Explore top 10 tips to secure your open-source projects now. Read More
×Low: libpq security update. {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2023:7016", "synopsis": "Low: libpq security update", "severity": "SEVERITY_LOW", "topic": "An update is available for libpq.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "description": "The libpq package provides the PostgreSQL client library, which allows client programs to connect to PostgreSQL servers. \n\nSecurity Fix(es):\n\n* postgresql: Client memory disclosure when connecting with Kerberos to modified server (CVE-2022-41862)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Rocky Linux 8.9 Release Notes linked from the References section.", "solution": null, "affectedProducts": ["Rocky Linux 8"], "fixes": [{"ticket": "2165722", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2165722", "description": ""}], "cves": [{"name": "CVE-2022-41862", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41862", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "cvss3BaseScore": "3.7", "cwe": "CWE-200"}], "references": [], "publishedAt": "2026-06-28T00:01:03.878968Z", "rpms": {"Rocky Linux 8": {"nvras": ["libpq-0:13.11-1.el8.src.rpm", "libpq-debuginfo-0:13.11-1.el8.aarch64.rpm", "libpq-debugsource-0:13.11-1.el8.aarch64.rpm", "libpq-devel-debuginfo-0:13.11-1.el8.aarch64.rpm"]}}, "rebootSuggested": false, "buildReferences": []}. Libpq security update for Rocky Linux addresses low severity issues, ensuring better protection against memory disclosure vulnerabilities.. Rocky Linux security updates, libpq security fix, PostgreSQL client library, memory disclosure vulnerability.. Severity: Low. LinuxSecurity.com Team
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-16799 http://linux.oracle.com/errata/ELSA-2026-16799.html The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: x86_64: krb5-devel-1.18.2-34.0.1.el8_10.i686.rpm krb5-devel-1.18.2-34.0.1.el8_10.x86_64.rpm krb5-libs-1.18.2-34.0.1.el8_10.i686.rpm krb5-libs-1.18.2-34.0.1.el8_10.x86_64.rpm krb5-pkinit-1.18.2-34.0.1.el8_10.i686.rpm krb5-pkinit-1.18.2-34.0.1.el8_10.x86_64.rpm krb5-server-1.18.2-34.0.1.el8_10.i686.rpm krb5-server-1.18.2-34.0.1.el8_10.x86_64.rpm krb5-server-ldap-1.18.2-34.0.1.el8_10.i686.rpm krb5-server-ldap-1.18.2-34.0.1.el8_10.x86_64.rpm krb5-workstation-1.18.2-34.0.1.el8_10.x86_64.rpm libkadm5-1.18.2-34.0.1.el8_10.i686.rpm libkadm5-1.18.2-34.0.1.el8_10.x86_64.rpm aarch64: krb5-devel-1.18.2-34.0.1.el8_10.aarch64.rpm krb5-libs-1.18.2-34.0.1.el8_10.aarch64.rpm krb5-pkinit-1.18.2-34.0.1.el8_10.aarch64.rpm krb5-server-1.18.2-34.0.1.el8_10.aarch64.rpm krb5-server-ldap-1.18.2-34.0.1.el8_10.aarch64.rpm krb5-workstation-1.18.2-34.0.1.el8_10.aarch64.rpm libkadm5-1.18.2-34.0.1.el8_10.aarch64.rpm SRPMS: http://oss.oracle.com/ol8/SRPMS-updates/krb5-1.18.2-34.0.1.el8_10.src.rpm Related CVEs: CVE-2026-40355 CVE-2026-40356 Description of changes: [1.18.2-34.0.1] - Fixed race condition in krb5_set_password() [Orabug: 33609767] [1.18.2-34] - Fix NegoEx parsing vulnerabilities (CVE-2026-40355, CVE-2026-40356) Resolves: RHEL-171589 RHEL-171594 _______________________________________________ El-errata mailing list
Disallowing use of the arcfour-hmac(-md5) encryption type for session keys Add support for the PKINIT paChecksum2 sequence, required for Active Directory interoperability on Windows Server 2025 Fix generation of RADIUS Message-Authenticator in FIPS mode. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-42a13f896e 2025-06-10 02:58:46.832310+00:00 -------------------------------------------------------------------------------- Name : krb5 Product : Fedora 41 Version : 1.21.3 Release : 5.fc41 URL : https://web.mit.edu/kerberos/www/ Summary : The Kerberos network authentication system Description : Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of sending passwords over the network in unencrypted form. -------------------------------------------------------------------------------- Update Information: Disallowing use of the arcfour-hmac(-md5) encryption type for session keys Add support for the PKINIT paChecksum2 sequence, required for Active