krb5 commit [krb5-1.11]: Updates for krb5-1.11.3

Tom Yu tlyu at MIT.EDU
Mon Jun 3 17:37:47 EDT 2013


https://github.com/krb5/krb5/commit/c538c54695ff40952873d6723066c3aa55893f27
commit c538c54695ff40952873d6723066c3aa55893f27
Author: Tom Yu <tlyu at mit.edu>
Date:   Fri May 31 17:50:55 2013 -0400

    Updates for krb5-1.11.3

 README                     |   25 +++++++++++++++++++++++++
 src/man/k5identity.man     |    2 +-
 src/man/k5login.man        |    2 +-
 src/man/k5srvutil.man      |    2 +-
 src/man/kadm5.acl.man      |    2 +-
 src/man/kadmin.man         |   12 +++++++++---
 src/man/kadmind.man        |    2 +-
 src/man/kdb5_ldap_util.man |    2 +-
 src/man/kdb5_util.man      |    2 +-
 src/man/kdc.conf.man       |    6 ++++--
 src/man/kdestroy.man       |    2 +-
 src/man/kinit.man          |    2 +-
 src/man/klist.man          |    2 +-
 src/man/kpasswd.man        |    2 +-
 src/man/kprop.man          |    2 +-
 src/man/kpropd.man         |    2 +-
 src/man/kproplog.man       |    2 +-
 src/man/krb5-config.man    |    2 +-
 src/man/krb5.conf.man      |   14 +++++++-------
 src/man/krb5kdc.man        |    2 +-
 src/man/ksu.man            |    2 +-
 src/man/kswitch.man        |    2 +-
 src/man/ktutil.man         |    2 +-
 src/man/kvno.man           |    2 +-
 src/man/sclient.man        |    2 +-
 src/man/sserver.man        |    2 +-
 src/patchlevel.h           |    6 +++---
 27 files changed, 70 insertions(+), 37 deletions(-)

diff --git a/README b/README
index 118ebc7..9c5704d 100644
--- a/README
+++ b/README
@@ -77,6 +77,30 @@ from using single-DES cryptosystems.  Among these is a configuration
 variable that enables "weak" enctypes, which defaults to "false"
 beginning with krb5-1.8.
 
+Major changes in 1.11.3 (2013-06-03)
+------------------------------------
+
+* Fix a UDP ping-pong vulnerability in the kpasswd (password changing)
+  service.  [CVE-2002-2443]
+
+* Improve interoperability with some Windows native PKINIT clients.
+
+krb5-1.11.3 changes by ticket ID
+--------------------------------
+
+7596    PKINIT should allow missing DH param Q
+7602    allow dh_min_bits >= 1024
+7605    Set msg_type when decoding FAST requests
+7626    Rename internal Camellia symbols
+7637    Fix kpasswd UDP ping-pong [CVE-2002-2443]
+7639    Transited realm checks sometimes fail for GSSAPI
+7640    Clarify that kdc.conf and krb5.conf are merged
+7641    Clarify krb5_rd_req documentation
+7644    Sphinx doc build leaves python bytecode (.pyc) in release tarball
+7653    Document preauth flags for service principals
+7654    Clarify retiring-des based on user feedback
+7655    Clean up dangling antecedent in allow_weak_crypto
+
 Major changes in 1.11.2 (2013-04-12)
 ------------------------------------
 
