krb5-1.14.6 is released
Greg Hudson
ghudson at mit.edu
Mon Sep 25 13:47:26 EDT 2017
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.14.6. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.14.6
====================================
You may retrieve the Kerberos 5 Release 1.14.6 source from the
following URL:
http://web.mit.edu/kerberos/dist/
The homepage for the krb5-1.14.6 release is:
http://web.mit.edu/kerberos/krb5-1.14/
Further information about Kerberos 5 may be found at the following
URL:
http://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site:
http://www.kerberos.org/
DES transition
==============
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
Major changes in 1.14.6 (2017-09-25)
====================================
This is a bug fix release.
* Fix a KDC denial of service vulnerability caused by unset status
strings [CVE-2017-11368]
* Preserve GSS contexts on init/accept failure [CVE-2017-11462]
* Fix kadm5 setkey operation with LDAP KDB module
* Use a ten-second timeout after successful connection for HTTPS KDC
requests, as we do for TCP requests
* Fix client null dereference when KDC offers encrypted challenge
without FAST
Major changes in 1.14.5 (2017-03-02)
====================================
This is a bug fix release.
* Fix udp_preference_limit when the KDC location is configured with
SRV records
* Fix the processing of PKINIT certificate matching rules which have
two components and no explicit relation
* More reliably scrub secret data from memory when it is no longer
needed
* Fix a bug which could cause KDC handling of OTP requests to fail
until the KDC is restarted
* Fix PKINIT client with certain PKCS#11 middleware
* Improve documentation
Major changes in 1.14.4 (2016-09-13)
====================================
This is a bug fix release.
* Fix some rare btree data corruption bugs
* Fix numerous minor memory leaks
* Improve portability (Linux-ppc64el, FreeBSD)
* Improve some error messages
* Improve documentation
Major changes in 1.14.3 (2016-07-20)
====================================
This is a bug fix release.
* Improve some error messages
* Improve documentation
* Allow a principal with nonexistent policy to bypass the minimum
password lifetime check, consistent with other aspects of
nonexistent policies
* Fix a rare KDC denial of service vulnerability when anonymous client
principals are restricted to obtaining TGTs only [CVE-2016-3120]
Major changes in 1.14.2 (2016-04-18)
====================================
This is a bug fix release.
* Fix a moderate-severity vulnerability in the LDAP KDC back end that
could be exploited by a privileged kadmin user [CVE-2016-3119]
* Improve documentation
* Fix some interactions with GSSAPI interposer mechanisms
Major changes in 1.14.1 (2016-02-29)
====================================
* Fix some moderate-severity vulnerabilities [CVE-2015-8629,
CVE-2015-8630, CVE-2015-8631] in kadmind.
* Improve behavior on hosts with long hostnames.
* Avoid spurious failures when doing normal kprop to heavily loaded
slave KDCs.
Major changes in 1.14 (2015-11-20)
==================================
Administrator experience:
* Add a new kdb5_util tabdump command to provide reporting-friendly
tabular dump formats (tab-separated or CSV) for the KDC database.
Unlike the normal dump format, each output table has a fixed number
of fields. Some tables include human-readable forms of data that
are opaque in ordinary dump files. This format is also suitable for
importing into relational databases for complex queries.
* Add support to kadmin and kadmin.local for specifying a single
command line following any global options, where the command
arguments are split by the shell--for example, "kadmin getprinc
principalname". Commands issued this way do not prompt for
confirmation or display warning messages, and exit with non-zero
status if the operation fails.
* Accept the same principal flag names in kadmin as we do for the
default_principal_flags kdc.conf variable, and vice versa. Also
accept flag specifiers in the form that kadmin prints, as well as
hexadecimal numbers.
* Remove the triple-DES and RC4 encryption types from the default
value of supported_enctypes, which determines the default key and
salt types for new password-derived keys. By default, keys will
only created only for AES128 and AES256. This mitigates some types
of password guessing attacks.
* Add support for directory names in the KRB5_CONFIG and
KRB5_KDC_PROFILE environment variables.
* Add support for authentication indicators, which are ticket
annotations to indicate the strength of the initial authentication.
Add support for the "require_auth" string attribute, which can be
set on server principal entries to require an indicator when
authenticating to the server.
