Kerberos 5 Release 1.11.6

• Announcement
• README file
• Known Bugs
• Documentation
• Retrieving

Kerberos 5 Release 1.11.6 is now available

The MIT Kerberos Team announces the availability of the krb5-1.11.6 release. The detached PGP signature is available without going through the download page, if you wish to verify the authenticity of a distribution you have obtained elsewhere.

Please see the README file for a more complete list of changes.

You may also see the current full list of fixed bugs tracked in our RT bugtracking system.

DES transition

The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which now defaults to "false" beginning with krb5-1.8.

Major changes in 1.11.6 (2015-02-24)

This is a bugfix release. The krb5-1.11 release series has reached the end of its maintenance period, and krb5-1.11.6 is the last planned release in the krb5-1.11 series. For new deployments, installers should prefer the krb5-1.13 release series or later.

• Work around a gcc optimizer bug that could cause DB2 KDC database operations to spin in an infinite loop
• Fix a backward compatibility problem with the LDAP KDB schema that could prevent krb5-1.11 and later from decoding entries created by krb5-1.6.
• Handle certain invalid RFC 1964 GSS tokens correctly to avoid invalid memory reference vulnerabilities. [CVE-2014-4341 CVE-2014-4342]
• Fix memory management vulnerabilities in GSSAPI SPNEGO. [CVE-2014-4343 CVE-2014-4344]
• Fix buffer overflow vulnerability in LDAP KDB back end. [CVE-2014-4345]
• Fix multiple vulnerabilities in the LDAP KDC back end. [CVE-2014-5354 CVE-2014-5353]
• Fix multiple kadmind vulnerabilities, some of which are based in the gssrpc library. [CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423]

Major changes in 1.11.5 (2014-01-21)

• Make KDC log service principal names more consistently during some error conditions, instead of "<unknown server>"
• Fix some GSSAPI bugs.
• Improve documentation.

Major changes in 1.11.4 (2013-11-04)

• Fix a KDC null pointer dereference [CVE-2013-1417] that could affect realms with an uncommon configuration.
• Fix a KDC null pointer dereference [CVE-2013-1418] that could affect KDCs that serve multiple realms.
• Fix a number of bugs related to KDC master key rollover.

Major changes in 1.11.3 (2013-06-03)

• Fix a UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443]
• Improve interoperability with some Windows native PKINIT clients.

Major changes in 1.11.2 (2013-04-11)

• Incremental propagation could erroneously act as if a slave's database were current after the slave received a full dump that failed to load.
• gss_import_sec_context incorrectly set internal state that identifies whether an imported context is from an interposer mechanism or from the underlying mechanism.

Major changes in 1.11.1 (2013-02-21)

• Restore capability for multi-hop SAM-2 preauth exchanges, which krb5-1.11 had inadvertently removed.
• Fix a null pointer dereference in the KDC PKINIT code [CVE-2013-1415].

Major changes in 1.11 (2012-12-17)

Code quality:

• Improve ASN.1 support code, making it table-driven for decoding as well as encoding
• Refactor parts of KDC

Developer experience:

• Documentation consolidation
• Add a new API krb5_kt_have_content() to determine whether a keytab exists and contains any entries.
• Add a new API krb5_cccol_have_content() to determine whether the ccache collection contains any credentials.
• Add a new API krb5_kt_client_default() to resolve the default client keytab.
• Add new APIs gss_export_cred and gss_import_cred to serialize and unserialize GSSAPI credentials.
• Add a krb5_get_init_creds_opt_set_in_ccache() option.
• Add get_cc_config() and set_cc_config() clpreauth callbacks for getting string attribute values from an in_ccache and storing them in an out_ccache, respectively.
• Add a plugin interface for GSSAPI interposer mechanisms.
• Add an optional responder callback to the krb5_get_init_creds functions. The responder callback can consider and answer all preauth-related questions at once, and can process more complicated questions than the prompter.
• Add a method to the clpreauth interface to allow modules to supply response items for consideration by the responder callback.
• Projects/Password_response_item
• Add GSSAPI extensions to allow callers to specify credential store locations when acquiring or storing credentials
• Add a new API krb5_kt_client_default() to resolve the default client keytab.

Administrator experience:

• Documentation consolidation
• Add parameter expansion for default_keytab_name and default_client_keytab_name profile variables.
• Add new default_ccache_name profile variable to override the built-in default credential cache name.
• Add configure-time support for changing the built-in ccache and keytab names.
• Add krb5-config options for displaying the built-in ccache and keytab names.
• In the default build, use the system's built-in ccache and keytab names if they can be discovered using krb5-config.
• Add support for a "default client keytab". Its location is determined by the KRB5_CLIENT_KTNAME environment variable, the default_client_keytab profile relation, or a hardcoded path (TBD).
• GSSAPI initiator applications can now acquire credentials automatically from the default client keytab, if one is available.
• Add client support for FAST OTP (RFC 6560)

End-user experience:

• Documentation consolidation
• Store metadata in the ccache about how a credential was acquired, to improve the user's experience when reacquiring
• Projects/Extensible_Policy

Performance:

• Improve KDC lookaside cache performance

Protocol evolution:

• Add client support for FAST OTP (RFC 6560)
• Build Camellia encryption support by default

Retrieving Kerberos 5 Release 1.11.6

You may retrieve the Kerberos 5 Release 1.11.6 source from here. If you need to acquire the sources from some other distribution site, you may verify them against the detached PGP signature for krb5-1.11.6.