krb5-1.11.3 is released

Tom Yu tlyu at MIT.EDU
Mon Jun 3 23:27:33 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.11.3.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.11.3
====================================

You may retrieve the Kerberos 5 Release 1.11.3 source from the
following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.11.3 release is:

        http://web.mit.edu/kerberos/krb5-1.11/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        http://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.11.3 (2013-06-03)
====================================

This is a bugfix release.

* Fix a UDP ping-pong vulnerability in the kpasswd (password changing)
  service.  [CVE-2002-2443]

* Improve interoperability with some Windows native PKINIT clients.

Major changes in 1.11.2 (2013-04-12)
====================================

This is a bugfix release.

* Incremental propagation could erroneously act as if a slave's
  database were current after the slave received a full dump that
  failed to load.

* gss_import_sec_context incorrectly set internal state that
  identifies whether an imported context is from an interposer
  mechanism or from the underlying mechanism.

Major changes in 1.11.1 (2013-02-21)
====================================

This is a bugfix release.

* Restore capability for multi-hop SAM-2 preauth exchanges, which
  krb5-1.11 had inadvertently removed.

* Fix a null pointer dereference in the KDC PKINIT code
  [CVE-2013-1415].

Major changes in 1.11 (2012-12-17)
==================================

Additional background information on these changes may be found at

    http://k5wiki.kerberos.org/wiki/Release_1.11

and

    http://k5wiki.kerberos.org/wiki/Category:Release_1.11_projects

Code quality:

* Improve ASN.1 support code, making it table-driven for decoding as
  well as encoding

* Refactor parts of KDC

Developer experience:

* Documentation consolidation

* Add a new API krb5_kt_have_content() to determine whether a keytab
  exists and contains any entries.

* Add a new API krb5_cccol_have_content() to determine whether the
  ccache collection contains any credentials.

* Add a new API krb5_kt_client_default() to resolve the default client
  keytab.

* Add new APIs gss_export_cred and gss_import_cred to serialize and
  unserialize GSSAPI credentials.

* Add a krb5_get_init_creds_opt_set_in_ccache() option.

* Add get_cc_config() and set_cc_config() clpreauth callbacks for
  getting string attribute values from an in_ccache and storing them
  in an out_ccache, respectively.

* Add a plugin interface for GSSAPI interposer mechanisms.

* Add an optional responder callback to the krb5_get_init_creds
  functions. The responder callback can consider and answer all
  preauth-related questions at once, and can process more complicated
  questions than the prompter.

* Add a method to the clpreauth interface to allow modules to supply
  response items for consideration by the responder callback.

* Projects/Password_response_item

* Add GSSAPI extensions to allow callers to specify credential store
  locations when acquiring or storing credentials

* Add a new API krb5_kt_client_default() to resolve the default client
  keytab.

Administrator experience:

* Documentation consolidation

* Add parameter expansion for default_keytab_name and
  default_client_keytab_name profile variables.

* Add new default_ccache_name profile variable to override the
  built-in default credential cache name.

* Add configure-time support for changing the built-in ccache and
  keytab names.

* Add krb5-config options for displaying the built-in ccache and
  keytab names.

* In the default build, use the system's built-in ccache and keytab
  names if they can be discovered using krb5-config.

* Add support for a "default client keytab". Its location is
  determined by the KRB5_CLIENT_KTNAME environment variable, the
  default_client_keytab profile relation, or a hardcoded path (TBD).

* GSSAPI initiator applications can now acquire credentials
  automatically from the default client keytab, if one is available.

* Add client support for FAST OTP (RFC 6560)

End-user experience:

* Documentation consolidation

* Store metadata in the ccache about how a credential was acquired, to
  improve the user's experience when reacquiring

* Projects/Extensible_Policy

Performance:

* Improve KDC lookaside cache performance

Protocol evolution:

* Add client support for FAST OTP (RFC 6560)

* Build Camellia encryption support by default
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (SunOS)

iQEVAwUBUa1eqRUCTNN0nXiJAQJanAf+Maxf/Ezzg3s2uVHbOh8UmBkGshv1AoCj
2bWS7VmrF+3rW7dibXm6yCJbQD2sdaL5lhgqKsN7bPa2cPY0Dhl+r2cjnRzyqaXA
PZE/QARFKSwSnJLiT+ZKKHL4OO55ELc0ChgNxcMiGdUL3ZicaiCe1Fkq2Ys9+mwh
tx3SV0SM92g/Y4w9oUqvVflbr2nWJ010Dc747HIZBRHblvkyoS2EA+uC6rZbn1tK
6EJ1ms2mj0i+LUK966m1/Lisppf5XWQE60L6W4aPMW2DvRIfFBz892bI9u27VsyJ
5/UeauRKcFXKQrzs9wx3ZVec8CFJTACNLdSKlYOtCw09/x8YCbvHiw==
=7SYJ
-----END PGP SIGNATURE-----
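The following krb5.conf fragment illustrates two of the settings the announcement refers to: the allow_weak_crypto relation from the DES transition section, and the 1.11 parameter expansion for the default_ccache_name and default_client_keytab_name profile variables. It is an added example for this page, not text from the announcement or a file from the krb5 source tree. The realm and file paths are illustrative assumptions, and %{uid} is one of the expansion tokens 1.11 accepts in these variables.

```ini
# Added example, not part of the announcement or the krb5 distribution.
# Only whole-line comments (# or ;) are safe in a krb5.conf file; the
# profile parser does not strip trailing comments from values.
[libdefaults]
    # Assumed realm for the example.
    default_realm = EXAMPLE.COM

    # DES transition.  Single-DES enctypes stay disabled unless this is
    # set to true.  Since krb5-1.8 the built-in default is already false;
    # stating it explicitly makes an audit of the file unambiguous and
    # protects against a copied-in stanza that flips it.
    allow_weak_crypto = false

    # The weak setting, shown for contrast.  It re-enables des-cbc-crc
    # and the other single-DES enctypes for this client.  If a site still
    # needs it for a migration window, keep it time-boxed and remove it
    # once the last DES-only service has been rekeyed.
    ; allow_weak_crypto = true

    # 1.11: parameter expansion in the default ccache and keytab names,
    # so one system-wide krb5.conf serves every user without a per-user
    # stanza.  %{uid} expands to the numeric uid of the calling process.
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
    default_client_keytab_name = FILE:/var/lib/krb5/user/%{uid}/client.keytab
```

The KRB5_CLIENT_KTNAME environment variable takes precedence over default_client_keytab_name, which matters when a service runs under a wrapper that exports it. Once a client keytab exists at the expanded path, GSSAPI initiators built against 1.11 pick up credentials from it without an explicit kinit, so the keytab's file permissions become the effective access control for that identity. To check which enctypes a keytab or credential cache actually carries after the change, klist -e prints the encryption type next to each entry.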