On 2017-08-30 09:53:50, Jeffrey Altman wrote:
> On 8/30/2017 4:38 AM, Sergio Gelato wrote:
> > * Andreas Haupt [2017-08-30 09:01:08 +0200]:
> >> we are running KDCs on Heimdal version 7.4. Since the update to version 7.x
> >> a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ.
> >> Looks like an evil bug to me. Anybody else seeing this?
> > Yes. Saw it on 2017-06-14, filed an encrypted bug report to heimdal-bugs
> > the next day with the attached patch. No reaction. Not to my status query
> > the other day either.
> I diagnosed this problem as well and there is a patch waiting to be
> included in a subsequent release.
Looking at the patch published by Sergio it appears to me that the
offending variables were introduced 2015-02-13
(a873e21d7c06f22943a90a41dc733ae76799390d). I guess this means releases
prior to this date are safe from this specific DoS while it affects
Do you have any idea when a new release fixing this will be made
available? I am just asking because it appears no official 7.x release
is suitable for use as a public-facing KDC at this time.