krb5 commit: Update features list for 1.22
ghudson at mit.edu
Tue Aug 20 17:20:43 EDT 2024
https://github.com/krb5/krb5/commit/6cbd45486eb0b7814377a3864aaa298d171b3134
commit 6cbd45486eb0b7814377a3864aaa298d171b3134
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Aug 20 16:43:07 2024 -0400
Update features list for 1.22
doc/mitK5features.rst | 49 +++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 47 insertions(+), 2 deletions(-)
diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst
index 10effcf17..a3679354f 100644
--- a/doc/mitK5features.rst
+++ b/doc/mitK5features.rst
@@ -19,8 +19,8 @@ Quick facts
License - :ref:`mitK5license`
Releases:
- - Latest stable: https://web.mit.edu/kerberos/krb5-1.20/
- - Supported: https://web.mit.edu/kerberos/krb5-1.19/
+ - Latest stable: https://web.mit.edu/kerberos/krb5-1.22/
+ - Supported: https://web.mit.edu/kerberos/krb5-1.21/
- Release cycle: approximately 12 months
Supported platforms \/ OS distributions:
@@ -685,6 +685,51 @@ Release 1.21
- Improved the test framework's detection of memory errors in daemon
processes when used with asan.
+Release 1.21
+
+* User experience:
+
+ - The libdefaults configuration variable "request_timeout" can be
+ set to limit the total timeout for KDC requests. When making a
+ KDC request, the client will now wait indefinitely (or until the
+ request timeout has elapsed) on a KDC which accepts a TCP
+ connection, without contacting any additional KDCs. Clients will
+ make fewer DNS queries in some configurations.
+
+ - The realm configuration variable "sitename" can be set to cause
+ the client look for site-specific DNS records when making KDC
+ requests.
+
+* Developer experience:
+
+ - The profile library supports the modification of empty profiles
+ and the copying of modified profiles, making it possible to
+ construct an in-memory profile and pass it to
+ krb5_init_context_profile().
+
+ - GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
+ gss_init_sec_context() to request strict enforcement of channel
+ bindings by the acceptor.
+
+* Protocol evolution:
+
+ - PKINIT has support for elliptic curve client certificates and for
+ ECDH key exchange.
+
+ - The IAKERB implementation has been changed to comply with the
+ standard.
+
+* Code quality:
+
+ - Old-style function declarations have been removed, to accomodate
+ compilers removing support for them.
+
+ - OSS-Fuzz support has been added to the project's continuous
+ integration infrastructure.
+
+ - GSS per-message token parsing code has been rewritten for improved
+ safety.
+
`Pre-authentication mechanisms`
- PW-SALT :rfc:`4120#section-5.2.7.3`
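Review bot: The added section heading at the top of this hunk reads "Release 1.21", the same as the existing section named in the hunk header, while the commit subject says the list is being updated for 1.22; the heading should presumably be "Release 1.22". Two wording slips in the added text: "cause the client look for" in the "sitename" item is missing "to" ("cause the client to look for"), and "accomodate" in the Code quality item should be "accommodate". The "request_timeout" item could also say what applies when the variable is unset, since the text states that the client now waits indefinitely on a KDC which accepts a TCP connection without contacting additional KDCs.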