{"affected":[{"ecosystem_specific":{"binaries":[{"krb5":"1.19.2-150400.3.18.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Micro 5.3","name":"krb5","purl":"pkg:rpm/suse/krb5&distro=SUSE%20Linux%20Enterprise%20Micro%205.3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.19.2-150400.3.18.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"krb5":"1.19.2-150400.3.18.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Micro 5.4","name":"krb5","purl":"pkg:rpm/suse/krb5&distro=SUSE%20Linux%20Enterprise%20Micro%205.4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.19.2-150400.3.18.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for krb5 fixes the following issues:\n\n- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using\n  RC4-HMAC-MD5 (bsc#1241219).\n\nKrb5 as very old protocol supported quite a number of ciphers\nthat are not longer up to current cryptographic standards.\n\nTo avoid problems with those, SUSE has by default now disabled\nthose alorithms.\n\nThe following algorithms have been removed from valid krb5 enctypes:\n\n- des3-cbc-sha1\n- arcfour-hmac-md5\n\nTo reenable those algorithms, you can use allow options in krb5.conf:\n\n[libdefaults]\nallow_des3 = true\nallow_rc4 = true\n\nto reenable them.\n","id":"SUSE-SU-2025:3729-1","modified":"2025-10-22T13:19:35Z","published":"2025-10-22T13:19:35Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-20253729-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1241219"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-3576"}],"related":["CVE-2025-3576"],"summary":"Security update for krb5","upstream":["CVE-2025-3576"]}