krb5-1.10.5 is released
Tom Yu
tlyu at MIT.EDU
Thu Apr 18 16:55:10 EDT 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.10.5. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.10.5
====================================
You may retrieve the Kerberos 5 Release 1.10.5 source from the
following URL:
http://web.mit.edu/kerberos/dist/
The homepage for the krb5-1.10.5 release is:
http://web.mit.edu/kerberos/krb5-1.10/
Further information about Kerberos 5 may be found at the following
URL:
http://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site:
http://www.kerberos.org/
DES transition
==============
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
- From using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
Major changes in krb5-1.10.5 (2013-04-17)
=========================================
This is a bugfix release. The krb5-1.10 release series is in
maintenance, and for new deployments, installers should prefer the
krb5-1.11 release series or later.
* Fix KDC null pointer dereference in TGS-REQ handling [CVE-2013-1416]
* Incremental propagation could erroneously act as if a slave's
database were current after the slave received a full dump that
failed to load.
Major changes in krb5-1.10.4 (2013-03-01)
=========================================
This is a bugfix release.
* Fix null PKINIT pointer dereference vulnerabilities [CVE-2012-1016,
CVE-2013-1415]
* Prevent the KDC from returning a host-based service principal
referral to the local realm.
Major changes in 1.10.3 (2012-08-08)
====================================
This is a bugfix release.
* Fix KDC uninitialized pointer vulnerabilities that could lead to a
denial of service [CVE-2012-1014] or remote code execution
[CVE-2012-1015].
* Correctly use default_tgs_enctypes instead of default_tkt_enctypes
for TGS requests.
Major changes in 1.10.2 (2012-05-31)
====================================
This is a bugfix release.
* Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
Controllers.
* Update a workaround for a glibc bug that would cause DNS PTR queries
to occur even when rdns = false.
* Fix a kadmind denial of service issue (null pointer dereference),
which could only be triggered by an administrator with the "create"
privilege. [CVE-2012-1013]
Major changes in 1.10.1 (2012-03-08)
====================================
This is a bugfix release.
* Fix access controls for KDB string attributes [CVE-2012-1012]
* Make the ASN.1 encoding of key version numbers interoperate with
Windows Read-Only Domain Controllers
* Avoid generating spurious password expiry warnings in cases where
the KDC sends an account expiry time without a password expiry time.
Major changes in 1.10 (2012-01-27)
==================================
Additional background information on these changes may be found at
http://k5wiki.kerberos.org/wiki/Release_1.10
and
http://k5wiki.kerberos.org/wiki/Category:Release_1.10_projects
Code quality:
* Fix MITKRB5-SA-2011-006 and MITKRB5-SA-2011-007 KDC denial of
service vulnerabilities [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529
CVE-2011-1530].
* Update the Fortuna implementation to more accurately implement the
description in _Cryptography Engineering_, and make it the default
PRNG.
* Add an alternative PRNG that relies on the OS native PRNG.
Developer experience:
* Add the ability for GSSAPI servers to use any keytab key for a
specified service, if the server specifies a host-based name with no
hostname component.
* In the build system, identify the source files needed for
per-message processing within a kernel and ensure that they remain
independent.
* Allow rd_safe and rd_priv to ignore the remote address.
* Rework KDC and kadmind networking code to use an event loop
architecture.
* Add a plugin interface for providing configuration information.
Administrator experience:
* Add more complete support for renaming principals.
* Add the profile variable ignore_acceptor_hostname in libdefaults. If
set, GSSAPI will ignore the hostname component of acceptor names
supplied by the server, allowing any keytab key matching the service
to be used.
* Add support for string attributes on principal entries.
* Allow password changes to work over NATs.
End-user experience:
* Add the DIR credential cache type, which can hold a collection of
credential caches.
* Enhance kinit, klist, and kdestroy to support credential cache
collections if the cache type supports it.
* Add the kswitch command, which changes the selected default cache
within a collection.
* Add heuristic support for choosing client credentials based on the
service realm.
* Add support for $HOME/.k5identity, which allows credential choice
based on configured rules.
* Add support for localization. (No translations are provided in this
release, but the infrastructure is present for redistributors to
supply them.)
Protocol evolution:
* Make PKINIT work with FAST in the client library.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (SunOS)
iQEVAwUBUXBdsRUCTNN0nXiJAQKEDwf/e12AWppxEgl9fuYJ4HOhkrlVjPSPRQBs
2XsaA5ZkMAnyfa3GePWbl4JwTCyXOgmq6QalM+RNJ8UOTfGiKCkyqLoza0IODcqm
jRBGWtYWFIKYjSS5oXG67Z53FC9IAVOH0vlC9F5MDaT+lZtrQAzN0BCN+fcg7MDG
zW29nXtaXZNjgEwlAeSv5fZweBUdDY5sq3TZDbXIa1G9Fn5slkz2TvXuHhE4vsWM
QItKtAMzdumtoDvsNpRWG+w6n8sCAx/bgM4tFV087FNrPIJZhMUuStrn/tAIoNX9
oeHG1TEcY7SD8+Ge25b2nwmz5+JVJhZc5Cnrza8dXGKTWg2Uw9ZYEA==
=xqnW
-----END PGP SIGNATURE-----
More information about the kerberos-announce
mailing list