Release Notes - Heimdal - Version Heimdal 1.5.2
Security fixes
- CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege
- Check that key types strictly match - denial of service
Release Notes - Heimdal - Version Heimdal 1.5.1
Bug fixes
- Fix building on Solaris, requires c99
- Fix building on Windows
- Build system updates
Release Notes - Heimdal - Version Heimdal 1.5
New features
- Support GSS name extensions/attributes
- SHA512 support
- No Kerberos 4 support
- Basic support for MIT Admin protocol (SECGSS flavor)
in kadmind (extract keytab)
- Replace editline with libedit
New features
* Support for reading MIT database file directly
* KCM is polished up and now used in production
* NTLM first class citizen, credentials stored in KCM
* Table driven ASN.1 compiler, smaller!, not enabled by default
* Native Windows client support
Notes
* Disabled write support NDBM hdb backend (read still in there) since
it can't handle large records, please migrate to a diffrent backend
(like BDB4)
Changes 1.3.3:
Bug fixes
* Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
* Check NULL pointers before dereference them [kdc]
Changes 1.3.2:
Bug fixes
* Don't mix length when clearing hmac (could memset too much)
* More paranoid underrun checking when decrypting packets
* Check the password change requests and refuse to answer empty packets
* Build on OpenSolaris
* Renumber AD-SIGNED-TICKET since it was stolen from US
* Don't cache /dev/*random file descriptor, it doesn't get unloaded
* Make C++ safe
* Misc warnings
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
into ${PREFIX}/include/krb5/roken instead of ${PREFIX}/include/krb5.
This is good because it reduces the likelihood of a conflict with any
other similarly named headers if you simply add -I${PREFIX}/include/krb5
to the compiler command line.
Patch from PR pkg/38119 by charlie.
* Read-only PKCS11 provider built-in to hx509.
* Better compatibilty with Windows 2008 Server pre-releases and Vista.
* Add RFC3526 modp group14 as default.
* Handle [kdc] database = { } entries without realm = stanzas.
* Add gss_pseudo_random() for mechglue and krb5.
* Make session key for the krbtgt be selected by the best encryption
type of the client.
* Better interoperability with other PK-INIT implementations.
* Alias support for inital ticket requests.
* Make ASN.1 library less paranoid to with regard to NUL in string to
make it inter-operate with MIT Kerberos again.
* PK-INIT support.
* HDB extensions support, used by PK-INIT.
* New ASN.1 compiler.
* GSS-API mechglue from FreeBSD.
* Updated SPNEGO to support RFC4178.
* Support for Cryptosystem Negotiation Extension (RFC 4537).
* A new X.509 library (hx509) and related crypto functions.
* A new ntlm library (heimntlm) and related crypto functions.
* KDC will return the "response too big" error to force TCP retries
for large (default 1400 bytes) UDP replies. This is common for
PK-INIT requests.
* Libkafs defaults to use 2b tokens.
* krb5_kuserok() also checks ~/.k5login.d directory for acl files.
* Fix memory leaks.
* Bugs fixes
* Read-only PKCS11 provider built-in to hx509.
* Better compatibilty with Windows 2008 Server pre-releases and Vista.
* Add RFC3526 modp group14 as default.
* Handle [kdc] database = { } entries without realm = stanzas.
* Add gss_pseudo_random() for mechglue and krb5.
* Make session key for the krbtgt be selected by the best encryption
type of the client.
* Better interoperability with other PK-INIT implementations.
* Alias support for inital ticket requests.
* Make ASN.1 library less paranoid to with regard to NUL in string to
make it inter-operate with MIT Kerberos again.
* PK-INIT support.
* HDB extensions support, used by PK-INIT.
* New ASN.1 compiler.
* GSS-API mechglue from FreeBSD.
* Updated SPNEGO to support RFC4178.
* Support for Cryptosystem Negotiation Extension (RFC 4537).
* A new X.509 library (hx509) and related crypto functions.
* A new ntlm library (heimntlm) and related crypto functions.
* KDC will return the "response too big" error to force TCP retries
for large (default 1400 bytes) UDP replies. This is common for
PK-INIT requests.
* Libkafs defaults to use 2b tokens.
* krb5_kuserok() also checks ~/.k5login.d directory for acl files.
* Fix memory leaks.
* Bugs fixes
"A security issue has been reported in Heimdal, which potentially can be
exploited by malicious, local users to perform certain actions with
escalated privileges.
The security issue is caused due to missing checks for whether the
"setuid()" call has succeeded in the bundled rcp application. This may
be exploited to perform certain actions with root privileges if the
"setuid()" call fails due to e.g. resource limits."
http://secunia.com/advisories/21436/http://www.pdc.kth.se/heimdal/advisory/2006-08-08/
Bump PKGREVISION.
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
Since the heimdal install process will install additional headers in
${PREFIX}/include/krb5 depending on what the configure process detects,
simply query the source Makefile at install-time for the extra headers
that it will install and dynamically add them to the PLIST.
