Kerberos 5 Release 1.9.4

• Announcement
• README file
• Known Bugs
• Documentation
• Retrieving

Kerberos 5 Release 1.9.4 is now available

The MIT Kerberos Team announces the availability of the krb5-1.9.4 release. The detached PGP signature is available without going through the download page, if you wish to verify the authenticity of a distribution you have obtained elsewhere.

Please see the README file for a more complete list of changes.

You may also see the current full list of fixed bugs tracked in our RT bugtracking system.

DES transition

The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which now defaults to "false" beginning with krb5-1.8.

Major changes in 1.9.4

This is a bugfix release.

• Fix interop issues with Windows Server 2008 R2 Read-Only Domain Controllers.
• Work around a glibc bug that causes spurious DNS PTR queries to occur even when rdns = false.
• Fix a kadmind denial of service issue (null pointer dereference), which could only be triggered by an administrator with the "create" privilege. [CVE-2012-1013]

Major changes in 1.9.3

• Fix MITKRB5-SA-2011-007 KDC null pointer dereference in TGS handling [CVE-2011-1530].
• Fix an interaction in iprop that could cause spurious excess kadmind processes when a kprop child fails.

Major changes in 1.9.2

This is primarily a bugfix release.

• Improve KDC performance by fully its disabling replay cache.
• Fix MITKRB5-SA-2011-006 KDC denial of service vulnerabilities [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529].

Major changes in 1.9.1

This is primarily a bugfix release.

• Fix vulnerabilities:
  • kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
  • KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
  • KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284]
  • kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]
• Interoperability:
  • Don't reject AP-REQ messages if their PAC doesn't validate; suppress the PAC instead.
  • Correctly validate HMAC-MD5 checksums that use DES keys

Major changes in 1.9

Code quality

• Fix MITKRB5-SA-2010-007 checksum vulnerabilities (CVE-2010-1324 and others).
• Add a Python-based testing framework.
• Perform DAL cleanup.

Developer experience

• Add NSS crypto back end.
• Improve PRNG modularity.
• Add a Fortuna-like PRNG back end.

Performance

• Account lockout performance improvements -- allow disabling of some account lockout functionality to reduce the number of write operations to the database during authentication
• Add support for multiple KDC worker processes.

Administrator experience

• Add Trace logging support to ease the diagnosis of configuration problems.
• Add support for purging old keys (e.g. from "cpw -randkey -keepold").
• Add plugin interface for password sync -- based on proposed patches by Russ Allbery that support his krb5-sync package
• Add plugin interface for password quality checks -- enables pluggable password quality checks similar to Russ Allbery's krb5-strength package.
• Add a configuration file validator script.
• Add KDC support for SecurID preauthentication -- this is the old SAM-2 protocol, implemented to support existing deployments, not the in-progress FAST-OTP work.
• Add "cheat" capability for kinit when running on a KDC host.

Protocol evolution

• Add support for IAKERB -- a mechanism for tunneling Kerberos KDC transactions over GSS-API, enabling clients to authenticate to services even when the clients cannot directly reach the KDC that serves the services.
• Add support for Camellia encryption (disabled by default).
• Add GSS-API support for implementors of the SASL GS2 bridge mechanism.

Known Bugs

Known bugs reported against krb5-1.9.4 are listed here.

Documentation for krb5-1.9.4

Please note that the HTML versions of these documents are converted from texinfo, and that the conversion is imperfect. If you want PostScript or GNU info versions, please download the documentation tarball.

• install guide
• user guide
• admin guide
• documentation tarball

Retrieving Kerberos 5 Release 1.9.4

You may retrieve the Kerberos 5 Release 1.9.4 source from here. If you need to acquire the sources from some other distribution site, you may verify them against the detached PGP signature for krb5-1.9.4.