Directory interoperability on Windows Server 2025 Fix generation of RADIUS Message-Authenticator in FIPS mode -------------------------------------------------------------------------------- ChangeLog: * Fri Jun 6 2025 Julien Rische - 1.21.3-5 - Do not block HMAC-MD4/5 in FIPS mode Resolves: rhbz#2370259 - PKINIT: implement paChecksum2 from MS-PKCA v20230920 Resolves: rhbz#2357215 - Disallow RC4 HMAC-MD5 session keys by default (CVE-2025-3576) Resolves: rhbz#2359673 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2357215 - PKINIT: implement paChecksum2 from MS-PKCA v20230920 [fedora] https://bugzilla.redhat.com/show_bug.cgi?id=2357215 [ 2 ] Bug #2359673 - CVE-2025-3576 krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5Collisions [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2359673 [ 3 ] Bug #2370259 - Do not block HMAC-MD4/5 in FIPS mode [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2370259 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-42a13f896e' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Disallowing use of the arcfour-hmac(-md5) encryption type for session keys Add support for the PKINIT paChecksum2 sequence, required for Active Directory interoperability on Windows Server 2025 Fix generation of RADIUS Message-Authenticator in FIPS mode. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-3de9fe91ff 2025-06-09 02:34:27.502391+00:00 -------------------------------------------------------------------------------- Name : krb5 Product : Fedora 42 Version : 1.21.3 Release : 6.fc42 URL : https://web.mit.edu/kerberos/www/ Summary : The Kerberos network authentication system Description : Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of sending passwords over the network in unencrypted form. -------------------------------------------------------------------------------- Update Information: Disallowing use of the arcfour-hmac(-md5) encryption type for session keys Add support for the PKINIT paChecksum2 sequence, required for Active Directory interoperability on Windows Server 2025 Fix generation of RADIUS Message-Authenticator in FIPS mode -------------------------------------------------------------------------------- ChangeLog: * Wed Jun 4 2025 Julien Rische - 1.21.3-6 - Do not block HMAC-MD4/5 in FIPS mode Resolves: rhbz#2370259 - PKINIT: implement paChecksum2 from MS-PKCA v20230920 Resolves: rhbz#2357215 - Disallow RC4 HMAC-MD5 session keys by default (CVE-2025-3576) Resolves: rhbz#2359705 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2357215 - PKINIT: implement paChecksum2 from MS-PKCA v20230920 [fedora] https://bugzilla.redhat.com/show_bug.cgi?id=2357215 [ 2 ] Bug #2359705 - CVE-2025-3576 krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling Message Spoofing via MD5Collisions [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2359705 [ 3 ] Bug #2370259 - Do not block HMAC-MD4/5 in FIPS mode [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2370259 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-3de9fe91ff' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Security: CVE-2024-3596: Fix for BlastRADIUS vulnerability in libkrad (support for Message-Authenticator attribute) Marvin attack: Removal of the "RSA" method for PKINIT Fix of miscellaneous mistakes in the code. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2024-29a74ac2b0 2024-11-15 03:17:43.956683 -------------------------------------------------------------------------------- Name : krb5 Product : Fedora 40 Version : 1.21.3 Release : 2.fc40 URL : https://web.mit.edu/kerberos/www/ Summary : The Kerberos network authentication system Description : Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of sending passwords over the network in unencrypted form. -------------------------------------------------------------------------------- Update Information: Security: CVE-2024-3596: Fix for BlastRADIUS vulnerability in libkrad (support for Message-Authenticator attribute) Marvin attack: Removal of the "RSA" method for PKINIT Fix of miscellaneous mistakes in the code Enhancement: Rework of TCP request timeout (disabled by default, global timeout