Dear Heimdal Community,

A team consisting of staff from Two Sigma Open Source and AuriStor are
pleased to announce the release of Heimdal 7.6.

The release download page is:

  https://github.com/heimdal/heimdal/releases/tag/heimdal-7.6.0

The source tarball can be downloaded from:

  https://github.com/heimdal/heimdal/releases/download/heimdal-7.6.0/heimdal-7.6.0.tar.gz
  https://github.com/heimdal/heimdal/releases/download/heimdal-7.6.0/heimdal-7.6.0.tar.gz.asc

  SHA256(heimdal-7.6.0.tar.gz)= afb996e27e722f51bf4d9e8d1d51e47cd10bfa1a41a84106af926e5639a52e4d
  SHA1(heimdal-7.6.0.tar.gz)= 41a036db3458f9f1957174f9860c0d7491dc173a

The signature key fingerprint is:

  E659 41B7 1CF3 C459 A34F A89C 45E7 572A 28CD 8CC8

Changes in Heimdal 7.6:

Security

 - CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum

   When the Heimdal KDC checks the checksum that is placed on the
   S4U2Self packet by the server to protect the requested principal
   against modification, it does not confirm that the checksum
   algorithm that protects the user name (principal) in the request
   is keyed. This allows a man-in-the-middle attacker who can
   intercept the request to the KDC to modify the packet by replacing
   the user name (principal) in the request with any desired user
   name (principal) that exists in the KDC and replace the checksum
   protecting that name with a CRC32 checksum (which requires no
   prior knowledge to compute).

   This would allow a S4U2Self ticket requested on behalf of user
   name (principal) [hidden email] to any service to be changed to a
   S4U2Self ticket with a user name (principal) of [hidden email].
   This ticket would then contain the PAC of the modified user name
   (principal).

 - CVE-2019-12098, client-only:

   RFC8062 Section 7 requires verification of the PA-PKINIT-KX key
   exchange when anonymous PKINIT is used. Failure to do so can
   permit an active attacker to become a man-in-the-middle.

Bug fixes

 - Happy eyeballs: Don't wait for responses from known-unreachable KDCs.
 - kdc: check return copy_Realm, copy_PrincipalName, copy_EncryptionKey
 - kinit:
   . cleanup temporary ccaches
   . see man page for "kinit --anonymous" command line syntax change
 - kdc: Make anonymous AS-requests more RFC8062-compliant.
 - Updated expired test certificates
 - Solaris:
   . PKCS#11 hcrypto backend broken since 7.0.1
   . Building with Sun Pro C

Features

 - kuser: support authenticated anonymous AS-REQs in kinit
 - kdc: support for anonymous TGS-REQs
 - kgetcred support for anonymous service tickets
 - Support builds with OpenSSL 1.1.1

--
The Heimdal Release Team.
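
The keyed-checksum check from the CVE-2018-16860 item above, as an added example (not Heimdal code and not part of the original announcement). It is a simplified model: the request layout, the checksum type names, the principals and the key are constructed, and plain CRC32 and truncated HMAC-SHA1 stand in for the Kerberos checksum types.

```python
import hashlib
import hmac
import zlib

# Constructed stand-ins for checksum types; not real Kerberos encodings.
KEYED_TYPES = {"hmac-sha1-96"}


def compute(cksumtype, key, data):
    """Checksum over the protected name for the given (simplified) type."""
    if cksumtype == "crc32":
        # Unkeyed: the key is ignored, so anyone who sees the data can compute it.
        return zlib.crc32(data).to_bytes(4, "big")
    if cksumtype == "hmac-sha1-96":
        return hmac.new(key, data, hashlib.sha1).digest()[:12]
    raise ValueError("unknown checksum type")


def make_request(key, name, cksumtype="hmac-sha1-96"):
    return {"name": name, "cksumtype": cksumtype,
            "cksum": compute(cksumtype, key, name)}


def verify_lenient(key, req):
    """Behaviour the advisory describes: any checksum type the request names is accepted."""
    expected = compute(req["cksumtype"], key, req["name"])
    return hmac.compare_digest(expected, req["cksum"])


def verify_strict(key, req):
    """Hardened check: refuse unkeyed checksum types before verifying anything."""
    if req["cksumtype"] not in KEYED_TYPES:
        return False
    return verify_lenient(key, req)


def demo():
    service_key = b"constructed-service-key"
    genuine = make_request(service_key, b"alice@EXAMPLE.TEST")
    # Name swapped in transit, original HMAC left in place: fails either way.
    stale = dict(genuine, name=b"bob@EXAMPLE.TEST")
    # Name swapped and checksum replaced with CRC32, built without the key.
    downgraded = make_request(b"", b"bob@EXAMPLE.TEST", "crc32")
    return {
        "lenient_genuine": verify_lenient(service_key, genuine),
        "lenient_stale": verify_lenient(service_key, stale),
        "lenient_downgraded": verify_lenient(service_key, downgraded),
        "strict_genuine": verify_strict(service_key, genuine),
        "strict_downgraded": verify_strict(service_key, downgraded),
    }
```

The lenient verifier accepts the downgraded request because the checksum verifies correctly for the type it names; only the check on the type itself distinguishes it from a genuine one.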