@@ -590,6 +614,7 @@ reports, suggestions, and valuable resources:
     Joel Johnson
     W. Trevor King
     Mikkel Kruse
+    Reinhard Kugler
     Volker Lendecke
     Jan iankko Lieskovsky
     Oliver Loch
diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index 387355f..b14fd09 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -1,4 +1,4 @@
-.TH "K5IDENTITY" "5" " " "1.11.2" "MIT Kerberos"
+.TH "K5IDENTITY" "5" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 k5identity \- Kerberos V5 client principal selection rules
 .
diff --git a/src/man/k5login.man b/src/man/k5login.man
index 913f696..f3c634a 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -1,4 +1,4 @@
-.TH "K5LOGIN" "5" " " "1.11.2" "MIT Kerberos"
+.TH "K5LOGIN" "5" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 k5login \- Kerberos V5 acl file for host access
 .
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index d076541..8845053 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -1,4 +1,4 @@
-.TH "K5SRVUTIL" "1" " " "1.11.2" "MIT Kerberos"
+.TH "K5SRVUTIL" "1" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 k5srvutil \- host key table (keytab) manipulation utility
 .
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index d8a3d13..607653c 100644
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -1,4 +1,4 @@
-.TH "KADM5.ACL" "5" " " "1.11.2" "MIT Kerberos"
+.TH "KADM5.ACL" "5" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 kadm5.acl \- Kerberos ACL file
 .
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index 307a913..df75fae 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -1,4 +1,4 @@
-.TH "KADMIN" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 kadmin \- Kerberos V5 database administration program
 .
@@ -250,12 +250,18 @@ key for another user.  \fB+allow_dup_skey\fP clears this flag.
 .B {\-|+}\fBrequires_preauth\fP
 \fB+requires_preauth\fP requires this principal to preauthenticate
 before being allowed to kinit.  \fB\-requires_preauth\fP clears this
-flag.
+flag.  When \fB+requires_preauth\fP is set on a service principal,
+the KDC will only issue service tickets for that service principal
+if the client\(aqs initial authentication was performed using
+preauthentication.
 .TP
 .B {\-|+}\fBrequires_hwauth\fP
 \fB+requires_hwauth\fP requires this principal to preauthenticate
 using a hardware device before being allowed to kinit.
-\fB\-requires_hwauth\fP clears this flag.
+\fB\-requires_hwauth\fP clears this flag.  When \fB+requires_hwauth\fP is
+set on a service principal, the KDC will only issue service tickets
+for that service principal if the client\(aqs initial authentication was
+performed using a hardware device to preauthenticate.
 .TP
 .B {\-|+}\fBok_as_delegate\fP
 \fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index 6e3561f..e348fc0 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -1,4 +1,4 @@
-.TH "KADMIND" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KADMIND" "8" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 kadmind \- KADM5 administration server
 .
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index b26557f..6bb8697 100644
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -1,4 +1,4 @@
-.TH "KDB5_LDAP_UTIL" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KDB5_LDAP_UTIL" "8" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 kdb5_ldap_util \- Kerberos configuration utility
 .
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index c9f4bbe..8aa8241 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -1,4 +1,4 @@
-.TH "KDB5_UTIL" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 kdb5_util \- Kerberos database maintenance utility
 .
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index ae15b56..d98198a 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1,4 +1,4 @@
-.TH "KDC.CONF" "5" " " "1.11.2" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 kdc.conf \- Kerberos V5 KDC configuration file
 .
@@ -34,7 +34,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which
 are typically only used on a KDC, such as the \fIkrb5kdc(8)\fP and
 \fIkadmind(8)\fP daemons and the \fIkdb5_util(8)\fP program.
-Relations documented here may also be specified in krb5.conf.
+Relations documented here may also be specified in krb5.conf; for the
+KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
+single configuration profile.
 .sp
 Normally, the kdc.conf file is found in the KDC state directory,
 \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP.  You can override the default location by setting the
diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index 828724c..c647ec0 100644
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -1,4 +1,4 @@
-.TH "KDESTROY" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KDESTROY" "1" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 kdestroy \- destroy Kerberos tickets
 .
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 4c9ee1e..6a8f32b 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -1,4 +1,4 @@
-.TH "KINIT" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KINIT" "1" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 kinit \- obtain and cache Kerberos ticket-granting ticket
 .
diff --git a/src/man/klist.man b/src/man/klist.man
index 1a7a4cf..598c779 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -1,4 +1,4 @@
-.TH "KLIST" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KLIST" "1" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 klist \- list cached Kerberos tickets
 .
diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index 45b8c28..c890562 100644
