On Tue, 2017-07-11 at 14:34 -0400, viktor.dukho...@twosigma.com wrote: > Dear Heimdal Community, > > A team consisting of staff from Two Sigma Open Source and AuriStor are > pleased to announce the release of Heimdal 7.4. > > The release download page is: > > https://github.com/heimdal/heimdal/releases/tag/heimdal-7.4.0 > > The source tarball can be downloaded from: > > > https://github.com/heimdal/heimdal/releases/download/heimdal-7.4.0/heimdal-7.4.0.tar.gz > > https://github.com/heimdal/heimdal/releases/download/heimdal-7.4.0/heimdal-7.4.0.tar.gz.sig > > SHA256(heimdal-7.4.0.tar.gz)= > 3de14ecd36ad21c1694a13da347512b047f4010d176fe412820664cb5d1429ad > SHA1(heimdal-7.4.0.tar.gz)= e496db36f8a232c3b1aa87a1e08f299b6f8f57a5 > > The signature key fingerprint is: E659 41B7 1CF3 C459 A34F A89C 45E7 572A > 28CD 8CC8 > > Changes in Heimdal 7.4: > > Security > > - Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation > > This is a critical vulnerability. > > In _krb5_extract_ticket() the KDC-REP service name must be obtained from > encrypted version stored in 'enc_part' instead of the unencrypted version > stored in 'ticket'. Use of the unecrypted version provides an > opportunity for successful server impersonation and other attacks. > > Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. > > See https://www.orpheus-lyre.info/ for more details.
Are there any tests for this yet? I need to port this to a much older release of Samba, and while it appears to cleanly apply, we have some custom code setting some of the flags on: /* * HACK: * this is really a ugly hack, to support using the Netbios Domain Name * as realm against windows KDC's, they always return the full realm * based on the DNS Name. */ flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH; flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH; I plan to write some tests in Samba's test framework, which allows manipulation of the 'wire' packets via the send_to_kdc handler. Our bug for this is https://bugzilla.samba.org/show_bug.cgi?id=12894 Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba