[Heimdal-announce] Heimdal 7.4 security release announcement.
abartlet at samba.org
Wed Jul 12 09:41:14 CEST 2017
On Tue, 2017-07-11 at 14:34 -0400, Viktor.Dukhovni at twosigma.com wrote:
> Dear Heimdal Community,
> A team consisting of staff from Two Sigma Open Source and AuriStor are
> pleased to announce the release of Heimdal 7.4.
> The release download page is:
> The source tarball can be downloaded from:
> SHA256(heimdal-7.4.0.tar.gz)= 3de14ecd36ad21c1694a13da347512b047f4010d176fe412820664cb5d1429ad
> SHA1(heimdal-7.4.0.tar.gz)= e496db36f8a232c3b1aa87a1e08f299b6f8f57a5
> The signature key fingerprint is: E659 41B7 1CF3 C459 A34F A89C 45E7 572A 28CD 8CC8
> Changes in Heimdal 7.4:
> - Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
> This is a critical vulnerability.
> In _krb5_extract_ticket() the KDC-REP service name must be obtained from
> encrypted version stored in 'enc_part' instead of the unencrypted version
> stored in 'ticket'. Use of the unecrypted version provides an
> opportunity for successful server impersonation and other attacks.
> Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
> See https://www.orpheus-lyre.info/ for more details.
Are there any tests for this yet?
I need to port this to a much older release of Samba, and while it
appears to cleanly apply, we have some custom code setting some of the
* this is really a ugly hack, to support using the Netbios Domain
* as realm against windows KDC's, they always return the full
* based on the DNS Name.
flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
I plan to write some tests in Samba's test framework, which allows
manipulation of the 'wire' packets via the send_to_kdc handler.
Our bug for this is https://bugzilla.samba.org/show_bug.cgi?id=12894
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the Heimdal-discuss