Bug 224191 - security/heimdal: update to 7.5.0 (security update, fixes remote DoS)
Summary: security/heimdal: update to 7.5.0 (security update, fixes remote DoS)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Hiroki Sato
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2017-12-08 23:29 UTC by Vidar Karlsen
Modified: 2018-02-28 06:15 UTC

See Also:
bugzilla: maintainer-feedback? (hrs)
vidar: merge-quarterly?


Attachments
Proposed patch (1.17 KB, patch)
2017-12-08 23:29 UTC, Vidar Karlsen

Description Vidar Karlsen 2017-12-08 23:29:01 UTC
Created attachment 188636
Proposed patch

Builds fine on 11.1-RELEASE (poudriere testport).
Portlint throws some warnings but they were there before also.
Fixed a space-instead-of-tab while I was editing the Makefile.

Snipped from release notes:

This is a security release of Heimdal

This release patches a remote denial of service

CVE-2017-17439: In Heimdal 7.1 through 7.4, remote unauthenticated attackers are able to crash the KDC by sending a crafted UDP packet containing empty data fields for client name or realm.
Comment 1 Vidar Karlsen 2017-12-18 16:08:41 UTC
poudriere testport done successfully on:
* 10.3-RELEASE amd64
* 10.3-RELEASE i386
* 10.4-RELEASE amd64
* 10.4-RELEASE i386
* 11.1-RELEASE amd64
* 11.1-RELEASE i386
Comment 2 VK freebsd_triage 2018-01-22 20:21:39 UTC
Maintainer timeout, back to the pool. Ping ports-secteam@
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-01-23 10:36:03 UTC
A commit references this bug:

Author: hrs
Date: Tue Jan 23 10:35:25 UTC 2018
New revision: 459739
URL: https://svnweb.freebsd.org/changeset/ports/459739

Log:
  Update to 7.5.0:

  - In Heimdal 7.1 through 7.4, remote unauthenticated
    attackers are able to crash the KDC by sending a crafted UDP packet
    containing empty data fields for client name or realm.

  Security:	CVE-2017-17439
  PR:		224191

Changes:
  head/security/heimdal/Makefile
  head/security/heimdal/distinfo