Kerberos 5 Release 1.15.3
The MIT Kerberos Team announces the availability of the
krb5-1.15.3 release. The detached PGP
signature is available without going through the download
page, if you wish to verify the authenticity of a distribution
you have obtained elsewhere.
Please see the README file for a
more complete list of changes.
You may also see the current full
list
of fixed bugs tracked in our RT bugtracking system.
DES transition
The Data Encryption Standard (DES) is widely recognized as
weak. The krb5-1.7 release contains measures to encourage sites
to migrate away from using single-DES cryptosystems. Among
these is a configuration variable that enables "weak" enctypes,
which now defaults to "false" beginning with krb5-1.8.
Major changes in 1.15.3 (2018-05-03)
This is a bug fix release.
- Fix flaws in LDAP DN checking, including a null dereference
KDC crash which could be triggered by kadmin clients with
administrative privileges [CVE-2018-5729, CVE-2018-5730].
- Fix a KDC PKINIT memory leak.
- Fix a small KDC memory leak on transited or authdata errors
when processing TGS requests.
- Fix a null dereference when the KDC sends a large TGS reply.
- Fix "kdestroy -A" with the KCM credential cache type.
- Fix the handling of capaths "." values.
- Fix handling of repeated subsection specifications in
profile files (such as when multiple included files specify
relations in the same subsection).
Major changes in 1.15.2 (2017-09-25)
This is a bug fix release.
- Fix a KDC denial of service vulnerability caused by unset status
strings [CVE-2017-11368]
- Preserve GSS contexts on init/accept failure [CVE-2017-11462]
- Fix kadm5 setkey operation with LDAP KDB module
- Use a ten-second timeout after successful connection for HTTPS KDC
requests, as we do for TCP requests
- Fix client null dereference when KDC offers encrypted challenge
without FAST
- Ignore dotfiles when processing profile includedir directive
- Improve documentation
Major changes in 1.15.1 (2017-03-01)
This is a bug fix release.
- Allow KDB modules to determine how the e_data field of
principal fields is freed
- Fix udp_preference_limit when the KDC location is configured
with SRV records
- Fix KDC and kadmind startup on some IPv4-only systems
- Fix the processing of PKINIT certificate matching rules
which have two components and no explicit relation
- Improve documentation
Major changes in 1.15 (2016-12-01)
- Administrator experience
-
- Improve support for multihomed Kerberos servers by
adding options for specifying restricted listening
addresses for the KDC and kadmind.
- Add support to kadmin for remote extraction of current
keys without changing them (requires a special kadmin
permission that is excluded from the wildcard permission),
with the exception of highly protected keys.
- Add a lockdown_keys principal attribute to prevent
retrieval of the principal's keys (old or new) via the
kadmin protocol. In newly created databases, this
attribute is set on the krbtgt and kadmin principals.
- Restore recursive dump capability for DB2 back end, so
sites can more easily recover from database corruption
resulting from power failure events.
- Add DNS auto-discovery of KDC and kpasswd servers from
URI records, in addition to SRV records. URI records can
convey TCP and UDP servers and master KDC status in a
single DNS lookup, and can also point to HTTPS proxy
servers.
- Add support for password history to the LDAP back end.
- Add support for principal renaming to the LDAP back end.
- Use the getrandom system call on supported Linux kernels
to avoid blocking problems when getting entropy from the
operating system.
- In the PKINIT client, use the correct DigestInfo
encoding for PKCS #1 signatures, so that some especially
strict smart cards will work.
- Code quality
-
- Clean up numerous compilation warnings.
- Remove various infrequently built modules, including some preauth
modules that were not built by default.
- Developer experience:
-
- Add support for building with OpenSSL 1.1.
- Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
authenticators in the replay cache. This helps sites that must
build with FIPS 140 conformant libraries that lack MD5.
- Eliminate util/reconf and allow the use of autoreconf
alone to regenerate the configure script.
- Protocol evolution
-
- Add support for the AES-SHA2 enctypes, which allows
sites to conform to Suite B crypto requirements.
You may retrieve the Kerberos 5 Release 1.15.3 source from
here.
If you need to acquire the sources from some other distribution
site, you may verify them against the detached
PGP signature for krb5-1.15.3.
$Id: krb5-1.15.3.html,v 1.1 2018/05/03 19:12:26 ghudson Exp $
MIT Kerberos
[ home ]
[ contact ]