Kerberos 5 Release 1.11.5
The MIT Kerberos Team announces the availability of the
krb5-1.11.5 release. The detached PGP
signature is available without going through the download
page, if you wish to verify the authenticity of a distribution
you have obtained elsewhere.
Please see the README file for a
more complete list of changes.
You may also see the current full
list
of fixed bugs tracked in our RT bugtracking system.
DES transition
The Data Encryption Standard (DES) is widely recognized as
weak. The krb5-1.7 release contains measures to encourage sites
to migrate away from using single-DES cryptosystems. Among
these is a configuration variable that enables "weak" enctypes,
which now defaults to "false" beginning with krb5-1.8.
Major changes in 1.11.5 (2014-01-21)
- Make KDC log service principal names more consistently during some
error conditions, instead of "<unknown server>"
- Fix some GSSAPI bugs.
- Improve documentation.
Major changes in 1.11.4 (2013-11-04)
- Fix a KDC null pointer dereference [CVE-2013-1417] that
could affect realms with an uncommon configuration.
- Fix a KDC null pointer dereference [CVE-2013-1418] that
could affect KDCs that serve multiple realms.
- Fix a number of bugs related to KDC master key rollover.
Major changes in 1.11.3 (2013-06-03)
- Fix a UDP ping-pong vulnerability in the kpasswd (password
changing) service. [CVE-2002-2443]
- Improve interoperability with some Windows native PKINIT
clients.
Major changes in 1.11.2 (2013-04-11)
- Incremental propagation could erroneously act as if a
slave's database were current after the slave received a full
dump that failed to load.
- gss_import_sec_context incorrectly set internal state that
identifies whether an imported context is from an interposer
mechanism or from the underlying mechanism.
Major changes in 1.11.1 (2013-02-21)
- Restore capability for multi-hop SAM-2 preauth exchanges,
which krb5-1.11 had inadvertently removed.
- Fix a null pointer dereference in the KDC PKINIT code
[CVE-2013-1415].
Major changes in 1.11 (2012-12-17)
- Code quality:
-
- Improve ASN.1 support code, making it table-driven for
decoding as well as encoding
- Refactor parts of KDC
- Developer experience:
-
- Documentation consolidation
- Add a new API krb5_kt_have_content() to determine whether a keytab
exists and contains any entries.
- Add a new API krb5_cccol_have_content() to determine whether the
ccache collection contains any credentials.
- Add a new API krb5_kt_client_default() to resolve the default client
keytab.
- Add new APIs gss_export_cred and gss_import_cred to serialize and
unserialize GSSAPI credentials.
- Add a krb5_get_init_creds_opt_set_in_ccache() option.
- Add get_cc_config() and set_cc_config() clpreauth callbacks for
getting string attribute values from an in_ccache and storing them
in an out_ccache, respectively.
- Add a plugin interface for GSSAPI interposer mechanisms.
- Add an optional responder callback to the krb5_get_init_creds
functions. The responder callback can consider and answer all
preauth-related questions at once, and can process more complicated
questions than the prompter.
- Add a method to the clpreauth interface to allow modules to supply
response items for consideration by the responder callback.
- Projects/Password_response_item
- Add GSSAPI extensions to allow callers to specify credential store
locations when acquiring or storing credentials
- Add a new API krb5_kt_client_default() to resolve the default client
keytab.
- Administrator experience:
-
- Documentation consolidation
- Add parameter expansion for default_keytab_name and
default_client_keytab_name profile variables.
- Add new default_ccache_name profile variable to override the
built-in default credential cache name.
- Add configure-time support for changing the built-in ccache and
keytab names.
- Add krb5-config options for displaying the built-in ccache and
keytab names.
- In the default build, use the system's built-in ccache and keytab
names if they can be discovered using krb5-config.
- Add support for a "default client keytab". Its location is
determined by the KRB5_CLIENT_KTNAME environment variable, the
default_client_keytab profile relation, or a hardcoded path (TBD).
- GSSAPI initiator applications can now acquire credentials
automatically from the default client keytab, if one is available.
- Add client support for FAST OTP (RFC 6560)
- End-user experience:
-
- Documentation consolidation
- Store metadata in the ccache about how a credential was acquired, to
improve the user's experience when reacquiring
- Projects/Extensible_Policy
- Performance:
-
- Improve KDC lookaside cache performance
- Protocol evolution:
-
- Add client support for FAST OTP (RFC 6560)
- Build Camellia encryption support by default
You may retrieve the Kerberos 5 Release 1.11.5 source from
here.
If you need to acquire the sources from some other distribution
site, you may verify them against the detached
PGP signature for krb5-1.11.5.
$Id: krb5-1.11.5.html,v 1.1 2014/01/22 23:52:19 tlyu Exp $
MIT Kerberos
[ home ]
[ contact ]