[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The state of the heimdal project

I don't like long complicated with semi-related issues, so I'll try to
split this up. If I my english is weird, I blame the excelent gueze I just had.

Latest heimdal release is 0.7.2.

This is a list of by me known bugs of 0.7.2 with comments:

A1. 2006-08-08: multiple local privilege escalation vulnerabilities

   Patch exists, no release that fixes problem.

Is this a serious problem, in that case I can cut a new tar-ball
but that will take a day of testing.

A2. telnetd does not enforce encryption in all situations

   Patch exists in snapshots, no release exists that fixes the

   problem. In addition, the patch requires you to add an extra option

   to telnetd in all your inetd.conf. This is a bad choice of


I don't agree, telnetd have always behavid this way, telnet is broken
by protocol design and can hardly be fixed without protocol action by ietf,
are you willing to spend the time ?

A3. telnetd does not forward tickets correctly in a mixed endian


   Patch exists in snapshots, no release that fixes the problem.

Is this a real problem, use the 0.7 snapshot that contains the fix.

A4. ftpd (with gssapi) does not forward tickets correctly in a mixed

   endian environment and does not issue tokens correctly because

   of wrong arguments to krb_afslog and wrong order of krb_afslog

   chdir and setuid.

   I did a patch for the first half but the second half is tricky, 

   so no patch yet. This bug was introduced between 0.7 and 0.7.2.

The second half have nevered communicated back to me, so I can hardly
be blamed on not fixing it.

Will there be a bugfix release with these issues addressed? I am

astonished that big sites (like su.se) have not run into problems

with the latest release. Or are these sites either running older

or not-yet released code?

We (su.se) are running on even older code and not running into (serious) problems.

If you commit testing resources I'll happily coordinate a release.

I've only got bug-reports A1-A4 from you from what I can remember
(but I'm sure the abby-ale have something to do with that) I I can't say its a problem.

I got more questions when I'm going to release 0.8, so that is what I've been
spending my time on.