Kerberos 5 Release 1.13.7

• Announcement
• README file
• Known Bugs
• Documentation
• Retrieving

Kerberos 5 Release 1.13.7 is now available

The MIT Kerberos Team announces the availability of the krb5-1.13.7 release. The detached PGP signature is available without going through the download page, if you wish to verify the authenticity of a distribution you have obtained elsewhere.

Please see the README file for a more complete list of changes.

You may also see the current full list of fixed bugs tracked in our RT bugtracking system.

DES transition

The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which now defaults to "false" beginning with krb5-1.8.

Major changes in 1.13.7 (2016-09-15)

This is a bug fix release. The krb5-1.13 release series is near the end of its maintenance period, and krb5-1.13.7 will probably be the final release of this series. For new deployments, installers should prefer the krb5-1.14 release series or later.

• Fix some rare btree data corruption bugs
• Fix numerous minor memory leaks
• Improve portability (Linux-ppc64el, FreeBSD)
• Improve some error messages
• Improve documentation

Major changes in 1.13.6 (2016-07-25)

This is a bug fix release. The krb5-1.13 release series is in maintenance, and for new deployments, installers should prefer the krb5-1.14 release series or later.

• Improve some error messages
• Improve documentation
• Allow a principal with nonexistent policy to bypass the minimum password lifetime check, consistent with other aspects of nonexistent policies
• Fix a rare KDC denial of service vulnerability when anonymous client principals are restricted to obtaining TGTs only [CVE-2016-3120]

Major changes in 1.13.5 (2016-04-18)

This is a bug fix release. The krb5-1.13 release series is in maintenance, and for new deployments, installers should prefer the krb5-1.14 release series or later.

• Fix a moderate-severity vulnerability in the LDAP KDC back end that could be exploited by a privileged kadmin user [CVE-2016-3119]

Major changes in 1.13.4 (2016-03-07)

This is a bug fix release. The krb5-1.13 release series is in maintenance, and for new deployments, installers should prefer the krb5-1.14 release series or later.

• Fix some moderate-severity vulnerabilities [CVE-2015-8629, CVE-2015-8630, CVE-2015-8631] in kadmind.
• Improve behavior on hosts with long hostnames.
• Avoid spurious failures when doing normal kprop to heavily loaded slave KDCs.

Major changes in 1.13.3 (2015-12-04)

This is a bug fix release. The krb5-1.13 release series is in maintenance, and for new deployments, installers should prefer the krb5-1.14 release series or later.

• Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that could cause server crashes. [CVE-2015-2695] [CVE-2015-2696] [CVE-2015-2698]
• Fix build_principal memory bug that could cause a KDC crash. [CVE-2015-2697]
• Allow an iprop slave to receive full resyncs from KDCs running krb5-1.10 or earlier.

Major changes in 1.13.2 (2015-05-08)

This is a bug fix release.

• Fix a minor vulnerability in krb5_read_message, which is primarily used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]
• Fix a bypass of requires_preauth in KDCs that have PKINIT enabled. [CVE-2015-2694]
• Fix some issues with the LDAP KDC database back end.
• Fix an iteration-related memory leak in the DB2 KDC database back end.
• Fix issues with some less-used kadm5.acl functionality.
• Improve documentation.

Major changes in 1.13.1 (2015-02-11)

This is a bug fix release.

• Fix multiple vulnerabilities in the LDAP KDC back end. [CVE-2014-5354] [CVE-2014-5353]
• Fix multiple kadmind vulnerabilities, some of which are based in the gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423]

Major changes in 1.13 (2014-10-15)

Administrator experience:

• Add support for accessing KDCs via an HTTPS proxy server using the MS-KKDCP protocol.
• Add support for hierarchical incremental propagation, where slaves can act as intermediates between an upstream master and other downstream slaves.
• Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf files in addition to /etc/gss/mech.
• Add support to the LDAP KDB module for binding to the LDAP server using SASL.
• The KDC listens for TCP connections by default.
• Fix a minor key disclosure vulnerability where using the "keepold" option to the kadmin randkey operation could return the old keys. [CVE-2014-5351]

User experience:

• Add client support for the Kerberos Cache Manager protocol. If the host is running a Heimdal kcm daemon, caches served by the daemon can be accessed with the KCM: cache type.
• When built on OS X 10.7 and higher, use "KCM:" as the default cache type, unless overridden by command-line options or krb5-config values.

Performance:

• Add support for doing unlocked database dumps for the DB2 KDC back end, which would allow the KDC and kadmind to continue accessing the database during lengthy database dumps.

Retrieving Kerberos 5 Release 1.13.7

You may retrieve the Kerberos 5 Release 1.13.7 source from here. If you need to acquire the sources from some other distribution site, you may verify them against the detached PGP signature for krb5-1.13.7.