krb5-1.7-beta3 is available
Tom Yu
tlyu at MIT.EDU
Tue May 26 18:40:59 EDT 2009
MIT krb5-1.7-beta3 is now available for download from
http://web.mit.edu/kerberos/dist/
The main MIT Kerberos web page is
http://web.mit.edu/kerberos/
Please send comments to the krbdev list in the next week. We expect
to release around June 1. Changes since krb5-1.7-beta2 are:
+6486 t_pac fails on SPARC Solaris
+6488 NFS fails to work with KRB5 1.7
+6489 UCS2 support doesn't handle upper half of BMP
+6490 Windows interop with RC4 TGS-REQ subkeys
+6492 Remove spurious assertion in handle_authdata
+6493 some fixes for 1.7
+6495 Fix test rules for non-gmake make versions
+6496 Fix vector initialization error in KDC preauth code
+6497 kinit/fast usage message
+6498 spnego_mech.c syntax error under _GSS_STATIC_LINK
+6499 use printf format attribute only with gcc
+6500 use correct type for krb5_c_prf_length length arg
+6501 Temporarily disable FAST PKINIT for 1.7 release
+6502 typo in doc/api/krb5.tex
+6503 typo in admin.texinfo
Major changes in 1.7
--------------------
* Remove support for version 4 of the Kerberos protocol (krb4).
* New libdefaults configuration variable "allow_weak_crypto". NOTE:
Currently defaults to "true", but may default to "false" in a future
release. Setting this variable to "false" will have the effect of
removing weak enctypes (currently defined to be all single-DES
enctypes) from permitted_enctypes, default_tkt_enctypes, and
default_tgs_enctypes.
* Client library now follows client principal referrals, for
compatibility with Windows.
* KDC can issue realm referrals for service principals based on domain
names.
* Encryption algorithm negotiation (RFC 4537).
* In the replay cache, use a hash over the complete ciphertext to
avoid false-positive replay indications.
* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
similar to the equivalent SSPI functionality.
* DCE RPC, including three-leg GSS context setup and unencapsulated
GSS tokens.
* NTLM recognition support in GSS-API, to facilitate dropping in an
NTLM implementation.
* KDC support for principal aliases, if the back end supports them.
Currently, only the LDAP back end supports aliases.
* Microsoft set/change password (RFC 3244) protocol in kadmind.
* Incremental propagation support for the KDC database.
* Master key rollover support.
* Flexible Authentication Secure Tunneling (FAST), a preauthentication
framework that can protect the AS exchange from dictionary attack.
* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
allows a GSS application to request credential delegation only if
permitted by KDC policy.
* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
various vulnerabilities in SPNEGO and ASN.1 code.
For a more complete list of changes, please consult
http://krbdev.mit.edu/rt/NoAuth/krb5-1.7/fixed-1.7.html
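The effect of "allow_weak_crypto" described in the announcement, as an added example that is not part of the original message or of MIT's code: a simplified reader for the [libdefaults] section that reports which single-DES entries would be dropped from each enctype list. The enctype names, the accepted boolean spellings and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumption: the names MIT krb5 uses for its single-DES enctypes.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")
FALSE_WORDS = {"false", "no", "off", "0", "n", "f"}  # simplified boolean parsing

def libdefaults(conf_text):
    """Return the key/value pairs of the [libdefaults] section."""
    section, out = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank lines and comments
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit(conf_text):
    """Per enctype list: single-DES entries, and what remains once they are removed."""
    opts = libdefaults(conf_text)
    # The announcement says the variable currently defaults to "true".
    allow_weak = opts.get("allow_weak_crypto", "true").lower() not in FALSE_WORDS
    report = {"allow_weak_crypto": allow_weak, "lists": {}}
    for key in (k for k in ENCTYPE_KEYS if k in opts):
        names = re.split(r"[,\s]+", opts[key])
        weak = [n for n in names if n.lower() in SINGLE_DES]
        kept = [n for n in names if n.lower() not in SINGLE_DES]
        report["lists"][key] = {"weak": weak, "after_disable": kept,
                                "exposed": allow_weak and bool(weak)}
    return report

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc arcfour-hmac
    default_tkt_enctypes = des-cbc-md5, aes128-cts-hmac-sha1-96
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""

if __name__ == "__main__":
    for key, info in audit(SAMPLE)["lists"].items():
        print(key, info)
```

A list flagged "exposed" still offers single-DES because "allow_weak_crypto" is unset or true; "after_disable" shows the list as it would be with the variable set to "false".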