View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0018367||CentOS-7||krb5||public||2021-12-02 04:37||2021-12-02 23:55|
|Summary||0018367: krb-1.15.1-50 packages reuploaded to centos7-updates with different checksum than centos7-base|
|Description||Earlier today (Dec. 1), several of the krb5 packages were updated in the centos7-updates repository with the same version as exists in centos7-base (1.15.1-50) but with different contents, or at least different checksums. Are these new RPMs valid? The difference is causing some confusion for our internal package mirror, and we're not sure whether this newer package is safe to install.|
Was this supposed to be a release of 1.15.1-51? There was a recent errata about CVE-2021-37750 affecting krb5 packages (https://access.redhat.com/errata/RHSA-2021:4788), and the fix appears to have been imported recently (https://git.centos.org/rpms/krb5/c/6e573ef8e22c16ed11a2794cafd62e56c7d1f270?branch=c7).
This is definitely affecting krb5-devel-1.15.1-50.el7.x86_64.rpm, krb5-libs-1.15.1-50.el7.x86_64.rpm, and libkadm5-1.15.1-50.el7.x86_64.rpm; I did not check the other krb5 RPMs.
|Additional Information||For example:|
"krb5-libs-1.15.1-50.el7.x86_64.rpm" in the updates repository (http://mirror.centos.org/centos/7/updates/x86_64/Packages/krb5-libs-1.15.1-50.el7.x86_64.rpm) has a sha256 of f89d39e2f15a5f9de6ac154edd1ca68886b384c0e12ef5657eb722c92e9c0788
"krb5-libs-1.15.1-50.el7.x86_64.rpm" (http://mirror.centos.org/centos/7/os/x86_64/Packages/krb5-libs-1.15.1-50.el7.x86_64.rpm) has a sha256 of f8b7e899cef4d4a8516654046fad0fdcfca40432fef004f8ce351a647b592b0f
|Tags||No tags attached.|
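
A mirror operator can catch the condition reported above from repository metadata before serving the package. This is an added example, not part of the original report or of any CentOS tooling: it parses minimal constructed `primary.xml` documents (carrying the two digests quoted in the report) and flags any package published under the same name, epoch, version, release and architecture with different checksums. The function names and the repo labels `base` and `updates` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://linux.duke.edu/metadata/common"}  # primary.xml namespace


def sample_primary(name, ver, rel, arch, sha256):
    """Build a minimal, constructed primary.xml document holding one package."""
    return (
        '<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
        f'<package type="rpm"><name>{name}</name><arch>{arch}</arch>'
        f'<version epoch="0" ver="{ver}" rel="{rel}"/>'
        f'<checksum type="sha256" pkgid="YES">{sha256}</checksum>'
        "</package></metadata>"
    )


# Constructed metadata; the digests are the two quoted in the report.
BASE_XML = sample_primary(
    "krb5-libs", "1.15.1", "50.el7", "x86_64",
    "f8b7e899cef4d4a8516654046fad0fdcfca40432fef004f8ce351a647b592b0f")
UPDATES_XML = sample_primary(
    "krb5-libs", "1.15.1", "50.el7", "x86_64",
    "f89d39e2f15a5f9de6ac154edd1ca68886b384c0e12ef5657eb722c92e9c0788")


def index_repo(primary_xml):
    """Map (name, epoch, version, release, arch) -> (checksum type, digest)."""
    index = {}
    for pkg in ET.fromstring(primary_xml).findall("c:package", NS):
        ver = pkg.find("c:version", NS)
        csum = pkg.find("c:checksum", NS)
        nevra = (pkg.findtext("c:name", namespaces=NS), ver.get("epoch", "0"),
                 ver.get("ver"), ver.get("rel"),
                 pkg.findtext("c:arch", namespaces=NS))
        index[nevra] = (csum.get("type"), csum.text.strip().lower())
    return index


def find_conflicts(repos):
    """repos: {label: primary_xml}. Return entries whose NEVRA has >1 digest."""
    seen = {}
    for label, xml in repos.items():
        for nevra, (ctype, digest) in index_repo(xml).items():
            # Compare only digests of the same algorithm.
            seen.setdefault((nevra, ctype), {}).setdefault(digest, []).append(label)
    return {key: by_digest for key, by_digest in seen.items() if len(by_digest) > 1}


if __name__ == "__main__":
    repos = {"base": BASE_XML, "updates": UPDATES_XML}
    for (nevra, ctype), by_digest in find_conflicts(repos).items():
        print("CONFLICT", "-".join(nevra), ctype, by_digest)
```

A hit means two different files claim the same package identity; check each file's signature with `rpm -K` against the distribution key before the mirror serves either one.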