krb5-1.15.1 is released

Greg Hudson ghudson at mit.edu
Fri Mar 3 15:41:02 EST 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.15.1.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.15.1
====================================

You may retrieve the Kerberos 5 Release 1.15.1 source from the
following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.15.1 release is:

        http://web.mit.edu/kerberos/krb5-1.15/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        http://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.15.1 (2017-03-01)
====================================

This is a bug fix release.

* Allow KDB modules to determine how the e_data field of principal
  fields is freed

* Fix udp_preference_limit when the KDC location is configured with
  SRV records

* Fix KDC and kadmind startup on some IPv4-only systems

* Fix the processing of PKINIT certificate matching rules which have
  two components and no explicit relation

* Improve documentation

Major changes in 1.15 (2016-12-01)
==================================

Administrator experience:

* Improve support for multihomed Kerberos servers by adding options
  for specifying restricted listening addresses for the KDC and
  kadmind.

* Add support to kadmin for remote extraction of current keys without
  changing them (requires a special kadmin permission that is excluded
  from the wildcard permission), with the exception of highly
  protected keys.

* Add a lockdown_keys principal attribute to prevent retrieval of the
  principal's keys (old or new) via the kadmin protocol.  In newly
  created databases, this attribute is set on the krbtgt and kadmin
  principals.

* Restore recursive dump capability for DB2 back end, so sites can
  more easily recover from database corruption resulting from power
  failure events.

* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
 in addition to SRV records.  URI records can convey TCP and UDP
 servers and master KDC status in a single DNS lookup, and can also
 point to HTTPS proxy servers.

* Add support for password history to the LDAP back end.

* Add support for principal renaming to the LDAP back end.

* Use the getrandom system call on supported Linux kernels to avoid
  blocking problems when getting entropy from the operating system.

* In the PKINIT client, use the correct DigestInfo encoding for PKCS
  #1 signatures, so that some especially strict smart cards will work.

Code quality:

* Clean up numerous compilation warnings.

* Remove various infrequently built modules, including some preauth
  modules that were not built by default.

Developer experience:

* Add support for building with OpenSSL 1.1.

* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
  authenticators in the replay cache.  This helps sites that must
  build with FIPS 140 conformant libraries that lack MD5.

* Eliminate util/reconf and allow the use of autoreconf alone to
  regenerate the configure script.

Protocol evolution:

* Add support for the AES-SHA2 enctypes, which allows sites to conform
  to Suite B crypto requirements.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBWLnUkAy6CFdfg3LfAQKGYg//YGsdAcdu980OzPV529/YqLsY9A0Xy6HX
XmuAovexBzxkt0XSJwN85XU4DgxVik0wpaWLY9uQGPDUvR7Ib0JsxRG8B8JKF+b3
yROX0NUBpCZFc/QBodEL4T41wY73+yrfSpmIbqsSfUBQTYB9oNDyFmtuAKXlWlDp
kt+OlbySe02USDWBLad+NKQ/YmkFnpBnynXka4RtL5Gjgon13hMDKgxqaQurV3qi
sQ7BFWvME9hmaNogFp7a9I32pV9DG/y4U5ft9Ck6dL3MCgzSKObMYsQWHIPDKQky
6deav+9qSPDq5Tn87v/DSodkCCHu5Sr+OZ7zmoVu1LpM52nQr0SXYq/aCSwKOujk
h5M5rOtPI5DsEcDpfufsDYiPFFJXQRVlPAgsldsK7xuk3OFfgKXoPBQ5qxzZuMsU
G6NQwu/NLzBBj2FpBozNk2i7QmCqb1/0hHs31XsXgYgmSBmaoj7YEHH/ywi5WRNK
GRX4NWGRsdMMD6KQLR9uoDKNXYJge09sXTvMdQ08ANPTaX8ftv5o6S+1MZ8vdnSV
2QCa0T7FXF4uXF9swSnyhvHO8+LBBgIWkagnimScArRmDwUYLYYmXcC9ad0C/zNt
QzSIBW6LfbQRjiSs/EbjpqnpVo/RpjtgZfRwIHSS2o4ROSj7O0hFLu4/SNX/PS41
I+SUbsowH8c=
=U5k5
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce


More information about the Kerberos mailing list