notbugAs an Amazon Associate I earn from qualifying purchases.
Want a good read? Try FreeBSD Mastery: Jails (IT Mastery Book 15)
Want a good monitor light? See my photosAll times are UTC
Ukraine
This referral link gives you 10% off a Fastmail.com account and gives me a discount on my Fastmail account.
New feature planned: get notified when the package is available. Now is the time to contribute ideas/suggestions.
non port: security/heimdal/distinfo

Number of commits found: 27

Tuesday, 15 Nov 2022
22:09 Cy Schubert (cy) search for other commits by this committer
security/heimdal: Update to 7.8.0

This upgrade fixes multiple security vulnerabilities.

The following issues are patched:

 - CVE-2022-42898 PAC parse integer overflows
 - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
 - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
 - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec

    Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
    on the Common Vulnerability Scoring System (CVSS) v3, as we believe
    it should be possible to get an RCE on a KDC, which means that
    credentials can be compromised that can be used to impersonate
    anyone in a realm or forest of realms.

    Heimdal's ASN.1 compiler generates code that allows specially
    crafted DER encodings of CHOICEs to invoke the wrong free function
    on the decoded structure upon decode error.  This is known to impact
    the Heimdal KDC, leading to an invalid free() of an address partly
    or wholly under the control of the attacker, in turn leading to a
    potential remote code execution (RCE) vulnerability.

    This error affects the DER codec for all extensible CHOICE types
    used in Heimdal, though not all cases will be exploitable.  We have
    not completed a thorough analysis of all the Heimdal components
    affected, thus the Kerberos client, the X.509 library, and other
    parts, may be affected as well.

    This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
    only affect Heimdal 1.6 and up.  It was first reported by Douglas
    Bagnall, though it had been found independently by the Heimdal
    maintainers via fuzzing a few weeks earlier.

    While no zero-day exploit is known, such an exploit will likely be
    available soon after public disclosure.

 - CVE-2019-14870: Validate client attributes in protocol-transition
 - CVE-2019-14870: Apply forwardable policy in protocol-transition
 - CVE-2019-14870: Always lookup impersonate client in DB

Reported by:	so (philip)
Approved by:	so (philip)
MFH:		2022Q4
Security:	Many, see above
Sponsored by:	so (philip)
commit hash: 83f79ba0e0caa8abed52887a693b7ab8074a590e commit hash: 83f79ba0e0caa8abed52887a693b7ab8074a590e commit hash: 83f79ba0e0caa8abed52887a693b7ab8074a590e commit hash: 83f79ba0e0caa8abed52887a693b7ab8074a590e 83f79ba
Wednesday, 19 Feb 2020
06:20 hrs search for other commits by this committer
Update to 7.7.0.
Original commitRevision:526484 
Tuesday, 23 Jan 2018
10:35 hrs search for other commits by this committer
Update to 7.5.0:

- In Heimdal 7.1 through 7.4, remote unauthenticated
  attackers are able to crash the KDC by sending a crafted UDP packet
  containing empty data fields for client name or realm.

Security:	CVE-2017-17439
PR:		224191
Original commitRevision:459739 
Tuesday, 11 Jul 2017
17:56 hrs search for other commits by this committer
Update to 7.4.0.  This release fixes a critical vulnerability named
"Orpheus' Lyre".

Security:	CVE-2017-11103
Secuirty:	https://www.orpheus-lyre.info/
Original commitRevision:445539 
Saturday, 10 Jun 2017
19:32 hrs search for other commits by this committer
Update to 7.3.0.
Original commitRevision:443115 
Tuesday, 3 Jan 2017
13:52 hrs search for other commits by this committer
Update to 7.1.0.  Changes include:

- hcrypto is now thread safe on all platforms and as much as possible
  hcrypto now uses the operating system's preferred crypto
  implementation ensuring that optimized hardware assisted
  implementations of AES-NI are used.

- RFC 6113 Generalized Framework for Kerberos Pre-Authentication
  (FAST).

- Hierarchical capath support

- iprop has been revamped to fix a number of race conditions that
  could lead to inconsistent replication.

- The KDC process now uses a multi-process model improving resiliency
  and performance.

