Re: Remote vulnerability in kadmind

Dave Love <d.love@dl.ac.uk> writes:

> Where should I have seen that?

There was some text in the 0.5.1 announcement, and this thread
follows a notice I sent here about it. Do you have suggestions on how
to improve the information flow?

We did contact {Free,Net,Open}BSD, Debian and Suse (the ones we knew
about) prior to release. The time was short, but that was for a

> I think it would be useful if announcements were copied to
> heimdal-discuss, which is what I'd expect.

I think this is wrong, but I'm not religious about it.

> The web site implies I can fix the configuration without rebuilding
> -- is that false?

Yes, do you mean this:

  If you are running a version older than 0.5.1 AND have Kerberos 4
  support enabled in kadmind you should disable it until you have time
  to upgrade.

I think the last "it" refers to kadmind, but I guess it (no pun
intended) could be misinterpreted. I just changed "it" to "kadmind".