+++ This bug was initially created as a clone of Bug #2165827 +++

A paper by Tom Tervoort[1] noted that computing the PAC privsvr checksum over only the server checksum is vulnerable to collision attacks. In response, Microsoft has added a second KDC checksum over the full contents of the PAC[2]. This change will be required for PAC signatures to be accepted by AD from 2023-07-11[3].

[1] https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf
[2] https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PAC/%5bMS-PAC%5d-20221212-diff.pdf
[3] https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb

--- Additional comment from Julien Rische on 2023-01-31 08:50:37 UTC ---

The fix is available upstream: https://github.com/krb5/krb5/pull/1284
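As an added illustration (not code from this bug, from krb5 or from MS-PAC), the following simplified Python model shows why a KDC checksum computed only over the server checksum does not bind the PAC body, and how the added full-PAC checksum closes that gap. Keys, PAC bodies and the dict layout are constructed; HMAC-MD5 over raw bytes stands in for the real keyed checksum types, and the collision is simulated by reusing the genuine server checksum rather than computed.

```python
import hmac
import hashlib

# Constructed, simplified model of the PAC signature chain discussed in this
# bug. It is not the MS-PAC wire encoding; HMAC-MD5 over the raw body stands
# in for the keyed checksum types the real PAC uses, and a PAC is just a dict.

def server_checksum(body: bytes, server_key: bytes) -> bytes:
    # Service-key signature over the PAC body (the service verifies this one).
    return hmac.new(server_key, body, hashlib.md5).digest()

def legacy_kdc_checksum(server_sig: bytes, kdc_key: bytes) -> bytes:
    # Pre-2022 privsvr checksum: its only input is the 16-byte server
    # checksum, so the KDC never checks the body itself.
    return hmac.new(kdc_key, server_sig, hashlib.md5).digest()

def full_pac_checksum(body: bytes, kdc_key: bytes) -> bytes:
    # The added KDC checksum: bound to the full PAC contents.
    return hmac.new(kdc_key, body, hashlib.md5).digest()

def sign_pac(body: bytes, server_key: bytes, kdc_key: bytes) -> dict:
    srv = server_checksum(body, server_key)
    return {"body": body, "server_sig": srv,
            "kdc_sig": legacy_kdc_checksum(srv, kdc_key),
            "full_sig": full_pac_checksum(body, kdc_key)}

def kdc_verify(pac: dict, kdc_key: bytes, require_full: bool) -> bool:
    # KDC-side check with the krbtgt key. require_full=False is the legacy
    # behaviour; require_full=True is what AD enforces from 2023-07-11.
    if not hmac.compare_digest(legacy_kdc_checksum(pac["server_sig"], kdc_key), pac["kdc_sig"]):
        return False
    if require_full:
        expected = full_pac_checksum(pac["body"], kdc_key)
        if "full_sig" not in pac or not hmac.compare_digest(expected, pac["full_sig"]):
            return False
    return True

def collision_scenario(require_full: bool) -> bool:
    # Models the paper's threat: a PAC whose body was replaced but whose
    # server checksum collides with the original. The collision itself is
    # simulated by copying the genuine server_sig, not computed.
    server_key, kdc_key = b"service-key", b"krbtgt-key"   # constructed keys
    genuine = sign_pac(b"PAC body: user=alice groups=[users]", server_key, kdc_key)
    colliding = dict(genuine, body=b"PAC body: user=alice groups=[admins]")
    return kdc_verify(colliding, kdc_key, require_full)
```

With the legacy check the colliding PAC is accepted; with the full checksum required it is rejected, which is the behaviour change the fix in krb5 implements.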
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle. Changing version to 38.
FEDORA-2023-43f5d964df has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-43f5d964df
FEDORA-2023-43f5d964df has been pushed to the Fedora 39 stable repository. If the problem still persists, please make note of it in this bug report.
This update will be backported to Fedora 38, 37, and 36.
Fedora pull request: https://src.fedoraproject.org/rpms/krb5/pull-request/36
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569
FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2023-f7841e7a29 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f7841e7a29
FEDORA-2023-f7841e7a29 has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.