Re: Heimdal 0.6.1 + 0.5.3
Always nice to see new releases. Now the questions. ;-)
At 6:51 PM +0200 4/1/04, Johan Danielsson wrote:
>This double release of Heimdal 0.6.1 and 0.5.3 can now be found at the
>usual place:
> ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.6.1.tar.gz
>and
> ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.5.3.tar.gz
>respectively.
>
>The main reason for this release is a vulnerability in the cross-realm
>trust handling in the KDC. This allows an administrator of a realm you
>share keys with to impersonate anyone in your realm. If you are
>sharing keys with anyone, we strongly advise you to upgrade as soon as
>possible. Heimdal 0.6.1 also includes a bunch of other changes, while
>0.5.3 only includes security fixes.
>
>See also http://www.pdc.kth.se/heimdal/advisory/2004-04-01/
>
>Changes in release 0.6.1
>
> * Fixed ARCFOUR support
arcfour == rc4 == Windows encryption == Luke Howard's rc4 patch?
> * Fixed cross realm vulnerability
This sounds a lot like the Kerb 4 cross-realm vulnerability. Is it?
Or is it a new relative of it that applies to Kerb 5?
> * kdc: fix denial of service attack
>
> * kdc: stop clients from renewing tickets into the future
Been meaning to check this: if you expire the password, expire the
principal, or delete the principal does it prevent renewal? I hope
at least one of those does.
> * bug fixes
>
>Drive carefully.
>
>Assar, Jacques, Johan, and Love
Four cheers instead of the usual three!
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu