Kerberos Version 5, Release 1.5.3

Release Notes
The MIT Kerberos Team

Unpacking the Source Distribution
---------------------------------

The source distribution of Kerberos 5 comes in a gzipped tarfile, krb5-1.5.3.tar.gz. Instructions on how to extract the entire distribution follow.

If you have the GNU tar program and gzip installed, you can simply do:

	gtar zxpf krb5-1.5.3.tar.gz

If you don't have GNU tar, you will need to get the FSF gzip distribution and use gzcat:

	gzcat krb5-1.5.3.tar.gz | tar xpf -

Both of these methods will extract the sources into krb5-1.5.3/src and the documentation into krb5-1.5.3/doc.

Building and Installing Kerberos 5
----------------------------------

The first file you should look at is doc/install-guide.ps; it contains the notes for building and installing Kerberos 5. The info file krb5-install.info has the same information in info file format. You can view this using the GNU emacs info-mode, or by using the standalone info file viewer from the Free Software Foundation. This is also available as an HTML file, install.html.

Other good files to look at are admin-guide.ps and user-guide.ps, which contain the system administrator's guide and the user's guide, respectively. They are also available as info files kerberos-admin.info and krb5-user.info, respectively. These files are also available as HTML files.

If you are attempting to build under Windows, please see the src/windows/README file. Note that this release might not build under Windows currently.

Reporting Bugs
--------------

Please report any problems/bugs/comments using the krb5-send-pr program. The krb5-send-pr program will be installed in the sbin directory once you have successfully compiled and installed Kerberos V5 (or if you have installed one of our binary distributions).

If you are not able to use krb5-send-pr because you haven't been able to compile and install Kerberos V5 on any platform, you may send mail to krb5-bugs@mit.edu.
You may view bug reports by visiting http://krbdev.mit.edu/rt/ and logging in as "guest" with password "guest".

Major changes in krb5-1.5.3
---------------------------

[5512] Fix MITKRB5-SA-2007-001: telnetd allows login as arbitrary user [CVE-2007-0956, VU#220816]

[5513] Fix MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog [CVE-2007-0957, VU#704024]

[5520] Fix MITKRB5-SA-2007-003: double-free in kadmind - the RPC library could perform a double-free due to a GSS-API library bug [CVE-2007-1216, VU#419344]

krb5-1.5.3 changes by ticket ID
-------------------------------

5512 (krb5-1.5.x) MITKRB5-SA-2007-001: telnetd allows login as arbitrary user
5513 (krb5-1.5.x) MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog
5520 (krb5-1.5.x) MITKRB5-SA-2007-003: double-free in kadmind

Major changes in krb5-1.5.2
---------------------------

* Fix for MITKRB5-SA-2006-002: the RPC library could call an uninitialized function pointer, which created a security vulnerability for kadmind.

* Fix for MITKRB5-SA-2006-003: the GSS-API mechglue layer could fail to initialize some output pointers, causing callers to attempt to free uninitialized pointers. This caused a security vulnerability in kadmind.

Major known bugs in krb5-1.5.2
------------------------------

5293 crash creating db2 database in non-existent directory

Attempting to create a KDB in a non-existent directory using the Berkeley DB back end may cause a crash resulting from a null pointer dereference. If a core dump occurs, this may cause a local exposure of sensitive information such as the master key password. This will be fixed in an upcoming patch release.

krb5-1.5.2 changes by ticket ID
-------------------------------

Listed below are the RT tickets of bugs fixed in krb5-1.5.2. Please see http://krbdev.mit.edu/rt/NoAuth/krb5-1.5/fixed-1.5.2.html for a current listing with links to the complete tickets.
3965 Autoconf 2.60 datarootdir issue
4237 windows ccache and keytab file paths without a prefix
4305 windows thread support frees thread local storage after TlsSetValue
4309 wix installer - win2k compatibility for netidmgr
4310 NSIS installer - update for Win2K NetIDMgr
4312 KFW 3.1 Beta 2 NetIDMgr Changes
4354 db2 policy database loading broken
4355 test policy dump/load in make check
4368 kdc: make_toolong_error does not initialize all fields for krb5_mk_error
4407 final commits for KFW 3.1 Beta 2
4499 Document prerequisites for make check
4500 Initialize buffer before calling res_ninit
5307 fix MITKRB5-SA-2006-002 for 1.5-branch
5308 fix MITKRB5-SA-2006-003 for 1.5-branch

