krb5-1.12.2 is released
Tom Yu
tlyu at MIT.EDU
Tue Aug 12 17:25:47 EDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.12.2. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.12.2
====================================
You may retrieve the Kerberos 5 Release 1.12.2 source from the
following URL:
http://web.mit.edu/kerberos/dist/
The homepage for the krb5-1.12.2 release is:
http://web.mit.edu/kerberos/krb5-1.12/
Further information about Kerberos 5 may be found at the following
URL:
http://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site:
http://www.kerberos.org/
DES transition
==============
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
- From using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
Major changes in 1.12.2 (2014-08-11)
====================================
* Work around a gcc optimizer bug that could cause DB2 KDC database
operations to spin in an infinite loop
* Fix a backward compatibility problem with the LDAP KDB schema that
could prevent krb5-1.11 and later from decoding entries created by
krb5-1.6.
* Avoid an infinite loop under some circumstances when the GSS
mechglue loads a dynamic mechanism.
* Fix krb5kdc argument parsing so "-w" and "-r" options work together
reliably.
* Handle certain invalid RFC 1964 GSS tokens correctly to avoid
invalid memory reference vulnerabilities. [CVE-2014-4341
CVE-2014-4342]
* Fix memory management vulnerabilities in GSSAPI SPNEGO.
[CVE-2014-4343 CVE-2014-4344]
* Fix buffer overflow vulnerability in LDAP KDB back end.
[CVE-2014-4345]
Major changes in 1.12.1 (2014-01-15)
====================================
* Make KDC log service principal names more consistently during some
error conditions, instead of "<unknown server>"
* Fix several bugs related to building AES-NI support on less common
configurations
* Fix several bugs related to keyring credential caches
Major changes in 1.12 (2013-12-10)
==================================
Developer experience:
* Add a plugin interface to control krb5_aname_to_localname and
krb5_kuserok behavior.
* Add a plugin interface to control hostname-to-realm mappings and the
default realm.
* Add GSSAPI extensions for constructing MIC tokens using IOV lists.
Administrator experience:
* Principal entries may now refer to the names of policies which do
not exist as policy objects in the database. Policy objects may now
be deleted whether or not principals reference their names. A
principal which references a nonexistent policy name will behave as
if it does not reference a policy.
* Add support for having no long-term keys for a principal. This can
be useful if the principal is only intended to be used with PKINIT
or OTP preauthentication.
* Add collection support to the KEYRING credential cache type on
Linux, and add support for persistent user keyrings and larger
credentials on systems which support them.
* Add a FAST OTP preauthentication module for the KDC which uses
RADIUS to validate OTP token values.
* Add an experimental pluggable interface for auditing KDC
processing. This interface may change in a backwards-incompatible
way in a future release.
Performance:
* The AES-based encryption types will use AES-NI instructions when
possible for improved performance.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEVAwUBU+qGWxUCTNN0nXiJAQIYLAgAjD9/Y4YYhOTgO5Gya0aXucuCtWfAYZT/
RsMdxaKWzbVyfi0jiLERNttaD6fNXJ+8ptM9KxsZIwY6gDoTOBYMZhPy2mxFHovE
wOTa9FXpjd6h17mHNNScKsKUkS9m4Xdgq4WcQY0Ap3C7Y5hG4rc07/iR31meFXuI
Di87k67EObqc7qY5fvJO+N+PbXdiN6a1OuYN4iEL4yskpTvMgnI/HjjXWXUHTLcT
VpUr3u5pMiceYKdVJakpnSecKNYIZaZgv3BM4vZ2TE6h4xorXtVXBWAuh+HNw9Fm
B3UCENeaeOyuP3BLo2q4ghfu6AwcT5+OLbPn2kVQ5oyiIN8ozI9h+g==
=zoZ2
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
More information about the Kerberos
mailing list