- AES Encryption with HMAC-SHA2 for Kerberos 5
  draft-ietf-kitten-aes-cts-hmac-sha2-11

- Moved kadmin and ktutil to /usr/bin

- Stricter fcache checks (see fcache_strict_checking krb5.conf setting)

- Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh,
  telnet, xnlock
Original commitRevision:430468 
Saturday, 22 Nov 2014
23:22 hrs search for other commits by this committer
Update to 1.5.3.  Changes include:

 - Fix leaking file descriptors in KDC
 - Better socket/timeout handling in libkrb5
 - General bug fixes
Original commitRevision:373116 
Saturday, 5 May 2012
19:54 wxs search for other commits by this committer
Update to 1.5.2

PR:             ports/166320
Submitted by:   Joerg Pulz <Joerg.Pulz@frm2.tum.de> (maintainer)
Original commit
Sunday, 14 Nov 2010
15:35 rene search for other commits by this committer
Add the 'gss_pname_to_uid' function to libgssapi.
This function is obtained from the FreeBSD base libgssapi code.

Whith this function added to the port, it is possible to buildworld
FreeBSD fully against the port.
FYI: Patches for CURRENT and 8-STABLE src/ are here:
ftp://ftp.frm2.tum.de/pub/jpulz/FreeBSD/patches/CURRENT_use_kerberos_port.patch
ftp://ftp.frm2.tum.de/pub/jpulz/FreeBSD/patches/8-STABLE_use_kerberos_port.patch

PR:             ports/152030
Submitted by:   maintainer
Original commit
Sunday, 31 Oct 2010
17:02 wxs search for other commits by this committer
Update to 1.4

PR:             ports/151506
Submitted by:   Joerg Pulz <Joerg.Pulz@frm2.tum.de>
Original commit
Thursday, 27 Sep 2007
00:16 shaun search for other commits by this committer
Upgrade to 1.0.1.

PR:             ports/115589
Submitted by:   Rasmus Kaj <kaj@kth.se>
Original commit
Thursday, 5 Oct 2006
16:07 shaun search for other commits by this committer
- Update to 0.7.2.
- Improve pkg-descr, etc.
- Take maintainership.
Original commit
Monday, 20 Mar 2006
15:21 mnag search for other commits by this committer
- Update to 0.6.6
- Remove extra TABs and portlint(1)
- Update pkg-descr from page

Approved by:    secteam (simon)
Security:       CAN-2005-0469, CAN-2005-2040, CAN-2006-0582, CVE-2006-0677,
                VUXML: b62c80c2-b81a-11da-bec5-00123ffe8333
Original commit
Tuesday, 24 Jan 2006
01:03 edwin search for other commits by this committer
SHA256ify

Approved by: krion@
Original commit
Monday, 10 Jan 2005
14:26 nectar search for other commits by this committer
Upgrade 0.6.1 -> 0.6.3

PR:     ports/74113
Submitted by:   Petr Holub <hopet@ics.muni.cz>
Original commit
Friday, 2 Apr 2004
23:06 nectar search for other commits by this committer
Update 0.6 -> 0.6.1
Use OPTIONS
Use USE_OPENLDAP
Original commit
Monday, 8 Mar 2004
12:12 nectar search for other commits by this committer
Add size.
Original commit
Tuesday, 19 Aug 2003
23:24 nectar search for other commits by this committer
Update 0.5.1 -> 0.6.

Switch to using `INFO' while we are at it.
Original commit
Thursday, 24 Oct 2002
15:01 assar search for other commits by this committer
update to heimdal 1.5.1 (fixes kadmind buffer overflow)

Approved by:    security-officer
Original commit
Thursday, 19 Sep 2002
13:04 nectar search for other commits by this committer
Update 0.4e -> 0.5
Original commit
Friday, 7 Sep 2001
20:45 nectar search for other commits by this committer
Update 0.4d -> 0.4e    
Original commit
Tuesday, 14 Aug 2001
17:51 nectar search for other commits by this committer
Update 0.4c -> 0.4d    
Original commit
Thursday, 19 Jul 2001
23:54 nectar search for other commits by this committer
Update 0.4b -> 0.4c    
Original commit
Friday, 6 Jul 2001
23:55 nectar search for other commits by this committer
Update 0.3f -> 0.4b    
Original commit
Monday, 11 Jun 2001
19:37 nectar search for other commits by this committer
Update 0.3e -> 0.3f.  From the announcement:    * change default keytab to
ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,      the new keytab type that tries
both of these in order (SRVTAB is      also an alias for krb4:)    * improve
error reporting and error handling (error messages should      be more detailed
and more useful)    * improve building with openssl    * add kadmin -K, rcp -F  
 * fix two incorrect weak DES keys    * fix building of kaserver compat in KDC  
 * the API is closer to what MIT krb5 is using    * more compatible with windows
2000    * removed some memory leaks    * bug fixes    
Original commit
Monday, 5 Feb 2001
15:50 nectar search for other commits by this committer
Update 0.3d -> 0.3e.    
Original commit
Thursday, 14 Dec 2000
16:13 nectar search for other commits by this committer
Update 0.3c -> 0.3d    
Original commit

Number of commits found: 27