Kerberos 5 Release 1.19.4
The MIT Kerberos Team announces the availability of the
krb5-1.19.4 release. The detached PGP
signature is available without going through the download
page, if you wish to verify the authenticity of a distribution
you have obtained elsewhere.
Please see the README file for a
more complete list of changes.
You may also see the current full
of fixed bugs tracked in our RT bugtracking system.
Beginning with the krb5-1.19 release, a warning will be issued
if initial credentials are acquired using the des3-cbc-sha1
encryption type. In future releases, this encryption type will
be disabled by default and eventually removed.
Beginning with the krb5-1.18 release, single-DES encryption
types have been removed.
Major changes in 1.19.4 (2022-11-15)
- Fix integer overflows in PAC parsing [CVE-2022-42898].
- Fix memory leak in OTP kdcpreauth module.
Major changes in 1.19.3 (2022-03-11)
- Fix a denial of service attack against the KDC [CVE-2021-37750].
Major changes in 1.19.2 (2021-07-22)
- Fix a denial of service attack against the KDC encrypted
challenge code [CVE-2021-36222].
- Fix a memory leak when gss_inquire_cred() is called without
a credential handle.
Major changes in 1.19.1 (2021-02-18)
- Fix a linking issue with Samba.
- Better support multiple pkinit_identities values by checking
whether certificates can be loaded for each value.
Major changes in 1.19 (2021-02-01)
- Administrator experience
- When a client keytab is present, the GSSAPI krb5 mech
will refresh credentials even if the current credentials
were acquired manually.
- It is now harder to accidentally delete the K/M entry from a KDB.
- Developer experience
- gss_acquire_cred_from() now supports the "password" and
"verify" options, allowing credentials to be acquired via
password and verified using a keytab key.
- When an application accepts a GSS security context, the
new GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator
and acceptor both provided matching channel bindings.
- Added the GSS_KRB5_NT_X509_CERT name type, allowing
S4U2Self requests to identify the desired client principal
- PKINIT certauth modules can now cause the hw-authent
flag to be set in issued tickets.
- The krb5_init_creds_step() API will now issue the same
password expiration warnings as
- Protocol evolution
- Added client and KDC support for Microsoft's
Resource-Based Constrained Delegation, which allows
cross-realm S4U2Proxy requests. A third-party database
module is required for KDC support.
- kadmin/admin is now the preferred server principal name
for kadmin connections, and the host-based form is no
longer created by default. The client will still try the
host-based form as a fallback.
- Added client and server support for Microsoft's
KERB_AP_OPTIONS_CBT extension, which causes channel
bindings to be required for the initiator if the acceptor
provided them. The client will send this option if the
client_aware_gss_bindings profile option is set.
- User experience
- kinit will now issue a warning if the des3-cbc-sha1
encryption type is used in the reply. This encryption
type will be deprecated and removed in future releases.
- Added kvno flags --out-cache, --no-store, and
--cached-only (inspired by Heimdal's kgetcred).
You may retrieve the Kerberos 5 Release 1.19.4 source from
If you need to acquire the sources from some other distribution
site, you may verify them against the detached
PGP signature for krb5-1.19.4.
$Id: krb5-1.19.4.html,v 1.1 2022/11/15 16:43:50 ghudson Exp $
[ home ]
[ contact ]