Heimdal releases

2017-04-13 - Heimdal 7.3.0

Released 2017-04-13 (heimdal-7.3.0.tar.gz)

Major changes

  • Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm to not be added to the transit path of issued tickets. This may, in some cases, enable bypass of capath policy in Heimdal versions 1.5 through 7.2. Note that this fix may break sites that rely on the bug: with the bug, some incomplete [capaths] configurations worked that should not have, and these may now fail authentication in some cross-realm configurations. (CVE-2017-6594)

2017-03-16 - Heimdal 7.2.0

Released 2017-03-16 (heimdal-7.2.0.tar.gz)

Major changes

  • Fixed memory leak in malloc error recovery in NTLM GSSAPI mechanism
  • hdb: add missing export hdb_generate_key_set_password_with_ks_tuple
  • Fix signature of hdb_generate_key_set_password()
  • iprop: handle case where master sends nothing new
  • Do not detect x32 as 64-bit platform.

2016-12-22 - Heimdal 7.1.0

Released 2016-12-22 (heimdal-7.1.0.tar.gz)

Major changes

  • hcrypto is now thread safe on all platforms and, as far as possible, uses the operating system's preferred crypto implementation, ensuring that optimized hardware-assisted implementations (AES-NI) are used.
  • RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST).
  • Hierarchical capath support
  • iprop has been revamped to fix a number of race conditions that could lead to inconsistent replication.
  • The KDC process now uses a multi-process model improving resiliency and performance.
  • AES Encryption with HMAC-SHA2 for Kerberos 5 (draft-ietf-kitten-aes-cts-hmac-sha2-11)
  • Moved kadmin and ktutil to /usr/bin
  • Stricter fcache checks (see fcache_strict_checking krb5.conf setting)
  • Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh, telnet, xnlock

2011-10-02 - Heimdal 1.5.1

Released 2011-10-02 (heimdal-1.5.1.tar.gz)

Major changes

  • Fix building on Solaris (requires C99)
  • Fix building on Windows
  • Build system updates

2011-09-20 - Heimdal 1.5

Released 2011-09-20 (heimdal-1.5.tar.gz)

Major changes

  • Support GSS name extensions/attributes
  • SHA512 support
  • No Kerberos 4 support
  • Basic support for MIT Admin protocol (SECGSS flavor) in kadmind (extract keytab)
  • Replace editline with libedit
  • Bugfixes

2010-09-14 - Heimdal 1.4

Released 2010-09-14, now deprecated (heimdal-1.4.tar.gz)

Major changes

  • Support for reading MIT database file directly
  • KCM is polished up and now used in production
  • NTLM first class citizen, credentials stored in KCM
  • Table-driven ASN.1 compiler (smaller generated code), not enabled by default
  • Native Windows client support
  • Bugfixes

2010-05-27 - Heimdal 1.3.3

Released 2010-05-27, now deprecated (heimdal-1.3.3.tar.gz)

Major changes

  • Check the GSS-API checksum exists before trying to use it
  • kdc: check for NULL pointers before dereferencing them
  • Bugfixes

2010-03-21 - Heimdal 1.3.2

Released 2010-03-21, now deprecated (heimdal-1.3.2.tar.gz)

Major changes

  • Don't mix up lengths when clearing the HMAC (could memset too much)
  • More paranoid underrun checking when decrypting packets
  • Check the password change requests and refuse to answer empty packets
  • Build on OpenSolaris 10
  • Renumber AD-SIGNED-TICKET since its number had been taken by another use
  • Don't cache /dev/*random file descriptor, it doesn't get unloaded
  • Make C++ safe
  • Misc warnings

2009-11-20 - Heimdal 1.3.1

Released 2009-11-20, now deprecated (heimdal-1.3.1.tar.gz)

Major changes

  • Make it work with OpenLDAP's krb5 overlay

2009-11-15 - Heimdal 1.3.0

Released 2009-11-15, now deprecated (heimdal-1.3.0.tar.gz)

Major changes

  • Partial support for MIT kadmind rpc protocol in kadmind
  • Better support for finding keytab entries when using SPN aliases in the KDC
  • Support BER in ASN.1 library (needed for CMS)
  • Support decryption in Keychain private keys
  • Support for new sqlite based credential cache
  • Try both KDC referrals and the common DNS reverse lookup in GSS-API
  • Fix the KCM to not leak resources on failure
  • Add IPv6 support to iprop
  • Support localization of error strings in kinit/klist/kdestroy and the Kerberos library
  • Remove Kerberos 4 support in applications (still in KDC)
  • Deprecate DES
  • Support i18n password in windows domains (using UTF-8)
  • More complete API emulation of OpenSSL in hcrypto
  • Support for ECDSA and ECDH when linking with OpenSSL

