krb5-1.11.6 is released
Tom Yu
tlyu at mit.edu
Wed Feb 25 18:48:15 EST 2015
The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.11.6. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.11.6
====================================
You may retrieve the Kerberos 5 Release 1.11.6 source from the
following URL:
http://web.mit.edu/kerberos/dist/
The homepage for the krb5-1.11.6 release is:
http://web.mit.edu/kerberos/krb5-1.11/
Further information about Kerberos 5 may be found at the following
URL:
http://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site:
http://www.kerberos.org/
DES transition
==============
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
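As an added illustration (not part of the announcement), the two krb5.conf
[libdefaults] fragments below show the weak setting beside the hardened one.
The variable name allow_weak_crypto and the AES enctype names are taken from
the krb5 documentation rather than from this page; the comments note which
state the announcement describes as the krb5-1.8 default.

```ini
# Fragment 1 (weak): explicitly re-enables single-DES enctypes such as
# des-cbc-crc and des-cbc-md5. Any site still carrying this line has
# opted out of the protection the announcement describes.
[libdefaults]
    allow_weak_crypto = true

# Fragment 2 (hardened): allow_weak_crypto = false is the built-in default
# since krb5-1.8, so the line is only a visible reminder; pinning the
# permitted and default enctype lists to AES additionally prevents a KDC
# or service from ever negotiating a DES session or ticket key.
[libdefaults]
    allow_weak_crypto = false
    permitted_enctypes    = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes  = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes  = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

Use one [libdefaults] section per file; the two fragments are shown together only for comparison.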
Major changes in 1.11.6 (2015-02-24)
====================================
This is a bugfix release. The krb5-1.11 release series has reached
the end of its maintenance period, and krb5-1.11.6 is the last planned
release in the krb5-1.11 series. For new deployments, installers
should prefer the krb5-1.13 release series or later.
* Work around a gcc optimizer bug that could cause DB2 KDC database
operations to spin in an infinite loop
* Fix a backward compatibility problem with the LDAP KDB schema that
could prevent krb5-1.11 and later from decoding entries created by
krb5-1.6.
* Handle certain invalid RFC 1964 GSS tokens correctly to avoid
invalid memory reference vulnerabilities. [CVE-2014-4341
CVE-2014-4342]
* Fix memory management vulnerabilities in GSSAPI SPNEGO.
[CVE-2014-4343 CVE-2014-4344]
* Fix buffer overflow vulnerability in LDAP KDB back end.
[CVE-2014-4345]
* Fix multiple vulnerabilities in the LDAP KDC back end.
[CVE-2014-5354 CVE-2014-5353]
* Fix multiple kadmind vulnerabilities, some of which are based in the
gssrpc library. [CVE-2014-5352 CVE-2014-9421 CVE-2014-9422
CVE-2014-9423]
Major changes in 1.11.5 (2014-01-21)
====================================
* Make KDC log service principal names more consistently during some
error conditions, instead of "<unknown server>"
* Fix some GSSAPI bugs.
* Improve documentation.
Major changes in 1.11.4 (2013-11-04)
====================================
This is a bugfix release.
* Fix a KDC null pointer dereference [CVE-2013-1417] that could affect
realms with an uncommon configuration.
* Fix a KDC null pointer dereference [CVE-2013-1418] that could affect
KDCs that serve multiple realms.
* Fix a number of bugs related to KDC master key rollover.
Major changes in 1.11.3 (2013-06-03)
====================================
This is a bugfix release.
* Fix a UDP ping-pong vulnerability in the kpasswd (password changing)
service. [CVE-2002-2443]
* Improve interoperability with some Windows native PKINIT clients.
Major changes in 1.11.2 (2013-04-12)
====================================
This is a bugfix release.
* Incremental propagation could erroneously act as if a slave's
database were current after the slave received a full dump that
failed to load.
* gss_import_sec_context incorrectly set internal state that
identifies whether an imported context is from an interposer
mechanism or from the underlying mechanism.
Major changes in 1.11.1 (2013-02-21)
====================================
This is a bugfix release.
* Restore capability for multi-hop SAM-2 preauth exchanges, which
krb5-1.11 had inadvertently removed.
* Fix a null pointer dereference in the KDC PKINIT code
[CVE-2013-1415].
Major changes in 1.11 (2012-12-17)
==================================
Additional background information on these changes may be found at
http://k5wiki.kerberos.org/wiki/Release_1.11
and
http://k5wiki.kerberos.org/wiki/Category:Release_1.11_projects
Code quality:
* Improve ASN.1 support code, making it table-driven for decoding as
well as encoding
* Refactor parts of KDC
Developer experience:
* Documentation consolidation
* Add a new API krb5_kt_have_content() to determine whether a keytab
exists and contains any entries.
* Add a new API krb5_cccol_have_content() to determine whether the
ccache collection contains any credentials.
* Add a new API krb5_kt_client_default() to resolve the default client
keytab.
* Add new APIs gss_export_cred and gss_import_cred to serialize and
unserialize GSSAPI credentials.
* Add a krb5_get_init_creds_opt_set_in_ccache() option.
* Add get_cc_config() and set_cc_config() clpreauth callbacks for
getting string attribute values from an in_ccache and storing them
in an out_ccache, respectively.
* Add a plugin interface for GSSAPI interposer mechanisms.
* Add an optional responder callback to the krb5_get_init_creds
functions. The responder callback can consider and answer all
preauth-related questions at once, and can process more complicated
questions than the prompter.
* Add a method to the clpreauth interface to allow modules to supply
response items for consideration by the responder callback.
* Projects/Password_response_item
* Add GSSAPI extensions to allow callers to specify credential store
locations when acquiring or storing credentials
Administrator experience:
* Documentation consolidation
* Add parameter expansion for default_keytab_name and
default_client_keytab_name profile variables.
* Add new default_ccache_name profile variable to override the
built-in default credential cache name.
* Add configure-time support for changing the built-in ccache and
keytab names.
* Add krb5-config options for displaying the built-in ccache and
keytab names.
* In the default build, use the system's built-in ccache and keytab
names if they can be discovered using krb5-config.
* Add support for a "default client keytab". Its location is
determined by the KRB5_CLIENT_KTNAME environment variable, the
default_client_keytab profile relation, or a hardcoded path (TBD).
* GSSAPI initiator applications can now acquire credentials
automatically from the default client keytab, if one is available.
* Add client support for FAST OTP (RFC 6560)
End-user experience:
* Documentation consolidation
* Store metadata in the ccache about how a credential was acquired, to
improve the user's experience when reacquiring
* Projects/Extensible_Policy
Performance:
* Improve KDC lookaside cache performance
Protocol evolution:
* Add client support for FAST OTP (RFC 6560)
* Build Camellia encryption support by default