Security update for krb5 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:3729-1 Final 1 1 2025-10-22T13:19:35Z current 2025-10-22T13:19:35Z 2025-10-22T13:19:35Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for krb5 This update for krb5 fixes the following issues: - CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using RC4-HMAC-MD5 (bsc#1241219). Krb5 as very old protocol supported quite a number of ciphers that are not longer up to current cryptographic standards. To avoid problems with those, SUSE has by default now disabled those alorithms. The following algorithms have been removed from valid krb5 enctypes: - des3-cbc-sha1 - arcfour-hmac-md5 To reenable those algorithms, you can use allow options in krb5.conf: [libdefaults] allow_des3 = true allow_rc4 = true to reenable them. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/sle-micro-rancher/5.3:latest-2025-3729,Container suse/sle-micro-rancher/5.4:latest-2025-3729,Image SLES15-SP4-BYOS-2025-3729,Image SLES15-SP4-BYOS-GCE-2025-3729,Image SLES15-SP4-Hardened-BYOS-2025-3729,Image SLES15-SP4-Hardened-BYOS-GCE-2025-3729,Image SLES15-SP4-SAP-2025-3729,Image SLES15-SP4-SAP-Azure-LI-BYOS-2025-3729,Image SLES15-SP4-SAP-Azure-LI-BYOS-Production-2025-3729,Image SLES15-SP4-SAP-Azure-VLI-BYOS-2025-3729,Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production-2025-3729,Image SLES15-SP4-SAP-BYOS-2025-3729,Image SLES15-SP4-SAP-BYOS-GCE-2025-3729,Image SLES15-SP4-SAP-GCE-2025-3729,Image SLES15-SP4-SAP-Hardened-2025-3729,Image SLES15-SP4-SAP-Hardened-BYOS-2025-3729,Image SLES15-SP4-SAP-Hardened-BYOS-GCE-2025-3729,Image SLES15-SP4-SAP-Hardened-GCE-2025-3729,Image SLES15-SP4-SAPCAL-2025-3729,Image SLES15-SP4-SAPCAL-GCE-2025-3729,SUSE-2025-3729,SUSE-SLE-Micro-5.3-2025-3729,SUSE-SLE-Micro-5.4-2025-3729 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20253729-1/ Link for SUSE-SU-2025:3729-1 https://lists.suse.com/pipermail/sle-updates/2025-October/042259.html E-Mail link for SUSE-SU-2025:3729-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1241219 SUSE Bug 1241219 https://www.suse.com/security/cve/CVE-2025-3576/ SUSE CVE CVE-2025-3576 page Container suse/sle-micro-rancher/5.3:latest Container suse/sle-micro-rancher/5.4:latest Image SLES15-SP4-BYOS Image SLES15-SP4-BYOS-GCE Image SLES15-SP4-Hardened-BYOS Image SLES15-SP4-Hardened-BYOS-GCE Image SLES15-SP4-SAP Image SLES15-SP4-SAP-Azure-LI-BYOS Image SLES15-SP4-SAP-Azure-LI-BYOS-Production Image SLES15-SP4-SAP-Azure-VLI-BYOS Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production Image SLES15-SP4-SAP-BYOS Image SLES15-SP4-SAP-BYOS-GCE Image SLES15-SP4-SAP-GCE Image SLES15-SP4-SAP-Hardened Image SLES15-SP4-SAP-Hardened-BYOS Image SLES15-SP4-SAP-Hardened-BYOS-GCE Image SLES15-SP4-SAP-Hardened-GCE Image SLES15-SP4-SAPCAL Image SLES15-SP4-SAPCAL-GCE SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 krb5-1.19.2-150400.3.18.1 krb5-client-1.19.2-150400.3.18.1 krb5-32bit-1.19.2-150400.3.18.1 krb5-devel-1.19.2-150400.3.18.1 krb5-64bit-1.19.2-150400.3.18.1 krb5-devel-32bit-1.19.2-150400.3.18.1 krb5-devel-64bit-1.19.2-150400.3.18.1 krb5-mini-1.19.2-150400.3.18.1 krb5-mini-devel-1.19.2-150400.3.18.1 krb5-plugin-kdb-ldap-1.19.2-150400.3.18.1 krb5-plugin-preauth-otp-1.19.2-150400.3.18.1 krb5-plugin-preauth-pkinit-1.19.2-150400.3.18.1 krb5-plugin-preauth-spake-1.19.2-150400.3.18.1 krb5-server-1.19.2-150400.3.18.1 krb5-1.19.2-150400.3.18.1 as a component of Container suse/sle-micro-rancher/5.3:latest krb5-1.19.2-150400.3.18.1 as a component of Container suse/sle-micro-rancher/5.4:latest krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-BYOS krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-BYOS krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-BYOS-GCE krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-BYOS-GCE krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-Hardened-BYOS krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-Hardened-BYOS krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-Hardened-BYOS-GCE krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-Hardened-BYOS-GCE krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP krb5-32bit-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP krb5-devel-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Azure-LI-BYOS krb5-32bit-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Azure-LI-BYOS krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Azure-LI-BYOS krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Azure-LI-BYOS-Production krb5-32bit-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Azure-LI-BYOS-Production krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Azure-LI-BYOS-Production krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Azure-VLI-BYOS krb5-32bit-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Azure-VLI-BYOS krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Azure-VLI-BYOS krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production krb5-32bit-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-BYOS krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-BYOS krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-BYOS-GCE krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-BYOS-GCE krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-GCE krb5-32bit-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-GCE krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-GCE krb5-devel-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-GCE krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Hardened krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Hardened krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Hardened-BYOS krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Hardened-BYOS krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Hardened-BYOS-GCE krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Hardened-BYOS-GCE krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Hardened-GCE krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAP-Hardened-GCE krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAPCAL krb5-32bit-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAPCAL krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAPCAL krb5-devel-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAPCAL krb5-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAPCAL-GCE krb5-32bit-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAPCAL-GCE krb5-client-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAPCAL-GCE krb5-devel-1.19.2-150400.3.18.1 as a component of Image SLES15-SP4-SAPCAL-GCE krb5-1.19.2-150400.3.18.1 as a component of SUSE Linux Enterprise Micro 5.3 krb5-1.19.2-150400.3.18.1 as a component of SUSE Linux Enterprise Micro 5.4 A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering. CVE-2025-3576 Container suse/sle-micro-rancher/5.3:latest:krb5-1.19.2-150400.3.18.1 Container suse/sle-micro-rancher/5.4:latest:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-BYOS-GCE:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-BYOS-GCE:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-BYOS:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-BYOS:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-Hardened-BYOS-GCE:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-Hardened-BYOS-GCE:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-Hardened-BYOS:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-Hardened-BYOS:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Azure-LI-BYOS-Production:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Azure-LI-BYOS-Production:krb5-32bit-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Azure-LI-BYOS-Production:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Azure-LI-BYOS:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Azure-LI-BYOS:krb5-32bit-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Azure-LI-BYOS:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production:krb5-32bit-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Azure-VLI-BYOS:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Azure-VLI-BYOS:krb5-32bit-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Azure-VLI-BYOS:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-BYOS-GCE:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-BYOS-GCE:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-BYOS:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-BYOS:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-GCE:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-GCE:krb5-32bit-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-GCE:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-GCE:krb5-devel-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Hardened-BYOS-GCE:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Hardened-BYOS-GCE:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Hardened-BYOS:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Hardened-BYOS:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Hardened-GCE:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Hardened-GCE:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Hardened:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP-Hardened:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP:krb5-32bit-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAP:krb5-devel-1.19.2-150400.3.18.1 Image SLES15-SP4-SAPCAL-GCE:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-SAPCAL-GCE:krb5-32bit-1.19.2-150400.3.18.1 Image SLES15-SP4-SAPCAL-GCE:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAPCAL-GCE:krb5-devel-1.19.2-150400.3.18.1 Image SLES15-SP4-SAPCAL:krb5-1.19.2-150400.3.18.1 Image SLES15-SP4-SAPCAL:krb5-32bit-1.19.2-150400.3.18.1 Image SLES15-SP4-SAPCAL:krb5-client-1.19.2-150400.3.18.1 Image SLES15-SP4-SAPCAL:krb5-devel-1.19.2-150400.3.18.1 SUSE Linux Enterprise Micro 5.3:krb5-1.19.2-150400.3.18.1 SUSE Linux Enterprise Micro 5.4:krb5-1.19.2-150400.3.18.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253729-1/ https://www.suse.com/security/cve/CVE-2025-3576.html CVE-2025-3576 https://bugzilla.suse.com/1241218 SUSE Bug 1241218