2008-08-19 - Heimdal 1.2.1

Released 2008-08-19, now deprecated (heimdal-1.2.1.tar.gz)

Major changes

  • [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
  • [HEIMDAL-151] - Make canned tests work again after cert expired
  • [HEIMDAL-152] - iprop test: use full hostname to avoid realm resolving errors
  • [HEIMDAL-153] - ftp: Use the correct length for unmap, msync

2008-05-22 - Heimdal 1.2

Released 2008-05-22, now deprecated (heimdal-1.2.tar.gz)

Major changes

  • [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in gss_display_name/gss_export_name when using SPNEGO
  • [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
  • [HEIMDAL-17] - Remove support for deprecated [libdefaults]capath
  • [HEIMDAL-52] - hdb overwrite aliases for db databases
  • [HEIMDAL-54] - Two issues which affect credentials delegation
  • [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
  • [HEIMDAL-62] - Fix printing of sig_atomic_t
  • [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
  • [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
  • [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)
  • [HEIMDAL-67] - Fix locking and store credential in atomic writes in the FILE credential cache
  • [HEIMDAL-106] - make compile on cygwin again
  • [HEIMDAL-107] - Replace old random key generation in des module and use it with RAND_ function instead
  • [HEIMDAL-115] - Better documentation and compatibility in hcrypto in regards to OpenSSL
  • [HEIMDAL-3] - pkinit alg agility PRF test vectors
  • [HEIMDAL-14] - Add libwind to Heimdal
  • [HEIMDAL-16] - Use libwind in hx509
  • [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to the negotiation
  • [HEIMDAL-74] - Add support to report extended error message back in AS-REQ to support windows clients
  • [HEIMDAL-116] - test pty based application (using rkpty)
  • [HEIMDAL-120] - Use new OpenLDAP API (older deprecated)
  • [HEIMDAL-63] - Don't try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ. This drops compatibility with pre-0.3d KDCs.
  • [HEIMDAL-64] - kcm: first implementation of kcm-move-cache
  • [HEIMDAL-65] - Failed to compile with --disable-pk-init
  • [HEIMDAL-80] - Verify that [VU#162289] (gcc silently discards some wraparound checks) doesn't apply to Heimdal

2008-01-24 - Heimdal 1.1

Released 2008-01-24, now deprecated (heimdal-1.1.tar.gz)

Major changes

  • Read-only PKCS11 provider built-in to hx509.
  • Documentation for hx509, hcrypto and ntlm libraries improved.
  • Better compatibility with Windows 2008 Server pre-releases and Vista.
  • Mac OS X 10.5 support for native credential cache.
  • Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
  • Bug fixes.

2007-08-08 - Heimdal 1.0.1

Released 2007-08-08, now deprecated (heimdal-1.0.1.tar.gz)

Major changes

  • Several bug fixes to iprop.
  • Make it work on platforms without dlopen.
  • Bug fixes.
  • Add RFC3526 modp group14 as default.
  • Handle [kdc] database = { } entries without realm = stanzas.
  • Make krb5_get_renewed_creds work.
  • Make kaserver preauth work again.

2007-07-17 - Heimdal 1.0

Released 2007-07-17, now deprecated (heimdal-1.0.tar.gz)

Major changes

  • Add gss_pseudo_random() for mechglue and krb5.
  • Make session key for the krbtgt be selected by the best encryption type of the client.
  • Better interoperability with other PK-INIT implementations.
  • Initial support for Mac OS X Keychain for hx509.
  • Alias support for initial ticket requests.
  • Add symbol versioning to selected libraries on platforms that use the GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.
  • New version of imath included in hcrypto.
  • Fix memory leaks.
  • Bug fixes.

2007-04-13 - Heimdal 0.8

Released 2007-04-13, now deprecated (heimdal-0.8.tar.gz)

Major changes

  • PK-INIT support.
  • HDB extensions support, used by PK-INIT.
  • New ASN.1 compiler.
  • GSS-API mechglue from FreeBSD.
  • Updated SPNEGO to support RFC4178.
  • Support for Cryptosystem Negotiation Extension (RFC 4537).
  • A new X.509 library (hx509) and related crypto functions.
  • A new ntlm library (heimntlm) and related crypto functions.
  • Updated the built-in crypto library with bignum support using imath, support for RSA and DH and renamed it to libhcrypto.
  • Subsystem in the KDC, digest, that performs the digest operation in the KDC; currently supports CHAP, MS-CHAP-V2, SASL DIGEST-MD5, NTLMv1 and NTLMv2.
  • KDC will return the "response too big" error to force TCP retries for large UDP replies (default threshold 1400 bytes). This is common for PK-INIT requests.
  • Libkafs defaults to using 2b tokens.
  • Default to using the API cache on Mac OS X.
  • krb5_kuserok() also checks the ~/.k5login.d directory for ACL files; see the krb5_kuserok manpage for a description.
  • Many, many other updates to code, the info manual and manual pages.
  • Bug fixes.

2006-02-06 - Heimdal 0.6.6

Released 2006-02-06, now deprecated (heimdal-0.6.6.tar.gz)

Major changes

  • Fix security problem in rshd that enabled an attacker to overwrite and change ownership of any file that root could write.
  • Fix a DoS in telnetd. The attacker could force the server to crash in a NULL dereference before the user logged in, resulting in inetd turning telnetd off because it forked too fast.

2006-02-06 - Heimdal 0.7.2

Released 2006-02-06, now deprecated (heimdal-0.7.2.tar.gz)

Major changes

  • Fix security problem in rshd that enabled an attacker to overwrite and change ownership of any file that root could write.
  • Fix a DoS in telnetd. The attacker could force the server to crash in a NULL dereference before the user logged in, resulting in inetd turning telnetd off because it forked too fast.
  • Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name exists in the keytab before returning success. This allows servers to check whether it is even possible to use GSSAPI.
  • Fix the receiving end of token delegation for GSS-API. It still wrongly uses the subkey for sending, for compatibility reasons; this will change in 0.8.
  • telnetd, login and rshd are now more verbose in logging failed and successful logins.

2005-04-20 - Heimdal 0.6.4

Released 2005-04-20, now deprecated (heimdal-0.6.4.tar.gz)

Major changes

  • fix vulnerabilities in telnet
  • rshd: encryption without a separate error socket should now work
  • telnet now uses appdefaults for the encrypt and forward/forwardable settings

2005-04-20 - Heimdal 0.6.5

Released 2005-04-20, now deprecated (heimdal-0.6.5.tar.gz)

Major changes

  • fix vulnerabilities in telnetd
  • unbreak Kerberos 4 and kaserver

2005-04-20 - Heimdal 0.7

Released 2005-04-20, now deprecated (heimdal-0.7.tar.gz)

Major changes

  • Support for KCM, a process based credential cache
  • Support CCAPI credential cache
  • SPNEGO support
  • AES (and the GSS-API counterpart, CFX) support
  • Added new and improved old documentation

2004-09-13 - Heimdal 0.6.3

Released 2004-09-13, now deprecated (heimdal-0.6.3.tar.gz)

Major changes

  • fix vulnerabilities in ftpd
  • support for linux AFS /proc "syscalls"
  • support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in kpasswdd
  • fix possible KDC denial of service
  • bug fixes

2004-04-01 - Heimdal 0.6.1

Released 2004-04-01, now deprecated (heimdal-0.6.1.tar.gz)

Major changes

  • Fixed ARCFOUR support
  • Fix cross-realm vulnerability
  • kdc: fix denial of service attack
  • kdc: stop clients from renewing tickets into the future
  • bug fixes

2003-05-12 - Heimdal 0.6

Released 2003-05-12, now deprecated (heimdal-0.6.tar.gz)

Major changes

  • The DES3 GSS-API mechanism has been changed to interoperate with other GSS-API implementations. See the gssapi(3) man page for how to turn on generation of correct MIC messages. The next major release of Heimdal will generate correct MICs by default.
  • More complete GSS-API support
  • Better AFS support: kdc (524) supports 2b; 524 in the kdc and AFS support in applications no longer require Kerberos 4 libs
  • Kerberos 4 support in the kdc defaults to turned off (includes ka and 524)
  • Other bug fixes

1997-07-17 - Heimdal 0.0a

Released 1997-07-17, now deprecated (heimdal-0.0a.tar.gz)

Major changes

  • First public release of Heimdal. The first commit was made on 1996-03-17.