krb5 commit [krb5-1.11]: Updates for krb5-1.11.3
Tom Yu
tlyu at MIT.EDU
Mon Jun 3 17:37:47 EDT 2013
https://github.com/krb5/krb5/commit/c538c54695ff40952873d6723066c3aa55893f27
commit c538c54695ff40952873d6723066c3aa55893f27
Author: Tom Yu <tlyu at mit.edu>
Date: Fri May 31 17:50:55 2013 -0400
Updates for krb5-1.11.3
README | 25 +++++++++++++++++++++++++
src/man/k5identity.man | 2 +-
src/man/k5login.man | 2 +-
src/man/k5srvutil.man | 2 +-
src/man/kadm5.acl.man | 2 +-
src/man/kadmin.man | 12 +++++++++---
src/man/kadmind.man | 2 +-
src/man/kdb5_ldap_util.man | 2 +-
src/man/kdb5_util.man | 2 +-
src/man/kdc.conf.man | 6 ++++--
src/man/kdestroy.man | 2 +-
src/man/kinit.man | 2 +-
src/man/klist.man | 2 +-
src/man/kpasswd.man | 2 +-
src/man/kprop.man | 2 +-
src/man/kpropd.man | 2 +-
src/man/kproplog.man | 2 +-
src/man/krb5-config.man | 2 +-
src/man/krb5.conf.man | 14 +++++++-------
src/man/krb5kdc.man | 2 +-
src/man/ksu.man | 2 +-
src/man/kswitch.man | 2 +-
src/man/ktutil.man | 2 +-
src/man/kvno.man | 2 +-
src/man/sclient.man | 2 +-
src/man/sserver.man | 2 +-
src/patchlevel.h | 6 +++---
27 files changed, 70 insertions(+), 37 deletions(-)
diff --git a/README b/README
index 118ebc7..9c5704d 100644
--- a/README
+++ b/README
@@ -77,6 +77,30 @@ from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
+Major changes in 1.11.3 (2013-06-03)
+------------------------------------
+
+* Fix a UDP ping-pong vulnerability in the kpasswd (password changing)
+ service. [CVE-2002-2443]
+
+* Improve interoperability with some Windows native PKINIT clients.
+
+krb5-1.11.3 changes by ticket ID
+--------------------------------
+
+7596 PKINIT should allow missing DH param Q
+7602 allow dh_min_bits >= 1024
+7605 Set msg_type when decoding FAST requests
+7626 Rename internal Camellia symbols
+7637 Fix kpasswd UDP ping-pong [CVE-2002-2443]
+7639 Transited realm checks sometimes fail for GSSAPI
+7640 Clarify that kdc.conf and krb5.conf are merged
+7641 Clarify krb5_rd_req documentation
+7644 Sphinx doc build leaves python bytecode (.pyc) in release tarball
+7653 Document preauth flags for service principals
+7654 Clarify retiring-des based on user feedback
+7655 Clean up dangling antecedent in allow_weak_crypto
+
Major changes in 1.11.2 (2013-04-12)
------------------------------------
@@ -590,6 +614,7 @@ reports, suggestions, and valuable resources:
Joel Johnson
W. Trevor King
Mikkel Kruse
+ Reinhard Kugler
Volker Lendecke
Jan iankko Lieskovsky
Oliver Loch
diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index 387355f..b14fd09 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -1,4 +1,4 @@
-.TH "K5IDENTITY" "5" " " "1.11.2" "MIT Kerberos"
+.TH "K5IDENTITY" "5" " " "1.11.3" "MIT Kerberos"
.SH NAME
k5identity \- Kerberos V5 client principal selection rules
.
diff --git a/src/man/k5login.man b/src/man/k5login.man
index 913f696..f3c634a 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -1,4 +1,4 @@
-.TH "K5LOGIN" "5" " " "1.11.2" "MIT Kerberos"
+.TH "K5LOGIN" "5" " " "1.11.3" "MIT Kerberos"
.SH NAME
k5login \- Kerberos V5 acl file for host access
.
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index d076541..8845053 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -1,4 +1,4 @@
-.TH "K5SRVUTIL" "1" " " "1.11.2" "MIT Kerberos"
+.TH "K5SRVUTIL" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
k5srvutil \- host key table (keytab) manipulation utility
.
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index d8a3d13..607653c 100644
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -1,4 +1,4 @@
-.TH "KADM5.ACL" "5" " " "1.11.2" "MIT Kerberos"
+.TH "KADM5.ACL" "5" " " "1.11.3" "MIT Kerberos"
.SH NAME
kadm5.acl \- Kerberos ACL file
.
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 307a913..df75fae 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -1,4 +1,4 @@
-.TH "KADMIN" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
kadmin \- Kerberos V5 database administration program
.
@@ -250,12 +250,18 @@ key for another user. \fB+allow_dup_skey\fP clears this flag.
.B {\-|+}\fBrequires_preauth\fP
\fB+requires_preauth\fP requires this principal to preauthenticate
before being allowed to kinit. \fB\-requires_preauth\fP clears this
-flag.
+flag. When \fB+requires_preauth\fP is set on a service principal,
+the KDC will only issue service tickets for that service principal
+if the client\(aqs initial authentication was performed using
+preauthentication.
.TP
.B {\-|+}\fBrequires_hwauth\fP
\fB+requires_hwauth\fP requires this principal to preauthenticate
using a hardware device before being allowed to kinit.
-\fB\-requires_hwauth\fP clears this flag.
+\fB\-requires_hwauth\fP clears this flag. When \fB+requires_hwauth\fP is
+set on a service principal, the KDC will only issue service tickets
+for that service principal if the client\(aqs initial authentication was
+performed using a hardware device to preauthenticate.
.TP
.B {\-|+}\fBok_as_delegate\fP
\fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index 6e3561f..e348fc0 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -1,4 +1,4 @@
-.TH "KADMIND" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KADMIND" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
kadmind \- KADM5 administration server
.
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index b26557f..6bb8697 100644
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -1,4 +1,4 @@
-.TH "KDB5_LDAP_UTIL" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KDB5_LDAP_UTIL" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
kdb5_ldap_util \- Kerberos configuration utility
.
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index c9f4bbe..8aa8241 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -1,4 +1,4 @@
-.TH "KDB5_UTIL" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
kdb5_util \- Kerberos database maintenance utility
.
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index ae15b56..d98198a 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1,4 +1,4 @@
-.TH "KDC.CONF" "5" " " "1.11.2" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.11.3" "MIT Kerberos"
.SH NAME
kdc.conf \- Kerberos V5 KDC configuration file
.
@@ -34,7 +34,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which
are typically only used on a KDC, such as the \fIkrb5kdc(8)\fP and
\fIkadmind(8)\fP daemons and the \fIkdb5_util(8)\fP program.
-Relations documented here may also be specified in krb5.conf.
+Relations documented here may also be specified in krb5.conf; for the
+KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
+single configuration profile.
.sp
Normally, the kdc.conf file is found in the KDC state directory,
\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP. You can override the default location by setting the
diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index 828724c..c647ec0 100644
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -1,4 +1,4 @@
-.TH "KDESTROY" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KDESTROY" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
kdestroy \- destroy Kerberos tickets
.
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 4c9ee1e..6a8f32b 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -1,4 +1,4 @@
-.TH "KINIT" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KINIT" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
kinit \- obtain and cache Kerberos ticket-granting ticket
.
diff --git a/src/man/klist.man b/src/man/klist.man
index 1a7a4cf..598c779 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -1,4 +1,4 @@
-.TH "KLIST" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KLIST" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
klist \- list cached Kerberos tickets
.
diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index 45b8c28..c890562 100644
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -1,4 +1,4 @@
-.TH "KPASSWD" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KPASSWD" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
kpasswd \- change a user's Kerberos password
.
diff --git a/src/man/kprop.man b/src/man/kprop.man
index 597d80a..389fd61 100644
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -1,4 +1,4 @@
-.TH "KPROP" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KPROP" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
kprop \- propagate a Kerberos V5 principal database to a slave server
.
