A security update for the Kerberos (krb5) authentication system is now available for Fedora Linux 42. The update, identified as krb5-1.21.3-6.fc42, was released on June 9, 2025, and addresses several important security issues.
Update Details:
Release Information:
- Name: krb5
- Version: 1.21.3
- Release: 6.fc42
- URL: [Kerberos Website](https://web.mit.edu/kerberos/www/)
Key Changes:
1. Security Enhancements:
- The update disallows the use of the arcfour-hmac(-md5) encryption type for session keys, which is important for preventing potential vulnerabilities associated with this encryption method.
- It introduces support for the PKINIT paChecksum2 sequence, facilitating better interoperability with Active Directory on Windows Server 2025.
- It fixes the generation of the RADIUS Message-Authenticator when operating in FIPS mode, enhancing compliance with security standards.
2. Changelog Highlights:
- The blocking of HMAC-MD4/5 in FIPS mode has been removed.
- The paChecksum2 implementation is added as per the Microsoft PKCA specifications.
- Default settings now disallow RC4 HMAC-MD5 session keys due to a vulnerability (CVE-2025-3576) that could enable message spoofing through MD5 collisions.
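As an added example that is not part of the Fedora advisory, the following check lets an administrator confirm after the update that no cached ticket still carries an RC4 (arcfour-hmac) session key: it parses the `Etype (skey, tkt)` lines printed by `klist -e` and reports the affected service principals. The `klist -e` output embedded below is constructed for the example, not captured from a real system.

```python
import re
from typing import List, Tuple

# Session-key enctypes the updated KDC no longer issues by default
# (arcfour-hmac is the krb5 name for RC4-HMAC-MD5).
RC4_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5",
                "arcfour-hmac-exp", "arcfour-hmac-md5-exp"}

# Constructed sample of `klist -e` output (placeholder realm and hosts).
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: alice@EXAMPLE.TEST

Valid starting       Expires              Service principal
06/10/2025 09:00:00  06/10/2025 19:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/10/2025 09:00:05  06/10/2025 19:00:00  cifs/files.example.test@EXAMPLE.TEST
\tEtype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
"""

# A ticket line: two date/time pairs followed by the service principal.
TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S+)$")
# The enctype line klist -e prints under each ticket (tab- or space-indented).
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*([^,]+),\s*(\S+)")


def parse_klist(text: str) -> List[Tuple[str, str, str]]:
    """Return (service principal, session-key enctype, ticket enctype) per ticket."""
    tickets = []
    current = None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)  # remember the principal until its Etype line
            continue
        m = ETYPE_RE.match(line)
        if m and current is not None:
            tickets.append((current, m.group(1).strip(), m.group(2).strip()))
            current = None
    return tickets


def rc4_session_keys(text: str) -> List[str]:
    """Service principals whose ticket still has an RC4 session key."""
    return [svc for svc, skey, _ in parse_klist(text) if skey in RC4_ENCTYPES]


if __name__ == "__main__":
    for svc in rc4_session_keys(SAMPLE_KLIST):
        print(f"RC4 session key still in use for {svc}")
```

On a live system, feed the script the output of `klist -e` instead of the constructed sample; any principal it reports was issued a ticket by a KDC that still permits RC4 session keys.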
Installation Instructions:
Users can easily install this update using the `dnf` package manager with the following command:

```bash
su -c 'dnf upgrade --advisory FEDORA-2025-3de9fe91ff'
```

For further details on the `dnf` commands, users can refer to the official [dnf documentation](http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label).
Security Assurance:
All packages associated with this update are signed with the Fedora Project GPG key, ensuring their authenticity and integrity. More information about the GPG keys used by Fedora can be found on the [Fedora Project Keys page](https://fedoraproject.org/keys).
Conclusion:
This krb5 update is crucial for enhancing the security posture of Fedora 42 systems, particularly in environments that require robust authentication mechanisms. Users are encouraged to apply this update promptly to mitigate potential security risks.