[3698] in Kerberos-V5-bugs

Re: [krbdev.mit.edu #1202] KDC rejects unknown flags

daemon@ATHENA.MIT.EDU (Sam Hartman via RT)
Mon Dec 16 14:43:18 2002

Mail-Followup-To: rt@krbdev.mit.edu
Message-Id: <rt-1202-3775.9.17560159675261@krbdev.mit.edu>
In-Reply-To: <rt-1202@krbdev.mit.edu>
From: "Sam Hartman via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
Mail-Copies-To: never
To: kenh@mit.edu
Cc: krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Mon, 16 Dec 2002 14:42:42 -0500 (EST)

>>>>> "Ken" == Ken Raeburn via RT <rt-comment@krbdev.mit.edu> writes:

    Ken> [hartmans - Thu Dec 12 17:22:45 2002]:
    >> Love points out that our KDC also rejects the disabled
    >> transited check option which it does understand.

    Ken> Yes, that's part of the protection against exploitation of
    Ken> the old chk_trans.c bug.  We shouldn't make the KDC obey this
    Ken> flag unconditionally without warning admins that they'll need
    Ken> to upgrade servers that are too old.  (Not obeying but not
    Ken> rejecting would probably be okay.)

I think that doing so for 1.3 would be fine, particularly if we get
our act together and document it and publish the CERT advisory.