setting added) -------------------------------------------------------------------------------- ChangeLog: * Wed Oct 30 2024 Julien Rische - 1.21.3-2 - libkrad: implement support for Message-Authenticator (CVE-2024-3596) Resolves: rhbz#2304071 - Fix various issues detected by static analysis Resolves: rhbz#2322704 - Remove RSA protocol for PKINIT Resolves: rhbz#2322706 - Make TCP waiting time configurable Resolves: rhbz#2322711 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2304071 - libkrad: implement support for Message-Authenticator (CVE-2024-3596) https://bugzilla.redhat.com/show_bug.cgi?id=2304071 [ 2 ] Bug #2322704 - Fix various issues detected bystatic analysis https://bugzilla.redhat.com/show_bug.cgi?id=2322704 [ 3 ] Bug #2322706 - Remove RSA protocol for PKINIT https://bugzilla.redhat.com/show_bug.cgi?id=2322706 [ 4 ] Bug #2322711 - Make TCP waiting time configurable https://bugzilla.redhat.com/show_bug.cgi?id=2322711 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-29a74ac2b0' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Updated Kerberos packages for Red Hat Linux 9 fix a number of vulnerabilities found in MIT Kerberos. . ` --------------------------------------------------------------------- Red Hat Security Advisory Synopsis: Updated kerberos packages fix various vulnerabilities Advisory ID: RHSA-2003:091-01 Issue date: 2003-04-02 Updated on: 2003-04-02 Product: Red Hat Linux Keywords: krb5 Cross references: RHSA-2003:051 RHSA-2003:052 Obsoletes: RHSA-2003:021 CVE Names: CAN-2003-0028 CAN-2003-082 CAN-2003-0138 CAN-2003-0139 ---------------------------------------------------------------------1. Topic: Updated Kerberos packages for Red Hat Linux 9 fix a number of vulnerabilities found in MIT Kerberos. 2. Relevant releases/architectures: Red Hat Linux 9 - i386 3. Problem description: Kerberos is a network authentication system. The MIT Kerberos team released an advisory describing a number of vulnerabilities that affect the kerberos packages shipped as part of Red Hat Linux 9. These issues include: Vulnerabilities have been found in the triple-DES key support found in the implementation of the Kerberos IV authentication protocol included in MIT Kerberos. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0139 to this issue. Vulnerabilities have been found in the Kerberos IV authentication protocol which allow an attacker with knowledge of a cross-realm key, which is shared with another realm, to impersonate any principal in that realm to any service in that realm. This vulnerability can only be closed by disabling cross-realm authentication in Kerberos IV (CAN-2003-0138). Vulnerabilities have been found in the RPC library used by the kadmin service in Kerberos 5. A faulty length check in the RPC library exposes kadmind to an integer overflow which can be used to crash kadmind (CAN-2003-0028). The Key Distribution Center (KDC) allows remote, authenticatedattackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes the KDC to corrupt its heap (CAN-2003-0082). All users of Kerberos are advised to upgrade to these errata packages, which disable cross-realm authentication by default for Kerberos IV and which contain patches that correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. RPMs required: Red Hat Linux 9: SRPMS: i386: 6. Verification: MD5 sum Package Name --------------------------------------------------------------------------a8520da58b790a356d0a94ae75f7957b 9/en/os/SRPMS/krb5-1.2.7-14.src.rpm 49e7783cb50c3694411b7856d098eff5 9/en/os/i386/krb5-devel-1.2.7-14.i386.rpm 6cb5040d3a4bd21a801e8c1e5da6388d 9/en/os/i386/krb5-libs-1.2.7-14.i386.rpm 8eb2a755c2fdf52b779960ec66cc6783 9/en/os/i386/krb5-server-1.2.7-14.i386.rpm bbcde88fa4f273c7c45a927dc5b40d58 9/en/os/i386/krb5-workstation-1.2.7-14.i386.rpm These packages are GPG signed by Red Hat for security. Our key is available at All Red Hat products You can verify each package with the following command: rpm --checksig-v If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: md5sum 7. References: mit mit mit -CAN-2003-0028 CAN-2003-0082 CAN-2003-0138 CAN-2003-0139 8. Contact: The Red Hat security contact is . More contact details at All Red Hat products Copyright 2003 Red Hat, Inc. _______________________________________________ Red Hat-watch-list mailing list To unsubscribe, visit: `. Updated Kerberos packages for Red Hat Linux 9 fix critical vulnerabilities affecting authentication functionality.. Red Hat Linux, Kerberos Security Patches, Authentication Problems. . Severity: Critical. LinuxSecurity.com Team
Multiple security vulnerabilities were discovered in heimdal, an implementation of the Kerberos 5 authentication protocol, which may result in denial of service, information disclosure, or remote code execution. . ------------------------------------------------------------------------- Debian LTS Advisory DLA-3206-1
USN-5142-1 introduced a regression in Samba.. =========================================================================Ubuntu Security Notice USN-5142-3 December 13, 2021 samba regression ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 21.10 - Ubuntu 21.04 - Ubuntu 20.04 LTS Summary: USN-5142-1 introduced a regression in Samba. Software Description: - samba: SMB/CIFS file, print, and login server for Unix Details: USN-5142-1 fixed vulnerabilities in Samba. Some of the upstream changes introduced a regression in Kerberos authentication in certain environments. Please see the following upstream bug for more information: This update fixes the problem. Original advisory details: Stefan Metzmacher discovered that Samba incorrectly handled SMB1 client connections. A remote attacker could possibly use this issue to downgrade connections to plaintext authentication. (CVE-2016-2124) Andrew Bartlett discovered that Samba incorrectly mapping domain users to local users. An authenticated attacker could possibly use this issue to become root on domain members. (CVE-2020-25717) Andrew Bartlett discovered that Samba did not correctly sandbox Kerberos tickets issues by an RODC. An RODC could print administrator tickets, contrary to expectations. (CVE-2020-25718) Andrew Bartlett discovered that Samba incorrectly handled Kerberos tickets. Delegated administrators could possibly use this issue to impersonate accounts, leading to total domain compromise. (CVE-2020-25719) Andrew Bartlett discovered that Samba did not provide stable AD identifiers to Kerberos acceptors. (CVE-2020-25721) Andrew Bartlett discovered that Samba did not properly check sensitive attributes. An authenticated attacker could possibly use this issue to escalate privileges. (CVE-2020-25722) Stefan Metzmacher discovered that Samba incorrectly handled certain large DCE/RPCrequests. A remote attacker could possibly use this issue to bypass signature requirements. (CVE-2021-23192) William Ross discovered that Samba incorrectly handled memory. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly escalate privileges. (CVE-2021-3738) Joseph Sutton discovered that Samba incorrectly handled certain TGS requests. An authenticated attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. (CVE-2021-3671) The fix for CVE-2020-25717 results in possible behaviour changes that could affect certain environments. Please see the upstream advisory for more information: Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.10: samba 2:4.13.14+dfsg-0ubuntu0.21.10.4 Ubuntu 21.04: samba 2:4.13.14+dfsg-0ubuntu0.21.04.4 Ubuntu 20.04 LTS: samba 2:4.13.14+dfsg-0ubuntu0.20.04.4 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5142-3 https://ubuntu.com/security/notices/USN-5142-1 https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1950363 Package Information: https://launchpad.net/ubuntu/+source/samba/2:4.13.14+dfsg-0ubuntu0.21.10.4 https://launchpad.net/ubuntu/+source/samba/2:4.13.14+dfsg-0ubuntu0.21.04.4 https://launchpad.net/ubuntu/+source/samba/2:4.13.14+dfsg-0ubuntu0.20.04.4 . A recent Ubuntu update addresses a Samba issue affecting Kerberos authentication, thereby bolstering security measures in specific settings.. Samba Regression, Kerberos Authentication, Ubuntu Security Notice, Samba Security Issues, Authentication Fixes. . Severity: Critical. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.