
Re: The state of the heimdal project



I don't like long complicated with semi-related issues, so I'll try to
split this up. If my English is weird, I blame the excellent geuze I just had.

Latest heimdal release is 0.7.2.


This is a list of by me known bugs of 0.7.2 with comments:


A1. 2006-08-08: multiple local privilege escalation vulnerabilities


   Patch exists, no release that fixes problem.


Is this a serious problem? In that case I can cut a new tarball,
but that will take a day of testing.

A2. telnetd does not enforce encryption in all situations


   Patch exists in snapshots, no release exists that fixes the
   problem. In addition, the patch requires you to add an extra option
   to telnetd in all your inetd.conf. This is a bad choice of
   defaults.


I don't agree, telnetd has always behaved this way, telnet is broken
by protocol design and can hardly be fixed without protocol action by IETF.
Are you willing to spend the time?

A3. telnetd does not forward tickets correctly in a mixed endian
   environment.


   Patch exists in snapshots, no release that fixes the problem.


Is this a real problem? Use the 0.7 snapshot that contains the fix.

A4. ftpd (with gssapi) does not forward tickets correctly in a mixed
   endian environment and does not issue tokens correctly because
   of wrong arguments to krb_afslog and wrong order of krb_afslog
   chdir and setuid.

   I did a patch for the first half but the second half is tricky,
   so no patch yet. This bug was introduced between 0.7 and 0.7.2.


The second half has never been communicated back to me, so I can hardly
be blamed for not fixing it.

Will there be a bugfix release with these issues addressed? I am
astonished that big sites (like su.se) have not run into problems
with the latest release. Or are these sites either running older
or not-yet released code?


We (su.se) are running on even older code and not running into (serious) problems.

If you commit testing resources I'll happily coordinate a release.

I've only got bug reports A1-A4 from you from what I can remember
(but I'm sure the abbey ale has something to do with that), I can't say it's a problem.

I got more questions when I'm going to release 0.8, so that is what I've been
spending my time on.

Love