Dear Heimdal Community, A team consisting of staff from Two Sigma Open Source and AuriStor are pleased to announce the release of Heimdal 7.4.
The release download page is: https://github.com/heimdal/heimdal/releases/tag/heimdal-7.4.0 The source tarball can be downloaded from: https://github.com/heimdal/heimdal/releases/download/heimdal-7.4.0/heimdal-7.4.0.tar.gz https://github.com/heimdal/heimdal/releases/download/heimdal-7.4.0/heimdal-7.4.0.tar.gz.sig SHA256(heimdal-7.4.0.tar.gz)= 3de14ecd36ad21c1694a13da347512b047f4010d176fe412820664cb5d1429ad SHA1(heimdal-7.4.0.tar.gz)= e496db36f8a232c3b1aa87a1e08f299b6f8f57a5 The signature key fingerprint is: E659 41B7 1CF3 C459 A34F A89C 45E7 572A 28CD 8CC8 Changes in Heimdal 7.4: Security - Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation This is a critical vulnerability. In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks. Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. See https://www.orpheus-lyre.info/ for more details. -- The Heimdal Release Team.