Heimdal releases

2016-12-22 - Heimdal 7.1.0

Heimdal 7.1.0

Released 2016-12-22 heimdal-7.1.0.tar.gz

Major changes

  • hcrypto is now thread safe on all platforms and, as much as possible, now uses the operating system's preferred crypto implementation, ensuring that optimized hardware-assisted implementations of AES-NI are used.
  • RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST).
  • Hierarchical capath support
  • iprop has been revamped to fix a number of race conditions that could lead to inconsistent replication.
  • The KDC process now uses a multi-process model improving resiliency and performance.
  • AES Encryption with HMAC-SHA2 for Kerberos 5 draft-ietf-kitten-aes-cts-hmac-sha2-11
  • Moved kadmin and ktutil to /usr/bin
  • Stricter fcache checks (see fcache_strict_checking krb5.conf setting)
  • Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh, telnet, xnlock

2011-10-02 - Heimdal 1.5.1

Heimdal 1.5.1

Released 2011-10-02 heimdal-1.5.1.tar.gz

Major changes

  • Fix building on Solaris, requires c99
  • Fix building on Windows
  • Build system updates

Vulnerabilities

2011-09-20 - Heimdal 1.5

Heimdal 1.5

Released 2011-09-20 heimdal-1.5.tar.gz

Major changes

  • Support GSS name extensions/attributes
  • SHA512 support
  • No Kerberos 4 support
  • Basic support for MIT Admin protocol (SECGSS flavor) in kadmind (extract keytab)
  • Replace editline with libedit
  • Bugfixes

Vulnerabilities

2010-09-14 - Heimdal 1.4

Heimdal 1.4

Released 2010-09-14 and is deprecated heimdal-1.4.tar.gz

Major changes

  • Support for reading MIT database file directly
  • KCM is polished up and now used in production
  • NTLM first class citizen, credentials stored in KCM
  • Table driven ASN.1 compiler, smaller!, not enabled by default
  • Native Windows client support
  • Bugfixes

Vulnerabilities

2010-05-27 - Heimdal 1.3.3

Heimdal 1.3.3

Released 2010-05-27 and is deprecated heimdal-1.3.3.tar.gz

Major changes

  • Check the GSS-API checksum exists before trying to use it
  • kdc: check for NULL pointers before dereferencing them
  • Bugfixes

Vulnerabilities

2010-03-21 - Heimdal 1.3.2

Heimdal 1.3.2

Released 2010-03-21 and is deprecated heimdal-1.3.2.tar.gz

Major changes

  • Don't mix length when clearing hmac (could memset too much)
  • More paranoid underrun checking when decrypting packets
  • Check the password change requests and refuse to answer empty packets
  • Build on OpenSolaris 10
  • Renumber AD-SIGNED-TICKET since it was stolen
  • Don't cache /dev/*random file descriptor, it doesn't get unloaded
  • Make C++ safe
  • Misc warnings

Vulnerabilities

2009-11-20 - Heimdal 1.3.1

Heimdal 1.3.1

Released 2009-11-20 and is deprecated heimdal-1.3.1.tar.gz

Major changes

  • Make it work with OpenLDAP's krb5 overlay

2009-11-15 - Heimdal 1.3.0

Heimdal 1.3.0

Released 2009-11-15 and is deprecated heimdal-1.3.0.tar.gz

Major changes

  • Partial support for MIT kadmind rpc protocol in kadmind
  • Better support for finding keytab entries when using SPN aliases in the KDC
  • Support BER in ASN.1 library (needed for CMS)
  • Support decryption in Keychain private keys
  • Support for new sqlite based credential cache
  • Try both KDC referrals and the common DNS reverse lookup in GSS-API
  • Fix the KCM to not leak resources on failure
  • Add IPv6 support to iprop
  • Support localization of error strings in kinit/klist/kdestroy and Kerberos library
  • Remove Kerberos 4 support in application (still in KDC)
  • Deprecate DES
  • Support i18n password in Windows domains (using UTF-8)
  • More complete API emulation of OpenSSL in hcrypto
  • Support for ECDSA and ECDH when linking with OpenSSL

Vulnerabilities

2008-08-19 - Heimdal 1.2.1

Heimdal 1.2.1

Released 2008-08-19 and is deprecated heimdal-1.2.1.tar.gz

Major changes

  • [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
  • [HEIMDAL-151] - Make canned tests work again after cert expired
  • [HEIMDAL-152] - iprop test: use full hostname to avoid realm resolving errors
  • [HEIMDAL-153] - ftp: Use the correct length for unmap, msync

Vulnerabilities

2008-05-22 - Heimdal 1.2

Heimdal 1.2

Released 2008-05-22 and is deprecated heimdal-1.2.tar.gz

Major changes

  • [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in gss_display_name/gss_export_name when using SPNEGO
  • [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
  • [HEIMDAL-17] - Remove support for deprecated [libdefaults]capath
  • [HEIMDAL-52] - hdb overwrite aliases for db databases
  • [HEIMDAL-54] - Two issues which affect credentials delegation
  • [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
  • [HEIMDAL-62] - Fix printing of sig_atomic_t
  • [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
  • [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
  • [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)
  • [HEIMDAL-67] - Fix locking and store credential in atomic writes in the FILE credential cache
  • [HEIMDAL-106] - make compile on cygwin again
  • [HEIMDAL-107] - Replace old random key generation in des module and use it with RAND_ function instead
  • [HEIMDAL-115] - Better documentation and compatibility in hcrypto in regards to OpenSSL
  • [HEIMDAL-3] - pkinit alg agility PRF test vectors
  • [HEIMDAL-14] - Add libwind to Heimdal
  • [HEIMDAL-16] - Use libwind in hx509
  • [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to the negotiation
  • [HEIMDAL-74] - Add support to report extended error message back in AS-REQ to support Windows clients
  • [HEIMDAL-116] - test pty based application (using rkpty)
  • [HEIMDAL-120] - Use new OpenLDAP API (older deprecated)
  • [HEIMDAL-63] - Don't try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ. This drops compatibility with pre 0.3d KDCs.
  • [HEIMDAL-64] - kcm: first implementation of kcm-move-cache
  • [HEIMDAL-65] - Failed to compile with --disable-pk-init
  • [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some wraparound checks doesn't apply to Heimdal

Vulnerabilities

2008-01-24 - Heimdal 1.1

Heimdal 1.1

Released 2008-01-24 and is deprecated heimdal-1.1.tar.gz

Major changes

  • Read-only PKCS11 provider built-in to hx509.
  • Documentation for hx509, hcrypto and ntlm libraries improved.
  • Better compatibility with Windows 2008 Server pre-releases and Vista.
  • Mac OS X 10.5 support for native credential cache.
  • Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
  • Bug fixes.

Vulnerabilities

2007-08-08 - Heimdal 1.0.1

Heimdal 1.0.1

Released 2007-08-08 and is deprecated heimdal-1.0.1.tar.gz

Major changes

  • Several bug fixes to iprop.
  • Make it work on platforms without dlopen.
  • Bug fixes.
  • Add RFC3526 modp group14 as default.
  • Handle [kdc] database = { } entries without realm = stanzas.
  • Make krb5_get_renewed_creds work.
  • Make kaserver preauth work again.
  • Bug fixes.

Vulnerabilities

2007-07-17 - Heimdal 1.0

Heimdal 1.0

Released 2007-07-17 and is deprecated heimdal-1.0.tar.gz

Major changes

  • Add gss_pseudo_random() for mechglue and krb5.
  • Make session key for the krbtgt be selected by the best encryption type of the client.
  • Better interoperability with other PK-INIT implementations.
  • Initial support for Mac OS X Keychain for hx509.
  • Alias support for initial ticket requests.
  • Add symbol versioning to selected libraries on platforms that use the GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.
  • New version of imath included in hcrypto.
  • Fix memory leaks.
  • Bug fixes.

Vulnerabilities

2007-04-13 - Heimdal 0.8

Heimdal 0.8

Released 2007-04-13 and is deprecated heimdal-0.8.tar.gz

Major changes

  • PK-INIT support.
  • HDB extensions support, used by PK-INIT.
  • New ASN.1 compiler.
  • GSS-API mechglue from FreeBSD.
  • Updated SPNEGO to support RFC4178.
  • Support for Cryptosystem Negotiation Extension (RFC 4537).
  • A new X.509 library (hx509) and related crypto functions.
  • A new ntlm library (heimntlm) and related crypto functions.
  • Updated the built-in crypto library with bignum support using imath, support for RSA and DH and renamed it to libhcrypto.
  • Subsystem in the KDC, digest, that will perform the digest operation in the KDC. It currently supports: CHAP, MS-CHAP-V2, SASL DIGEST-MD5, NTLMv1 and NTLMv2.
  • KDC will return the "response too big" error to force TCP retries for large (default 1400 bytes) UDP replies. This is common for PK-INIT requests.
  • Libkafs defaults to use 2b tokens.
  • Default to use the API cache on Mac OS X.
  • krb5_kuserok() also checks ~/.k5login.d directory for acl files, see manpage for krb5_kuserok for description.
  • Many, many other updates to code, info manual and manual pages.
  • Bug fixes.

