases/architectures: Red Hat Linux 9 - i386 3. Problem description: Kerberos is a network authentication system. The MIT Kerberos team released an advisory describing a number of vulnerabilities that affect the kerberos packages shipped as part of Red Hat Linux 9. These issues include: Vulnerabilities have been found in the triple-DES key support found in the implementation of the Kerberos IV authentication protocol included in MIT Kerberos. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0139 to this issue. Vulnerabilities have been found in the Kerberos IV authentication protocol which allow an attacker with knowledge of a cross-realm key, which is shared with another realm, to impersonate any principal in that realm to any service in that realm. This vulnerability can only be closed by disabling cross-realm authentication in Kerberos IV (CAN-2003-0138). Vulnerabilities have been found in the RPC library used by the kadmin service in Kerberos 5. A faulty length check in the RPC library exposes kadmind to an integer overflow which can be used to crash kadmind (CAN-2003-0028). The Key Distribution Center (KDC) allows remote, authenticatedattackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes the KDC to corrupt its heap (CAN-2003-0082). All users of Kerberos are advised to upgrade to these errata packages, which disable cross-realm authentication by default for Kerberos IV and which contain patches that correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. RPMs required: Red Hat Linux 9: SRPMS: i386: 6. Verification: MD5 sum Package Name --------------------------------------------------------------------------a8520da58b790a356d0a94ae75f7957b 9/en/os/SRPMS/krb5-1.2.7-14.src.rpm 49e7783cb50c3694411b7856d098eff5 9/en/os/i386/krb5-devel-1.2.7-14.i386.rpm 6cb5040d3a4bd21a801e8c1e5da6388d 9/en/os/i386/krb5-libs-1.2.7-14.i386.rpm 8eb2a755c2fdf52b779960ec66cc6783 9/en/os/i386/krb5-server-1.2.7-14.i386.rpm bbcde88fa4f273c7c45a927dc5b40d58 9/en/os/i386/krb5-workstation-1.2.7-14.i386.rpm These packages are GPG signed by Red Hat for security. Our key is available at All Red Hat products You can verify each package with the following command: rpm --checksig-v If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: md5sum 7. References: mit mit mit -CAN-2003-0028 CAN-2003-0082 CAN-2003-0138 CAN-2003-0139 8. Contact: The Red Hat security contact is . More contact details at All Red Hat products Copyright 2003 Red Hat, Inc. _______________________________________________ Red Hat-watch-list mailing list To unsubscribe, visit: `. Updated Kerberos packages for Red Hat Linux 9 fix critical vulnerabilities affecting authentication functionality.. Red Hat Linux, Kerberos Security Patches, Authentication Problems. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Jul 15, 2023 Critical Red Hat
197

Debian 10: DLA-3206-1 Critical: Resolved Heimdal Vulnerabilities

Multiple security vulnerabilities were discovered in heimdal, an implementation of the Kerberos 5 authentication protocol, which may result in denial of service, information disclosure, or remote code execution. . ------------------------------------------------------------------------- Debian LTS Advisory DLA-3206-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/lts/security/ Guilhem Moulin November 26, 2022 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : heimdal Version : 7.5.0+dfsg-3+deb10u1 CVE ID : CVE-2019-14870 CVE-2021-3671 CVE-2021-44758 CVE-2022-3437 CVE-2022-41916 CVE-2022-42898 CVE-2022-44640 Debian Bug : 946786 996586 1024187 Multiple security vulnerabilities were discovered in heimdal, an implementation of the Kerberos 5 authentication protocol, which may result in denial of service, information disclosure, or remote code execution. CVE-2019-14870 Isaac Boukris reported that the Heimdal KDC before 7.7.1 does not apply delegation_not_allowed (aka not-delegated) user attributes for S4U2Self. Instead the forwardable flag is set even if the impersonated client has the not-delegated flag set. CVE-2021-3671 Joseph Sutton discovered that the Heimdal KDC before 7.7.1 does not check for missing missing sname in TGS-REQ (Ticket Granting Server - Request) before before dereferencing. An authenticated user could use this flaw to crash the KDC. CVE-2021-44758 It was discovered that Heimdal is prone to a NULL dereference in acceptors when the initial SPNEGO token has no acceptable mechanisms, which may result in denial of service for a server application that uses the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). CVE-2022-3437 Evgeny Legerov reported that the DES and Triple-DES decryption routines in the Heimdal GSSAPI library before 7.7.1 were proneto buffer overflow on malloc() allocated memory when presented with a maliciously small packet. In addition, the Triple-DES and RC4 (arcfour) decryption routine were prone to non-constant time leaks, which could potentially yield to a leak of secret key material when using these ciphers. CVE-2022-41916 It was discovered that Heimdal's PKI certificate validation library before 7.7.1 can under some circumstances perform an out-of-bounds memory access when normalizing Unicode, which may result in denial of service. CVE-2022-42898 Greg Hudson discovered an integer multiplication overflow in the Privilege Attribute Certificate (PAC) parsing routine, which may result in denial of service for Heimdal KDCs and possibly Heimdal servers (e.g., via GSS-API) on 32-bit systems. CVE-2022-44640 Douglas Bagnall and the Heimdal maintainers independently discovered that Heimdal's ASN.1 compiler before 7.7.1 generates code that allows specially crafted DER encodings of CHOICEs to invoke the wrong free() function on the decoded structure upon decode error, which may result in remote code execution in the Heimdal KDC and possibly the Kerberos client, the X.509 library, and other components as well. For Debian 10 buster, these problems have been fixed in version 7.5.0+dfsg-3+deb10u1. We recommend that you upgrade your heimdal packages. For the detailed security status of heimdal please refer to its security tracker page at: https://security-tracker.debian.org/tracker/source-package/heimdal Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . Several security flaws in the Heimdal authentication framework have been addressed in Debian LTS DLA-3206-1. Ensure you update your packages promptly.. Heimdal Security Update, Debian Advisory, Kerberos Exploit Risks. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Nov 26, 2022 Critical Debian LTS
172

