On Tue, 2017-07-11 at 14:34 -0400, viktor.dukho...@twosigma.com wrote:
> Dear Heimdal Community,
> A team consisting of staff from Two Sigma Open Source and AuriStor are
> pleased to announce the release of Heimdal 7.4.
> The release download page is:
>     https://github.com/heimdal/heimdal/releases/tag/heimdal-7.4.0
> The source tarball can be downloaded from:
> https://github.com/heimdal/heimdal/releases/download/heimdal-7.4.0/heimdal-7.4.0.tar.gz
> https://github.com/heimdal/heimdal/releases/download/heimdal-7.4.0/heimdal-7.4.0.tar.gz.sig
>     SHA256(heimdal-7.4.0.tar.gz)= 
> 3de14ecd36ad21c1694a13da347512b047f4010d176fe412820664cb5d1429ad
>     SHA1(heimdal-7.4.0.tar.gz)= e496db36f8a232c3b1aa87a1e08f299b6f8f57a5
> The signature key fingerprint is: E659 41B7 1CF3 C459 A34F  A89C 45E7 572A 
> 28CD 8CC8
> Changes in Heimdal 7.4:
>  Security
>  - Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
>    This is a critical vulnerability.
>    In _krb5_extract_ticket() the KDC-REP service name must be obtained from
>    encrypted version stored in 'enc_part' instead of the unencrypted version
>    stored in 'ticket'.  Use of the unecrypted version provides an
>    opportunity for successful server impersonation and other attacks.
>    Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
>    See https://www.orpheus-lyre.info/ for more details.

Are there any tests for this yet?

I need to port this to a much older release of Samba, and while it
appears to cleanly apply, we have some custom code setting some of the
flags on:
     * HACK:
     * this is really a ugly hack, to support using the Netbios Domain
     * as realm against windows KDC's, they always return the full
     * based on the DNS Name.

I plan to write some tests in Samba's test framework, which allows
manipulation of the 'wire' packets via the send_to_kdc handler. 

Our bug for this is https://bugzilla.samba.org/show_bug.cgi?id=12894


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Reply via email to