[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
The state of the heimdal project
Latest heimdal release is 0.7.2.
This is a list of by me known bugs of 0.7.2 with comments:
A1. 2006-08-08: multiple local privilege escalation vulnerabilities
Patch exists, no release that fixes problem.
A2. telnetd does not enforce encryption in all situations
Patch exists in snapshots, no release exists that fixes the
problem. In addition, the patch requires you to add an extra option
to telnetd in all your inetd.conf. This is a bad choice of
defaults.
A3. telnetd does not forward tickets correctly in a mixed endian
environment.
Patch exists in snapshots, no release that fixes the problem.
A4. ftpd (with gssapi) does not forward tickets correctly in a mixed
endian environment and does not issue tokens correctly because
of wrong arguments to krb_afslog and wrong order of krb_afslog
chdir and setuid.
I did a patch for the first half but the second half is tricky,
so no patch yet. This bug was introduced between 0.7 and 0.7.2.
Will there be a bugfix release with these issues addressed? I am
astonished that big sites (like su.se) have not run into problems
with the latest release. Or are these sites either running older
or not-yet released code?
Then I tried a late snapshot of current (20060929). That code did
not compile well on Solaris 10 and needed several adjustmens:
B1. heimdal build needs bigger table space than lex's default
B2. ^M in some files make cc barf
B3. Compile flag -pthread makes cc barf at some points
B4. Include files that do not exist on Solaris 10
B5. ftpd segfaults
All of the above have been reported to heimdal-bugs.
Security announcements are not followed up with new release(s) (A1).
Security problems are not tightened without configuration change (A2).
Testing is not sufficient (A3, A4, B5).
Development does not consider portability to other compilers than the
GNU compile environment important (B1, B2, B3).
Development does not consider portability to other platforms than the
GNU and BSD important (B1, B4).
So how is the future of this project? If chores are bigger than
available resources, how should this be reflected in the project?
What parts should be focused on?
What parts should be dumped?
Are there good parts that should be saved and transfered to another
projects?
After that, is there anything left?
Lately, I have had serious difficulties to plan future software deployment
of heimdal as _the_ kerberos platform of choice due to the uncertainty of
its future. Some indication of the amount of commitment would be useful,
preferably with some time plan.
Harald.