Kerberos 5 Release 1.12.4
The MIT Kerberos Team announces the availability of the
krb5-1.12.4 release. The detached PGP
signature is available without going through the download
page, if you wish to verify the authenticity of a distribution
you have obtained elsewhere.
Please see the README file for a
more complete list of changes.
You may also see the current full
list
of fixed bugs tracked in our RT bugtracking system.
DES transition
The Data Encryption Standard (DES) is widely recognized as
weak. The krb5-1.7 release contains measures to encourage sites
to migrate away from using single-DES cryptosystems. Among
these is a configuration variable that enables "weak" enctypes,
which now defaults to "false" beginning with krb5-1.8.
Major changes in 1.12.4 (2015-05-29)
This is a bugfix release. The krb5-1.12 release series is in
maintenance, and for new deployments, installers should prefer
the krb5-1.13 release series or later.
- Fix a minor vulnerability in krb5_read_message, which is primarily
used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]
- Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
[CVE-2015-2694]
- Fix some issues with the LDAP KDC database back end.
- Fix an iteration-related memory leak in the DB2 KDC database back
end.
- Fix issues with some less-used kadm5.acl functionality.
- Improve documentation.
Major changes in 1.12.3 (2015-02-18)
This is a bugfix release. The krb5-1.12 release series is in
maintenance, and for new deployments, installers should prefer
the krb5-1.13 release series or later.
- Fix multiple vulnerabilities in the LDAP KDC back end.
[CVE-2014-5354] [CVE-2014-5353]
- Fix multiple kadmind vulnerabilities, some of which are based in the
gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
CVE-2014-9422 CVE-2014-9423]
Major changes in 1.12.2 (2014-08-11)
- Work around a gcc optimizer bug that could cause DB2 KDC
database operations to spin in an infinite loop
- Fix a backward compatibility problem with the LDAP KDB
schema that could prevent krb5-1.11 and later from decoding
entries created by krb5-1.6.
- Avoid an infinite loop under some circumstances when the GSS
mechglue loads a dynamic mechanism.
- Fix krb5kdc argument parsing so "-w" and "-r" options work
together reliably.
- Handle certain invalid RFC 1964 GSS tokens correctly to
avoid invalid memory reference vulnerabilities.
[CVE-2014-4341 CVE-2014-4342]
- Fix memory management vulnerabilities in GSSAPI SPNEGO.
[CVE-2014-4343 CVE-2014-4344]
- Fix buffer overflow vulnerability in LDAP KDB back end.
[CVE-2014-4345]
Major changes in 1.12.1 (2014-01-15)
- Make KDC log service principal names more consistently
during some error conditions, instead of "<unknown server>"
- Fix several bugs related to building AES-NI support on less common
configurations
- Fix several bugs related to keyring credential caches
Major changes in 1.12 (2013-12-10)
- Developer experience:
-
- Add a plugin interface to control
krb5_aname_to_localname and krb5_kuserok behavior.
- Add a plugin interface to control hostname-to-realm
mappings and the default realm.
- Add GSSAPI extensions for constructing MIC tokens using
IOV lists.
- Administrator experience:
-
- Principal entries may now refer to the names of policies
which do not exist as policy objects in the database.
Policy objects may now be deleted whether or not
principals reference their names. A principal which
references a nonexistent policy name will behave as if it
does not reference a policy.
- Add support for having no long-term keys for a
principal. This can be useful if the principal is only
intended to be used with PKINIT or OTP preauthentication.
- Add collection support to the KEYRING credential cache
type on Linux, and add support for persistent user
keyrings and larger credentials on systems which support
them.
- Add a FAST OTP preauthentication module for the KDC
which uses RADIUS to validate OTP token values.
- Add an experimental pluggable interface for auditing KDC
processing. This interface may change in a
backwards-incompatible way in a future release.
- Performance:
-
- The AES-based encryption types will use AES-NI
instructions when possible for improved performance.
You may retrieve the Kerberos 5 Release 1.12.4 source from
here.
If you need to acquire the sources from some other distribution
site, you may verify them against the detached
PGP signature for krb5-1.12.4.
$Id: krb5-1.12.4.html,v 1.1 2015/06/01 22:08:35 tlyu Exp $
MIT Kerberos
[ home ]
[ contact ]