{"affected":[{"ecosystem_specific":{"binaries":[{"krb5":"1.20.1-150600.11.14.1","krb5-32bit":"1.20.1-150600.11.14.1","krb5-client":"1.20.1-150600.11.14.1","krb5-devel":"1.20.1-150600.11.14.1","krb5-plugin-preauth-otp":"1.20.1-150600.11.14.1","krb5-plugin-preauth-pkinit":"1.20.1-150600.11.14.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Basesystem 15 SP6","name":"krb5","purl":"pkg:rpm/suse/krb5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.20.1-150600.11.14.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"krb5":"1.20.1-150600.11.14.1","krb5-32bit":"1.20.1-150600.11.14.1","krb5-client":"1.20.1-150600.11.14.1","krb5-devel":"1.20.1-150600.11.14.1","krb5-plugin-preauth-otp":"1.20.1-150600.11.14.1","krb5-plugin-preauth-pkinit":"1.20.1-150600.11.14.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Basesystem 15 SP7","name":"krb5","purl":"pkg:rpm/suse/krb5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.20.1-150600.11.14.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"krb5-plugin-kdb-ldap":"1.20.1-150600.11.14.1","krb5-server":"1.20.1-150600.11.14.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Server Applications 15 SP6","name":"krb5","purl":"pkg:rpm/suse/krb5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.20.1-150600.11.14.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"krb5-plugin-kdb-ldap":"1.20.1-150600.11.14.1","krb5-server":"1.20.1-150600.11.14.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Server Applications 15 SP7","name":"krb5","purl":"pkg:rpm/suse/krb5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.20.1-150600.11.14.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"krb5":"1.20.1-150600.11.14.1","krb5-32bit":"1.20.1-150600.11.14.1","krb5-client":"1.20.1-150600.11.14.1","krb5-devel":"1.20.1-150600.11.14.1","krb5-devel-32bit":"1.20.1-150600.11.14.1","krb5-plugin-kdb-ldap":"1.20.1-150600.11.14.1","krb5-plugin-preauth-otp":"1.20.1-150600.11.14.1","krb5-plugin-preauth-pkinit":"1.20.1-150600.11.14.1","krb5-plugin-preauth-spake":"1.20.1-150600.11.14.1","krb5-server":"1.20.1-150600.11.14.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"krb5","purl":"pkg:rpm/opensuse/krb5&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.20.1-150600.11.14.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for krb5 fixes the following issues:\n\n- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using\n  RC4-HMAC-MD5 (bsc#1241219).\n\nKrb5 as very old protocol supported quite a number of ciphers\nthat are not longer up to current cryptographic standards.\n\nTo avoid problems with those, SUSE has by default now disabled\nthose alorithms.\n\nThe following algorithms have been removed from valid krb5 enctypes:\n\n- des3-cbc-sha1\n- arcfour-hmac-md5\n\nTo reenable those algorithms, you can use allow options in krb5.conf:\n\n[libdefaults]\nallow_des3 = true\nallow_rc4 = true\n\nto reenable them.\n","id":"SUSE-SU-2025:3699-1","modified":"2025-10-21T10:07:48Z","published":"2025-10-21T10:07:48Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-20253699-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1241219"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-3576"}],"related":["CVE-2025-3576"],"summary":"Security update for krb5","upstream":["CVE-2025-3576"]}