Heimdal 7.6.0 - Security Release

4 years ago

Release Notes - Heimdal - Version Heimdal 7.6

Security (#555)

  • CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum

    When the Heimdal KDC checks the checksum that is placed on the
    S4U2Self packet by the server to protect the requested principal
    against modification, it does not confirm that the checksum
    algorithm that protects the user name (principal) in the request
    is keyed. This allows a man-in-the-middle attacker who can
    intercept the request to the KDC to modify the packet by replacing
    the user name (principal) in the request with any desired user
    name (principal) that exists in the KDC and replacing the checksum
    protecting that name with a CRC32 checksum (which requires no
    prior knowledge to compute).

    This would allow an S4U2Self ticket requested on behalf of user
    name (principal) user@EXAMPLE.COM to any service to be changed
    to an S4U2Self ticket with a user name (principal) of
    Administrator@EXAMPLE.COM. This ticket would then contain the
    PAC of the modified user name (principal).

  • CVE-2019-12098, client-only:

    RFC8062 Section 7 requires verification of the PA-PKINIT-KX key exchange
    when anonymous PKINIT is used. Failure to do so can permit an active
    attacker to become a man-in-the-middle.
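
A simplified model of the CVE-2018-16860 check described above, added here as an illustration and not taken from Heimdal's source. It assumes zlib's CRC32 and a plain truncated HMAC-SHA1 as stand-ins for the real Kerberos checksum algorithms; the function names and the sample key are constructed for the example.

```python
import hashlib
import hmac
import zlib

# Checksum type numbers as assigned in RFC 3961 / RFC 3962.
CKSUMTYPE_CRC32 = 1                 # unkeyed
CKSUMTYPE_HMAC_SHA1_96_AES256 = 16  # keyed
KEYED_TYPES = {CKSUMTYPE_HMAC_SHA1_96_AES256}


def compute(cksumtype, key, data):
    """Simplified stand-ins for the Kerberos checksum algorithms."""
    if cksumtype == CKSUMTYPE_CRC32:
        # The key is ignored: anyone who sees the data can compute this value.
        return zlib.crc32(data).to_bytes(4, "big")
    if cksumtype == CKSUMTYPE_HMAC_SHA1_96_AES256:
        return hmac.new(key, data, hashlib.sha1).digest()[:12]
    raise ValueError("unsupported checksum type")


def verify_lax(key, name, cksumtype, cksum):
    """Pre-fix behaviour: any checksum type whose value matches is accepted."""
    return hmac.compare_digest(compute(cksumtype, key, name), cksum)


def verify_strict(key, name, cksumtype, cksum):
    """Post-fix behaviour: refuse unkeyed types before comparing the value."""
    if cksumtype not in KEYED_TYPES:
        return False
    return hmac.compare_digest(compute(cksumtype, key, name), cksum)


def demo():
    service_key = b"constructed-service-key"  # constructed sample key
    # Request as the service sent it: name protected by a keyed checksum.
    good = (b"user@EXAMPLE.COM", CKSUMTYPE_HMAC_SHA1_96_AES256)
    good_sum = compute(good[1], service_key, good[0])
    # Request altered in transit: new name, checksum recomputed with no key.
    bad = (b"Administrator@EXAMPLE.COM", CKSUMTYPE_CRC32)
    bad_sum = compute(bad[1], b"", bad[0])
    return {
        "lax_good": verify_lax(service_key, *good, good_sum),
        "lax_bad": verify_lax(service_key, *bad, bad_sum),
        "strict_good": verify_strict(service_key, *good, good_sum),
        "strict_bad": verify_strict(service_key, *bad, bad_sum),
    }


if __name__ == "__main__":
    print(demo())
```

The altered request passes only the verifier that skips the keyed-type check, which is the condition the 7.6.0 KDC now rejects.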

Bug fixes

  • Happy eyeballs: Don't wait for responses from known-unreachable KDCs.
  • kdc: check return copy_Realm, copy_PrincipalName, copy_EncryptionKey
  • kinit:
    . cleanup temporary ccaches
    . see man page for "kinit --anonymous" command line syntax change
  • kdc: Make anonymous AS-requests more RFC8062-compliant.
  • Updated expired test certificates
  • Solaris:
    . PKCS#11 hcrypto backend broken since 7.0.1
    . Building with Sun Pro C


  • kuser: support authenticated anonymous AS-REQs in kinit
  • kdc: support for anonymous TGS-REQs
  • kgetcred support for anonymous service tickets
  • Support builds with OpenSSL 1.1.1

Building from source:

heimdal-7.6.0.tar.gz and its matching PGP signature file (heimdal-7.6.0.tar.gz) should be downloaded in preference to the GitHub generated "source" archives. The heimdal-7.6.0.tar.gz archive contains the required build products necessary to "configure" and "make".

SHA1(heimdal-7.6.0.tar.gz)= 41a036db3458f9f1957174f9860c0d7491dc173a
SHA256(heimdal-7.6.0.tar.gz)= afb996e27e722f51bf4d9e8d1d51e47cd10bfa1a41a84106af926e5639a52e4d

The GitHub generated "source" archives contain a raw copy of the repository contents for the "heimdal-7.6.0" tag.
