krb5-1.18.2 is released

Greg Hudson ghudson at mit.edu
Fri May 22 12:34:14 EDT 2020 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.18.2.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.18.2
====================================

You may retrieve the Kerberos 5 Release 1.18.2 source from the
following URL:

        https://kerberos.org/dist/

The homepage for the krb5-1.18.2 release is:

        https://web.mit.edu/kerberos/krb5-1.18/

Further information about Kerberos 5 may be found at the following
URL:

        https://web.mit.edu/kerberos/


DES no longer supported
=======================

Beginning with the krb5-1.18 release, single-DES encryption types are
no longer supported.


Major changes in 1.18.2 (2020-05-21)
====================================

This is a bug fix release.

* Fix a SPNEGO regression where an acceptor using the default
  credential would improperly filter mechanisms, causing a negotiation
  failure.

* Fix a bug where the KDC would fail to issue tickets if the local
  krbtgt principal's first key has a single-DES enctype.

* Add stub functions to allow old versions of OpenSSL libcrypto to
  link against libkrb5.

* Fix a NegoEx bug where the client name and delegated credential
  might not be reported.

Major changes in 1.18.1 (2020-04-13)
====================================

This is a bug fix release.

* Fix a crash when qualifying short hostnames when the system has no
  primary DNS domain.

* Fix a regression when an application imports "service@" as a GSS
  host-based name for its acceptor credential handle.

* Fix KDC enforcement of auth indicators when they are modified by the
  KDB module.

* Fix removal of require_auth string attributes when the LDAP KDB
  module is used.

* Fix a compile error when building with musl libc on Linux.

* Fix a compile error when building with gcc 4.x.

* Change the KDC constrained delegation precedence order for
  consistency with Windows KDCs.

Major changes in 1.18 (2020-02-12)
==================================

Administrator experience:

* Remove support for single-DES encryption types.

* Change the replay cache format to be more efficient and robust.
  Replay cache filenames using the new format end with ".rcache2" by
  default.

* setuid programs will automatically ignore environment variables that
  normally affect krb5 API functions, even if the caller does not use
  krb5_init_secure_context().

* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
  credential forwarding during GSSAPI authentication unless the KDC
  sets the ok-as-delegate bit in the service ticket.

* Use the permitted_enctypes krb5.conf setting as the default value
  for default_tkt_enctypes and default_tgs_enctypes.

Developer experience:

* Implement krb5_cc_remove_cred() for all credential cache types.

* Add the krb5_pac_get_client_info() API to get the client account
  name from a PAC.

Protocol evolution:

* Add KDC support for S4U2Self requests where the user is identified
  by X.509 certificate.  (Requires support for certificate lookup from
  a third-party KDB module.)

* Remove support for an old ("draft 9") variant of PKINIT.

* Add support for Microsoft NegoEx.  (Requires one or more third-party
  GSS modules implementing NegoEx mechanisms.)

* Honor the transited-policy-checked ticket flag on application
  servers, eliminating the requirement to configure capaths on
  servers in some scenarios.

User experience:

* Add support for "dns_canonicalize_hostname=fallback""`, causing
  host-based principal names to be tried first without DNS
  canonicalization, and again with DNS canonicalization if the
  un-canonicalized server is not found.

* Expand single-component hostnames in host-based principal names when
  DNS canonicalization is not used, adding the system's first DNS
  search path as a suffix.  Add a "qualify_shortname" krb5.conf
  relation to override this suffix or disable expansion.

Code quality:

* The libkrb5 serialization code (used to export and import krb5 GSS
  security contexts) has been simplified and made type-safe.

* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
  messages has been revised to conform to current coding practices.

* The test suite has been modified to work with macOS System Integrity
  Protection enabled.

* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
  support can always be tested.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAl7H/sUACgkQDLoIV1+D
ct8sRRAAkSLkpUrOU7cMxFFDCds+ffAgMuKraNHGGje5Pp1Tij0KZPiaw3azrKMU
npw6WGgaYy3RuaWY/4K6DdQak1MePadgR4KjB0hm1FN88DlM3IiXv26Sf2E8/Lx0
MtF02/+iIR6bFnvQ2ZJSzDUC9AB+P6oBBh2loxZTnQWm7w+ClZaqeQeoYh2Xiudu
5w5hJEfiwZq6FaX/zvwFR7ySpQj6hYJoBgFlVHe5M0aFbNsozDf7Xv/OQunPLzsw
FZzAJPgy12UoeXmfxeRwSiM6VrJEQDUfbsNlf/LfOial+w2uErCC1G9JURBO9FAq
9/IFrFScEDSDyGey+KFlqqDBE7C4qDAjLT+iLDgdT71vuzBMR4OUeHEFJn8lEli1
veuzs1nz15QpKQU1IDYsepAo2myfblCJyxbcALFnLdqBQWlrmN01O2SPhK35e2Wp
Zoam6KqdT9xEcJIFV4O6tAT+3lAbxlYT3Gv9MT6NFhmTC8rn381OZ5SjMvYPaxKI
Zv4YJpEpJeu0uH+a1iado4m33iMQX88loyBRmhl2/nSda4cVLlduLC/dqwIHH8ns
rKjoXWH2pExwESgUk8xirE/h1E8IpTg0GBKVjMvwKHBXFMSoiakDbWmfBjhKMiAK
oQBjPnvDowlVpGgz1AsJif2JEdLzfKwCbWiKrphbypkvhN1YrlE=
=Dy8c
-----END PGP SIGNATURE-----

More information about the kerberos-announce mailing list