On 2017-08-30 09:53:50, Jeffrey Altman wrote: > On 8/30/2017 4:38 AM, Sergio Gelato wrote: > > * Andreas Haupt [2017-08-30 09:01:08 +0200]: > >> we are running KDCs on Heimdal version 7.4. Since the update to version 7.x > >> a few weeks ago we observe KDC segfaults after receiving invalid AS-REQ. > >> Looks like an evil bug to me. Anybody else seeing this? > > > > Yes. Saw in on 2017-06-14, filed an encrypted bug report to heimdal-bugs > > the next day with the attached patch. No reaction. Not to my status query > > the other day either. > > I diagnosed this problem as well and there is a patch waiting to be > included in a subsequent release. >
Looking at the patch published by Sergio it appears to me that the offending variables were introduced 2015-02-13 (a873e21d7c06f22943a90a41dc733ae76799390d). I guess this means releases prior to this date are safe from this specific DoS while it effects everything since. Do you have any idea when a new release fixing this will be made available? I am just asking because it appears no official 7.x release is suitable for use as a public facing KDC at this time. Regards, Patrik Lundin