Major changes in 1.5.1
----------------------

The only significant change in krb5-1.5.1 is to fix the security vulnerabilities described in MITKRB5-SA-2006-001, which are local privilege escalation vulnerabilities in applications running on Linux and AIX.

krb5-1.5.1 changes by ticket ID
-------------------------------

Listed below are the RT tickets of bugs fixed in krb5-1.5.1. Please see http://krbdev.mit.edu/rt/NoAuth/krb5-1.5/fixed-1.5.1.html for a current listing with links to the complete tickets.

3904 fix uninitialized vars
3956 gssapi compilation errors on Windows
3971 broken configure test for dlopen
3998 Document add_entry in ktutil man page
4012 reverse test for copy_oid_set in lib/gssapi/krb5/indicate_mechs.c
4036 reject configure option for static libraries
4037 respect LDFLAGS in NetBSD build
4063 gss mech glue implementation should validate opaque pointer types
4088 gss_import_name can fail to call gssint_initialize_library()
4125 fix MITKRB5-SA-2006-001: multiple local privilege escalation vulnerabilities
4137 ksu spuriously fails when exiting shell when ksu-ing to non-root
4168 clean up mkrel patchlevel.h editing etc.
Major changes in 1.5
--------------------

Kerberos 5 Release 1.5 includes many significant changes to the Kerberos build system, to GSS-API, and to the Kerberos KDC and administration system. These changes build up infrastructure as part of our efforts to make Kerberos more extensible and flexible. While we are confident that these changes will improve Kerberos in the long run, significant code restructuring may introduce portability problems or change behavior in ways that break applications.

It is always important to test a new version of critical security software like Kerberos before deploying it in your environment to confirm that the new version meets your environment's requirements. Because of the significant restructuring, it is more important than usual to perform this testing and to report problems you find.

Highlights of major changes include:

* KDB abstraction layer, donated by Novell.

* plug-in architecture, allowing for extension modules to be loaded at run-time.

* multi-mechanism GSS-API implementation ("mechglue"), donated by Sun Microsystems

* Simple and Protected GSS-API negotiation mechanism ("SPNEGO") implementation, donated by Sun Microsystems

* Per-directory ChangeLog files have been deleted. Releases now include auto-generated revision history logs in the combined file doc/CHANGES.

Changes by ticket ID
--------------------

Listed below are the RT tickets of bugs fixed in krb5-1.5. Please see http://krbdev.mit.edu/rt/NoAuth/krb5-1.5/fixed-1.5.html for a current listing with links to the complete tickets.
581 verify_krb_v4_tgt is not 64-bit clean
856 patch to add shared library support for BSD/OS 4
1245 source tree not 64-bit clean
1288 v4 ticket file format incompatibilities
1431 fix errno.h references for cygwin
1434 use win32 rename solution in rcache for cygwin
1988 profile library fails to handle space in front of comments
2577 [Russ Allbery] Bug#250966: /usr/sbin/klogind: Authorization behavior not fully documented
2615 Fwd: Patch for telnet / telnetd to avoid crashes when used with MS kdc and PAC field
2628 Cygwin build patches
2648 [Russ Allbery] Bug#262192: libkrb53: krb_get_pw_in_tkt problems with AFS keys
2712 whitespace patch for src/kdc/kerberos_v4.c
2759 fake-getaddrinfo.h incorrectly checks for gethostbyname_r errors
2761 move getaddrinfo hacks into support lib for easier maintenance
2763 file ccache should be held open while scanning for credentials
2786 dead code in init_common() causes malloc(0)
2791 hooks for recording statistics on locking behavior
2807 Add VERSIONRC branding to krb5 support dll
2855 Possible thread safety issue in lib/krb5/os/def_realm.c
2856 Need a function to clone krb5_context structs for thread safe apps
2863 windows klist won't link
2880 fix calling convention for thread support fns
2882 Windows 2003 SP1 ktpass.exe generate keytab files fail to load with 1.4
2886 krb5_do_preauth could attempt to free NULL pointer
2931 implement SPNEGO
2932 implement multi-mech GSSAPI
2933 plug-in architecture
2936 supplementary error strings
2959 profile library should check high-resolution timestamps if available
2979 threaded test program built even with thread support disabled
3008 Incorrect cross-references in man pages
3010 Minor path and service man page fixes
3011 krb5-config should never return -I/usr/include
3013 Man pages for fakeka and krb524init
3014 texinfo variable fixes, info dir entries
3030 Bug report: Kinit has no suport for addresses in credentials. Kinit -a is not enabled.
3065 Implement RFC 3961 PRF
3086 [Sergio Gelato] Bug#311977: libkrb53: gss_init_sec_context sometimes fails to initialise output_token
3088 don't always require support library when building with sun cc
3122 fixes for AIX 5.2 select() and IPv4/IPv6 issues
3129 shlib build problems on HP-UX 10.20 with gcc-3.4.3
3233 kuserok needs to check for uid 99 on Mac OS X
3252 Tru64 compilation fails after k5-int.h/krb5.h changes
3266 Include errno.h in kdc/kerberos_v4.c
3268 kprop should fall back on port 754 rather than failing
3269 telnet help should connect to a host named help
3308 kadmin.local is killed due to segmentation fault when principal name argument is missing.
3332 don't destroy uninitialized rcache mutex in error cases
3358 krb5 doesn't build when pthread_mutexattr_setrobust_np is defined but not declared
3364 plugins should be thread-safe
3415 Windows 64-bit support
3416 tweak kdb interface for thread safety
3417 move/add thread support to support lib
3423 Add support for utmps interface on HPUX 11.23
3426 trunk builds without thread support are not working
3434 sizeof type should be checked at compile time, not configure time
3438 enhancement: report errno when generic I/O errors happen in kinit
3445 args to ctype.h macros should be cast to unsigned char, not int
3466 ioctl header portability fixes for telnet on GNU/kFreeBSD
3467 Allow GSS_C_NO_OID in krb5_gss_canon_name
3468 udp_preference_limit typo in krb5.conf man page
3490 getpwnam_r status checked incorrectly
3502 Cannot acquire initiator cred using gss_acquire_cred with explicit name on Windows