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index 7a108d4..a244f49 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -1,4 +1,4 @@
-.TH "KPROPD" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KPROPD" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
kpropd \- Kerberos V5 slave KDC update server
.
diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index 212419f..34dc812 100644
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -1,4 +1,4 @@
-.TH "KPROPLOG" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KPROPLOG" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
kproplog \- display the contents of the Kerberos principal update log
.
diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man
index 53f03dc..74e5cfb 100644
--- a/src/man/krb5-config.man
+++ b/src/man/krb5-config.man
@@ -1,4 +1,4 @@
-.TH "KRB5-CONFIG" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KRB5-CONFIG" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
krb5-config \- tool for linking against MIT Kerberos libraries
.
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index f672594..bdf3585 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1,4 +1,4 @@
-.TH "KRB5.CONF" "5" " " "1.11.2" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.11.3" "MIT Kerberos"
.SH NAME
krb5.conf \- Kerberos configuration file
.
@@ -178,12 +178,12 @@ The libdefaults section may contain any of the following relations:
.INDENT 0.0
.TP
.B \fBallow_weak_crypto\fP
-If this flag is set to false, then weak encryption types will be
-filtered out of the previous three lists (as noted in
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP). The
-default value for this tag is false, which may cause
-authentication failures in existing Kerberos infrastructures that
-do not support strong crypto. Users in affected environments
+If this flag is set to false, then weak encryption types (as noted in
+\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP) will be filtered
+out of the lists \fBdefault_tgs_enctypes\fP, \fBdefault_tkt_enctypes\fP, and
+\fBpermitted_enctypes\fP. The default value for this tag is false, which
+may cause authentication failures in existing Kerberos infrastructures
+that do not support strong crypto. Users in affected environments
should set this tag to true until their infrastructure adopts
stronger ciphers.
.TP
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index 3a052cb..f8fdc60 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -1,4 +1,4 @@
-.TH "KRB5KDC" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KRB5KDC" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
krb5kdc \- Kerberos V5 KDC
.
diff --git a/src/man/ksu.man b/src/man/ksu.man
index 72a0f92..02318b9 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -1,4 +1,4 @@
-.TH "KSU" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KSU" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
ksu \- Kerberized super-user
.
diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index 0b1ca2a..20e0190 100644
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -1,4 +1,4 @@
-.TH "KSWITCH" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KSWITCH" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
kswitch \- switch primary ticket cache
.
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 86aa4d6..064c506 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -1,4 +1,4 @@
-.TH "KTUTIL" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KTUTIL" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
ktutil \- Kerberos keytab file maintenance utility
.
diff --git a/src/man/kvno.man b/src/man/kvno.man
index 8186a2b..df3d279 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -1,4 +1,4 @@
-.TH "KVNO" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KVNO" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
kvno \- print key version numbers of Kerberos principals
.
diff --git a/src/man/sclient.man b/src/man/sclient.man
index 3d3936a..6684b28 100644
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -1,4 +1,4 @@
-.TH "SCLIENT" "1" " " "1.11.2" "MIT Kerberos"
+.TH "SCLIENT" "1" " " "1.11.3" "MIT Kerberos"
.SH NAME
sclient \- sample Kerberos version 5 client
.
diff --git a/src/man/sserver.man b/src/man/sserver.man
index 8acb191..325ace6 100644
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -1,4 +1,4 @@
-.TH "SSERVER" "8" " " "1.11.2" "MIT Kerberos"
+.TH "SSERVER" "8" " " "1.11.3" "MIT Kerberos"
.SH NAME
sserver \- sample Kerberos version 5 server
.
diff --git a/src/patchlevel.h b/src/patchlevel.h
index 949ff76..b6ed140 100644
--- a/src/patchlevel.h
+++ b/src/patchlevel.h
@@ -51,7 +51,7 @@
*/
#define KRB5_MAJOR_RELEASE 1
#define KRB5_MINOR_RELEASE 11
-#define KRB5_PATCHLEVEL 2
-#define KRB5_RELTAIL "postrelease"
+#define KRB5_PATCHLEVEL 3
+/* #undef KRB5_RELTAIL */
/* #undef KRB5_RELDATE */
-#define KRB5_RELTAG "krb5-1.11"
+#define KRB5_RELTAG "krb5-1.11.3-final"