krb5 commit [krb5-1.11]: Updates for krb5-1.11.4
Tom Yu
tlyu at MIT.EDU
Mon Nov 4 19:53:07 EST 2013
https://github.com/krb5/krb5/commit/42f69d022e61dd267a57fadfc5c50cdfd57090ac
commit 42f69d022e61dd267a57fadfc5c50cdfd57090ac
Author: Tom Yu <tlyu at mit.edu>
Date: Mon Nov 4 15:24:40 2013 -0500
Updates for krb5-1.11.4
README | 45 ++++++++++++++++++++++++++++++++++++++++++++
src/man/k5identity.man | 2 +-
src/man/k5login.man | 2 +-
src/man/k5srvutil.man | 2 +-
src/man/kadm5.acl.man | 2 +-
src/man/kadmin.man | 2 +-
src/man/kadmind.man | 2 +-
src/man/kdb5_ldap_util.man | 2 +-
src/man/kdb5_util.man | 6 ++--
src/man/kdc.conf.man | 2 +-
src/man/kdestroy.man | 2 +-
src/man/kinit.man | 2 +-
src/man/klist.man | 2 +-
src/man/kpasswd.man | 2 +-
src/man/kprop.man | 2 +-
src/man/kpropd.man | 29 ++++++++++++---------------
src/man/kproplog.man | 2 +-
src/man/krb5-config.man | 2 +-
src/man/krb5.conf.man | 2 +-
src/man/krb5kdc.man | 2 +-
src/man/ksu.man | 2 +-
src/man/kswitch.man | 2 +-
src/man/ktutil.man | 2 +-
src/man/kvno.man | 2 +-
src/man/sclient.man | 2 +-
src/man/sserver.man | 2 +-
src/patchlevel.h | 6 ++--
27 files changed, 87 insertions(+), 45 deletions(-)
diff --git a/README b/README
index 9c5704d..b3d53f7 100644
--- a/README
+++ b/README
@@ -77,6 +77,42 @@ from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
+Major changes in 1.11.4 (2013-11-04)
+------------------------------------
+
+* Fix a KDC null pointer dereference [CVE-2013-1417] that could affect
+ realms with an uncommon configuration.
+
+* Fix a KDC null pointer dereference [CVE-2013-1418] that could affect
+ KDCs that serve multiple realms.
+
+* Fix a number of bugs related to KDC master key rollover.
+
+krb5-1.11.4 changes by ticket ID
+--------------------------------
+
+7508 Indefinite FD polling
+7650 Issue following client referral from AD
+7664 Build with Visual Studio 2012
+7668 KDC null deref due to referrals [CVE-2013-1417]
+7670 Add test case for CVE-2013-1417
+7671 Install ccselect_plugin.h
+7702 krb5-1.11.3 FTBFS on NetBSD
+7723 Fix GSSAPI krb5 cred ccache import
+7724 Change KRB5KDC_ERR_NO_ACCEPTABLE_KDF to 100
+7726 Use protocol error for PKINIT cert expiry
+7727 Discuss cert expiry, no-key princs in PKINIT docs
+7734 Fix typos in kdb5_util master key command outputs
+7735 Use active master key in update_princ_encryption
+7737 Correctly activate master keys in pre-1.7 KDBs
+7742 Reset key-generation parameters for each enctype
+7746 Fix decoding of mkey kvno in mkey_aux tl-data
+7747 Improve LDAP KDB initialization error messages
+7748 Document master key rollover
+7752 Clarify kpropd standalone mode documentation
+7756 Multi-realm KDC null deref [CVE-2013-1418]
+7758 Fix reference for trace logging
+
Major changes in 1.11.3 (2013-06-03)
------------------------------------
@@ -556,6 +592,7 @@ reports, suggestions, and valuable resources:
Mark Bannister
David Bantz
Alex Baule
+ David Benjamin
Adam Bernstein
Arlene Berry
Jeff Blaine
@@ -576,14 +613,18 @@ reports, suggestions, and valuable resources:
Nalin Dahyabhai
Mark Davies
Dennis Davis
+ Alex Dehnert
Mark Deneen
+ Günther Deschner
Roland Dowdeswell
+ Viktor Dukhovni
Jason Edgecombe
Mark Eichin
Shawn M. Emery
Douglas E. Engert
Peter Eriksson
Juha Erkkilä
+ Gilles Espinasse
Ronni Feldt
Bill Fellows
JC Ferguson
@@ -596,6 +637,7 @@ reports, suggestions, and valuable resources:
Steve Grubb
Philip Guenther
Dominic Hargreaves
+ Robbie Harwood
Jakob Haufe
Matthieu Hautreux
Paul B. Henson
@@ -619,6 +661,7 @@ reports, suggestions, and valuable resources:
Jan iankko Lieskovsky
Oliver Loch
Kevin Longfellow
+ Nuno Lopes
Ryan Lynch
Nathaniel McCallum
Greg McClement
@@ -648,6 +691,7 @@ reports, suggestions, and valuable resources:
Mike Roszkowski
Guillaume Rousse
Tom Shaw
+ Jim Shi
Peter Shoults
Simo Sorce
Michael Spang
@@ -668,6 +712,7 @@ reports, suggestions, and valuable resources:
Simon Wilkinson
Nicolas Williams
Ross Wilper
+ Augustin Wolf
Xu Qiang
Nickolai Zeldovich
Hanz van Zijst
diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index b14fd09..04baa86 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -1,4 +1,4 @@
-.TH "K5IDENTITY" "5" " " "1.11.3" "MIT Kerberos"
+.TH "K5IDENTITY" "5" " " "1.11.4" "MIT Kerberos"
.SH NAME
k5identity \- Kerberos V5 client principal selection rules
.
diff --git a/src/man/k5login.man b/src/man/k5login.man
index f3c634a..5fd516c 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -1,4 +1,4 @@
-.TH "K5LOGIN" "5" " " "1.11.3" "MIT Kerberos"
+.TH "K5LOGIN" "5" " " "1.11.4" "MIT Kerberos"
.SH NAME
k5login \- Kerberos V5 acl file for host access
.
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index 8845053..5e2c748 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -1,4 +1,4 @@
-.TH "K5SRVUTIL" "1" " " "1.11.3" "MIT Kerberos"
+.TH "K5SRVUTIL" "1" " " "1.11.4" "MIT Kerberos"
.SH NAME
k5srvutil \- host key table (keytab) manipulation utility
.
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index 607653c..570cd96 100644
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -1,4 +1,4 @@
-.TH "KADM5.ACL" "5" " " "1.11.3" "MIT Kerberos"
+.TH "KADM5.ACL" "5" " " "1.11.4" "MIT Kerberos"
.SH NAME
kadm5.acl \- Kerberos ACL file
.
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index df75fae..a3f29d4 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -1,4 +1,4 @@
-.TH "KADMIN" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.11.4" "MIT Kerberos"
.SH NAME
kadmin \- Kerberos V5 database administration program
.
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index e348fc0..a49acf8 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -1,4 +1,4 @@
-.TH "KADMIND" "8" " " "1.11.3" "MIT Kerberos"
+.TH "KADMIND" "8" " " "1.11.4" "MIT Kerberos"
.SH NAME
kadmind \- KADM5 administration server
.
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index 6bb8697..aec70c7 100644
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -1,4 +1,4 @@
-.TH "KDB5_LDAP_UTIL" "8" " " "1.11.3" "MIT Kerberos"
+.TH "KDB5_LDAP_UTIL" "8" " " "1.11.4" "MIT Kerberos"
.SH NAME
kdb5_ldap_util \- Kerberos configuration utility
.
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 8aa8241..f0063d6 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -1,4 +1,4 @@
-.TH "KDB5_UTIL" "8" " " "1.11.3" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.11.4" "MIT Kerberos"
.SH NAME
kdb5_util \- Kerberos database maintenance utility
.
@@ -349,8 +349,8 @@ gives more verbose output.
