[Heimdal-announce] Heimdal 7.3 security release announcement.

Viktor.Dukhovni
Dear Heimdal Community,

A team consisting of staff from Two Sigma Open Source and AuriStor are
pleased to announce the release of Heimdal 7.3.

The release download page is:

    https://github.com/heimdal/heimdal/releases/tag/heimdal-7.3.0

The source tarball can be downloaded from:

    https://github.com/heimdal/heimdal/releases/download/heimdal-7.3.0/heimdal-7.3.0.tar.gz
    https://github.com/heimdal/heimdal/releases/download/heimdal-7.3.0/heimdal-7.3.0.tar.gz.sig

    SHA256(heimdal-7.3.0.tar.gz)= 351df17c11f723681a4eab832e880af4a28693d1ed6996b02671d676dcb3b7b5
    SHA1(heimdal-7.3.0.tar.gz)= e1871eacef5dd8a7ccc10cfc9cc92a7376e27872

The signature key fingerprint is: E659 41B7 1CF3 C459 A34F  A89C 45E7 572A 28CD 8CC8

Changes in Heimdal 7.3.0:

 Security

 - Fix transit path validation.  Commit f469fc6 (2010-10-02) inadvertently
   caused the previous hop realm to not be added to the transit path
   of issued tickets.  This may, in some cases, enable bypass of capath
   policy in Heimdal versions 1.5 through 7.2.

   Note, this may break sites that rely on the bug.  With the bug, some
   incomplete [capaths] worked that should not have.  These may now break
   authentication in some cross-realm configurations.
   (CVE-2017-6594)

For a more complete change history please see:

    https://github.com/heimdal/heimdal/blob/master/NEWS

--
   The Heimdal Release Team.
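
A simplified model of the transit-path behaviour described in the Security note above, added here as an illustration; it is not Heimdal code and not part of the original announcement. The realm names, the capaths dictionaries and all function names are constructed, and only explicit capaths entries are modelled (no hierarchical fallback).

```python
# Simplified model of cross-realm transit handling. Not Heimdal code.
# Realm names and capaths tables below are constructed for illustration.

def issue_ticket(tgt, kdc_realm, add_previous_hop=True):
    """KDC in kdc_realm issues a ticket from a TGT issued by tgt['issuer'].

    A correct KDC records the previous hop realm in the transited list unless
    it is the client's own realm. add_previous_hop=False drops it, which is
    the behaviour the announcement describes for the affected versions.
    """
    transited = list(tgt["transited"])
    prev = tgt["issuer"]
    skip = (tgt["client_realm"], kdc_realm)
    if add_previous_hop and prev not in skip and prev not in transited:
        transited.append(prev)
    return {"client_realm": tgt["client_realm"], "issuer": kdc_realm,
            "transited": transited}

def walk(path, add_previous_hop=True):
    """Follow a client from its home realm path[0] to the service realm path[-1]."""
    ticket = {"client_realm": path[0], "issuer": path[0], "transited": []}
    for realm in path[1:]:
        ticket = issue_ticket(ticket, realm, add_previous_hop)
    return ticket

def transit_allowed(ticket, server_realm, capaths):
    """Every transited realm must be listed for this client/server realm pair."""
    allowed = capaths.get(ticket["client_realm"], {}).get(server_realm, set())
    return all(realm in allowed for realm in ticket["transited"])

# Constructed sample policy: the complete table names the intermediate realm,
# the incomplete one omits it.
PATH = ["CLIENT.TEST", "MID.TEST", "SERVER.TEST"]
COMPLETE = {"CLIENT.TEST": {"SERVER.TEST": {"MID.TEST"}}}
INCOMPLETE = {"CLIENT.TEST": {"SERVER.TEST": set()}}

if __name__ == "__main__":
    for label, fixed in (("affected", False), ("fixed", True)):
        t = walk(PATH, add_previous_hop=fixed)
        print(label, "transited =", t["transited"],
              "| complete capaths:", transit_allowed(t, PATH[-1], COMPLETE),
              "| incomplete capaths:", transit_allowed(t, PATH[-1], INCOMPLETE))
```

In this model the affected behaviour leaves the transited list empty, so the incomplete table accepts the ticket; with the hop recorded, the same table rejects it, which is the breakage the note warns about.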