Version in base suite: 1.20.1-2+deb12u3 Base version: krb5_1.20.1-2+deb12u3 Target version: krb5_1.20.1-2+deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/k/krb5/krb5_1.20.1-2+deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/k/krb5/krb5_1.20.1-2+deb12u4.dsc changelog | 21 ++ krb5-kdc.NEWS | 8 patches/CVE-2025-3576.patch | 318 +++++++++++++++++++++++++++++++++++ patches/kdc-assume-aes-support.patch | 47 +++++ patches/series | 2 5 files changed, 396 insertions(+) diff -Nru krb5-1.20.1/debian/changelog krb5-1.20.1/debian/changelog --- krb5-1.20.1/debian/changelog 2025-02-23 17:42:24.000000000 +0000 +++ krb5-1.20.1/debian/changelog 2025-05-07 17:06:22.000000000 +0000 @@ -1,3 +1,24 @@ +krb5 (1.20.1-2+deb12u4) bookworm; urgency=medium + + * Non Maintainer upload by LTS team + * Fix CVE-2025-3576. Closes: #1103525 + A Vulnerability in the MIT Kerberos implementation + allows GSSAPI-protected messages using RC4-HMAC-MD5 + to be spoofed due to weaknesses in the MD5 checksum design. + If RC4 is preferred over stronger encryption types, + an attacker could exploit MD5 collisions to forge message + integrity codes. This may lead to unauthorized + message tampering. + * Tickets will not be issued with RC4 or triple-DES session + keys unless explicitly configured with the new allow_rc4 + or allow_des3 variables respectively. + * In KDC, assume all services support aes256-sha1 + To facilitate negotiating session keys with acceptable security, + assume that services support aes256-cts-hmac-sha1 unless a + session_enctypes string attribute says otherwise. + + -- Bastien Roucariès Wed, 07 May 2025 19:06:22 +0200 + krb5 (1.20.1-2+deb12u3) bookworm; urgency=medium * Non Maintainer upload by LTS team diff -Nru krb5-1.20.1/debian/krb5-kdc.NEWS krb5-1.20.1/debian/krb5-kdc.NEWS --- krb5-1.20.1/debian/krb5-kdc.NEWS 2025-02-23 16:33:21.000000000 +0000 +++ krb5-1.20.1/debian/krb5-kdc.NEWS 2025-05-07 17:06:22.000000000 +0000 @@ -1,3 +1,11 @@ +krb5 (1.20.1-2+deb12u4) bookworm; urgency=medium + + In order to fix CVE-2025-3576, vulnerable cryptographic + for tickets are disabled by default unless explicitly configured + with the new allow_rc4 or allow_des3 variables respectively. + + -- Bastien Roucariès Sun, 04 May 2025 22:44:14 +0200 + krb5 (1.13.1+dfsg-1) experimental; urgency=low The KDC process now listens on TCP port 88 as well as UDP port 88 by diff -Nru krb5-1.20.1/debian/patches/CVE-2025-3576.patch krb5-1.20.1/debian/patches/CVE-2025-3576.patch --- krb5-1.20.1/debian/patches/CVE-2025-3576.patch 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.20.1/debian/patches/CVE-2025-3576.patch 2025-05-07 17:06:22.000000000 +0000 @@ -0,0 +1,318 @@ +From: Greg Hudson +Date: Fri, 16 Dec 2022 18:31:07 -0500 +Subject: [PATCH] Don't issue session keys with deprecated enctypes + +A paper by Tom Tervoort noted that rc4-hmac pre-hashes the input for +its checksum and GSS operations before applying HMAC, and is therefore +potentially vulnerable to hash collision attacks if a protocol +contains a restricted signing oracle. + +In light of these potential attacks, begin the functional deprecation +of DES3 and RC4 by disallowing their use as session key enctypes by +default. Add the variables allow_des3 and allow_rc4 in case +negotiability of these enctypes for session keys needs to be turned +back on, with the expectation that in future releases the enctypes +will be more comprehensively deprecated. + +ticket: 9081 +origin: backport, https://github.com/krb5/krb5/commit/1b57a4d134bbd0e7c52d5885a92eccc815726463 +--- + doc/admin/conf_files/krb5_conf.rst | 12 ++++++++++++ + doc/admin/enctypes.rst | 23 ++++++++++++++++++++--- + src/include/k5-int.h | 4 ++++ + src/kdc/kdc_util.c | 10 ++++++++++ + src/lib/krb5/krb/get_in_tkt.c | 31 ++++++++++++++++++++----------- + src/lib/krb5/krb/init_ctx.c | 10 ++++++++++ + src/tests/gssapi/t_enctypes.py | 3 ++- + src/tests/t_etype_info.py | 2 +- + src/tests/t_sesskeynego.py | 28 ++++++++++++++++++++++++++-- + src/util/k5test.py | 4 ++-- + 10 files changed, 107 insertions(+), 20 deletions(-) + +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index d5d6e06..d7d4baf 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -95,6 +95,18 @@ Additionally, krb5.conf may include any of the relations described in + + The libdefaults section may contain any of the following relations: + ++**allow_des3** ++ Permit the KDC to issue tickets with des3-cbc-sha1 session keys. ++ In future releases, this flag will allow des3-cbc-sha1 to be used ++ at all. The default value for this tag is false. (Added in ++ release 1.21.) ++ ++**allow_rc4** ++ Permit the KDC to issue tickets with arcfour-hmac session keys. ++ In future releases, this flag will allow arcfour-hmac to be used ++ at all. The default value for this tag is false. (Added in ++ release 1.21.) ++ + **allow_weak_crypto** + If this flag is set to false, then weak encryption types (as noted + in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered +diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst +index 694922c..dce19ad 100644 +--- a/doc/admin/enctypes.rst ++++ b/doc/admin/enctypes.rst +@@ -48,12 +48,15 @@ Session key selection + The KDC chooses the session key enctype by taking the intersection of + its **permitted_enctypes** list, the list of long-term keys for the + most recent kvno of the service, and the client's requested list of +-enctypes. ++enctypes. Starting in krb5-1.21, all services are assumed to support ++aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session ++keys will not be issued by default. + + Starting in krb5-1.11, it is possible to set a string attribute on a + service principal to control what session key enctypes the KDC may +-issue for service tickets for that principal. See :ref:`set_string` +-in :ref:`kadmin(1)` for details. ++issue for service tickets for that principal, overriding the service's ++long-term keys and the assumption of aes256-cts-hmac-sha1-96 support. ++See :ref:`set_string` in :ref:`kadmin(1)` for details. + + + Choosing enctypes for a service +@@ -87,6 +90,20 @@ affect how enctypes are chosen. + acceptable risk for your environment and the weak enctypes are + required for backward compatibility. + ++**allow_des3** ++ was added in release 1.21 and defaults to *false*. Unless this ++ flag is set to *true*, the KDC will not issue tickets with ++ des3-cbc-sha1 session keys. In a future release, this flag will ++ control whether des3-cbc-sha1 is permitted in similar fashion to ++ weak enctypes. ++ ++**allow_rc4** ++ was added in release 1.21 and defaults to *false*. Unless this ++ flag is set to *true*, the KDC will not issue tickets with ++ arcfour-hmac session keys. In a future release, this flag will ++ control whether arcfour-hmac is permitted in similar fashion to ++ weak enctypes. ++ + **permitted_enctypes** + controls the set of enctypes that a service will permit for + session keys and for ticket and authenticator encryption. The KDC +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 5c582dc..b89763f 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -180,6 +180,8 @@ typedef unsigned char u_char; + * matches the variable name. Keep these alphabetized. */ + #define KRB5_CONF_ACL_FILE "acl_file" + #define KRB5_CONF_ADMIN_SERVER "admin_server" ++#define KRB5_CONF_ALLOW_DES3 "allow_des3" ++#define KRB5_CONF_ALLOW_RC4 "allow_rc4" + #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto" + #define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local" + #define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names" +@@ -1244,6 +1246,8 @@ struct _krb5_context { + struct _kdb_log_context *kdblog_context; + + krb5_boolean allow_weak_crypto; ++ krb5_boolean allow_des3; ++ krb5_boolean allow_rc4; + krb5_boolean ignore_acceptor_hostname; + krb5_boolean enforce_ok_as_delegate; + enum dns_canonhost dns_canonicalize_hostname; +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index 9f2a67d..490864f 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -1045,6 +1045,16 @@ select_session_keytype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server, + if (!krb5_is_permitted_enctype(kdc_context, ktype[i])) + continue; + ++ /* ++ * Prevent these deprecated enctypes from being used as session keys ++ * unless they are explicitly allowed. In the future they will be more ++ * comprehensively disabled and eventually removed. ++ */ ++ if (ktype[i] == ENCTYPE_DES3_CBC_SHA1 && !kdc_context->allow_des3) ++ continue; ++ if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !kdc_context->allow_rc4) ++ continue; ++ + if (dbentry_supports_enctype(kdc_active_realm, server, ktype[i])) + return ktype[i]; + } +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index 8b5ab59..4ca7b4e 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -1583,22 +1583,31 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, + (*prompter)(context, data, 0, banner, 0, 0); + } + +-/* Display a warning via the prompter if des3-cbc-sha1 was used for either the +- * reply key or the session key. */ ++/* Display