3512 updates to NSIS installer for KFW
3521 Add configurable Build value to File and Product versions for Windows
3549 library double-free with an empty keytab
3607 clients/ksu/setenv.c doesn't build on Solaris
3620 use strerror_r
3668 Prototype for krb5_c_prf missing const
3671 shsUpdate should take an unsigned int for length
3675 unsigned/signed int warnings in krb5_context variables.
3687 initialize cc_version to 0 not NULL
3688 Added CoreFoundation bundle plugin support
3689 build kadm5 headers in generate-files-mac target
3690 build rpc includes in generate-files-mac target.
3697 kadmin hangs indefinitely when admin princ has escaped chars
3706 ipv4+ipv6 messages can trip up KDC replay detection
3714 fix incorrect padata memory allocation in send_tgs.c
3716 Plugin search algorithm should take lists of name and directories
3719 fix bug in flag checking in libdb2 mpool code
3724 need to export kadm5_set_use_password_server
3736 Cleanup a number of cast away from const warnings in gssapi
3739 vsnprintf not present on windows
3746 krb5_cc_gen_new memory implementation doesn't create a new ccache
3761 combine kdc.conf, krb5.conf data in KDC programs
3783 install headers into include/krb5
3790 memory leak in GSSAPI credential releasing code
3791 memory leak in gss_krb5_set_allowable_enctypes error path
3825 krb5int_get_plugin_dir_data() uses + instead of * in realloc
3826 memory leaks in krb5kdc due to not freeing error messages
3854 CCAPI krb4int_save_credentials_addr should match prototype
3866 gld --as-needed not portable enough
3879 Update texinfo.tex
3888 ftpd's getline conflicts with current glibc headers
3898 Export gss_inquire_mechs_for_name for KFW
3899 Export krb5_gss_register_acceptor_identity in KFW
3900 update config.guess and config.sub
3902 g_userok.c has implicit declaration of strlen
3903 various kadm5 files need string.h
3905 warning fixes for spnego
3909 Plugins need to use RTLD_GROUP when available, but definitely not RTLD_GLOBAL
3910 fix parallel builds for libgss
3911 getaddrinfo code uses vars outside of storage duration
3918 fix warnings for lib/gssapi/mechglue/g_initialize.c
3920 cease export of krb5_gss_*
3921 remove unimplemented/unused mechglue functions
3922 mkrel should update patchlevel.h prior to reconf
3923 implement RFC4120 behavior on TCP requests with high bit set in length
3924 the krb5_get_server_rcache routine frees already freed memory in error path
3925 krb5_get_profile should reflect profile in the supplied context
3927 fix signedness warnings in spnego_mech.c
3928 fix typo in MS_BUG_TEST case in krb5_gss_glue.c
3940 Disable MSLSA: ccache in WOW64 on pre-Vista Beta 2 systems
3942 make gssint_get_mechanism match prototype
3944 write svn log output when building release
3945 mkrel should only generate doc/CHANGES for checkouts
3948 Windows: fix krb5.h generation
3949 fix plugin.c to compile on Windows
3950 autoconf 2.60 compatibility
3951 remove unused dlopen code in lib/gssapi/mechglue/g_initialize.c
3952 fix calling convention for krb5 error-message routines, document usage of krb5_get_error_message
3953 t_std_conf references private function due to explicit linking of init_os_ctx.o
3954 remove mechglue gss_config's gssint_userok and pname_to_uid
3957 remove unused lib/gssapi/mechglue/g_utils.c
3959 re-order inclusions in spnego_mech.c to avoid breaking system headers
3962 krb5_get_server_rcache double free
3964 "kdb5_util load" to existing db doesn't work, needed for kpropd
3968 fix memory leak in mechglue/g_init_sec_ctx.c
3970 test kdb5_util dump/load functionality in dejagnu
3972 make gss_unwrap match prototype
3974 work around failure to load into nonexistent db

