debian-edu-config (2.11.56+deb10u8) buster-security; urgency=medium

  CVE-2021-20001: To mitigate potential privilege escalations that could be
  caused by malicious PHP scripts in Apache2-accessible user directories
  (i.e. PHP files placed into ~/public_html) on the Debian Edu mainserver,
  the PHP engine is now disabled for Apache2 user directories (see
  /etc/apache2/mods-enabled/debian-edu-userdir.conf).

  However, if PHP functionality is required for Apache2 user directories for
  educational purposes, an alternative configuration approach is provided in:

    /usr/share/doc/debian-edu-config/README.public_html_with_PHP-CGI+suExec.md

 -- Mike Gabriel  Fri, 04 Feb 2022 12:14:05 +0100

debian-edu-config (2.10.65+deb10u3) buster-security; urgency=high

  The Kerberos kadm ACLs in /etc/krb5kdc/kadm5.acl contained an insecure
  setting allowing all authenticated users in the network to change the
  credentials of everyone else, thus impersonating other users and gaining
  their privileges.

  If you never changed these ACLs, the package update fixes the issue
  automatically. If you did, please double-check that no unexpected
  principal has the c ACL (lower-case!) set.

 -- Dominik George  Mon, 16 Dec 2019 16:29:19 +0100
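The double-check the second entry asks for can be scripted. The following is an added example, not part of debian-edu-config, that parses a kadm5.acl in MIT syntax and flags entries where a wildcard principal matching every user is granted the change-password right (lower-case c, or the all-privileges wildcards * and x). The sample ACL, the realm EXAMPLE.ORG and the principal names are constructed; the "matches every user" rule is a heuristic of this script.

```python
"""Audit a Kerberos kadm5.acl for over-broad change-password ('c') grants."""

# Constructed sample in kadm5.acl syntax; not the file the package ships.
# Each entry is: principal  permissions  [target_principal [restrictions]]
# A lower-case letter grants a right, its upper-case form denies it;
# '*' and 'x' grant every right, which includes change-password.
SAMPLE_ACL = """\
# kadm5.acl for EXAMPLE.ORG (constructed sample)
*/admin@EXAMPLE.ORG      *
root/admin@EXAMPLE.ORG   *
# hypothetical insecure line: every user may change any password
*@EXAMPLE.ORG            lc
# upper-case C explicitly denies change-password, so this one is fine
*@EXAMPLE.ORG            ilC
helpdesk@EXAMPLE.ORG     c      */*@EXAMPLE.ORG
"""


def parse_kadm5_acl(text):
    """Return (principal, permissions, target) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line; ignored by this audit
        target = fields[2] if len(fields) > 2 else None
        entries.append((fields[0], fields[1], target))
    return entries


def grants_changepw(perms):
    """True if the permission string grants the change-password right."""
    return any(ch in perms for ch in ("c", "x", "*"))


def matches_every_user(principal):
    """Heuristic: a '*' primary with no instance, or a '*' instance, matches
    ordinary user principals such as alice@REALM, unlike */admin@REALM."""
    parts = principal.split("@", 1)[0].split("/")
    return parts[0] == "*" and (len(parts) == 1 or parts[1] == "*")


def find_broad_changepw(text):
    """Return ACL entries letting every authenticated user change passwords."""
    return [e for e in parse_kadm5_acl(text)
            if matches_every_user(e[0]) and grants_changepw(e[1])]


if __name__ == "__main__":
    for principal, perms, target in find_broad_changepw(SAMPLE_ACL):
        print(f"WARNING: {principal} has '{perms}' on {target or 'all principals'}")
```

To audit the live file, read /etc/krb5kdc/kadm5.acl and pass its contents to find_broad_changepw; an empty result means no wildcard-user entry carries a lower-case c or an all-privileges wildcard.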