Any objections to applying the latest patch in 5924?
Jeffrey Altman
jaltman at secure-endpoints.com
Wed Jun 18 13:28:18 EDT 2008
Tom Yu wrote:
> Jeffrey Altman <jaltman at secure-endpoints.com> writes:
>
>> Please review the replay collision reduction patch in 5924.
>> The original contribution was from Nik Conwell at Boston University.
>> I've revised it to make it easier to read. I believe it should
>> be committed and will do so after someone on the Consortium team
>> reviews it.
>
> The patch adds a special meaning to a microseconds argument of -1
> passed to krb5_set_real_time(). This is an API change. Who is
> calling this API, and will this cause problems for them?
A brief Google search reveals that krb5_set_real_time() is used
internally to the krb5 libraries and was exported so that it can be
called by Samba so that the real time can be set to the CIFS server
time specified in an authentication failure response.

Given its purpose I cannot imagine a use case in which a negative
microseconds value would actually be valid? Are there any real world
systems in which time is reported as S seconds U microseconds where U
is negative?

This bug is serious and is widely causing problems. At a minimum for
Cornell, many users of modauthkerb, and my clients. I believe it
should be fixed.
Jeffrey Altman