Kerberos 5 Release 1.10.5
The MIT Kerberos Team announces the availability of the
krb5-1.10.5 release. The detached PGP
signature is available without going through the download
page, if you wish to verify the authenticity of a distribution
you have obtained elsewhere.
Please see the README file for a
more complete list of changes.
You may also see the current full
list
of fixed bugs tracked in our RT bugtracking system.
DES transition
The Data Encryption Standard (DES) is widely recognized as
weak. The krb5-1.7 release contains measures to encourage sites
to migrate away from using single-DES cryptosystems. Among
these is a configuration variable that enables "weak" enctypes,
which now defaults to "false" beginning with krb5-1.8.
Major changes in krb5-1.10.5 (2013-04-17)
This is a bugfix release. The krb5-1.10 release series is in
maintenance, and for new deployments, installers should prefer the
krb5-1.11 release series or later.
- Fix KDC null pointer dereference in TGS-REQ handling
[CVE-2013-1416]
- Incremental propagation could erroneously act as if a
slave's database were current after the slave received a full
dump that failed to load.
Major changes in 1.10.4 (2013-03-01)
This is a bugfix release.
- Fix null PKINIT pointer dereference vulnerabilities
[CVE-2012-1016, CVE-2013-1415]
- Prevent the KDC from returning a host-based service
principal referral to the local realm.
Major changes in 1.10.3 (2012-08-08)
This is a bugfix release.
- Fix KDC uninitialized pointer vulnerabilities that could
lead to a denial of service [CVE-2012-1014] or remote code
execution [CVE-2012-1015].
- Correctly use default_tgs_enctypes instead of
default_tkt_enctypes for TGS requests.
Major changes in 1.10.2 (2012-05-31)
This is a bugfix release.
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
Controllers.
- Update a workaround for a glibc bug that would cause DNS PTR
queries to occur even when rdns = false.
- Fix a kadmind denial of service issue (null pointer
dereference), which could only be triggered by an
administrator with the "create" privilege. [CVE-2012-1013]
Major changes in 1.10.1 (2012-03-08)
This is a bugfix release.
- Fix access controls for KDB string attributes
[CVE-2012-1012]
- Make the ASN.1 encoding of key version numbers interoperate
with Windows Read-Only Domain Controllers
- Avoid generating spurious password expiry warnings in cases
where the KDC sends an account expiry time without a password
expiry time.
Major changes in 1.10 (2012-01-27)
- Code quality:
-
- Fix MITKRB5-SA-2011-006 and MITKRB5-SA-2011-007 KDC
denial of service vulnerabilities [CVE-2011-1527
CVE-2011-1528 CVE-2011-1529 CVE-2011-1530].
- Update the Fortuna implementation to more accurately
implement the description in Cryptography Engineering,
and make it the default PRNG.
- Add an alternative PRNG that relies on the OS native
PRNG.
- Developer experience:
-
- Add the ability for GSSAPI servers to use any keytab key
for a specified service, if the server specifies a
host-based name with no hostname component.
- In the build system, identify the source files needed for
per-message processing within a kernel and ensure that they remain
independent.
- Allow rd_safe and rd_priv to ignore the remote address.
- Rework KDC and kadmind networking code to use an event loop
architecture.
- Add a plugin interface for providing configuration information.
- Administrator experience:
-
- Add more complete support for renaming principals.
- Add the profile variable ignore_acceptor_hostname in libdefaults. If
set, GSSAPI will ignore the hostname component of acceptor names
supplied by the server, allowing any keytab key matching the service
to be used.
- Add support for string attributes on principal entries.
- Allow password changes to work over NATs.
- End-user experience:
-
- Add the DIR credential cache type, which can hold a collection of
credential caches.
- Enhance kinit, klist, and kdestroy to support credential cache
collections if the cache type supports it.
- Add the kswitch command, which changes the selected default cache
within a collection.
- Add heuristic support for choosing client credentials based on the
service realm.
- Add support for $HOME/.k5identity, which allows credential choice
based on configured rules.
- Add support for localization. (No translations are provided in this
release, but the infrastructure is present for redistributors to
supply them.)
- Protocol evolution:
-
- Make PKINIT work with FAST in the client library.
Known Bugs
Known bugs reported against krb5-1.10.5 are listed
here.
Please note that the HTML versions of these documents are
converted from texinfo, and that the conversion is imperfect.
If you want PDF, PostScript, or GNU info versions, please download
the documentation tarball.
You may retrieve the Kerberos 5 Release 1.10.5 source from
here.
If you need to acquire the sources from some other distribution
site, you may verify them against the detached
PGP signature for krb5-1.10.5.
$Id: krb5-1.10.5.html,v 1.1 2013/04/18 20:20:27 tlyu Exp $
MIT Kerberos
[ home ]
[ contact ]