46590 2004-04-02 05:41 0000 <=app-crypt/heimdal-0.6 - Cross-realm trust vulnerability 2005-04-10 08:46:08 0000 1 1 1 Unclassified Gentoo Security GLSA Errors unspecified All Linux RESOLVED FIXED P1 blocker --- 1 lha@kth.se security@gentoo.org agriffis@gentoo.org base-system@gentoo.org lha@kth.se 2004-04-02 05:41:11 0000 app-crypt/heimdal needs to be update to heimdal 0.6.1 see http://www.pdc.kth.se/heimdal/advisory/2004-04-01/ Reproducible: Always Steps to Reproduce: 1. see http://www.pdc.kth.se/heimdal/advisory/2004-04-01/ aescriva@gentoo.org 2004-04-02 07:55:19 0000 Aron - would you create an ebuild for 0.6.1? Thanks. solar@gentoo.org 2004-04-07 11:43:41 0000 heimdal-0.6.1 added to portage as KEYWORDS="~x86 ~sparc ~ppc ~alpha ~ia64 ~amd64 ~hppa ~mips" Every version below 0.6(currently stable) has been removed from the tree. I don't have krb setup so I have no way of verifying if this package runtime environment works. One patch conflicted and seemed unneeded for gcc-3.3.x and was thus commented out. From reading the .ebuild I fail to understand what this sed statement is doing other than wasting a few cpu cycles. (Maybe it should be sed -i -e) sed -i "s:LIB_crypt = @LIB_crypt@:LIB_crypt = -lssl @LIB_crypt@:g" Makefile.in || die Arch maintainers please test and mark stable if/when ready. Please try test/verify the rumtime as well if you can. mr_bones_@gentoo.org 2004-04-07 12:35:18 0000 From the sed info page: "If no `-e', `-f', `--expression', or `--file' options are given on the command-line, then the first non-option argument on the command line is taken to be the SCRIPT to be executed." I prefer to see the -e there myself, but the sed line probably works as intended without the -e. kumba@gentoo.org 2004-04-07 22:09:17 0000 Marked stable on mips. klieber@gentoo.org 2004-04-08 01:54:32 0000 arches. plztest. kloeri@gentoo.org 2004-04-08 07:11:02 0000 Marked stable on Alpha. avenj@gentoo.org 2004-04-08 07:33:59 0000 Stable on amd64 lu_zero@gentoo.org 2004-04-08 09:10:55 0000 Stable on ppc weeve@gentoo.org 2004-04-08 10:17:25 0000 Stable on sparc solar@gentoo.org 2004-04-09 01:39:25 0000 Mr Bones (thanks) Still waiting on x86 and a report that the runtime has been tested. klieber@gentoo.org 2004-04-09 02:33:09 0000 I don't think we're going to get a report on the runtime -- not many individual devs use kerberos for authentication. Also, agriffis hasn't been responsive at all regarding this issue, so I recommend we bump to stable on x86. We've given folks the opportunity to test -- we need to get this security fix out. solar@gentoo.org 2004-04-09 03:00:15 0000 pushed to stable on x86. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0371 klieber@gentoo.org 2004-04-09 03:52:07 0000 GLSA 200404-09 agriffis@gentoo.org 2004-04-09 07:23:54 0000 "agriffis hasn't been responsive at all regarding this issue, so I recommend we bump to stable on x86" klieber, I don't use or maintain heimdal. You asked me about it on IRC, I said, yeah, go ahead and bump it since we don't know anybody to test... so I don't understand your comment. :-( klieber@gentoo.org 2004-04-09 07:56:20 0000 sorry -- came across wrong. that's what I get for trying to respond to bugs too quickly. my apologies. vapier@gentoo.org 2004-09-22 21:13:17 0000 ia64 stable