Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Undefined
Fix Version/s: rhel-10.1
Affects Version/s: rhel-10.0.z
Component/s: krb5
Labels:
- commit

Regression:
No
Severity:
Moderate

AssignedTeam:
rhel-idm-ipa
Sub-System Group:

ssg_idm

Story Points:
0
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
CVE - Common Vulnerabilities and Exposures
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

An change was mad upstream to disallow use of RC4 by default (an additional configuration parameter has to be set to allow it):
https://github.com/krb5/krb5/commit/1b57a4d134bbd0e7c52d5885a92eccc815726463

This restriction is also part of MS-KILE:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/6cfc7b50-11ed-4b4d-846d-6f08f0812919

This change was reverted to avoid conflicts with the crypto-policy system. But it may still be needed for restricting use of RC4 for session keys specifically.

duplicates

RHEL-88047 CVE-2025-3576: RC4 HMAC-MD5 checksum vulnerability enabling GSSAPI-protected message spoofing via MD5 collisions [rhel-10]

Closed

split to

RHEL-84872 [DEV Task]: Disallow use of RC4 HMAC-MD5 for session keys by default (CVE-2025-3576)

Closed

Assignee:: Julien Rische

Reporter:: Julien Rische

Developer:: Julien Rische

QA Contact:: Michal Polovka

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/03/24 4:07 PM

Updated:: 2025/04/30 7:10 AM

Resolved:: 2025/04/28 12:15 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates