HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
commit f7d6826afeafaae83a0164e8713c672e297eab6a
author Viktor Dukhovni <viktor@twosigma.com>
Wed, 10 Aug 2016 23:31:14 +0000 (10 23:31 +0000)
committer Stefan Metzmacher <metze@samba.org>
Wed, 27 Oct 2021 22:37:10 +0000 (27 22:37 +0000)
tree 0f398b1e0ed9a217f0753c0aa256a86e8cde3538
parent e9b12d2def935050fb8be3f1d3e0ab6713807f32
HEIMDAL:kdc: Fix transit path validation CVE-2017-6594

Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets.  This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.

Note, this may break sites that rely on the bug.  With the bug some
incomplete [capaths] worked, that should not have.  These may now break
authentication in some cross-realm configurations.

(similar to heimdal commit b1e699103f08d6a0ca46a122193c9da65f6cf837)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184

(cherry picked from commit 7e961f3f7a815960ae25377d5b7515184d439690)
source4/heimdal/kdc/krb5tgs.c