Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: rhel-8.10.z
Affects Version/s: rhel-8.10.z
Component/s: krb5
Labels:
- commit

Fixed in Build:
krb5-1.18.2-32.el8_10
Regression:
No
Severity:
Important
Epic Link:
FREEIPA-12280
Keywords:

ZStream
sprint_count:
3

AssignedTeam:
rhel-idm-ipa
Sub-System Group:

ssg_idm

Story Points:
3
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
2025-Q2-Bravo-S2, 2025-Q2-Bravo-S3, 2025-Q2-Bravo-S4
Release Blocker:
Approved Blocker

Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/149793
Test Coverage:

Automated

ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

To ensure RC4 HMAC-MD5 was not used in FIPS mode, access to HMAC-MD4/5 is not allowed in this mode. However, since we provide the [libdefaults]radius_md5_fips_override configuration parameter to allow using RADIUS regardless to the FIPS restrictions, we should allow HMAC-MD5 to be used too in this case, because it is required for the newly supported Message-Authenticator attribute. Having an exception for MD5 alone, but not for HMAC-MD5 does not make sense.

links to

RHBA-2025:150462 updated toolbox-container container image

RHSA-2025:149793 krb5 security update

Assignee:: Julien Rische

Reporter:: Julien Rische

Developer:: Julien Rische

QA Contact:: Michal Polovka

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/04/10 9:12 AM

Updated:: 2025/09/13 1:40 PM

Resolved:: 2025/06/03 1:22 AM

Next Planned Release Date:: 2025/06/12

Release Date:: 2025/06/12

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide