Dear Heimdal Community,
A team consisting of staff from Two Sigma Open Source and AuriStor are
pleased to announce the release of Heimdal 7.4.
The release download page is:
https://github.com/heimdal/heimdal/releases/tag/heimdal-7.4.0
The source tarball can be downloaded from:
https://github.com/heimdal/heimdal/releases/download/heimdal-7.4.0/heimdal-7.4.0.tar.gz
https://github.com/heimdal/heimdal/releases/download/heimdal-7.4.0/heimdal-7.4.0.tar.gz.sig
SHA256(heimdal-7.4.0.tar.gz)=
3de14ecd36ad21c1694a13da347512b047f4010d176fe412820664cb5d1429ad
SHA1(heimdal-7.4.0.tar.gz)= e496db36f8a232c3b1aa87a1e08f299b6f8f57a5
The signature key fingerprint is: E659 41B7 1CF3 C459 A34F A89C 45E7 572A 28CD
8CC8
Changes in Heimdal 7.4:
Security
- Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
This is a critical vulnerability.
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
See https://www.orpheus-lyre.info/ for more details.
--
The Heimdal Release Team.
