krb5 commit: Updates for krb5-1.22-prerelease
ghudson at mit.edu
Fri Apr 14 01:17:26 EDT 2023
https://github.com/krb5/krb5/commit/e806d1223329fe4b6d9738237893dda27b616bb6
commit e806d1223329fe4b6d9738237893dda27b616bb6
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Apr 13 18:49:35 2023 -0400
Updates for krb5-1.22-prerelease
README | 45 +++++++++++++++++++++++++++++----------------
src/patchlevel.h | 2 +-
2 files changed, 30 insertions(+), 17 deletions(-)
diff --git a/README b/README
index eea7446ed..35acf033e 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
- Kerberos Version 5, Release 1.21
+ Kerberos Version 5, Release 1.22
Release Notes
The MIT Kerberos Team
@@ -64,31 +64,43 @@ and using the "Guest Login" button. Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.
-PAC transition
---------------
+PAC transitions
+---------------
Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
-the incoming tickets. If only some KDCs in a realm have been upgraded
-across version 1.20, the upgraded KDCs will reject S4U requests
-containing tickets from non-upgraded KDCs and vice versa.
+the incoming tickets. Beginning with release 1.21, service ticket
+PACs will contain a new KDC checksum buffer, to mitigate a hash
+collision attack against the old KDC checksum. If only some KDCs in a
+realm have been upgraded across versions 1.20 or 1.21, the upgraded
+KDCs will reject S4U requests containing tickets from non-upgraded
+KDCs and vice versa.
+
+Triple-DES and RC4 transitions
+------------------------------
-Triple-DES transition
----------------------
+Beginning with the krb5-1.21 release, the KDC will not issue tickets
+with triple-DES or RC4 session keys unless explicitly configured using
+the new allow_des3 and allow_rc4 variables in [libdefaults]. To
+facilitate the negotiation of session keys, the KDC will assume that
+all services can handle aes256-sha1 session keys unless the service
+principal has a session_enctypes string attribute.
Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
-type. In future releases, this encryption type will be disabled by
-default and eventually removed.
+type. Beginning with the krb5-1.21 release, a warning will also be
+issued for the arcfour-hmac encryption type. In future releases,
+these encryption types will be disabled by default and eventually
+removed.
-Beginning with the krb5-1.18 release, single-DES encryption types have
-been removed.
+Beginning with the krb5-1.18 release, all support for single-DES
+encryption types has been removed.
-Major changes in 1.21
+Major changes in 1.22
---------------------
-krb5-1.21 changes by ticket ID
+krb5-1.22 changes by ticket ID
------------------------------
Acknowledgements
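Review bot: In the new "Triple-DES and RC4 transitions" section, the added krb5-1.21 paragraph is placed ahead of the existing krb5-1.19 paragraph, and read together the two look inconsistent. The first says the KDC already will not issue triple-DES or RC4 session keys unless allow_des3 or allow_rc4 is set in [libdefaults], while the second still says these encryption types "will be disabled by default" only in future releases. Suggest ordering the paragraphs by release (1.18, 1.19, 1.21) and adding a sentence that separates what 1.21 restricts from what is so far only warned about, so an operator reading the notes can tell whether the allow_des3 and allow_rc4 settings are needed for their realm. In the PAC section above it, "upgraded across versions 1.20 or 1.21" is terse for a mixed-version warning; stating that a realm whose KDCs sit on different sides of either boundary will see S4U requests rejected would be clearer.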
@@ -253,6 +265,7 @@ reports, suggestions, and valuable resources:
Peter Eriksson
Juha Erkkilä
Gilles Espinasse
+ Sergey Fedorov
Ronni Feldt
Bill Fellows
JC Ferguson
@@ -300,6 +313,7 @@ reports, suggestions, and valuable resources:
Brian Johannesmeyer
Joel Johnson
Lutz Justen
+ Ganesh Kamath
Alexander Karaivanov
Anders Kaseorg
Bar Katz
@@ -433,10 +447,9 @@ reports, suggestions, and valuable resources:
Tianjiao Yin
Nickolai Zeldovich
Bean Zhang
+ ChenChen Zhou
Hanz van Zijst
Gertjan Zwartjes
The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
-Other acknowledgments (for bug reports and patches) are in the
-doc/CHANGES file.
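Review bot: The last two removed lines of this hunk drop the sentence pointing readers to doc/CHANGES for other acknowledgments, which is unrelated to the contributor additions and is not mentioned in the commit message ("Updates for krb5-1.22-prerelease"). If the removal is intentional, note the reason in the commit message or move it to its own commit; otherwise restore the two lines.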
diff --git a/src/patchlevel.h b/src/patchlevel.h
index 6dc08ab15..8e80715a5 100644
--- a/src/patchlevel.h
+++ b/src/patchlevel.h
@@ -50,7 +50,7 @@
* organization.
*/
#define KRB5_MAJOR_RELEASE 1
-#define KRB5_MINOR_RELEASE 21
+#define KRB5_MINOR_RELEASE 22
#define KRB5_PATCHLEVEL 0
#define KRB5_RELTAIL "prerelease"
/* #undef KRB5_RELDATE */