.sp
Update all principal records (or only those matching the
\fIprinc\-pattern\fP glob pattern) to re\-encrypt the key data using the
-active database master key, if they are encrypted using older
-versions, and give a count at the end of the number of principals
+active database master key, if they are encrypted using a different
+version, and give a count at the end of the number of principals
updated. If the \fB\-f\fP option is not given, ask for confirmation
before starting to make changes. The \fB\-v\fP option causes each
principal processed to be listed, with an indication as to whether it
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index d98198a..04e47f9 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1,4 +1,4 @@
-.TH "KDC.CONF" "5" " " "1.11.3" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.11.4" "MIT Kerberos"
.SH NAME
kdc.conf \- Kerberos V5 KDC configuration file
.
diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index c647ec0..b4512f7 100644
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -1,4 +1,4 @@
-.TH "KDESTROY" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KDESTROY" "1" " " "1.11.4" "MIT Kerberos"
.SH NAME
kdestroy \- destroy Kerberos tickets
.
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 6a8f32b..fc44aac 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -1,4 +1,4 @@
-.TH "KINIT" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KINIT" "1" " " "1.11.4" "MIT Kerberos"
.SH NAME
kinit \- obtain and cache Kerberos ticket-granting ticket
.
diff --git a/src/man/klist.man b/src/man/klist.man
index 598c779..f581e67 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -1,4 +1,4 @@
-.TH "KLIST" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KLIST" "1" " " "1.11.4" "MIT Kerberos"
.SH NAME
klist \- list cached Kerberos tickets
.
diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index c890562..82e2fd8 100644
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -1,4 +1,4 @@
-.TH "KPASSWD" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KPASSWD" "1" " " "1.11.4" "MIT Kerberos"
.SH NAME
kpasswd \- change a user's Kerberos password
.
diff --git a/src/man/kprop.man b/src/man/kprop.man
index 389fd61..f072ff7 100644
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -1,4 +1,4 @@
-.TH "KPROP" "8" " " "1.11.3" "MIT Kerberos"
+.TH "KPROP" "8" " " "1.11.4" "MIT Kerberos"
.SH NAME
kprop \- propagate a Kerberos V5 principal database to a slave server
.
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index a244f49..02f91bc 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -1,4 +1,4 @@
-.TH "KPROPD" "8" " " "1.11.3" "MIT Kerberos"
+.TH "KPROPD" "8" " " "1.11.4" "MIT Kerberos"
.SH NAME
kpropd \- Kerberos V5 slave KDC update server
.
@@ -69,9 +69,14 @@ kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
.UNINDENT
.UNINDENT
.sp
-kpropd can also run as a standalone daemon. This is required for
-incremental propagation. But this is also useful for debugging
-purposes.
+kpropd can also run as a standalone daemon, backgrounding itself and
+waiting for connections on port 754 (or the port specified with the
+\fB\-P\fP option if given). Standalone mode is required for incremental
+propagation. Starting in release 1.11, kpropd automatically detects
+whether it was run from inetd and runs in standalone mode if it is
+not. Prior to release 1.11, the \fB\-S\fP option is required to run
+kpropd in standalone mode; this option is now accepted for backward
+compatibility but does nothing.
.sp
Incremental propagation may be enabled with the \fBiprop_enable\fP
variable in \fIkdc.conf(5)\fP. If incremental propagation is
@@ -101,19 +106,11 @@ to be stored; by default the dumped database file is \fB at LOCALSTATEDIR@\fP\fB/kr
Allows the user to specify the pathname to the \fIkdb5_util(8)\fP
program; by default the pathname used is \fB at SBINDIR@\fP\fB/kdb5_util\fP.
.TP
-.B \fB\-S\fP
-[DEPRECATED] Enable standalone mode. Normally kpropd is invoked by
-inetd(8) so it expects a network connection to be passed to it
-from inetd(8). If the \fB\-S\fP option is specified, or if standard
-input is not a socket, kpropd will put itself into the background,
-and wait for connections on port 754 (or the port specified with the
-\fB\-P\fP option if given).
-.TP
.B \fB\-d\fP
-Turn on debug mode. In this mode, if the \fB\-S\fP option is
-selected, kpropd will not detach itself from the current job and
-run in the background. Instead, it will run in the foreground and
-print out debugging messages during the database propagation.
+Turn on debug mode. In this mode, kpropd will not detach
+itself from the current job and run in the background. Instead,
+it will run in the foreground and print out debugging messages
+during the database propagation.
.TP
.B \fB\-P\fP
Allow for an alternate port number for kpropd to listen on. This
diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index 34dc812..d9184cc 100644
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -1,4 +1,4 @@
-.TH "KPROPLOG" "8" " " "1.11.3" "MIT Kerberos"
+.TH "KPROPLOG" "8" " " "1.11.4" "MIT Kerberos"
.SH NAME
kproplog \- display the contents of the Kerberos principal update log
.
diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man
index 74e5cfb..2be370a 100644
--- a/src/man/krb5-config.man
+++ b/src/man/krb5-config.man
@@ -1,4 +1,4 @@
-.TH "KRB5-CONFIG" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KRB5-CONFIG" "1" " " "1.11.4" "MIT Kerberos"
.SH NAME
krb5-config \- tool for linking against MIT Kerberos libraries
.
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index bdf3585..4ffe03e 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1,4 +1,4 @@
-.TH "KRB5.CONF" "5" " " "1.11.3" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.11.4" "MIT Kerberos"
.SH NAME
krb5.conf \- Kerberos configuration file
.
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index f8fdc60..21b7814 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -1,4 +1,4 @@
-.TH "KRB5KDC" "8" " " "1.11.3" "MIT Kerberos"
+.TH "KRB5KDC" "8" " " "1.11.4" "MIT Kerberos"
.SH NAME
krb5kdc \- Kerberos V5 KDC
.
diff --git a/src/man/ksu.man b/src/man/ksu.man
index 02318b9..1d099c0 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -1,4 +1,4 @@
-.TH "KSU" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KSU" "1" " " "1.11.4" "MIT Kerberos"
.SH NAME
ksu \- Kerberized super-user
.
diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index 20e0190..9190a7a 100644
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -1,4 +1,4 @@
-.TH "KSWITCH" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KSWITCH" "1" " " "1.11.4" "MIT Kerberos"
.SH NAME
kswitch \- switch primary ticket cache
.
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 064c506..36211ae 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -1,4 +1,4 @@
-.TH "KTUTIL" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KTUTIL" "1" " " "1.11.4" "MIT Kerberos"
.SH NAME
ktutil \- Kerberos keytab file maintenance utility
.
diff --git a/src/man/kvno.man b/src/man/kvno.man
index df3d279..47bdda8 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -1,4 +1,4 @@
-.TH "KVNO" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KVNO" "1" " " "1.11.4" "MIT Kerberos"
.SH NAME
kvno \- print key version numbers of Kerberos principals
.
diff --git a/src/man/sclient.man b/src/man/sclient.man
index 6684b28..6d80a00 100644
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -1,4 +1,4 @@
-.TH "SCLIENT" "1" " " "1.11.3" "MIT Kerberos"
+.TH "SCLIENT" "1" " " "1.11.4" "MIT Kerberos"
.SH NAME
sclient \- sample Kerberos version 5 client
.
diff --git a/src/man/sserver.man b/src/man/sserver.man
index 325ace6..1f7cc5f 100644
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -1,4 +1,4 @@
-.TH "SSERVER" "8" " " "1.11.3" "MIT Kerberos"
+.TH "SSERVER" "8" " " "1.11.4" "MIT Kerberos"
.SH NAME
sserver \- sample Kerberos version 5 server
.
diff --git a/src/patchlevel.h b/src/patchlevel.h
index eb6cf94..9674800 100644
--- a/src/patchlevel.h
+++ b/src/patchlevel.h
@@ -51,7 +51,7 @@
*/
#define KRB5_MAJOR_RELEASE 1
#define KRB5_MINOR_RELEASE 11
-#define KRB5_PATCHLEVEL 3
-#define KRB5_RELTAIL "postrelease"
+#define KRB5_PATCHLEVEL 4
+/* #undef KRB5_RELTAIL */
/* #undef KRB5_RELDATE */
-#define KRB5_RELTAG "krb5-1.11"
+#define KRB5_RELTAG "krb5-1.11.4-final"
More information about the cvs-krb5
mailing list