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -1,4 +1,4 @@
-.TH "KPASSWD" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KPASSWD" "1" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 kpasswd \- change a user's Kerberos password
 .
diff --git a/src/man/kprop.man b/src/man/kprop.man
index 597d80a..389fd61 100644
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -1,4 +1,4 @@
-.TH "KPROP" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KPROP" "8" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 kprop \- propagate a Kerberos V5 principal database to a slave server
 .
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index 7a108d4..a244f49 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -1,4 +1,4 @@
-.TH "KPROPD" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KPROPD" "8" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 kpropd \- Kerberos V5 slave KDC update server
 .
diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index 212419f..34dc812 100644
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -1,4 +1,4 @@
-.TH "KPROPLOG" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KPROPLOG" "8" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 kproplog \- display the contents of the Kerberos principal update log
 .
diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man
index 53f03dc..74e5cfb 100644
--- a/src/man/krb5-config.man
+++ b/src/man/krb5-config.man
@@ -1,4 +1,4 @@
-.TH "KRB5-CONFIG" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KRB5-CONFIG" "1" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 krb5-config \- tool for linking against MIT Kerberos libraries
 .
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index f672594..bdf3585 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1,4 +1,4 @@
-.TH "KRB5.CONF" "5" " " "1.11.2" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 krb5.conf \- Kerberos configuration file
 .
@@ -178,12 +178,12 @@ The libdefaults section may contain any of the following relations:
 .INDENT 0.0
 .TP
 .B \fBallow_weak_crypto\fP
-If this flag is set to false, then weak encryption types will be
-filtered out of the previous three lists (as noted in
-\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP).  The
-default value for this tag is false, which may cause
-authentication failures in existing Kerberos infrastructures that
-do not support strong crypto.  Users in affected environments
+If this flag is set to false, then weak encryption types (as noted in
+\fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP) will be filtered
+out of the lists \fBdefault_tgs_enctypes\fP, \fBdefault_tkt_enctypes\fP, and
+\fBpermitted_enctypes\fP.  The default value for this tag is false, which
+may cause authentication failures in existing Kerberos infrastructures
+that do not support strong crypto.  Users in affected environments
 should set this tag to true until their infrastructure adopts
 stronger ciphers.
 .TP
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index 3a052cb..f8fdc60 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -1,4 +1,4 @@
-.TH "KRB5KDC" "8" " " "1.11.2" "MIT Kerberos"
+.TH "KRB5KDC" "8" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 krb5kdc \- Kerberos V5 KDC
 .
diff --git a/src/man/ksu.man b/src/man/ksu.man
index 72a0f92..02318b9 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -1,4 +1,4 @@
-.TH "KSU" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KSU" "1" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 ksu \- Kerberized super-user
 .
diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index 0b1ca2a..20e0190 100644
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -1,4 +1,4 @@
-.TH "KSWITCH" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KSWITCH" "1" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 kswitch \- switch primary ticket cache
 .
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 86aa4d6..064c506 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -1,4 +1,4 @@
-.TH "KTUTIL" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KTUTIL" "1" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 ktutil \- Kerberos keytab file maintenance utility
 .
diff --git a/src/man/kvno.man b/src/man/kvno.man
index 8186a2b..df3d279 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -1,4 +1,4 @@
-.TH "KVNO" "1" " " "1.11.2" "MIT Kerberos"
+.TH "KVNO" "1" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 kvno \- print key version numbers of Kerberos principals
 .
diff --git a/src/man/sclient.man b/src/man/sclient.man
index 3d3936a..6684b28 100644
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -1,4 +1,4 @@
-.TH "SCLIENT" "1" " " "1.11.2" "MIT Kerberos"
+.TH "SCLIENT" "1" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 sclient \- sample Kerberos version 5 client
 .
diff --git a/src/man/sserver.man b/src/man/sserver.man
index 8acb191..325ace6 100644
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -1,4 +1,4 @@
-.TH "SSERVER" "8" " " "1.11.2" "MIT Kerberos"
+.TH "SSERVER" "8" " " "1.11.3" "MIT Kerberos"
 .SH NAME
 sserver \- sample Kerberos version 5 server
 .
diff --git a/src/patchlevel.h b/src/patchlevel.h
index 949ff76..b6ed140 100644
--- a/src/patchlevel.h
+++ b/src/patchlevel.h
@@ -51,7 +51,7 @@
  */
 #define KRB5_MAJOR_RELEASE 1
 #define KRB5_MINOR_RELEASE 11
-#define KRB5_PATCHLEVEL 2
-#define KRB5_RELTAIL "postrelease"
+#define KRB5_PATCHLEVEL 3
+/* #undef KRB5_RELTAIL */
 /* #undef KRB5_RELDATE */
-#define KRB5_RELTAG "krb5-1.11"
+#define KRB5_RELTAG "krb5-1.11.3-final"

