
0.8.3

@dmulder dmulder released this 23 Jan 15:25
· 166 commits to main since this release
a5e14f8

Impact

Two vulnerabilities were identified in Himmelblau versions 0.7.0 through 0.8.2:

  1. Logon Compliance Script Issue: When debug logging is enabled, user access tokens are inadvertently logged, potentially exposing sensitive authentication data.
  2. Kerberos CCache Issue: Similarly, Kerberos Ticket-Granting Tickets (TGTs) are logged when debug logging is enabled.

Both issues expose sensitive credentials (access tokens and Kerberos TGTs) in environments where debug logging is enabled. They share the same root cause and are resolved by a single patch.

Patches

The vulnerabilities have been addressed in Himmelblau version 0.8.3. All users are strongly encouraged to update to this version.

Workarounds

Users unable to update immediately can apply the following mitigations:

  1. For the logon compliance script issue, disable the logon_script option in /etc/himmelblau/himmelblau.conf:

    logon_script = 

    Ensure the debug option in the same configuration file is set to false:

    debug = false

    Additionally, avoid using the -d flag when starting the himmelblaud daemon.

  2. For the Kerberos CCache issue, disable debug logging globally by:

    • Setting the debug option in /etc/himmelblau/himmelblau.conf to false.
    • Avoiding the -d parameter when starting himmelblaud.
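The following audit script is an added example and is not part of the Himmelblau project or this release; it checks the three conditions the workaround above depends on: that debug is not set to true in himmelblau.conf, that logon_script is empty, and that no running himmelblaud was started with -d. The config path, the `key = value` line format and the use of ps(1) to read the daemon's command line are assumptions made here for illustration.

```sh
#!/bin/sh
# Added example (not Himmelblau project code): audit a host for the debug-logging
# exposure described in the 0.8.3 advisory. Assumes himmelblau.conf uses simple
# "key = value" lines; section headers and "#" comments are ignored.

# Print the value of key $2 from file $1 (last occurrence wins), with surrounding
# whitespace stripped. Prints nothing if the key or the file is absent.
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 if the config file is consistent with the workaround, 1 otherwise,
# printing one FINDING line per problem.
audit_himmelblau_conf() {
    file="${1:-/etc/himmelblau/himmelblau.conf}"
    rc=0
    debug=$(conf_value "$file" debug)
    logon_script=$(conf_value "$file" logon_script)
    if [ "$debug" = "true" ]; then
        echo "FINDING: debug = true in $file (tokens and TGTs are logged on 0.7.0 through 0.8.2)"
        rc=1
    fi
    if [ -n "$logon_script" ]; then
        echo "FINDING: logon_script = $logon_script in $file (clear it until 0.8.3 is installed)"
        rc=1
    fi
    return $rc
}

# Return 0 if no running himmelblaud process carries a "-d" argument, 1 otherwise.
# Reads the process table with ps(1); adjust if your init system wraps the daemon.
audit_himmelblaud_cmdline() {
    if ps -eo args 2>/dev/null | awk '
        $1 ~ /himmelblaud$/ { for (i = 2; i <= NF; i++) if ($i == "-d") found = 1 }
        END { exit found ? 0 : 1 }'; then
        echo "FINDING: himmelblaud is running with -d (debug logging active)"
        return 1
    fi
    return 0
}

# Run both checks against the given config path (default: the system file) and
# exit non-zero if any finding was printed.
main() {
    status=0
    audit_himmelblau_conf "${1:-/etc/himmelblau/himmelblau.conf}" || status=1
    audit_himmelblaud_cmdline || status=1
    [ "$status" -eq 0 ] && echo "OK: no debug-logging exposure found"
    return $status
}

main "$@"
```

Run it as `sh himmelblau-audit.sh` (or pass an alternate path to a copied config). A clean run means the workaround is in place, not that the vulnerability is fixed; a host stays exposed until 0.8.3 is installed, and any existing debug logs written while the option was enabled should be reviewed and cleaned up separately.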
