Heimdal 1.2.1

Released 2008-08-19 heimdal-1.2.1.tar.gz

Major changes

• [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
• [HEIMDAL-151] - Make canned tests work again after cert expired
• [HEIMDAL-152] - iprop test: use full hostname to avoid realm resolving errors
• [HEIMDAL-153] - ftp: Use the correct length for unmap, msync

Heimdal 1.2

Released 2008-05-22 heimdal-1.2.tar.gz

Major changes

• [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in gss_display_name/gss_export_name when using SPNEGO
• [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
• [HEIMDAL-17] - Remove support for depricated [libdefaults]capath
• [HEIMDAL-52] - hdb overwrite aliases for db databases
• [HEIMDAL-54] - Two issues which affect credentials delegation
• [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
• [HEIMDAL-62] - Fix printing of sig_atomic_t
• [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
• [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
• [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)
• [HEIMDAL-67] - Fix locking and store credential in atomic writes in the FILE credential cache
• [HEIMDAL-106] - make compile on cygwin again
• [HEIMDAL-107] - Replace old random key generation in des module and use it with RAND_ function instead
• [HEIMDAL-115] - Better documentation and compatibility in hcrypto in regards to OpenSSL
• [HEIMDAL-3] - pkinit alg agility PRF test vectors
• [HEIMDAL-14] - Add libwind to Heimdal
• [HEIMDAL-16] - Use libwind in hx509
• [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to the negotiation
• [HEIMDAL-74] - Add support to report extended error message back in AS-REQ to support windows clients
• [HEIMDAL-116] - test pty based application (using rkpty)
• [HEIMDAL-120] - Use new OpenLDAP API (older deprecated)
• [HEIMDAL-63] - Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ. This drop compatibility with pre 0.3d KDCs.
• [HEIMDAL-64] - kcm: first implementation of kcm-move-cache
• [HEIMDAL-65] - Failed to compile with --disable-pk-init
• [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some wraparound checks doesn't apply to Heimdal

Heimdal 1.1

Released 2008-01-24 heimdal-1.1.tar.gz

Major changes

• Read-only PKCS11 provider built-in to hx509.
• Documentation for hx509, hcrypto and ntlm libraries improved.
• Better compatibilty with Windows 2008 Server pre-releases and Vista.
• Mac OS X 10.5 support for native credential cache.
• Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
• Bug fixes.

Heimdal 1.0.2

Released 2007-12-15 heimdal-1.0.2.tar.gz

Major changes

• Many bugfixes.
• Ubuntu packages.

Heimdal 1.0.1

Released 2007-08-08 heimdal-1.0.1.tar.gz

Major changes

• Serveral bug fixes to iprop.
• Make work on platforms without dlopen.
• Bug fixes.
• Add RFC3526 modp group14 as default.
• Handle [kdc] database = { } entries without realm = stanzas.
• Make krb5_get_renewed_creds work.
• Make kaserver preauth work again.
• Bug fixes.

Heimdal 1.0

Released 2007-07-17 heimdal-1.0.tar.gz

Major changes

• Add gss_pseudo_random() for mechglue and krb5.
• Make session key for the krbtgt be selected by the best encryption type of the client.
• Better interoperability with other PK-INIT implementations.
• Inital support for Mac OS X Keychain for hx509.
• Alias support for inital ticket requests.
• Add symbol versioning to selected libraries on platforms that uses GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.
• New version of imath included in hcrypto.
• Fix memory leaks.
• Bug fixes.

Heimdal 0.8

Released 2007-04-13 heimdal-0.8.tar.gz

Major changes

• PK-INIT support.
• HDB extensions support, used by PK-INIT.
• New ASN.1 compiler.
• GSS-API mechglue from FreeBSD.
• Updated SPNEGO to support RFC4178.
• Support for Cryptosystem Negotiation Extension (RFC 4537).
• A new X.509 library (hx509) and related crypto functions.
• A new ntlm library (heimntlm) and related crypto functions.
• Updated the built-in crypto library with bignum support using imath, support for RSA and DH and renamed it to libhcrypto.
• Subsystem in the KDC, digest, that will perform the digest operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL DIGEST-MD5 NTLMv1 and NTLMv2.
• KDC will return the "response too big" error to force TCP retries for large (default 1400 bytes) UDP replies. This is common for PK-INIT requests.
• Libkafs defaults to use 2b tokens.
• Default to use the API cache on Mac OS X.
• krb5_kuserok() also checks ~/.k5login.d directory for acl files, see manpage for krb5_kuserok for description.
• Many, many, other update to code and info manual and manual pages.
• Bug fixes.

Heimdal 0.6.6

Released 2006-02-06 heimdal-0.6.6.tar.gz

Major changes

• Fix security problem in rshd that enable an attacker to overwrite and change ownership of any file that root could write.
• Fix a DOS in telnetd. The attacker could force the server to crash in a NULL de-reference before the user logged in, resulting in inetd turning telnetd off because it forked too fast.

