[v25.3.x] build/deps: patch krb5 1.21.3 for CVE-2026-40355, CVE-2026-40356#30571

Open

vbotbuildovich wants to merge 1 commit into redpanda-data:v25.3.x from vbotbuildovich:ai-backport-pr-30537-v25.3.x-1779372964

Conversation

@vbotbuildovich
Collaborator

Backport of PR #30537

  • Command: git cherry-pick -x b0014ea
  • Commits backported: 1
  • Conflicts resolved: 1
  • Commits skipped (already on target): 0
  • Backport branch: ai-backport-pr-30537-v25.3.x-1779372964

Conflict details

  • b0014ea (MODULE.bazel.lock): generated lockfile diverged between dev and v25.3.x; accepted theirs from the cherry-picked commit so the krb5 patch entry is recorded, and will need regeneration on the target branch.

⚠️ Generated files

The following files were cherry-picked and may need regeneration:

  • MODULE.bazel.lock

These files were accepted as-is from the source branch. Before merging, regenerate them on the target branch to ensure they're correct. For example:

  • MODULE.bazel.lock: run bazel mod deps --lockfile_mode=update

Apply upstream fix (krb5/krb5@2e75f0d) as a Bazel patch to address two
high-severity (CVSS 8.7) unauthenticated NegoEx parsing vulnerabilities:

- CVE-2026-40355: null pointer dereference in parse_nego_message()
- CVE-2026-40356: integer underflow in parse_message()

Both allow a remote attacker to crash the process via a malformed
gss_accept_sec_context() call when a NegoEx mechanism is registered.

(cherry picked from commit b0014ea)
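The commit message names two parsing failure modes: a null pointer dereference and an integer underflow in length handling. The C program below is an added illustration of that bug class written for this page; it is not krb5 code, not the upstream fix, and not part of this PR. The 4-byte little-endian length header, the sample messages and every function name (`payload_len_unchecked`, `parse_message_checked`, `checked_payload_len`) are constructed assumptions, used only to show how an unchecked `declared_len - header_len` wraps around on a short declared length, and what the bounds checks in a hardened parser look like.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical wire format (constructed for this example, not NegoEx):
 * a 4-byte little-endian total length, then the payload. */
#define HDR_LEN 4u

static uint32_t load_u32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Weak version: subtracts the header size from the declared length without
 * first checking declared >= HDR_LEN. A declared length of 0..3 wraps to a
 * value near 2^32, and any later copy or read based on it would run off the
 * end of the buffer. The wrapped value is returned so it can be observed. */
uint32_t payload_len_unchecked(const uint8_t *buf, size_t buflen) {
    if (buflen < HDR_LEN) return 0;
    uint32_t declared = load_u32_le(buf);
    return declared - HDR_LEN;   /* wraps when declared < HDR_LEN */
}

/* Hardened version: reject a null buffer, a buffer shorter than the header,
 * a declared length smaller than the header (the underflow case) and a
 * declared length larger than the bytes actually received, all before any
 * arithmetic or pointer derivation happens. Returns 0 on success, -1 on a
 * malformed message. */
int parse_message_checked(const uint8_t *buf, size_t buflen,
                          const uint8_t **payload, size_t *payload_len) {
    if (buf == NULL || payload == NULL || payload_len == NULL) return -1;
    if (buflen < HDR_LEN) return -1;
    uint32_t declared = load_u32_le(buf);
    if (declared < HDR_LEN) return -1;   /* would underflow below */
    if (declared > buflen) return -1;    /* claims more data than present */
    *payload = buf + HDR_LEN;
    *payload_len = declared - HDR_LEN;
    return 0;
}

/* Convenience wrapper: payload length on success, -1 on rejection. */
long checked_payload_len(const uint8_t *buf, size_t buflen) {
    const uint8_t *p;
    size_t n;
    if (parse_message_checked(buf, buflen, &p, &n) != 0) return -1;
    return (long)n;
}

/* Constructed sample messages (6 bytes each). */
static const uint8_t SAMPLE_MALFORMED[] = {0x02, 0x00, 0x00, 0x00, 0xAA, 0xBB}; /* declared 2 < header */
static const uint8_t SAMPLE_TRUNCATED[] = {0x10, 0x00, 0x00, 0x00, 0xAA, 0xBB}; /* declared 16 > 6 bytes */
static const uint8_t SAMPLE_GOOD[]      = {0x06, 0x00, 0x00, 0x00, 0xAA, 0xBB}; /* declared 6, payload 2 */

int main(void) {
    printf("unchecked, declared=2 : payload len 0x%08x\n",
           payload_len_unchecked(SAMPLE_MALFORMED, sizeof SAMPLE_MALFORMED));
    printf("checked,   declared=2 : %ld\n", checked_payload_len(SAMPLE_MALFORMED, sizeof SAMPLE_MALFORMED));
    printf("checked,   declared=16: %ld\n", checked_payload_len(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("checked,   declared=6 : %ld\n", checked_payload_len(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    return 0;
}
```

The ordering of the checks is the point: the declared length is compared against both the header size and the available byte count before it is used in subtraction or pointer arithmetic, so a malformed message is rejected with an error code rather than turning into an out-of-bounds read or a crash of the accepting process.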
@vbotbuildovich vbotbuildovich added this to the v25.3.x-next milestone May 21, 2026
@vbotbuildovich vbotbuildovich added the kind/backport PRs targeting a stable branch label May 21, 2026

Labels

area/build kind/backport PRs targeting a stable branch
