krb5-1.12.5 is released

Tom Yu tlyu at mit.edu
Wed Dec 16 17:23:49 EST 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.12.5.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.12.5
====================================

You may retrieve the Kerberos 5 Release 1.12.5 source from the
following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.12.5 release is:

        http://web.mit.edu/kerberos/krb5-1.12/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        http://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
- From using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.12.5 (2015-12-16)
====================================

This is a bugfix release.  The krb5-1.12 release series has reached
the end of its maintenance period, and krb5-1.12.5 is the last planned
release in the krb5-1.12 series.  For new deployments, installers
should prefer the krb5-1.14 release series or later.

* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
  could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
  [CVE-2015-2698]

* Fix build_principal memory bug that could cause a KDC
  crash. [CVE-2015-2697]

* Allow an iprop slave to receive full resyncs from KDCs running
  krb5-1.10 or earlier.

Major changes in 1.12.4 (2015-05-29)
====================================

This is a bugfix release.  The krb5-1.12 release series is in
maintenance, and for new deployments, installers should prefer the
krb5-1.13 release series or later.

* Fix a minor vulnerability in krb5_read_message, which is primarily
  used in the BSD-derived kcmd suite of applications.  [CVE-2014-5355]

* Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
  [CVE-2015-2694]

* Fix some issues with the LDAP KDC database back end.

* Fix an iteration-related memory leak in the DB2 KDC database back
  end.

* Fix issues with some less-used kadm5.acl functionality.

* Improve documentation.

Major changes in 1.12.3 (2015-02-18)
====================================

This is a bugfix release.  The krb5-1.12 release series is in
maintenance, and for new deployments, installers should prefer the
krb5-1.13 release series or later.

* Fix multiple vulnerabilities in the LDAP KDC back end.
  [CVE-2014-5354] [CVE-2014-5353]

* Fix multiple kadmind vulnerabilities, some of which are based in the
  gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
  CVE-2014-9422 CVE-2014-9423]

Major changes in 1.12.2 (2014-08-11)
====================================

* Work around a gcc optimizer bug that could cause DB2 KDC database
  operations to spin in an infinite loop

* Fix a backward compatibility problem with the LDAP KDB schema that
  could prevent krb5-1.11 and later from decoding entries created by
  krb5-1.6.

* Avoid an infinite loop under some circumstances when the GSS
  mechglue loads a dynamic mechanism.

* Fix krb5kdc argument parsing so "-w" and "-r" options work together
  reliably.

* Handle certain invalid RFC 1964 GSS tokens correctly to avoid
  invalid memory reference vulnerabilities.  [CVE-2014-4341
  CVE-2014-4342]

* Fix memory management vulnerabilities in GSSAPI SPNEGO.
  [CVE-2014-4343 CVE-2014-4344]

* Fix buffer overflow vulnerability in LDAP KDB back end.
  [CVE-2014-4345]

Major changes in 1.12.1 (2014-01-15)
====================================

* Make KDC log service principal names more consistently during some
  error conditions, instead of "<unknown server>"

* Fix several bugs related to building AES-NI support on less common
  configurations

* Fix several bugs related to keyring credential caches

Major changes in 1.12 (2013-12-10)
==================================

Developer experience:

* Add a plugin interface to control krb5_aname_to_localname and
  krb5_kuserok behavior.

* Add a plugin interface to control hostname-to-realm mappings and the
  default realm.

* Add GSSAPI extensions for constructing MIC tokens using IOV lists.

Administrator experience:

* Principal entries may now refer to the names of policies which do
  not exist as policy objects in the database.  Policy objects may now
  be deleted whether or not principals reference their names.  A
  principal which references a nonexistent policy name will behave as
  if it does not reference a policy.

* Add support for having no long-term keys for a principal. This can
  be useful if the principal is only intended to be used with PKINIT
  or OTP preauthentication.

* Add collection support to the KEYRING credential cache type on
  Linux, and add support for persistent user keyrings and larger
  credentials on systems which support them.

* Add a FAST OTP preauthentication module for the KDC which uses
  RADIUS to validate OTP token values.

* Add an experimental pluggable interface for auditing KDC
  processing. This interface may change in a backwards-incompatible
  way in a future release.

Performance:

* The AES-based encryption types will use AES-NI instructions when
  possible for improved performance.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQGcBAEBAgAGBQJWceR1AAoJEKMvF/0AVcMFEqQMAKIYu/b4XvNlGRsnB6UDbaS/
FlvQTwoHpWcthHRvBzVsJGCkbEI2umzLut3Y3StzUqRB9Mafg3GkSYuGf0g8QZc5
w4mHiJ76CpEJS7iK5XuZCmO3df8IX3LbOoT5wM/7ZyN0N7wCA6BdH5S7DRi8fUbe
iqQ5nDOWI8IMZ7UXOpkyVHkyz6dTvAtx4ylMmr8QtFcIOhf4JpsSiLh9htPpuv0b
/BmHGSjvgu170w8UgCqNecynyt5uTE7yUG9S2gMkWxmRClrx89A7PiRVrgPDV/Bm
d3HAMCJxyMvgtt/JoPdgQMV54ej3ef2JLu7bOOuDMtYK24vgtpV10B1R348Ijsr3
Kc+bCCdTXupo5klh8qpQ0lbfHyM9Yyk6dsUT0a9swbCvnMOPFl9ladVUDa9OqpC+
RNqgrRgGTd+TPpSN6HqTZAyLfPGjCpRqLOPmQhnHmw8NcWsGq3fNFwSaRL823W6u
Y0otA7es2pEFUGomVQt+CPmQUG35QtKgowawfAERzw==
=bhkQ
-----END PGP SIGNATURE-----

_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce

More information about the Kerberos mailing list