Ubuntu 21.10 USN-5142-3 Security Advisory: Samba Kerberos Regression

USN-5142-1 introduced a regression in Samba.. =========================================================================Ubuntu Security Notice USN-5142-3 December 13, 2021 samba regression ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 21.10 - Ubuntu 21.04 - Ubuntu 20.04 LTS Summary: USN-5142-1 introduced a regression in Samba. Software Description: - samba: SMB/CIFS file, print, and login server for Unix Details: USN-5142-1 fixed vulnerabilities in Samba. Some of the upstream changes introduced a regression in Kerberos authentication in certain environments. Please see the following upstream bug for more information: This update fixes the problem. Original advisory details: Stefan Metzmacher discovered that Samba incorrectly handled SMB1 client connections. A remote attacker could possibly use this issue to downgrade connections to plaintext authentication. (CVE-2016-2124) Andrew Bartlett discovered that Samba incorrectly mapping domain users to local users. An authenticated attacker could possibly use this issue to become root on domain members. (CVE-2020-25717) Andrew Bartlett discovered that Samba did not correctly sandbox Kerberos tickets issues by an RODC. An RODC could print administrator tickets, contrary to expectations. (CVE-2020-25718) Andrew Bartlett discovered that Samba incorrectly handled Kerberos tickets. Delegated administrators could possibly use this issue to impersonate accounts, leading to total domain compromise. (CVE-2020-25719) Andrew Bartlett discovered that Samba did not provide stable AD identifiers to Kerberos acceptors. (CVE-2020-25721) Andrew Bartlett discovered that Samba did not properly check sensitive attributes. An authenticated attacker could possibly use this issue to escalate privileges. (CVE-2020-25722) Stefan Metzmacher discovered that Samba incorrectly handled certain large DCE/RPCrequests. A remote attacker could possibly use this issue to bypass signature requirements. (CVE-2021-23192) William Ross discovered that Samba incorrectly handled memory. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly escalate privileges. (CVE-2021-3738) Joseph Sutton discovered that Samba incorrectly handled certain TGS requests. An authenticated attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. (CVE-2021-3671) The fix for CVE-2020-25717 results in possible behaviour changes that could affect certain environments. Please see the upstream advisory for more information: Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.10: samba 2:4.13.14+dfsg-0ubuntu0.21.10.4 Ubuntu 21.04: samba 2:4.13.14+dfsg-0ubuntu0.21.04.4 Ubuntu 20.04 LTS: samba 2:4.13.14+dfsg-0ubuntu0.20.04.4 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5142-3 https://ubuntu.com/security/notices/USN-5142-1 https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1950363 Package Information: https://launchpad.net/ubuntu/+source/samba/2:4.13.14+dfsg-0ubuntu0.21.10.4 https://launchpad.net/ubuntu/+source/samba/2:4.13.14+dfsg-0ubuntu0.21.04.4 https://launchpad.net/ubuntu/+source/samba/2:4.13.14+dfsg-0ubuntu0.20.04.4 . A recent Ubuntu update addresses a Samba issue affecting Kerberos authentication, thereby bolstering security measures in specific settings.. Samba Regression, Kerberos Authentication, Ubuntu Security Notice, Samba Security Issues, Authentication Fixes. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Dec 13, 2021 Critical Ubuntu
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200