OpenBSD Journal

Security Fix for kdc

Contributed by grey on from the we need a patch logo dept.

A flaw in the Kerberos V kdc(8) server could allow the administrator of a Kerberos realm to impersonate any principal in any other realm that has established a cross-realm trust with that administrator's realm. The flaw is due to inadequate checking of the "transited" field in the ticket carried by a Kerberos request: this field records the realms that took part in authenticating the client, and a KDC that does not tie it, together with the claimed client realm, to the realm that actually issued the cross-realm ticket will accept an identity the issuing realm had no authority over. For more details see Heimdal's announcement.
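To make the check concrete, here is an added illustration of what a KDC has to verify on a cross-realm TGT before trusting the client identity it carries. This is example code written for this note, not Heimdal's kdc(8) code: the transited field is modelled as a plain list of realm names rather than RFC 4120's compressed encoding, and the realm names, trust table and sample tickets are constructed. The weak `inadequate_check` only asks whether the issuing realm is directly trusted, which is the kind of shortcut the advisory describes; `check_transited` walks the whole claimed path.

```python
"""Transited-path validation for cross-realm Kerberos tickets (simplified).

Added example for this note: it is not Heimdal's kdc(8) code and does not
parse RFC 4120's compressed transited encoding; the transited field is
modelled as a plain list of realm names.  The realms, trust table and
tickets below are constructed for the example.
"""

from dataclasses import dataclass, field

# Constructed direct cross-realm trust table: realm -> realms it shares a
# cross-realm krbtgt key with.  HOME trusts PARTNER and OTHER directly;
# VENDOR and FAR are only reachable through PARTNER.
TRUSTS = {
    "HOME.EXAMPLE":    {"PARTNER.EXAMPLE", "OTHER.EXAMPLE"},
    "PARTNER.EXAMPLE": {"HOME.EXAMPLE", "VENDOR.EXAMPLE"},
    "VENDOR.EXAMPLE":  {"PARTNER.EXAMPLE", "FAR.EXAMPLE"},
    "FAR.EXAMPLE":     {"VENDOR.EXAMPLE"},
    "OTHER.EXAMPLE":   {"HOME.EXAMPLE"},
}


@dataclass
class CrossRealmTGT:
    """The parts of a cross-realm TGT that matter for the check."""
    client_realm: str                    # realm claimed for the client principal
    issuing_realm: str                   # realm whose key sealed this TGT
    transited: list = field(default_factory=list)  # realms between the two, in order


def inadequate_check(tgt, local_realm, trusts=TRUSTS):
    """The shortcut the flaw amounts to: accept any client realm and any
    transited list as long as the TGT came from a realm we share a key with."""
    return tgt.issuing_realm in trusts.get(local_realm, set())


def check_transited(tgt, local_realm, trusts=TRUSTS):
    """Return (accepted, reason).  The path the ticket claims is
    client_realm -> transited... -> issuing_realm -> local_realm, and every
    hop on it must be a direct trust (RFC 4120 leaves the client realm and
    the issuing realm out of the transited field, so we add them back)."""
    if tgt.issuing_realm not in trusts.get(local_realm, set()):
        return False, "TGT not sealed by a directly trusted realm"
    # A foreign KDC can never vouch for one of our own principals.
    if tgt.client_realm == local_realm:
        return False, "foreign realm claims a local client principal"
    path = [tgt.client_realm, *tgt.transited, tgt.issuing_realm, local_realm]
    # No realm may appear twice: a repeat means a loop or a forged hop.
    if len(set(path)) != len(path):
        return False, "realm repeated in path: " + " -> ".join(path)
    for hop_from, hop_to in zip(path, path[1:]):
        if hop_to not in trusts.get(hop_from, set()):
            return False, "no direct trust %s -> %s" % (hop_from, hop_to)
    return True, "ok: " + " -> ".join(path)


# Constructed tickets as HOME.EXAMPLE's KDC would see them.
LEGIT = CrossRealmTGT("VENDOR.EXAMPLE", "PARTNER.EXAMPLE")
LEGIT_TWO_HOPS = CrossRealmTGT("FAR.EXAMPLE", "PARTNER.EXAMPLE",
                               transited=["VENDOR.EXAMPLE"])
# What a hostile PARTNER KDC could mint: a HOME principal, an OTHER principal
# (PARTNER has no trust with OTHER), and a padded transited list.
FORGED_LOCAL = CrossRealmTGT("HOME.EXAMPLE", "PARTNER.EXAMPLE")
FORGED_OTHER = CrossRealmTGT("OTHER.EXAMPLE", "PARTNER.EXAMPLE")
FORGED_LOOP = CrossRealmTGT("OTHER.EXAMPLE", "PARTNER.EXAMPLE",
                            transited=["HOME.EXAMPLE"])


def evaluate(local_realm="HOME.EXAMPLE"):
    """Run both checks over the samples; returns {name: (weak, strict)}."""
    samples = {"legit": LEGIT, "legit_two_hops": LEGIT_TWO_HOPS,
               "forged_local": FORGED_LOCAL, "forged_other": FORGED_OTHER,
               "forged_loop": FORGED_LOOP}
    return {name: (inadequate_check(t, local_realm),
                   check_transited(t, local_realm)[0])
            for name, t in samples.items()}


if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        print("%-15s inadequate_check=%-5s check_transited=%s"
              % (name, weak, strict))
```

Every forged ticket passes `inadequate_check`, because PARTNER really is a directly trusted realm; only the path walk notices that PARTNER never had a route to the client realm it asserts.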

Patches are available for 3.5 and 3.4, and have been committed to the corresponding -stable branches. As always, you can also check the errata page.


  1. By Simon

    The Heimdal announcement is dated 2004-04-01. Is the Heimdal version that comes with OpenBSD radically different from the one distributed by kth, or is there some other reason as to why the patch shows up two months later?

    Just wondering.

    1. By Anonymous Coward

      The people who deal with this have been very busy with personal matters.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]