krb5-1.15.5 is released

Greg Hudson ghudson at
Mon Jan 7 17:53:46 EST 2019

Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.15.5.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.


You may retrieve the Kerberos 5 Release 1.15.5 source from the
following URL:

The homepage for the krb5-1.15.5 release is:

Further information about Kerberos 5 may be found at the following

and at the MIT Kerberos Consortium web site:

DES transition

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.15.5 (2019-01-07)

This is a bug fix release.

* Fix a regression in the MEMORY credential cache type which could
  cause client programs to crash.

* MEMORY credential caches will not be listed in the global
  collection, with the exception of the default credential cache if it
  is of type MEMORY.

* Remove an incorrect assertion in the KDC which could be used to
  cause a crash [CVE-2018-20217].

Major changes in 1.15.4 (2018-11-01)

This is a bug fix release.

* Fix bugs with concurrent use of MEMORY ccache handles.

* Fix a KDC crash when falling back between multiple OTP tokens
  configured for a principal entry.

* Fix memory bugs when gss_add_cred() is used to create a new
  credential, and fix a bug where it ignores the desired_name.

* Fix the behavior of gss_inquire_cred_by_mech() when the credential
  does not contain an element of the requested mechanism.

* Make cross-realm S4U2Self requests work on the client when no
  default_realm is configured.

Major changes in 1.15.3 (2018-05-03)

This is a bug fix release.

* Fix flaws in LDAP DN checking, including a null dereference KDC
  crash which could be triggered by kadmin clients with administrative
  privileges [CVE-2018-5729, CVE-2018-5730].

* Fix a KDC PKINIT memory leak.

* Fix a small KDC memory leak on transited or authdata errors when
  processing TGS requests.

* Fix a null dereference when the KDC sends a large TGS reply.

* Fix "kdestroy -A" with the KCM credential cache type.

* Fix the handling of capaths "." values.

* Fix handling of repeated subsection specifications in profile files
  (such as when multiple included files specify relations in the same

Major changes in 1.15.2 (2017-09-25)

This is a bug fix release.

* Fix a KDC denial of service vulnerability caused by unset status
  strings [CVE-2017-11368]

* Preserve GSS contexts on init/accept failure [CVE-2017-11462]

* Fix kadm5 setkey operation with LDAP KDB module

* Use a ten-second timeout after successful connection for HTTPS KDC
  requests, as we do for TCP requests

* Fix client null dereference when KDC offers encrypted challenge
  without FAST

* Ignore dotfiles when processing profile includedir directive

* Improve documentation

Major changes in 1.15.1 (2017-03-01)

This is a bug fix release.

* Allow KDB modules to determine how the e_data field of principal
  fields is freed

* Fix udp_preference_limit when the KDC location is configured with
  SRV records

* Fix KDC and kadmind startup on some IPv4-only systems

* Fix the processing of PKINIT certificate matching rules which have
  two components and no explicit relation

* Improve documentation

Major changes in 1.15 (2016-12-01)

Administrator experience:

* Improve support for multihomed Kerberos servers by adding options
  for specifying restricted listening addresses for the KDC and

* Add support to kadmin for remote extraction of current keys without
  changing them (requires a special kadmin permission that is excluded
  from the wildcard permission), with the exception of highly
  protected keys.

* Add a lockdown_keys principal attribute to prevent retrieval of the
  principal's keys (old or new) via the kadmin protocol.  In newly
  created databases, this attribute is set on the krbtgt and kadmin

* Restore recursive dump capability for DB2 back end, so sites can
  more easily recover from database corruption resulting from power
  failure events.

* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
 in addition to SRV records.  URI records can convey TCP and UDP
 servers and master KDC status in a single DNS lookup, and can also
 point to HTTPS proxy servers.

* Add support for password history to the LDAP back end.

* Add support for principal renaming to the LDAP back end.

* Use the getrandom system call on supported Linux kernels to avoid
  blocking problems when getting entropy from the operating system.

* In the PKINIT client, use the correct DigestInfo encoding for PKCS
  #1 signatures, so that some especially strict smart cards will work.

Code quality:

* Clean up numerous compilation warnings.

* Remove various infrequently built modules, including some preauth
  modules that were not built by default.

Developer experience:

* Add support for building with OpenSSL 1.1.

* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
  authenticators in the replay cache.  This helps sites that must
  build with FIPS 140 conformant libraries that lack MD5.

* Eliminate util/reconf and allow the use of autoreconf alone to
  regenerate the configure script.

Protocol evolution:

* Add support for the AES-SHA2 enctypes, which allows sites to conform
  to Suite B crypto requirements.
Version: GnuPG v1

kerberos-announce mailing list
kerberos-announce at

More information about the krbdev mailing list