[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

The state of the heimdal project

To: heimdal-discuss@sics.se
Subject: The state of the heimdal project
From: Harald Barth <haba@pdc.kth.se>
Date: Tue, 03 Oct 2006 17:33:59 +0200 (MEST)
Sender: owner-heimdal-discuss@sics.se


Latest heimdal release is 0.7.2.

This is a list of by me known bugs of 0.7.2 with comments:

A1. 2006-08-08: multiple local privilege escalation vulnerabilities

   Patch exists, no release that fixes problem.

A2. telnetd does not enforce encryption in all situations

   Patch exists in snapshots, no release exists that fixes the
   problem. In addition, the patch requires you to add an extra option
   to telnetd in all your inetd.conf. This is a bad choice of
   defaults.

A3. telnetd does not forward tickets correctly in a mixed endian
   environment.

   Patch exists in snapshots, no release that fixes the problem.

A4. ftpd (with gssapi) does not forward tickets correctly in a mixed
   endian environment and does not issue tokens correctly because
   of wrong arguments to krb_afslog and wrong order of krb_afslog
   chdir and setuid.

   I did a patch for the first half but the second half is tricky, 
   so no patch yet. This bug was introduced between 0.7 and 0.7.2.

Will there be a bugfix release with these issues addressed? I am
astonished that big sites (like su.se) have not run into problems
with the latest release. Or are these sites either running older
or not-yet released code?

Then I tried a late snapshot of current (20060929). That code did
not compile well on Solaris 10 and needed several adjustmens:

B1. heimdal build needs bigger table space than lex's default

B2. ^M in some files make cc barf

B3. Compile flag -pthread makes cc barf at some points

B4. Include files that do not exist on Solaris 10

B5. ftpd segfaults

All of the above have been reported to heimdal-bugs.

Security announcements are not followed up with new release(s) (A1).

Security problems are not tightened without configuration change (A2).

Testing is not sufficient (A3, A4, B5).

Development does not consider portability to other compilers than the
GNU compile environment important (B1, B2, B3).

Development does not consider portability to other platforms than the
GNU and BSD important (B1, B4).

So how is the future of this project? If chores are bigger than
available resources, how should this be reflected in the project?

What parts should be focused on?

What parts should be dumped?

Are there good parts that should be saved and transfered to another
projects?

After that, is there anything left?

Lately, I have had serious difficulties to plan future software deployment
of heimdal as _the_ kerberos platform of choice due to the uncertainty of 
its future. Some indication of the amount of commitment would be useful,
preferably with some time plan.

Harald.

Follow-Ups:
- Re: The state of the heimdal project
  - From: Michael B Allen <mba2000@ioplex.com>
- Re: The state of the heimdal project
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: The state of the heimdal project
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: The state of the heimdal project
  - From: Love Hörnquist Åstrand <lha@kth.se>

Prev by Date: Re: KDC refuses to give des-cbc-crc keys
Next by Date: No Subject
Prev by thread: Romanian PHP & .NET Software Outsourcing
Next by thread: Re: The state of the heimdal project
Index(es):
- Date
- Thread