2006-02-06 - Heimdal 0.6.6

Heimdal 0.6.6

Released 2006-02-06 and is deprecated heimdal-0.6.6.tar.gz

Major changes

  • Fix security problem in rshd that enables an attacker to overwrite and change ownership of any file that root could write.
  • Fix a DoS in telnetd. The attacker could force the server to crash in a NULL dereference before the user logged in, resulting in inetd turning telnetd off because it forked too fast.

Vulnerabilities

2006-02-06 - Heimdal 0.7.2

Heimdal 0.7.2

Released 2006-02-06 and is deprecated heimdal-0.7.2.tar.gz

Major changes

  • Fix security problem in rshd that enables an attacker to overwrite and change ownership of any file that root could write.
  • Fix a DoS in telnetd. The attacker could force the server to crash in a NULL dereference before the user logged in, resulting in inetd turning telnetd off because it forked too fast.
  • Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name exists in the keytab before returning success. This allows servers to check if it's even possible to use GSSAPI.
  • Fix receiving end of token delegation for GSS-API. It still wrongly uses subkey for sending for compatibility reasons, this will change in 0.8.
  • telnetd, login and rshd are now more verbose in logging failed and successful logins.

Vulnerabilities

2005-04-20 - Heimdal 0.6.4

Heimdal 0.6.4

Released 2005-04-20 and is deprecated heimdal-0.6.4.tar.gz

Major changes

  • fix vulnerabilities in telnet
  • rshd: encryption without a separate error socket should now work
  • telnet now uses appdefaults for the encrypt and forward/forwardable settings

Vulnerabilities

2005-04-20 - Heimdal 0.6.5

Heimdal 0.6.5

Released 2005-04-20 and is deprecated heimdal-0.6.5.tar.gz

Major changes

  • fix vulnerabilities in telnetd
  • unbreak Kerberos 4 and kaserver

Vulnerabilities

2005-04-20 - Heimdal 0.7

Heimdal 0.7

Released 2005-04-20 and is deprecated heimdal-0.7.tar.gz

Major changes

  • Support for KCM, a process based credential cache
  • Support CCAPI credential cache
  • SPNEGO support
  • AES (and the GSS-API counterpart, CFX) support
  • Adding new and improving old documentation

Vulnerabilities

2004-09-13 - Heimdal 0.6.3

Heimdal 0.6.3

Released 2004-09-13 and is deprecated heimdal-0.6.3.tar.gz

Major changes

  • fix vulnerabilities in ftpd
  • support for Linux AFS /proc "syscalls"
  • support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in kpasswdd
  • fix possible KDC denial of service
  • bug fixes

Vulnerabilities

2004-04-01 - Heimdal 0.6.1

Heimdal 0.6.1

Released 2004-04-01 and is deprecated heimdal-0.6.1.tar.gz

Major changes

  • Fixed ARCFOUR support
  • Cross realm vulnerability
  • kdc: fix denial of service attack
  • kdc: stop clients from renewing tickets into the future
  • bug fixes

Vulnerabilities

2003-05-12 - Heimdal 0.6

Heimdal 0.6

Released 2003-05-12 and is deprecated heimdal-0.6.tar.gz

Major changes

  • The DES3 GSS-API mechanism has been changed to inter-operate with other GSSAPI implementations. See the gssapi(3) man page for how to turn on generation of correct MIC messages. The next major release of Heimdal will generate correct MIC by default.
  • More complete GSS-API support
  • Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS support in applications no longer requires Kerberos 4 libs
  • Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
  • Other bug fixes

Vulnerabilities

1997-07-17 - Heimdal 0.0a

Heimdal 0.0a

Released 1997-07-17 and is deprecated heimdal-0.0a.tar.gz

Major changes

  • First public release of Heimdal. First commit was done 1996, March 17.