Greg Hudson
2018-11-02 04:37:04 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.16.2. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.16.2
====================================
You may retrieve the Kerberos 5 Release 1.16.2 source from the
following URL:
https://kerberos.org/dist/
The homepage for the krb5-1.16.2 release is:
http://web.mit.edu/kerberos/krb5-1.16/
Further information about Kerberos 5 may be found at the following
URL:
http://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site:
https://www.kerberos.org/
DES transition
==============
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
Major changes in 1.16.2 (2018-11-01)
====================================
This is a bug fix release.
* Fix bugs with concurrent use of MEMORY ccache handles.
* Fix a KDC crash when falling back between multiple OTP tokens
configured for a principal entry.
* Fix memory bugs when gss_add_cred() is used to create a new
credential, and fix a bug where it ignores the desired_name.
* Fix the behavior of gss_inquire_cred_by_mech() when the credential
does not contain an element of the requested mechanism.
* Make cross-realm S4U2Self requests work on the client when no
default_realm is configured.
* Add a kerberos(7) man page containing documentation of the
environment variables that affect Kerberos programs.
Major changes in 1.16.1 (2018-05-03)
====================================
This is a bug fix release.
* Fix flaws in LDAP DN checking, including a null dereference KDC
crash which could be triggered by kadmin clients with administrative
privileges [CVE-2018-5729, CVE-2018-5730].
* Fix a KDC PKINIT memory leak.
* Fix a small KDC memory leak on transited or authdata errors when
processing TGS requests.
* Fix a regression in pkinit_cert_match matching of client
certificates containing Microsoft UPN SANs.
* Fix a null dereference when the KDC sends a large TGS reply.
* Fix "kdestroy -A" with the KCM credential cache type.
* Allow validation of Microsoft PACs containing enterprise names.
* Fix the handling of capaths "." values.
* Fix handling of repeated subsection specifications in profile files
(such as when multiple included files specify relations in the same
subsection).
Major changes in 1.16 (2017-12-05)
==================================
Administrator experience:
* The KDC can match PKINIT client certificates against the
"pkinit_cert_match" string attribute on the client principal entry,
using the same syntax as the existing "pkinit_cert_match" profile
option.
* The ktutil addent command supports the "-k 0" option to ignore the
key version, and the "-s" option to use a non-default salt string.
* kpropd supports a --pid-file option to write a pid file at startup,
when it is run in standalone mode.
* The "encrypted_challenge_indicator" realm option can be used to
attach an authentication indicator to tickets obtained using FAST
encrypted challenge pre-authentication.
* Localization support can be disabled at build time with the
--disable-nls configure option.
Developer experience:
* The kdcpolicy pluggable interface allows modules to control whether
tickets are issued by the KDC.
* The kadm5_auth pluggable interface allows modules to control whether
kadmind grants access to a kadmin request.
* The certauth pluggable interface allows modules to control which
PKINIT client certificates can authenticate to which client
principals.
* KDB modules can use the client and KDC interface IP addresses to
determine whether to allow an AS request.
* GSS applications can query the bit strength of a krb5 GSS context
using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
gss_inquire_sec_context_by_oid().
* GSS applications can query the impersonator name of a krb5 GSS
credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
gss_inquire_cred_by_oid().
* kdcpreauth modules can query the KDC for the canonicalized requested
client principal name, or match a principal name against the
requested client principal name with canonicalization.
Protocol evolution:
* The client library will continue to try pre-authentication
mechanisms after most failure conditions.
* The KDC will issue trivially renewable tickets (where the renewable
lifetime is equal to or less than the ticket lifetime) if requested
by the client, to be friendlier to scripts.
* The client library will use a random nonce for TGS requests instead
of the current system time.
* For the RC4 string-to-key or PAC operations, UTF-16 is supported
(previously only UCS-2 was supported).
* When matching PKINIT client certificates, UPN SANs will be matched
correctly as UPNs, with canonicalization.
User experience:
* Dates after the year 2038 are accepted (provided that the platform
time facilities support them), through the year 2106.
* Automatic credential cache selection based on the client realm will
take into account the fallback realm and the service hostname.
* Referral and alternate cross-realm TGTs will not be cached, avoiding
some scenarios where they can be added to the credential cache
multiple times.
* A German translation has been added.
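The 2038 item above only states the outcome (dates accepted through 2106). The following added example, which is not krb5 code, shows the edge case behind it: a timestamp stored as a 32-bit field reads as a negative number (a date in 1901) once it passes 2038-01-19T03:14:08Z if it is decoded as signed, and a ticket expiring in 2040 would then look long expired. Reading the same bits as unsigned extends the usable range to 2106-02-07T06:28:15Z. That krb5 reinterprets its 32-bit timestamps as unsigned is this example's assumption about the approach, not a statement from the announcement; the field layout, helper names and sample values are constructed for illustration.

```python
"""Added example: 32-bit timestamp fields before and after 2038.

Assumptions (not from the release notes): a big-endian 32-bit field holds a
Unix time, and the post-2038 fix consists of decoding it as unsigned rather
than signed. Function names are this example's own, not a krb5 API.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def pack_ts32(unix_time: int) -> bytes:
    """Store a Unix time in a constructed 32-bit big-endian field."""
    if not 0 <= unix_time <= 0xFFFFFFFF:
        raise ValueError("timestamp does not fit in 32 bits")
    return struct.pack(">I", unix_time)


def unpack_ts32_signed(field: bytes) -> int:
    """Pre-fix reading: the field is a signed 32-bit value (range 1901..2038)."""
    return struct.unpack(">i", field)[0]


def unpack_ts32_unsigned(field: bytes) -> int:
    """Post-fix reading: same bits as unsigned (range 1970..2106)."""
    return struct.unpack(">I", field)[0]


def to_iso(unix_time: int) -> str:
    """Render a Unix time as ISO-8601 UTC; timedelta copes with negative values."""
    return (EPOCH + timedelta(seconds=unix_time)).isoformat().replace("+00:00", "Z")


def ticket_expired(endtime_field: bytes, now: int, unsigned: bool = True) -> bool:
    """Expiry check as a consumer of the field would do it, with either decoding."""
    endtime = unpack_ts32_unsigned(endtime_field) if unsigned else unpack_ts32_signed(endtime_field)
    return now >= endtime


if __name__ == "__main__":
    rollover = 0x80000000           # first second past the signed 32-bit limit
    end_2040 = 2208988800           # constructed expiry: 2040-01-01T00:00:00Z
    now = 1600000000                # constructed "current time": 2020-09-13T12:26:40Z
    field = pack_ts32(end_2040)

    print("signed 32-bit limit     :", to_iso(0x7FFFFFFF))
    print("rollover, read signed   :", to_iso(unpack_ts32_signed(pack_ts32(rollover))))
    print("rollover, read unsigned :", to_iso(unpack_ts32_unsigned(pack_ts32(rollover))))
    print("unsigned 32-bit limit   :", to_iso(0xFFFFFFFF))
    print("2040 expiry, signed read -> expired?  ", ticket_expired(field, now, unsigned=False))
    print("2040 expiry, unsigned read -> expired?", ticket_expired(field, now, unsigned=True))
```

The practical consequence of the signed reading is not a wrong date display but a false "expired" result for any credential whose end time lies past January 2038, which is why the fix matters for long-lived tickets and keytab timestamps even today.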
Code quality:
* The build is warning-clean under clang with the configured warning
options.
* The automated test suite runs cleanly under AddressSanitizer.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJb29QpAAoJEAy6CFdfg3LfE5wQAJ3G6iia1TJIoj9i7p9+6Qv7
aAFLkg+MHlF6qS9jZhkm25uxYiI3nKfzggFjQca8nnQeBfar3hmtF7GcWjG4ZJB4
k9FMjL1gLIyDZQI94EAbCzp55tNz4njujDKObsU65dLuY6yze8ZmyzgHnHIyvwPb
Bhyy8cjb9f39hFYtI/Rn3IAsTIRRHL0UmDXpynMvOobK9NXDu0b1lEcEgdTwaGro
q/GLfcSXuaUNBAGL84fn8MT2NvyCmGCJTWzA2snsYo9gtIb/fdUDxH0wBIpE5uec
RhLbpe0frMqQwjDXzgPL1t/8ExKk/dDp66Fadnv0lRCSqV8zrG3HD8PSXyIK420L
U4f06LQEPUmj52OoMNdKim86I/4TIjsQvZmqv36JX/kJ87mpuKHqT2TnjZL7ylUe
9XQjVRM+3bY/5gwr4biXrIIfDtxVDakt5QxzvzorcD+iNx9iAf3wCWZIAOzqOOuO
c9L71BMBG2g69HsTN6XTs6dYS0o6CHl4dY0I8BOs5KlBm9fB4ap3zQ13321gxTY4
YdOI3SJ5G9IlxwtnrFM7kAsqbp8M0XbYweptPotnfn2IhBq1H3VNZbhKQukOCCyL
68GgnSfLT6z0Re7IHwANgfKb0BwFhOmTKC9NI+jzoKNdPIy9OrMerNHrz7KPqRtg
GqlXLOy2fwyCDycLkgYL
=tGCQ
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos-***@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev