Date:      Wed, 14 Sep 2016 15:21:46 -0400 (EDT)
From:      Benjamin Kaduk <kaduk@MIT.EDU>
To:        freebsd-security@freebsd.org
Cc:        freebsd-current@freebsd.org
Subject:   Heimdal in base
Message-ID:  <alpine.GSO.1.10.1609141511530.5272@multics.mit.edu>
In-Reply-To: <86egfu9z0j.fsf@desk.des.no>
References:  <86io5a9ome.fsf@desk.des.no> <56428E8A.3090201@FreeBSD.org> <56428F59.5010908@FreeBSD.org> <86y4e47uty.fsf@desk.des.no> <56436F4B.8050002@FreeBSD.org> <86r3jwfpiq.fsf@desk.des.no> <20151111181339.GE48728@zxy.spb.ru> <86io58flhk.fsf@desk.des.no> <20151111184448.GR31314@zxy.spb.ru> <CAGnMC6rMaY2a_F4qpxX4rB6n6n-tvijH74jxf8j94-2V8r_V8g@mail.gmail.com> <alpine.GSO.1.10.1511122120050.26829@multics.mit.edu> <86egfu9z0j.fsf@desk.des.no>

(was Re: OpenSSH HPN)

[See
https://lists.freebsd.org/pipermail/freebsd-security/2015-November/008747.html
for the bits that Dag-Erling skipped]

On Fri, 13 Nov 2015, Dag-Erling Smørgrav wrote:

> Benjamin Kaduk <kaduk@MIT.EDU> writes:
> > Things seem to have slowed down a lot since the lead Heimdal developer
> > got hired for Apple.  [...]  MIT employs developers whose job
> > descriptions include being the krb5 release manager [...]  Heimdal has
> > changed plans to a 1.7 release [...] and since the developers in
> > question are being paid to work on other things, there is no real
> > timeline for the release.
>
> Given this state of affairs, it might not be unreasonable to consider
> switching back for 11.  There should be enough time, provided our
> Kerberos maintainers have some spare cycles.

Well, it's definitely too late for 11, now.

But, Debian is preparing to remove their heimdal package entirely,
imminently: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837728

I also can't find an archive of heimdal-discuss@sics.se that still works
(now that gmane is gone), so I'll quote the relevant message from there,
below.

Maybe we should consider dropping heimdal for 12.

-Ben

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Date: Wed, 14 Sep 2016 14:58:27 -0400
From: Andrew Bartlett <abartlet@samba.org>
To: heimdal-discuss@sics.se
Subject: Heimdal to be removed from Debian shortly

FYI:
I'm sorry to say that per:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834654
and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837728

Heimdal will shortly be removed from Debian.  It is the view of those
of us involved that inclusion of sensitive security software in the
next stable release of Debian needs the normal pattern of maintained
upstream releases, not just a git tree to take snapshots from.

It is also being eased out of Samba; we will make further decisions
once we get a build against MIT krb5 working.

Sorry,

Andrew Bartlett
--
Andrew Bartlett                         http://samba.org/~abartlet/
Authentication Developer, Samba Team    http://samba.org
Samba Developer, Catalyst IT            http://catalyst.net.nz/services/samba

From: "Garance A Drosehn" <drosih@rpi.edu>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: freebsd-security@freebsd.org
Subject: Re: ftpd leaks info which might be useful to an attacker
Date: Wed, 14 Sep 2016 15:46:01 -0400
Message-ID: <3B1B7AA4-5342-4682-ADB6-16C40F3A97E1@rpi.edu>
In-Reply-To: <68595.1473800829@segfault.tristatelogic.com>
References: <68595.1473800829@segfault.tristatelogic.com>

On 13 Sep 2016, at 17:07, Ronald F. Guilmette wrote:
>
> One set of such decisions has to do with the following files:
>
>     ~ftp/etc/group
>     ~ftp/etc/pwd.db
>
> Thinking about how the contents of these files affect the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.

Those files are completely under the control of the sysadmin (aka "you"),
so you can put whatever you want in those files.  In my case, I think
I wrote a script which generates those two files from the real system
files, but it changes the userid and group names.  In my case I went
with fake userids which were the first-and-last letters of the real
userid, followed by the UID.  That way there's some helpful information
there for the people who *do* have access to the passwd info for that
machine, but there isn't much info for others.

-- 
Garance Alistair Drosehn                =     drosih@rpi.edu
Senior Systems Programmer               or   gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
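
A sketch of the kind of generator script described in the message above, added here as an example and not the author's own script. It assumes master.passwd(5) and group(5) input formats, applies the same first-letter/last-letter/ID scheme to group names, and blanks every field that `ls` inside the FTP tree does not need; the function names and sample accounts are constructed.

```shell
#!/bin/sh
# Added example: sanitized account files for an anonymous-FTP chroot (~ftp/etc).
# Naming scheme from the message: first + last letter of the real name, then
# the numeric ID. Using the same scheme for groups is an assumption.

# master.passwd(5) lines on stdin -> sanitized lines on stdout.
sanitize_passwd() {
    awk -F: -v OFS=: '
        /^#/ || NF < 10 { next }   # skip comments, blank and malformed lines
        {
            alias = substr($1, 1, 1) substr($1, length($1), 1) $3
            # Keep only uid/gid; drop hash, class, gecos, home and shell.
            print alias, "*", $3, $4, "", 0, 0, "", "/nonexistent", "/usr/sbin/nologin"
        }'
}

# group(5) lines on stdin -> sanitized lines; member lists are dropped.
sanitize_group() {
    awk -F: -v OFS=: '
        /^#/ || NF < 3 { next }
        {
            alias = substr($1, 1, 1) substr($1, length($1), 1) $3
            print alias, "*", $3, ""
        }'
}

# names_leaked SRC OUT: print real names from SRC still present in OUT.
names_leaked() {
    awk -F: 'NR == FNR { if ($0 !~ /^#/) real[$1] = 1; next }
             ($1 in real) { print $1 }' "$1" "$2"
}

# Constructed sample input (hashes are fake placeholders).
sample_master_passwd() {
    cat <<'EOF'
# constructed sample, not a real system file
root:$6$FAKEHASH1:0:0::0:0:Charlie &:/root:/bin/csh
alice:$6$FAKEHASH2:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
EOF
}

sample_master_passwd | sanitize_passwd
# On FreeBSD the sanitized file is then compiled with pwd_mkdb(8), using
# -d to point it at the ftp tree, and the group output becomes ~ftp/etc/group.
```

Running `names_leaked` against the generated file before installing it catches a real login name that slipped through unchanged.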


