Security update for krb5 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2305-1 Final 1 1 2024-07-04T22:13:07Z current 2024-07-04T22:13:07Z 2024-07-04T22:13:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for krb5 This update for krb5 fixes the following issues: - CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were errouneously accepted (bsc#1227186). - CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/sle15:15.2-2024-2305,SUSE-2024-2305,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-2305,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-2305,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-2305 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242305-1/ Link for SUSE-SU-2024:2305-1 https://lists.suse.com/pipermail/sle-security-updates/2024-July/018874.html E-Mail link for SUSE-SU-2024:2305-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1227186 SUSE Bug 1227186 https://bugzilla.suse.com/1227187 SUSE Bug 1227187 https://www.suse.com/security/cve/CVE-2024-37370/ SUSE CVE CVE-2024-37370 page https://www.suse.com/security/cve/CVE-2024-37371/ SUSE CVE CVE-2024-37371 page Container suse/sle15:15.2 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 krb5-1.16.3-150100.3.36.1 krb5-32bit-1.16.3-150100.3.36.1 krb5-64bit-1.16.3-150100.3.36.1 krb5-client-1.16.3-150100.3.36.1 krb5-devel-1.16.3-150100.3.36.1 krb5-devel-32bit-1.16.3-150100.3.36.1 krb5-devel-64bit-1.16.3-150100.3.36.1 krb5-mini-1.16.3-150100.3.36.1 krb5-mini-devel-1.16.3-150100.3.36.1 krb5-plugin-kdb-ldap-1.16.3-150100.3.36.1 krb5-plugin-preauth-otp-1.16.3-150100.3.36.1 krb5-plugin-preauth-pkinit-1.16.3-150100.3.36.1 krb5-server-1.16.3-150100.3.36.1 krb5-1.16.3-150100.3.36.1 as a component of Container suse/sle15:15.2 krb5-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS krb5-32bit-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS krb5-client-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS krb5-devel-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS krb5-plugin-kdb-ldap-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS krb5-plugin-preauth-otp-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS krb5-plugin-preauth-pkinit-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS krb5-server-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS krb5-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS krb5-32bit-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS krb5-client-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS krb5-devel-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS krb5-plugin-kdb-ldap-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS krb5-plugin-preauth-otp-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS krb5-plugin-preauth-pkinit-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS krb5-server-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS krb5-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 krb5-32bit-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 krb5-client-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 krb5-devel-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 krb5-plugin-kdb-ldap-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 krb5-plugin-preauth-otp-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 krb5-plugin-preauth-pkinit-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 krb5-server-1.16.3-150100.3.36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. CVE-2024-37370 Container suse/sle15:15.2:krb5-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-32bit-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-client-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-devel-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-plugin-kdb-ldap-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-plugin-preauth-otp-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-plugin-preauth-pkinit-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-server-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-32bit-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-client-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-devel-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-plugin-kdb-ldap-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-plugin-preauth-otp-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-plugin-preauth-pkinit-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-server-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-32bit-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-client-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-devel-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-plugin-kdb-ldap-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-plugin-preauth-otp-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-plugin-preauth-pkinit-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-server-1.16.3-150100.3.36.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242305-1/ https://www.suse.com/security/cve/CVE-2024-37370.html CVE-2024-37370 https://bugzilla.suse.com/1227186 SUSE Bug 1227186 https://bugzilla.suse.com/1227187 SUSE Bug 1227187 In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. CVE-2024-37371 Container suse/sle15:15.2:krb5-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-32bit-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-client-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-devel-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-plugin-kdb-ldap-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-plugin-preauth-otp-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-plugin-preauth-pkinit-1.16.3-150100.3.36.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:krb5-server-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-32bit-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-client-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-devel-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-plugin-kdb-ldap-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-plugin-preauth-otp-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-plugin-preauth-pkinit-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server 15 SP2-LTSS:krb5-server-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-32bit-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-client-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-devel-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-plugin-kdb-ldap-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-plugin-preauth-otp-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-plugin-preauth-pkinit-1.16.3-150100.3.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:krb5-server-1.16.3-150100.3.36.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242305-1/ https://www.suse.com/security/cve/CVE-2024-37371.html CVE-2024-37371 https://bugzilla.suse.com/1227186 SUSE Bug 1227186 https://bugzilla.suse.com/1227187 SUSE Bug 1227187