a warning via the prompter if a deprecated enctype was used for ++ * either the reply key or the session key. */ + static void +-warn_des3(krb5_context context, krb5_init_creds_context ctx, +- krb5_enctype as_key_enctype) ++warn_deprecated(krb5_context context, krb5_init_creds_context ctx, ++ krb5_enctype as_key_enctype) + { +- const char *banner; ++ krb5_enctype etype; ++ char encbuf[128], banner[256]; + +- if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 && +- ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1) +- return; + if (ctx->prompter == NULL) + return; + +- banner = _("Warning: encryption type des3-cbc-sha1 used for " +- "authentication is weak and will be disabled"); ++ if (krb5int_c_deprecated_enctype(as_key_enctype)) ++ etype = as_key_enctype; ++ else if (krb5int_c_deprecated_enctype(ctx->cred.keyblock.enctype)) ++ etype = ctx->cred.keyblock.enctype; ++ else ++ return; ++ ++ if (krb5_enctype_to_name(etype, FALSE, encbuf, sizeof(encbuf)) != 0) ++ return; ++ snprintf(banner, sizeof(banner), ++ _("Warning: encryption type %s used for authentication is " ++ "deprecated and will be disabled"), encbuf); ++ + /* PROMPTER_INVOCATION */ + (*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL); + } +@@ -1849,7 +1858,7 @@ init_creds_step_reply(krb5_context context, + ctx->complete = TRUE; + warn_pw_expiry(context, ctx->opt, ctx->prompter, ctx->prompter_data, + ctx->in_tkt_service, ctx->reply); +- warn_des3(context, ctx, encrypting_key.enctype); ++ warn_deprecated(context, ctx, encrypting_key.enctype); + + cleanup: + krb5_free_pa_data(context, kdc_padata); +diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c +index 87b486c..a6c2bbe 100644 +--- a/src/lib/krb5/krb/init_ctx.c ++++ b/src/lib/krb5/krb/init_ctx.c +@@ -221,6 +221,16 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, + goto cleanup; + ctx->allow_weak_crypto = tmp; + ++ retval = get_boolean(ctx, KRB5_CONF_ALLOW_DES3, 0, &tmp); ++ if (retval) ++ goto cleanup; ++ ctx->allow_des3 = tmp; ++ ++ retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp); ++ if (retval) ++ goto cleanup; ++ ctx->allow_rc4 = tmp; ++ + retval = get_boolean(ctx, KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, 0, &tmp); + if (retval) + goto cleanup; +diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py +index 7494d7f..f5f1184 100755 +--- a/src/tests/gssapi/t_enctypes.py ++++ b/src/tests/gssapi/t_enctypes.py +@@ -18,7 +18,8 @@ d_rc4 = 'DEPRECATED:arcfour-hmac' + # These tests make assumptions about the default enctype lists, so set + # them explicitly rather than relying on the library defaults. + supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal' +-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'}, ++conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4', ++ 'allow_des3': 'true', 'allow_rc4': 'true'}, + 'realms': {'$realm': {'supported_enctypes': supp}}} + realm = K5Realm(krb5_conf=conf) + shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save')) +diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py +index c982508..38cf96c 100644 +--- a/src/tests/t_etype_info.py ++++ b/src/tests/t_etype_info.py +@@ -1,7 +1,7 @@ + from k5test import * + + supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac' +-conf = {'libdefaults': {'allow_weak_crypto': 'true'}, ++conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'}, + 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} + realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf) + +diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py +index 9024aee..5a21361 100755 +--- a/src/tests/t_sesskeynego.py ++++ b/src/tests/t_sesskeynego.py +@@ -25,6 +25,8 @@ conf3 = {'libdefaults': { + 'default_tkt_enctypes': 'aes128-cts', + 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}} + conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}} ++conf5 = {'libdefaults': {'allow_rc4': 'true'}} ++conf6 = {'libdefaults': {'allow_des3': 'true'}} + # Test with client request and session_enctypes preferring aes128, but + # aes256 long-term key. + realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False) +@@ -54,10 +56,12 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes', + 'aes128-cts,aes256-cts']) + test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') + +-# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term. ++# 3b: Skip RC4 (as the KDC does not allow it for session keys by ++# default) and negotiate aes128-cts session key, with only an aes256 ++# long-term service key. + realm.run([kadminl, 'setstr', 'server', 'session_enctypes', + 'rc4-hmac,aes128-cts,aes256-cts']) +-test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') ++test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') + realm.stop() + + # 4: Check that permitted_enctypes is a default for session key enctypes. +@@ -67,4 +71,24 @@ realm.run([kvno, 'user'], + expected_trace=('etypes requested in TGS request: aes256-cts',)) + realm.stop() + ++# 5: allow_rc4 permits negotiation of rc4-hmac session key. ++realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False) ++realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) ++realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac']) ++test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') ++realm.stop() ++ ++# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key. ++realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False) ++realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) ++realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1']) ++test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96') ++realm.stop() ++ ++# 7: default config negotiates aes256-sha1 session key for RC4-only service. ++realm = K5Realm(create_host=False, get_creds=False) ++realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server']) ++test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac') ++realm.stop() ++ + success('sesskeynego') +diff --git a/src/util/k5test.py b/src/util/k5test.py +index 619f199..6c5a586 100644 +--- a/src/util/k5test.py ++++ b/src/util/k5test.py +@@ -1346,14 +1346,14 @@ _passes = [ + + # Exercise the DES3 enctype. + ('des3', None, +- {'libdefaults': {'permitted_enctypes': 'des3'}}, ++ {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'des3-cbc-sha1:normal', + 'master_key_type': 'des3-cbc-sha1'}}}), + + # Exercise the arcfour enctype. + ('arcfour', None, +- {'libdefaults': {'permitted_enctypes': 'rc4'}}, ++ {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'arcfour-hmac:normal', + 'master_key_type': 'arcfour-hmac'}}}), diff -Nru krb5-1.20.1/debian/patches/kdc-assume-aes-support.patch krb5-1.20.1/debian/patches/kdc-assume-aes-support.patch --- krb5-1.20.1/debian/patches/kdc-assume-aes-support.patch 1970-01-01 00:00:00.000000000 +0000 +++ krb5-1.20.1/debian/patches/kdc-assume-aes-support.patch 2025-05-07 17:06:22.000000000 +0000 @@ -0,0 +1,47 @@ +From: Greg Hudson +Date: Wed, 14 Dec 2022 13:20:46 -0500 +Subject: [PATCH] In KDC, assume all services support aes256-sha1 + +To facilitate negotiating session keys with acceptable security, +assume that services support aes256-cts-hmac-sha1 unless a +session_enctypes string attribute says otherwise. + +ticket: 9075 +origin: backport, https://github.com/krb5/krb5/commit/2cbd847e0e92bc4e219b65c770ae33f851b22afc +--- + src/kdc/kdc_util.c | 4 ++++ + src/tests/t_keyrollover.py | 6 +++--- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index 490864f..fd57c64 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -1023,6 +1023,10 @@ dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server, + free(etypes_str); + free(etypes); + ++ /* Assume every server without a session_enctypes attribute supports ++ * aes256-cts-hmac-sha1-96. */ ++ if (enctype == ENCTYPE_AES256_CTS_HMAC_SHA1_96) ++ return TRUE; + /* Assume the server supports any enctype it has a long-term key for. */ + return !krb5_dbe_find_enctype(kdc_context, server, enctype, -1, 0, &datap); + } +diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py +index 2c825a6..e9840df 100755 +--- a/src/tests/t_keyrollover.py ++++ b/src/tests/t_keyrollover.py +@@ -22,9 +22,9 @@ realm.run([kvno, princ1]) + realm.run([kadminl, 'purgekeys', realm.krbtgt_princ]) + # Make sure an old TGT fails after purging old TGS key. + realm.run([kvno, princ2], expected_code=1) +-et = "aes128-cts-hmac-sha256-128" +-msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \ +- (realm.realm, realm.realm, et, et) ++msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \ ++ 'aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha256-128' % \ ++ (realm.realm, realm.realm) + realm.run([klist, '-e'], expected_msg=msg) + + # Check that new key actually works. diff -Nru krb5-1.20.1/debian/patches/series krb5-1.20.1/debian/patches/series --- krb5-1.20.1/debian/patches/series 2025-02-23 17:42:24.000000000 +0000 +++ krb5-1.20.1/debian/patches/series 2025-05-07 17:06:22.000000000 +0000 @@ -11,3 +11,5 @@ CVE-2024-37370 CVE-2024-26462.patch CVE-2025-24528.patch +CVE-2025-3576.patch +kdc-assume-aes-support.patch