Releases: himmelblau-idm/himmelblau
0.8.6
What's Changed
- Fix libutf8proc dependency issue on Ubuntu 22.04 - stable-0.8.x by @dmulder in #349
- Fix GOA crash when krb5.conf doesn't include /etc/krb5.conf.d - Stable 0.8.x by @dmulder in #354
- Only the himmelblau-sso package should conflict with intune-portal by @dmulder in #364
Full Changelog: 0.8.3...0.8.6
0.8.3
Impact
Two vulnerabilities were identified in Himmelblau versions 0.7.0 through 0.8.2:
- Logon Compliance Script Issue: When debug logging is enabled, user access tokens are inadvertently logged, potentially exposing sensitive authentication data.
- Kerberos CCache Issue: Similarly, Kerberos Ticket-Granting Tickets (TGTs) are logged when debug logging is enabled.
Both issues pose a risk of exposing sensitive credentials, particularly in environments where debug logging is enabled. Both issues are caused by the same underlying issue, and are resolved with a single patch.
Patches
The vulnerabilities have been addressed in Himmelblau version 0.8.3. All users are strongly encouraged to update to this version.
Workarounds
Users unable to update immediately can apply the following mitigations:
- For the logon compliance script issue, disable the logon_script option in /etc/himmelblau/himmelblau.conf:
  logon_script =
  Ensure the debug option in the same configuration file is set to false:
  debug = false
  Additionally, avoid using the -d flag when starting the himmelblaud daemon.
- For the Kerberos CCache issue, disable debug logging globally by:
  - Setting the debug option in /etc/himmelblau/himmelblau.conf to false.
  - Avoiding the -d parameter when starting himmelblaud.
References
- Himmelblau Configuration Documentation
- himmelblau.conf man page
- Himmelblau Daemon man page
- Official Himmelblau Release Notes and Updates
0.7.15
Impact
A vulnerability was identified in Himmelblau versions 0.7.0 through 0.8.2:
- Logon Compliance Script Issue: When debug logging is enabled, user access tokens are inadvertently logged, potentially exposing sensitive authentication data.
The issue poses a risk of exposing sensitive credentials, particularly in environments where debug logging is enabled.
Patches
The vulnerability has been addressed in Himmelblau version 0.7.15. All users are strongly encouraged to update to this version.
Workarounds
Users unable to update immediately can apply the following mitigations:
- For the logon compliance script issue, disable the logon_script option in /etc/himmelblau/himmelblau.conf:
  logon_script =
  Ensure the debug option in the same configuration file is set to false:
  debug = false
  Additionally, avoid using the -d flag when starting the himmelblaud daemon.
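The workaround above, and the identical one in the 0.8.3 advisory, comes down to three checks: debug is not true, logon_script is empty, and himmelblaud is not started with -d. The following audit/hardening script is an added example, not part of the Himmelblau project; it assumes himmelblau.conf is an INI-style file of "key = value" lines under a [global] section and treats an absent key as not enabled, and the sample config it writes is constructed.

```shell
#!/bin/sh
# Added example (not Himmelblau project code): audit and harden
# /etc/himmelblau/himmelblau.conf against the settings named in the advisory.

# Return 0 when no risky setting is present, 1 otherwise. Assumes INI-style
# "key = value" lines; "#"/";" comments are stripped before matching.
audit_himmelblau_conf() {
    conf="$1"
    rc=0
    if sed 's/[#;].*//' "$conf" |
        grep -Eiq '^[[:space:]]*debug[[:space:]]*=[[:space:]]*true'; then
        echo "RISK: debug = true in $conf (tokens and TGTs would be logged)"
        rc=1
    fi
    if sed 's/[#;].*//' "$conf" |
        grep -Eiq '^[[:space:]]*logon_script[[:space:]]*=[[:space:]]*[^[:space:]]'; then
        echo "RISK: logon_script is set in $conf"
        rc=1
    fi
    return $rc
}

# Rewrite existing debug/logon_script lines to the advisory's safe values.
# Keys that are absent are left absent (assumed not enabled); a temp file plus
# mv avoids the non-portable "sed -i".
harden_himmelblau_conf() {
    conf="$1"
    tmp="$conf.tmp"
    sed -e 's/^[[:space:]]*debug[[:space:]]*=.*/debug = false/' \
        -e 's/^[[:space:]]*logon_script[[:space:]]*=.*/logon_script =/' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Return 0 if a daemon command line carries the -d flag. Feed it, for example,
# the output of: ps -o args= -C himmelblaud   (Linux procps; an assumption)
cmdline_has_debug_flag() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])-d([[:space:]]|$)'
}

# Constructed sample config with both risky settings; prints its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real deployment
[global]
debug = true
logon_script = /usr/local/bin/compliance-check.sh
EOF
    printf '%s\n' "$f"
}
```

Run audit_himmelblau_conf against the real file before and after harden_himmelblau_conf; a non-zero exit before and zero after confirms the mitigation is in place.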
0.8.2
0.8.1
0.8.0
0.7.14
0.7.12
0.7.9
0.7.7
What's Changed
- Remove the org.samba.himmelblau dbus service by @dmulder in #302
- Enable module for utf8proc-devel in Rocky8 by @dmulder in #303
- Fix CVE-2024-11738: rustls network-reachable panic in Acceptor::accept by @dmulder in #307
This version addresses a vulnerability described in GHSA-8339-5m7v-j33j
Full Changelog: 0.7.4...0.7.7