* Add support for key version numbers larger than 255 in keytab files,
and for version numbers up to 65535 in KDC databases.
* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
during pre-authentication, corresponding to the client's most
preferred encryption type.
* Add support for server name identification (SNI) when proxying KDC
requests over HTTPS.
* Add support for the err_fmt profile parameter, which can be used to
generate custom-formatted error messages.
Code quality:
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
[CVE-2015-2698]
* Fix build_principal memory bug that could cause a KDC
crash. [CVE-2015-2697]
Developer experience:
* Change gss_acquire_cred_with_password() to acquire credentials into
a private memory credential cache. Applications can use
gss_store_cred() to make the resulting credentials visible to other
processes.
* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
IAKERB or for non-standard variants of the krb5 mechanism OID unless
explicitly requested. (SPNEGO will still accept the Microsoft
variant of the krb5 mechanism OID during negotiation.)
* Change gss_accept_sec_context() not to accept tokens for IAKERB or
for non-standard variants of the krb5 mechanism OID unless an
acceptor credential is acquired for those mechanisms.
* Change gss_acquire_cred() to immediately resolve credentials if the
time_rec parameter is not NULL, so that a correct expiration time
can be returned. Normally credential resolution is delayed until
the target name is known.
* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
which can be used by plugin modules or applications to add prefixes
to existing detailed error messages.
* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
implement the RFC 6113 PRF+ operation and key derivation using PRF+.
* Add support for pre-authentication mechanisms which use multiple
round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
interface; these callbacks can be used to save marshalled state
information in an encrypted cookie for the next request.
* Add a client_key() callback to the kdcpreauth interface to retrieve
the chosen client key, corresponding to the ETYPE-INFO2 entry sent
by the KDC.
* Add an add_auth_indicator() callback to the kdcpreauth interface,
allowing pre-authentication modules to assert authentication
indicators.
* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
suppress sending the confidentiality and integrity flags in GSS
initiator tokens unless they are requested by the caller. These
flags control the negotiated SASL security layer for the Microsoft
GSS-SPNEGO SASL mechanism.
* Make the FILE credential cache implementation less prone to
corruption issues in multi-threaded programs, especially on
platforms with support for open file description locks.
Performance:
* On slave KDCs, poll the master KDC immediately after processing a
full resync, and do not require two full resyncs after the master
KDC's log file is reset.
User experience:
* Make gss_accept_sec_context() accept tickets near their expiration
but within clock skew tolerances, rather than rejecting them
immediately after the server's view of the ticket expiration time.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBWclA3Qy6CFdfg3LfAQIPuA/9HfNdt7GV3PYVvSwwTGIvePN20PkEZtBz
y607/JNuMbx8S6xgouN80S2c/8mdA/e4Yj2+Np0Z/u3/1c+cJHUaQAev9nKUcrsM
oVlHLfx3257CZKEie6ebpeQ/jJV5bXgVFgAu8Zwok0osvsZrGkAPGaVcYjI0q+PM
pS/X0WU6ZtXK/YsPR7OzJLo53dzcq5QeVcBuoToCM3lkqQawWDyBWlHyNinCYpTo
7qLMVEye/aYGmZPyW+geRk790lNh65dYKluv3bbGybzEGmC+RAfvhqoyft34Cywn
z10wrwW9QMzxlAYTFVd9EX39Nhl1Udlu2lq5dkXGNlMR/PvZREI8zpI2JdYOrc13
qjca7412am8xGdU0ua2+LSStcf0cBq46YAmhyWeaC/6avQAhdRHwbVgi4zkW7xLF
AWerYDqG7iLnNIoZhjjKePRCdgE1Y9zsWfFSiebEEeDNEnP3H/d7T7iREiqfx4EY
/TJo1Yrxb8oKRhJLFPk0U3wPYu5WM16nqpjcM1S2f/lPZ0ljlAsmeVo5RYjCCIby
ILvqdbtxMXQkJzmTLhjMzaNewMmqCCxqI23aXZnlmcnCDzMTSVddKzePYALrYopa
XIvWDjdOOlaexibchXV0HolTmkgDbLwD53vKHrwKVKBl1ptJpJa1laZrNCm7TAxD
d8WQ4o8HgeY=
=l2Yl
-----END PGP SIGNATURE-----
More information about the kerberos-announce
mailing list