[Heimdal-announce] Heimdal 7.5 security release announcement.

Viktor.Dukhovni at twosigma.com Viktor.Dukhovni at twosigma.com
Fri Dec 29 21:05:20 CET 2017

Dear Heimdal Community,

A team consisting of staff from Two Sigma Open Source and AuriStor are
pleased to announce the release of Heimdal 7.5.

The release download page is:


The source tarball can be downloaded from:


    SHA256(heimdal-7.5.0.tar.gz)= c5a2a0030fcc728022fa2332bad85569084d1c3b9a59587b7ebe141b0532acad
    SHA1(heimdal-7.5.0.tar.gz)= 6c891e7ac0c39de10f894a1680a52fb219453e2f

The signature key fingerprint is: E659 41B7 1CF3 C459 A34F  A89C 45E7 572A 28CD 8CC8

Changes in Heimdal 7.5:


 - Fix CVE-2017-17439, which is a remote denial of service

     In Heimdal 7.1 through 7.4, remote unauthenticated attackers
     are able to crash the KDC by sending a crafted request
     containing empty data fields for client name or realm.

 Bug fixes

 - Handle long input lines when reloading database dumps.

 - In pre-forked mode (default on Unix), correctly clear the
   process ids of exited children, allowing new child processes
   to replace the old.

 - Fixed incorrect KDC response when no-cross realm TGT exists,
   allowing client requests to fail quickly rather than time
   out after trying to get a correct answer from each KDC.

   The Heimdal Release Team.

More information about the Heimdal-announce mailing list