Closed echristie-bc closed 4 months ago
Hmm, this is a tricky one -- we just did a base image update, and each one has a very heavy/outsized downstream effect, so we try to minimize their frequency except for urgent/serious issues.
Looking at https://security-tracker.debian.org/tracker/CVE-2024-37370 and https://security-tracker.debian.org/tracker/CVE-2024-37371, I don't think they're very likely to affect container users, as container users wouldn't likely be using Kerberos for local user authentication inside containers, so I'm inclined to suggest that affected users should apply local mitigations (including but not limited to upgrading the four `src:krb5` binary packages in their images/containers -- looking at the patch, I think only `libgssapi-krb5-2` actually needs to be updated to get the fix, but I'm not 100% sure how all the code interacts so YMMV and the safe answer is updating all four packages if you believe yourself to be affected).
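The local mitigation described in the comment above, as an added example that is not part of the thread or the docker-library project: list the installed binary packages that were built from `src:krb5` and upgrade only those. The sample `dpkg-query` output and its version strings are constructed; the package names in it are an assumption about a typical image.

```shell
#!/bin/sh
# Added example (not from the thread): find the installed binary packages
# built from src:krb5 and upgrade only those, inside an image or container.

# krb5_binaries: reads dpkg-query lines "Package Version Source" on stdin
# and prints the names of packages whose source package is krb5.
krb5_binaries() {
  awk '$3 == "krb5" { print $1 }'
}

# installed_krb5: same check against the live dpkg database.
installed_krb5() {
  dpkg-query -W -f='${Package} ${Version} ${source:Package}\n' | krb5_binaries
}

# Constructed sample of dpkg-query output; versions are placeholders, not real.
SAMPLE='libc6 0.0-constructed glibc
libgssapi-krb5-2 0.0-constructed krb5
libk5crypto3 0.0-constructed krb5
libkrb5-3 0.0-constructed krb5
libkrb5support0 0.0-constructed krb5'

if [ "${1:-}" = "--apply" ]; then
  # For a Dockerfile RUN step or a shell in the container: upgrade only the
  # krb5 binaries that are actually installed, then drop the apt lists again.
  pkgs=$(installed_krb5)
  if [ -z "$pkgs" ]; then
    echo "no src:krb5 binary packages installed; nothing to do"
    exit 0
  fi
  apt-get update
  apt-get install -y --no-install-recommends --only-upgrade $pkgs
  rm -rf /var/lib/apt/lists/*
else
  echo "src:krb5 binaries in the constructed sample:"
  printf '%s\n' "$SAMPLE" | krb5_binaries
fi
```

Run with `--apply` as root inside the container (or from a `RUN` step) to perform the upgrade; without arguments it only demonstrates the filter on the constructed sample.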
Thank you for the suggestions. We will wait for the image update.
Hi Docker Debian Team,
Could the CVE-2024-37371 and CVE-2024-37370 be fixed for the `debian/krb5` package on the `debian:bullseye-slim` image, so that it uses the new version of the package with the CVE fix?
Thank You.