krb5-1.16.4 is released

Greg Hudson ghudson at mit.edu
Thu Dec 12 00:24:51 EST 2019 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.16.4.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.16.4
====================================

You may retrieve the Kerberos 5 Release 1.16.4 source from the
following URL:

        https://kerberos.org/dist/

The homepage for the krb5-1.16.4 release is:

        http://web.mit.edu/kerberos/krb5-1.16/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        https://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.16.4 (2019-12-11)
====================================

This is a bug fix release.

* Fix a bug preventing "addprinc -randkey -kvno" from working in
  kadmin.
  
Major changes in 1.16.3 (2019-01-07)
====================================

This is a bug fix release.

* Fix a regression in the MEMORY credential cache type which could
  cause client programs to crash.

* MEMORY credential caches will not be listed in the global
  collection, with the exception of the default credential cache if it
  is of type MEMORY.

* Remove an incorrect assertion in the KDC which could be used to
  cause a crash [CVE-2018-20217].

Major changes in 1.16.2 (2018-11-01)
====================================

This is a bug fix release.

* Fix bugs with concurrent use of MEMORY ccache handles.

* Fix a KDC crash when falling back between multiple OTP tokens
  configured for a principal entry.

* Fix memory bugs when gss_add_cred() is used to create a new
  credential, and fix a bug where it ignores the desired_name.

* Fix the behavior of gss_inquire_cred_by_mech() when the credential
  does not contain an element of the requested mechanism.

* Make cross-realm S4U2Self requests work on the client when no
  default_realm is configured.

* Add a kerberos(7) man page containing documentation of the
  environment variables that affect Kerberos programs.

Major changes in 1.16.1 (2018-05-03)
====================================

This is a bug fix release.

* Fix flaws in LDAP DN checking, including a null dereference KDC
  crash which could be triggered by kadmin clients with administrative
  privileges [CVE-2018-5729, CVE-2018-5730].

* Fix a KDC PKINIT memory leak.

* Fix a small KDC memory leak on transited or authdata errors when
  processing TGS requests.

* Fix a regression in pkinit_cert_match matching of client
  certificates containing Microsoft UPN SANs.

* Fix a null dereference when the KDC sends a large TGS reply.

* Fix "kdestroy -A" with the KCM credential cache type.

* Allow validation of Microsoft PACs containing enterprise names.

* Fix the handling of capaths "." values.

* Fix handling of repeated subsection specifications in profile files
  (such as when multiple included files specify relations in the same
  subsection).

Major changes in 1.16 (2017-12-05)
==================================

Administrator experience:

* The KDC can match PKINIT client certificates against the
  "pkinit_cert_match" string attribute on the client principal entry,
  using the same syntax as the existing "pkinit_cert_match" profile
  option.

* The ktutil addent command supports the "-k 0" option to ignore the
  key version, and the "-s" option to use a non-default salt string.

* kpropd supports a --pid-file option to write a pid file at startup,
  when it is run in standalone mode.

* The "encrypted_challenge_indicator" realm option can be used to
  attach an authentication indicator to tickets obtained using FAST
  encrypted challenge pre-authentication.

* Localization support can be disabled at build time with the
  --disable-nls configure option.

Developer experience:

* The kdcpolicy pluggable interface allows modules control whether
  tickets are issued by the KDC.

* The kadm5_auth pluggable interface allows modules to control whether
  kadmind grants access to a kadmin request.

* The certauth pluggable interface allows modules to control which
  PKINIT client certificates can authenticate to which client
  principals.

* KDB modules can use the client and KDC interface IP addresses to
  determine whether to allow an AS request.

* GSS applications can query the bit strength of a krb5 GSS context
  using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
  gss_inquire_sec_context_by_oid().

* GSS applications can query the impersonator name of a krb5 GSS
  credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
  gss_inquire_cred_by_oid().

* kdcpreauth modules can query the KDC for the canonicalized requested
  client principal name, or match a principal name against the
  requested client principal name with canonicalization.

Protocol evolution:

* The client library will continue to try pre-authentication
  mechanisms after most failure conditions.

* The KDC will issue trivially renewable tickets (where the renewable
  lifetime is equal to or less than the ticket lifetime) if requested
  by the client, to be friendlier to scripts.

* The client library will use a random nonce for TGS requests instead
  of the current system time.

* For the RC4 string-to-key or PAC operations, UTF-16 is supported
  (previously only UCS-2 was supported).

* When matching PKINIT client certificates, UPN SANs will be matched
  correctly as UPNs, with canonicalization.

User experience:

* Dates after the year 2038 are accepted (provided that the platform
  time facilities support them), through the year 2106.

* Automatic credential cache selection based on the client realm will
  take into account the fallback realm and the service hostname.

* Referral and alternate cross-realm TGTs will not be cached, avoiding
  some scenarios where they can be added to the credential cache
  multiple times.

* A German translation has been added.

Code quality:

* The build is warning-clean under clang with the configured warning
  options.

* The automated test suite runs cleanly under AddressSanitizer.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJd8c6kAAoJEAy6CFdfg3LfsEAQAMyCboreo/neZDY0TDWyWZ+9
LmhSGy6YhJNgKbWupqhqqvfTGX/4M02pv5A1z/t6DGcZNf+/OfOpqGQ+9s+YF3PD
rhR0WF5qaQzuGrzdpa2NROGcLnrJj5fqEz8DokQ6WlCfFwCQ6PRw3AeCU3tMKvWX
09gXdxFL0JmWyfdkluCRAV+edGmiMaUQSXCZz9KubRxeBzS2FqN3YyzksGiRx2kE
gQ1VckWoZPy51ahvXkZS5Nlm9QKBAXFw4pnrCX4IAqXWJFVIdzaHMMEdNtRcT5uU
e5Gi2uZ6OetzywhKj7yMy8X0T0lcTH7/wnsGuXafDGT59yrw0PZYWvucSiTEUTpI
JymkcOmpmaKc8t6lsBOh51053KzhBvJy7T8tm7SkaI4YS1sy7bCqvar+j/PA+i/S
zOONxpq9FHVb4BeQh6kKlAs495UuG8budnVsBITgqeFogI66vLVLQcxZUHlb8DA2
+jpPpW2lWWbFcz0A2z4JAwUf4LzwO0EFTaI0vxoIvdIalrZtcTCLuf3+GJuHWPvu
UkIJc1uoej2izSA2Uv4eIRZh0lUC15JfVrBGOe2PkzAO/ULUSqSbpc+NhrpgsRrt
tIAApnY63VBPBSzbGjG03JhRmiiT9CFOFcFZ+yIeKzZFV5lZH56i6vc1kh5ixNjG
7HBn4+70YQ7HX2Gto27F
=O3h1
-----END PGP SIGNATURE-----

More information about the kerberos-announce mailing list