Amazon Linux 2 Security Advisory: ALAS2-2025-2985
Advisory Released Date: 2025-09-04
Advisory Updated Date: 2025-09-04
Severity: Medium

Issue Overview:

krb5: overflow when calculating ulog block size (CVE-2025-24528)

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering. (CVE-2025-3576)


Affected Packages:

krb5


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update krb5 or yum update --advisory ALAS2-2025-2985 to update your system.
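The following script is an added example, not part of the Amazon Linux advisory or of the krb5 project. It checks an AL2 host against the fixed version listed in this advisory (1.15.1-55.amzn2.2.9) and flags krb5.conf [libdefaults] enctype settings that still list RC4, which is the precondition the CVE-2025-3576 description names. The rpm version comparison is a simplified reimplementation of rpmvercmp (assumed: no epoch, tilde or caret in the versions compared), and the package names, sample rpm output and sample krb5.conf are constructed for the demonstration.

```python
"""Check an Amazon Linux 2 host against ALAS2-2025-2985 (krb5).

Added example; not Amazon's or MIT Kerberos' code. FIXED_VR is the
version-release from the advisory's "New Packages" list. rpmvercmp() is a
simplified reimplementation of rpm's comparison (assumes no epoch, '~' or '^').
"""
import re
import shutil
import subprocess

FIXED_VR = "1.15.1-55.amzn2.2.9"                  # from the advisory
PACKAGES = ("krb5-libs", "krb5-workstation", "krb5-server", "krb5-server-ldap",
            "krb5-devel", "krb5-pkinit", "libkadm5")
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")
# [libdefaults] keys that select encryption types in MIT krb5.conf
_ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm: split on non-alphanumerics, compare numeric
    segments as integers, alphabetic ones lexically, numeric beats alphabetic."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_patched(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """True when 'version-release' of the installed package is at or above the fix."""
    iv, ir = installed_vr.rsplit("-", 1)
    fv, fr = fixed_vr.rsplit("-", 1)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0


def rc4_enctype_lines(krb5_conf: str) -> list:
    """Return [libdefaults] enctype settings that list RC4 (rc4-hmac / arcfour-hmac*).
    Comments ('#' or ';') and other sections are ignored."""
    hits, section = [], None
    for raw in krb5_conf.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in _ENCTYPE_KEYS and re.search(r"\b(rc4|arcfour)", value, re.I):
            hits.append(f"{key} = {value}")
    return hits


def installed_vr(package: str):
    """Ask rpm for VERSION-RELEASE of a package; None if rpm or the package is absent."""
    if shutil.which("rpm") is None:
        return None
    p = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", package],
                       capture_output=True, text=True)
    return p.stdout.strip() if p.returncode == 0 else None


def report(versions: dict, conf_text: str) -> dict:
    """Summarise which packages still need the update and which settings keep RC4."""
    return {"unpatched": sorted(p for p, vr in versions.items() if not is_patched(vr)),
            "rc4_settings": rc4_enctype_lines(conf_text)}


# Constructed sample data so the checks run offline on any host.
SAMPLE_VERSIONS = {"krb5-libs": "1.15.1-55.amzn2.2.8",
                   "krb5-workstation": "1.15.1-55.amzn2.2.9"}
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM   # constructed
    permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""

if __name__ == "__main__":
    live = {p: installed_vr(p) for p in PACKAGES}
    live = {p: v for p, v in live.items() if v}
    try:
        with open("/etc/krb5.conf") as fh:
            conf = fh.read()
    except OSError:
        conf = ""
    print("live:", report(live, conf) if live else "rpm/krb5 not present")
    print("sample:", report(SAMPLE_VERSIONS, SAMPLE_KRB5_CONF))
```

An empty rc4_settings list only means no explicit setting names RC4; when the keys are absent the library's built-in default list applies, so confirm the effective enctype list for your krb5 build rather than treating an empty result as proof that RC4 is disabled. The version check covers the advisory's fix; removing RC4 from the enctype lists addresses the "RC4 preferred over stronger types" condition separately.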

New Packages:
aarch64:
    krb5-devel-1.15.1-55.amzn2.2.9.aarch64
    krb5-libs-1.15.1-55.amzn2.2.9.aarch64
    krb5-server-1.15.1-55.amzn2.2.9.aarch64
    krb5-server-ldap-1.15.1-55.amzn2.2.9.aarch64
    krb5-workstation-1.15.1-55.amzn2.2.9.aarch64
    krb5-pkinit-1.15.1-55.amzn2.2.9.aarch64
    libkadm5-1.15.1-55.amzn2.2.9.aarch64
    krb5-debuginfo-1.15.1-55.amzn2.2.9.aarch64

i686:
    krb5-devel-1.15.1-55.amzn2.2.9.i686
    krb5-libs-1.15.1-55.amzn2.2.9.i686
    krb5-server-1.15.1-55.amzn2.2.9.i686
    krb5-server-ldap-1.15.1-55.amzn2.2.9.i686
    krb5-workstation-1.15.1-55.amzn2.2.9.i686
    krb5-pkinit-1.15.1-55.amzn2.2.9.i686
    libkadm5-1.15.1-55.amzn2.2.9.i686
    krb5-debuginfo-1.15.1-55.amzn2.2.9.i686

src:
    krb5-1.15.1-55.amzn2.2.9.src

x86_64:
    krb5-devel-1.15.1-55.amzn2.2.9.x86_64
    krb5-libs-1.15.1-55.amzn2.2.9.x86_64
    krb5-server-1.15.1-55.amzn2.2.9.x86_64
    krb5-server-ldap-1.15.1-55.amzn2.2.9.x86_64
    krb5-workstation-1.15.1-55.amzn2.2.9.x86_64
    krb5-pkinit-1.15.1-55.amzn2.2.9.x86_64
    libkadm5-1.15.1-55.amzn2.2.9.x86_64
    krb5-debuginfo-1.15.1-55.amzn2.2.9.x86_64