Known bugs by ticket ID:
------------------------

Listed below are the RT tickets for known bugs in krb5-1.5. Please see http://krbdev.mit.edu/rt/NoAuth/krb5-1.5/bugs-1.5.html for an up-to-date list, including links to the complete tickets.

3947 allow multiple calls to krb5_get_error_message to retrieve message
3956 gssapi compilation errors on Windows
3973 kdb5_util load now fails if db doesn't exist [workaround]

Copyright Notice and Legal Administrivia
----------------------------------------

Copyright (C) 1985-2007 by the Massachusetts Institute of Technology. All rights reserved.

Export of this software from the United States of America may require a specific license from the United States Government.
It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original MIT software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Individual source code files are copyright MIT, Cygnus Support, OpenVision, Oracle, Sun Soft, FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (MIT). No commercial use of these trademarks may be made without prior written permission of MIT.

"Commercial use" means use of a name in a product or other for-profit manner. It does NOT prevent a commercial firm from referring to the MIT trademarks in order to convey information (although in doing so, recognition of their trademark status should be given).
----

The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:

Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved

WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system.

You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.

OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code.

OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community.
----

Portions contributed by Matt Crawford were work performed at Fermi National Accelerator Laboratory, which is operated by Universities Research Association, Inc., under contract DE-AC02-76CHO3000 with the U.S. Department of Energy.

----

The implementation of the Yarrow pseudo-random number generator in src/lib/crypto/yarrow has the following copyright:

Copyright 2000 by Zero-Knowledge Systems, Inc.

Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Zero-Knowledge Systems, Inc. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Zero-Knowledge Systems, Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

----

The implementation of the AES encryption algorithm in src/lib/crypto/aes has the following copyright:

Copyright (c) 2001, Dr Brian Gladman, Worcester, UK. All rights reserved.

LICENSE TERMS

The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that:

1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer;

2. distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials;

3. the copyright holder's name is not used to endorse products built using this software without specific written permission.

DISCLAIMER

This software is provided 'as is' with no explicit or implied warranties in respect of any properties, including, but not limited to, correctness and fitness for purpose.

---

The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in src/lib/gssapi, including the following files:

lib/gssapi/generic/gssapi_err_generic.et
lib/gssapi/mechglue/g_accept_sec_context.c
lib/gssapi/mechglue/g_acquire_cred.c
lib/gssapi/mechglue/g_canon_name.c
lib/gssapi/mechglue/g_compare_name.c
lib/gssapi/mechglue/g_context_time.c
lib/gssapi/mechglue/g_delete_sec_context.c
lib/gssapi/mechglue/g_dsp_name.c
lib/gssapi/mechglue/g_dsp_status.c
lib/gssapi/mechglue/g_dup_name.c
lib/gssapi/mechglue/g_exp_sec_context.c
lib/gssapi/mechglue/g_export_name.c
lib/gssapi/mechglue/g_glue.c
lib/gssapi/mechglue/g_imp_name.c
lib/gssapi/mechglue/g_imp_sec_context.c
lib/gssapi/mechglue/g_init_sec_context.c
lib/gssapi/mechglue/g_initialize.c
lib/gssapi/mechglue/g_inq_context.c
lib/gssapi/mechglue/g_inq_cred.c
lib/gssapi/mechglue/g_inq_names.c
lib/gssapi/mechglue/g_process_context.c
lib/gssapi/mechglue/g_rel_buffer.c
lib/gssapi/mechglue/g_rel_cred.c
lib/gssapi/mechglue/g_rel_name.c
lib/gssapi/mechglue/g_rel_oid_set.c
lib/gssapi/mechglue/g_seal.c
lib/gssapi/mechglue/g_sign.c
lib/gssapi/mechglue/g_store_cred.c
lib/gssapi/mechglue/g_unseal.c
lib/gssapi/mechglue/g_verify.c
lib/gssapi/mechglue/mglueP.h
lib/gssapi/mechglue/oid_ops.c
lib/gssapi/spnego/gssapiP_spnego.h
lib/gssapi/spnego/spnego_mech.c

are subject to the following license:

Copyright (c) 2004 Sun Microsystems, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Acknowledgments
---------------

Thanks to Russ Allbery for contributing and integrating patches from Debian and other places.

Thanks to Michael Calmer for contributing patches for code clean-up.

Thanks to Novell for donating the KDB abstraction layer.

Thanks to Sun Microsystems for donating their implementations of mechglue and SPNEGO.

Thanks to the numerous others who reported bugs and/or contributed patches.

Thanks to iDefense for notifying us about the vulnerability in MITKRB5-SA-2007-002.
Thanks to the members of the Kerberos V5 development team at MIT, both past and present: Danilo Almeida, Jeffrey Altman, Justin Anderson, Richard Basch, Jay Berkenbilt, Mitch Berger, Andrew Boardman, Joe Calzaretta, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav Jurisic, Barry Jaspan, Geoffrey King, Kevin Koch, John Kohl, Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff Schiller, Jen Selby, Brad Thompson, Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu.