==========================================================================
Ubuntu Security Notice USN-7314-1
March 03, 2025

krb5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Kerberos.

Software Description:
- krb5: MIT Kerberos Network Authentication Protocol

Details:

It was discovered that Kerberos incorrectly handled certain memory
operations. A remote attacker could possibly use this issue to cause
Kerberos to consume memory,leading to a denial of service. (CVE-2024-26458,
CVE-2024-26461)

It was discovered that Kerberos incorrectly handled certain memory
operations. A remote attacker could possibly use this issue to cause
Kerberos to consume memory,leading to a denial of service. This issue only
affected Ubuntu 24.04 LTS. (CVE-2024-26462)

It was discovered that the Kerberos kadmind daemon incorrectly handled log
files when incremental propagation was enabled. An authenticated attacker
could use this issue to cause kadmind to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2025-24528)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  krb5-admin-server               1.21.3-3ubuntu0.2
  krb5-kdc                        1.21.3-3ubuntu0.2
  libgssapi-krb5-2                1.21.3-3ubuntu0.2
  libgssrpc4t64                   1.21.3-3ubuntu0.2
  libkdb5-10t64                   1.21.3-3ubuntu0.2

Ubuntu 24.04 LTS
  krb5-admin-server               1.20.1-6ubuntu2.5
  krb5-kdc                        1.20.1-6ubuntu2.5
  libgssapi-krb5-2                1.20.1-6ubuntu2.5
  libgssrpc4t64                   1.20.1-6ubuntu2.5
  libkdb5-10t64                   1.20.1-6ubuntu2.5

Ubuntu 22.04 LTS
  krb5-admin-server               1.19.2-2ubuntu0.6
  krb5-kdc                        1.19.2-2ubuntu0.6
  libgssapi-krb5-2                1.19.2-2ubuntu0.6
  libgssrpc4                      1.19.2-2ubuntu0.6
  libkdb5-10                      1.19.2-2ubuntu0.6

Ubuntu 20.04 LTS
  krb5-admin-server               1.17-6ubuntu4.9
  krb5-kdc                        1.17-6ubuntu4.9
  libgssapi-krb5-2                1.17-6ubuntu4.9
  libgssrpc4                      1.17-6ubuntu4.9
  libkdb5-9                       1.17-6ubuntu4.9

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7314-1
  CVE-2024-26458, CVE-2024-26461, CVE-2024-26462, CVE-2025-24528

Package Information:
  https://launchpad.net/ubuntu/+source/krb5/1.21.3-3ubuntu0.2
  https://launchpad.net/ubuntu/+source/krb5/1.20.1-6ubuntu2.5
  https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.6
  https://launchpad.net/ubuntu/+source/krb5/1.17-6ubuntu4.9