[Bug 784255] Re: Lucid/Maverick heimdal packages have broken allow_weak_crypto implementation

2011-05-18 Thread Ray Link
** Description changed:

  The allow_weak_crypto krb5.conf option was added to Heimdal during the
  1.2 release, but was implemented incorrectly.  The check for desired
  enctypes was performed before the check to see if allow_weak_crypto is
  true.
  
  This has the unfortunate effect of resulting in a completely empty
  enctypes list if the configured list of desired enctypes contains only
  enctypes classified as "weak", since the "weak" enctypes are not valid
  choices (and are thus kicked out of contention) until after the
  filtering of the desired enctypes list is performed.
  
  This feature was implemented during the 1.2 release of Heimdal, on 2008-08-17:
  
https://github.com/heimdal/heimdal/commit/aa3cf9664515246bb8a9674ef270ba9433e0f25c
  
  And the logic was corrected to the proper behavior after the release of 1.4, 
on 2010-10-02:
  
https://github.com/heimdal/heimdal/commit/799956e9b7ebdeecd2df202638f7656a25664ed9
  
- - Lucid provides Heimdal packages from the 1.2 branch 
(1.2.e1.dfsg.1-1ubuntu1) that contain the mis-implemented version.
- - Maverick provides Heimdal packages from the 1.4 branch 
(1.4.0~git20100605.dfsg.1-2) that pre-date the fix.
- - Natty contains Heimdal packages from the 1.4 branch (1.4.0+git20110124) 
that post-date the fix.
+ - Lucid provides Heimdal packages from the 1.2 branch 
(1.2.e1.dfsg.1-1ubuntu1) that pre-date the implementation of allow_weak_crypto.
+ - Maverick provides Heimdal packages from the 1.4 branch 
(1.4.0~git20100605.dfsg.1-2) that contain the mis-implemented version of the 
feature.
+ - Natty contains Heimdal packages from the 1.4 branch (1.4.0+git20110124) 
that contain the corrected version of the feature.
  
  In addition to being fixed upstream and released in Natty, a new enough
  version has also been released in Debian Experimental
  (1.4.0+git20110411.dfsg.1-1).

** Summary changed:

- Lucid/Maverick heimdal packages have broken allow_weak_crypto implementation
+ Lucid/Maverick heimdal packages have missing/broken allow_weak_crypto 
implementation

** Description changed:

  The allow_weak_crypto krb5.conf option was added to Heimdal during the
  1.2 release, but was implemented incorrectly.  The check for desired
  enctypes was performed before the check to see if allow_weak_crypto is
  true.
  
  This has the unfortunate effect of resulting in a completely empty
  enctypes list if the configured list of desired enctypes contains only
  enctypes classified as "weak", since the "weak" enctypes are not valid
  choices (and are thus kicked out of contention) until after the
  filtering of the desired enctypes list is performed.
  
  This feature was implemented during the 1.2 release of Heimdal, on 2008-08-17:
  
https://github.com/heimdal/heimdal/commit/aa3cf9664515246bb8a9674ef270ba9433e0f25c
  
  And the logic was corrected to the proper behavior after the release of 1.4, 
on 2010-10-02:
  
https://github.com/heimdal/heimdal/commit/799956e9b7ebdeecd2df202638f7656a25664ed9
  
- - Lucid provides Heimdal packages from the 1.2 branch 
(1.2.e1.dfsg.1-1ubuntu1) that pre-date the implementation of allow_weak_crypto.
+ - Lucid provides Heimdal packages from the 1.2 branch 
(1.2.e1.dfsg.1-1ubuntu1) but do not contain any implementation of 
allow_weak_crypto.
  - Maverick provides Heimdal packages from the 1.4 branch 
(1.4.0~git20100605.dfsg.1-2) that contain the mis-implemented version of the 
feature.
  - Natty contains Heimdal packages from the 1.4 branch (1.4.0+git20110124) 
that contain the corrected version of the feature.
  
  In addition to being fixed upstream and released in Natty, a new enough
  version has also been released in Debian Experimental
  (1.4.0+git20110411.dfsg.1-1).

** Description changed:

  The allow_weak_crypto krb5.conf option was added to Heimdal during the
  1.2 release, but was implemented incorrectly.  The check for desired
  enctypes was performed before the check to see if allow_weak_crypto is
  true.
  
  This has the unfortunate effect of resulting in a completely empty
  enctypes list if the configured list of desired enctypes contains only
  enctypes classified as "weak", since the "weak" enctypes are not valid
  choices (and are thus kicked out of contention) until after the
  filtering of the desired enctypes list is performed.
  
  This feature was implemented during the 1.2 release of Heimdal, on 2008-08-17:
  
https://github.com/heimdal/heimdal/commit/aa3cf9664515246bb8a9674ef270ba9433e0f25c
  
  And the logic was corrected to the proper behavior after the release of 1.4, 
on 2010-10-02:
  
https://github.com/heimdal/heimdal/commit/799956e9b7ebdeecd2df202638f7656a25664ed9
  
  - Lucid provides Heimdal packages from the 1.2 branch 
(1.2.e1.dfsg.1-1ubuntu1) but do not contain any implementation of 
allow_weak_crypto.
  - Maverick provides Heimdal packages from the 1.4 branch 
(1.4.0~git20100605.dfsg.1-2) that contain the mis-implemented version of the 
feature.
- - Natty contains Heimdal packages from the 1
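The ordering defect the bug description walks through, modelled as an added example (constructed C, not Heimdal's code): the enctype numbers follow RFC 3961/3962, while the weak/known sets, the `weak_enabled` flag and the two `set_enctypes_*` functions are assumptions that mimic the pre-fix and corrected order of the checks.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the allow_weak_crypto ordering bug; not Heimdal's code.
 * Enctype numbers follow RFC 3961/3962; the weak/known sets are an assumption. */
#define ETYPE_DES_CBC_CRC 1
#define ETYPE_DES_CBC_MD5 3
#define ETYPE_AES128      17
#define ETYPE_AES256      18

/* Library-wide state: weak enctypes are invalid until allow_weak_crypto enables them. */
static int weak_enabled = 0;

static int is_weak(int e)  { return e == ETYPE_DES_CBC_CRC || e == ETYPE_DES_CBC_MD5; }
static int is_known(int e) { return is_weak(e) || e == ETYPE_AES128 || e == ETYPE_AES256; }
static int is_valid(int e) { return is_known(e) && (!is_weak(e) || weak_enabled); }

/* Keep only the desired enctypes that are valid right now; returns how many survive. */
static size_t filter_desired(const int *want, size_t n, int *out) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (is_valid(want[i])) out[kept++] = want[i];
    return kept;
}

/* Pre-fix order: filter the desired list first, honour allow_weak_crypto afterwards.
 * A list of only DES enctypes is emptied before the weak types become valid. */
size_t set_enctypes_buggy(const int *want, size_t n, int allow_weak, int *out) {
    weak_enabled = 0;
    size_t kept = filter_desired(want, n, out);
    if (allow_weak) weak_enabled = 1;  /* too late to rescue the list */
    return kept;
}

/* Corrected order: apply allow_weak_crypto before filtering the desired list. */
size_t set_enctypes_fixed(const int *want, size_t n, int allow_weak, int *out) {
    weak_enabled = allow_weak ? 1 : 0;
    return filter_desired(want, n, out);
}

int main(void) {
    /* Constructed krb5.conf situation: desired enctypes are DES only, allow_weak_crypto = true. */
    int want[] = { ETYPE_DES_CBC_CRC, ETYPE_DES_CBC_MD5 }, out[2];
    size_t buggy = set_enctypes_buggy(want, 2, 1, out);
    size_t fixed = set_enctypes_fixed(want, 2, 1, out);
    printf("buggy order: %zu enctypes, fixed order: %zu enctypes\n", buggy, fixed);
    return 0;
}
```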

[Bug 784255] Re: Lucid/Maverick heimdal packages have broken allow_weak_crypto implementation

2011-05-18 Thread Ray Link
Note that just rebuilding a newer version of heimdal that contains the
allow_weak_crypto fix will introduce the following Maverick/Natty bug
into Lucid:

https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/663319

It will also not actually fix any existing Lucid binaries, as they
depend on libkrb5.so.25, while a Heimdal new enough to contain the
allow_weak_crypto fix provides libkrb5.so.26.

Both problems should probably be addressed simultaneously.

Alternatively, as a short-term solution, backporting the
allow_weak_crypto fix into the 1.2.e1.dfsg.1 release in Lucid will
address this bug without introducing the libasn1 bug from
Maverick/Natty, at the expense of missing out on all the other updates.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/784255

Title:
  Lucid/Maverick heimdal packages have broken allow_weak_crypto
  implementation

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs