[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Heimdal 0.6.1 + 0.5.3
Always nice to see new releases. Now the questions. ;-)
At 6:51 PM +0200 4/1/04, Johan Danielsson wrote:
>This double release of Heimdal 0.6.1 and 0.5.3 can now be found at the
>The main reason for this release is a vulnerability in the cross-realm
>trust handling in the KDC. This allows an administrator of a realm you
>share keys with to impersonate anyone in your realm. If you are
>sharing keys with anyone, we strongly advise you to upgrade as soon as
>possible. Heimdal 0.6.1 also includes a bunch of other changes, while
>0.5.3 only includes security fixes.
>See also http://www.pdc.kth.se/heimdal/advisory/2004-04-01/
>Changes in release 0.6.1
> * Fixed ARCFOUR suppport
arcfour == rc4 == Windows encryption == Luke Howard's rc4 patch?
> * Fixed cross realm vulnerability
This sounds a lot like the Kerb 4 cross-realm vulnerability. Is it?
Or is it a new relative of it that applies to Kerb 5?
> * kdc: fix denial of service attack
> * kdc: stop clients from renewing tickets into the future
Been meaning to check this: if you expire the password, expire the
principal, or delete the principal does it prevent renewal? I hope
at least one of those does.
> * bug fixes
>Assar, Jacques, Johan, and Love
Four cheers instead of the usual three!
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or email@example.com