On 5/22/2019 6:25 PM, Brian May wrote:
> To me it really sounds like Heimdal is dropping support for 32 bit
> architectures then.
>
> However Debian doesn't have the luxury of being able to drop the 32 bit
> version of Heimdal, just for the sake of a faulty test. Particularly
> when existing versions have known security issues.
Heimdal isn't dropping support for 32-bit architectures; Debian is failing to support timestamps past 19 Jan 2038 03:14:07 UTC using the standard integer type for time: time_t. Heimdal uses time_t in its public API. Therefore, we cannot simply change from 32-bit time_t or (time_t *) in a public API and replace it with int64_t and (int64_t *) without breaking the API and ABI contracts. We certainly are not going to do so in a minor release. Even if we did, Debian wouldn't accept the change in its stable distributions because doing so would break the API and ABI contracts.

> Does this problem affect Heimdal versions < 7.5.0? It sounds like
> these versions should be fine (thinking of Jessie and Stretch security
> updates here).

I'm not sure if you are asking about the 32-bit time limitation on platforms that provide 32-bit time_t or the security vulnerabilities.

The range of affected Heimdal versions was published as part of the CVE-2018-16860 announcement. Quoting from that text:

== CVE ID#: CVE-2018-16860
==
== Versions: All Samba versions since Samba 4.0
== All releases of Heimdal from 0.8 including 7.5.0
== and any products that ship a KDC derived from one of
== those Heimdal releases.

Since Jessie and Stretch distribute vulnerable versions of Heimdal, Debian should update them.

The 32-bit time limitation imposed by OS platforms whose time_t is 32-bit affects all versions of Heimdal. Our advice to Debian is to replace the certificate with one that has an expiration date before 19 Jan 2038 03:14:07 UTC. Otherwise, Debian will fail to detect failures of the certificate validation code caused by patches that might be applied to OpenSSL.

Changes to the API and ABI can occur as part of a major release such as 8.0. There is an open issue to address the problem as part of Heimdal 8.0.

Jeffrey Altman
Heimdal Project Manager
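As an added illustration of the 32-bit time_t limit discussed in this message (this is not code from the thread, from Heimdal, or from Debian's test suite), the following C program performs the check a packager would want before choosing a test certificate: it parses an X.509 validity field as RFC 5280 encodes it (UTCTime or GeneralizedTime, the string form `openssl asn1parse` displays), keeps the result in 64 bits, and reports whether a signed 32-bit time_t can hold it and, if not, the wrapped value a 32-bit platform would see. The function names, the sentinel convention and the sample date strings are my own assumptions; the date-to-epoch conversion is Howard Hinnant's days_from_civil algorithm.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 2^32, the modulus a 32-bit time_t silently wraps around. */
#define TWO_POW_32 4294967296LL

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
 * days_from_civil); exact for the whole range X.509 dates can express. */
static int64_t days_from_civil(int64_t y, int m, int d)
{
    y -= (m <= 2);
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;                                   /* [0, 399]    */
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;  /* [0, 365]    */
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;           /* [0, 146096] */
    return era * 146097 + doe - 719468;
}

/* Read exactly `count` ASCII digits; -1 if any character is not a digit. */
static int read_digits(const char *s, int count)
{
    int v = 0;
    for (int i = 0; i < count; i++) {
        if (s[i] < '0' || s[i] > '9')
            return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

/* Parse a validity field as RFC 5280 requires it to be encoded:
 * UTCTime "YYMMDDHHMMSSZ" (YY >= 50 means 19YY, otherwise 20YY) or
 * GeneralizedTime "YYYYMMDDHHMMSSZ". The result is seconds since the
 * Unix epoch as a 64-bit value, so nothing is lost before inspection. */
bool parse_x509_time(const char *s, int64_t *epoch)
{
    size_t n = strlen(s);
    int64_t year;
    const char *p;

    if (n == 13) {                       /* UTCTime */
        int yy = read_digits(s, 2);
        if (yy < 0) return false;
        year = yy >= 50 ? 1900 + yy : 2000 + yy;
        p = s + 2;
    } else if (n == 15) {                /* GeneralizedTime */
        int yyyy = read_digits(s, 4);
        if (yyyy < 0) return false;
        year = yyyy;
        p = s + 4;
    } else {
        return false;
    }

    int mon = read_digits(p, 2), day = read_digits(p + 2, 2);
    int hh = read_digits(p + 4, 2), mm = read_digits(p + 6, 2), ss = read_digits(p + 8, 2);
    if (p[10] != 'Z' || mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hh < 0 || hh > 23 || mm < 0 || mm > 59 || ss < 0 || ss > 59)
        return false;

    *epoch = days_from_civil(year, mon, day) * 86400 + hh * 3600 + mm * 60 + ss;
    return true;
}

/* Convenience wrapper (my own convention): epoch seconds, or INT64_MIN
 * when the string is malformed. */
int64_t x509_epoch(const char *s)
{
    int64_t t;
    return parse_x509_time(s, &t) ? t : INT64_MIN;
}

/* True if the timestamp is representable in a signed 32-bit time_t,
 * i.e. no later than 19 Jan 2038 03:14:07 UTC. */
bool fits_time32(int64_t epoch)
{
    return epoch >= INT32_MIN && epoch <= INT32_MAX;
}

/* The value a 32-bit time_t holds after the narrowing conversion, computed
 * explicitly as two's-complement wraparound modulo 2^32 rather than through
 * an implementation-defined cast. */
int64_t wrap_to_time32(int64_t epoch)
{
    int64_t m = epoch % TWO_POW_32;
    if (m < 0) m += TWO_POW_32;
    if (m > INT32_MAX) m -= TWO_POW_32;
    return m;
}

int main(void)
{
    /* Constructed notAfter values; none is taken from a real certificate. */
    const char *samples[] = {
        "270101000000Z",    /* UTCTime, 1 Jan 2027: fits            */
        "20380119031407Z",  /* last second a 32-bit time_t can hold */
        "20380119031408Z",  /* first second that overflows          */
        "491231235959Z",    /* UTCTime, 31 Dec 2049: overflows too  */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t t = x509_epoch(samples[i]);
        if (t == INT64_MIN)
            printf("%-16s malformed\n", samples[i]);
        else if (fits_time32(t))
            printf("%-16s epoch %" PRId64 " fits in a 32-bit time_t\n", samples[i], t);
        else
            printf("%-16s epoch %" PRId64 " overflows; a 32-bit time_t reads it as %" PRId64 "\n",
                   samples[i], t, wrap_to_time32(t));
    }
    return 0;
}
```

The wrapped value for 03:14:08 is INT32_MIN, which a 32-bit platform interprets as a date in December 1901, so a certificate whose notAfter lies past the limit looks long expired there and a test expecting validation to succeed fails on the date comparison rather than on the code path it was meant to exercise. Feeding this check the notAfter of a candidate test certificate before shipping it avoids that.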