krb5-1.7-beta3 is available
tlyu at MIT.EDU
Tue May 26 18:40:59 EDT 2009
MIT krb5-1.7-beta3 is now available for download from
The main MIT Kerberos web page is
Please send comments to the krbdev list in the next week. We expect
to release around June 1. Changes since krb5-1.7-beta2 are:
+6486 t_pac fails on SPARC Solaris
+6488 NFS fails to work with KRB5 1.7
+6489 UCS2 support doesn't handle upper half of BMP
+6490 Windows interop with RC4 TGS-REQ subkeys
+6492 Remove spurious assertion in handle_authdata
+6493 some fixes for 1.7
+6495 Fix test rules for non-gmake make versions
+6496 Fix vector initialization error in KDC preauth code
+6497 kinit/fast usage message
+6498 spnego_mech.c syntax error under _GSS_STATIC_LINK
+6499 use printf format attribute only with gcc
+6500 use correct type for krb5_c_prf_length length arg
+6501 Temporarily disable FAST PKINIT for 1.7 release
+6502 typo in doc/api/krb5.tex
+6503 typo in admin.texinfo
Major changes in 1.7
* Remove support for version 4 of the Kerberos protocol (krb4).
* New libdefaults configuration variable "allow_weak_crypto". NOTE:
Currently defaults to "true", but may default to "false" in a future
release. Setting this variable to "false" will have the effect of
removing weak enctypes (currently defined to be all single-DES
enctypes) from permitted_enctypes, default_tkt_enctypes, and
* Client library now follows client principal referrals, for
compatibility with Windows.
* KDC can issue realm referrals for service principals based on domain
* Encryption algorithm negotiation (RFC 4537).
* In the replay cache, use a hash over the complete ciphertext to
avoid false-positive replay indications.
* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
similar to the equivalent SSPI functionality.
* DCE RPC, including three-leg GSS context setup and unencapsulated
* NTLM recognition support in GSS-API, to facilitate dropping in an
* KDC support for principal aliases, if the back end supports them.
Currently, only the LDAP back end supports aliases.
* Microsoft set/change password (RFC 3244) protocol in kadmind.
* Incremental propagation support for the KDC database.
* Master key rollover support.
* Flexible Authentication Secure Tunneling (FAST), a preauthentication
framework that can protect the AS exchange from dictionary attack.
* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
allows a GSS application to request credential delegation only if
permitted by KDC policy.
* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
various vulnerabilities in SPNEGO and ASN.1 code.
For a more complete list of changes, please consult
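
An added example, not part of the original announcement or of the krb5 distribution: a small audit of a krb5.conf [libdefaults] section for the "allow_weak_crypto" setting described above. It reports whether weak enctypes remain allowed and where single-DES enctypes are listed explicitly. The single-DES name list, the accepted boolean spellings, and the sample configuration are assumptions of this example.

```python
import re

# Single-DES enctype names as written in krb5.conf (assumed list for this example).
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des-cbc-raw", "des-hmac-sha1"}
# Enctype lists the announcement names as affected by allow_weak_crypto.
ENCTYPE_VARS = ("permitted_enctypes", "default_tkt_enctypes")

def parse_libdefaults(text):
    """Return the key/value relations found in the [libdefaults] section."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def audit(text):
    """Report whether weak enctypes are allowed and where single-DES is listed."""
    conf = parse_libdefaults(text)
    # The announcement states that the variable currently defaults to "true".
    setting = conf.get("allow_weak_crypto", "true").lower()
    # Boolean spellings treated as true (assumption of this example).
    allowed = setting in ("true", "yes", "on", "1", "t", "y")
    listed = {}
    for var in ENCTYPE_VARS:
        names = re.split(r"[\s,]+", conf.get(var, ""))
        weak = [n for n in names if n.lower() in SINGLE_DES]
        if weak:
            listed[var] = weak
    return {"weak_allowed": allowed, "single_des_listed": listed,
            "relying_on_default": "allow_weak_crypto" not in conf}

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
    default_tkt_enctypes = aes256-cts-hmac-sha1-96, des-cbc-md5, rc4-hmac
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```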