Vulnerabilities

• 2006-08-08 - multiple local privilege escalation vulnerabilities

Heimdal 0.7.2

Released 2006-02-06 heimdal-0.7.2.tar.gz

Major changes

• Fix security problem in rshd that enable an attacker to overwrite and change ownership of any file that root could write.
• Fix a DOS in telnetd. The attacker could force the server to crash in a NULL de-reference before the user logged in, resulting in inetd turning telnetd off because it forked too fast.
• Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name exists in the keytab before returning success. This allows servers to check if its even possible to use GSSAPI.
• Fix receiving end of token delegation for GSS-API. It still wrongly uses subkey for sending for compatibility reasons, this will change in 0.8.
• telnetd, login and rshd are now more verbose in logging failed and successful logins.

Vulnerabilities

• 2006-08-08 - multiple local privilege escalation vulnerabilities

Heimdal 0.7.1

Released 2005-08-14 heimdal-0.7.1.tar.gz

Major changes

• Bugfixes

Vulnerabilities

• 2006-02-06 - rshd privilege escalation vulnerability
• 2006-08-08 - multiple local privilege escalation vulnerabilities

Heimdal 0.6.4

Released 2005-04-20 heimdal-0.6.4.tar.gz

Major changes

• fix vulnerabilities in telnet
• rshd: encryption without a separate error socket should now work
• telnet now uses appdefaults for the encrypt and forward/forwardable settings

Vulnerabilities

• 2006-08-08 - multiple local privilege escalation vulnerabilities
• 2006-02-06 - rshd privilege escalation vulnerability
• 2005-06-20 - telnetd vulnerabilities
• 2005-04-20 - telnet vulnerabilities

Heimdal 0.6.5

Released 2005-04-20 heimdal-0.6.5.tar.gz

Major changes

• fix vulnerabilities in telnetd
• unbreak Kerberos 4 and kaserver

Vulnerabilities

• 2006-08-08 - multiple local privilege escalation vulnerabilities
• 2006-02-06 - rshd privilege escalation vulnerability

Heimdal 0.7

Released 2005-04-20 heimdal-0.7.tar.gz

Major changes

• Support for KCM, a process based credential cache
• Support CCAPI credential cache
• SPNEGO support
• AES (and the GSS-API conterpart, CFX) support
• Adding new and improve old documentation

Vulnerabilities

• 2006-08-08 - multiple local privilege escalation vulnerabilities
• 2006-02-06 - rshd privilege escalation vulnerability

Heimdal 0.6.3

Released 2004-09-13 heimdal-0.6.3.tar.gz

Major changes

• fix vulnerabilities in ftpd
• support for linux AFS /proc "syscalls"
• support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in kpasswdd
• fix possible KDC denial of service
• bug fixes

Vulnerabilities

• 2006-08-08 - multiple local privilege escalation vulnerabilities
• 2006-02-06 - rshd privilege escalation vulnerability
• 2005-06-20 - telnetd vulnerabilities
• 2005-04-20 - telnet vulnerabilities

Heimdal 0.6.2

Released 2004-05-06 heimdal-0.6.2.tar.gz

Major changes

• Fix possible buffer overrun in v4 kadmin (which now defaults to off)

Vulnerabilities

• 2006-08-08 - multiple local privilege escalation vulnerabilities
• 2006-02-06 - rshd privilege escalation vulnerability
• 2005-06-20 - telnetd vulnerabilities
• 2005-04-20 - telnet vulnerabilities
• 2004-09-13 - ftpd root escalation

Heimdal 0.6.1

Released 2004-04-01 heimdal-0.6.1.tar.gz

Major changes

• Fixed ARCFOUR suppport
• Cross realm vulnerability
• kdc: fix denial of service attack
• kdc: stop clients from renewing tickets into the future
• bug fixes

Vulnerabilities

• 2006-08-08 - multiple local privilege escalation vulnerabilities
• 2006-02-06 - rshd privilege escalation vulnerability
• 2005-06-20 - telnetd vulnerabilities
• 2005-04-20 - telnet vulnerabilities
• 2004-09-13 - ftpd root escalation
• 2004-05-06 - Kerberos 4 buffer overrun in Heimdal kadmin

Heimdal 0.6

Released 2003-05-12 heimdal-0.6.tar.gz

Major changes

• The DES3 GSS-API mechanism has been changed to inter-operate with other GSSAPI implementations. See man page for gssapi(3) how to turn on generation of correct MIC messages. Next major release of heimdal will generate correct MIC by default.
• More complete GSS-API support
• Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS support in applications no longer requires Kerberos 4 libs
• Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
• Other bug fixes

Vulnerabilities

• 2006-08-08 - multiple local privilege escalation vulnerabilities
• 2006-02-06 - rshd privilege escalation vulnerability
• 2005-06-20 - telnetd vulnerabilities
• 2005-04-20 - telnet vulnerabilities
• 2004-09-13 - ftpd root escalation
• 2004-05-06 - Kerberos 4 buffer overrun in Heimdal kadmin
• 2004-04-01 - Cross-realm trust vulnerability in Heimdal

Heimdal 0.0a

Released 1997-07-17 heimdal-0.0a.tar.gz

Major changes

• First public release of Heimdal. First commit was done 1996, March 17.