krb5-1.10-beta1 is available
tlyu at MIT.EDU
Wed Jan 11 20:03:08 EST 2012
MIT krb5-1.10-beta1 is now available for download from

The main MIT Kerberos web page is

Please send comments to the krbdev list. The final release will
probably occur later this month. The README file contains a more
extensive list of changes.

Major changes in krb5-1.10:
* Fix MITKRB5-SA-2011-006 and MITKRB5-SA-2011-007 KDC denial of service
vulnerabilities [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529
* Update the Fortuna implementation to more accurately implement the
description in _Cryptography Engineering_, and make it the default
* Add an alternative PRNG that relies on the OS native PRNG.
* Add the ability for GSSAPI servers to use any keytab key for a
specified service, if the server specifies a host-based name with no
* In the build system, identify the source files needed for
per-message processing within a kernel and ensure that they remain
* Allow rd_safe and rd_priv to ignore the remote address.
* Rework KDC and kadmind networking code to use an event loop
* Add a plugin interface for providing configuration information.
* Add more complete support for renaming principals.
* Add the profile variable ignore_acceptor_hostname in libdefaults. If
set, GSSAPI will ignore the hostname component of acceptor names
supplied by the server, allowing any keytab key matching the service
to be used.
* Add support for string attributes on principal entries.
* Allow password changes to work over NATs.
* Add the DIR credential cache type, which can hold a collection of
* Enhance kinit, klist, and kdestroy to support credential cache
collections if the cache type supports it.
* Add the kswitch command, which changes the selected default cache
within a collection.
* Add heuristic support for choosing client credentials based on the
* Add support for $HOME/.k5identity, which allows credential choice
based on configured rules.
* Add support for localization. (No translations are provided in this
release, but the infrastructure is present for redistributors to
* Make PKINIT work with FAST in the client library.