Kerberos 5 Release 1.13.2
The MIT Kerberos Team announces the availability of the
krb5-1.13.2 release. The detached PGP
signature is available without going through the download
page, if you wish to verify the authenticity of a distribution
you have obtained elsewhere.
Please see the README file for a
more complete list of changes.
You may also see the current full
of fixed bugs tracked in our RT bugtracking system.
The Data Encryption Standard (DES) is widely recognized as
weak. The krb5-1.7 release contains measures to encourage sites
to migrate away from using single-DES cryptosystems. Among
these is a configuration variable that enables "weak" enctypes,
which now defaults to "false" beginning with krb5-1.8.
Major changes in 1.13.2 (2015-05-08)
This is a bug fix release.
- Fix a minor vulnerability in krb5_read_message, which is primarily
used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]
- Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
- Fix some issues with the LDAP KDC database back end.
- Fix an iteration-related memory leak in the DB2 KDC database back
- Fix issues with some less-used kadm5.acl functionality.
- Improve documentation.
Major changes in 1.13.1 (2015-02-11)
This is a bug fix release.
- Fix multiple vulnerabilities in the LDAP KDC back end.
- Fix multiple kadmind vulnerabilities, some of which are
based in the gssrpc library. [CVE-2014-5352 CVE-2014-5352
CVE-2014-9421 CVE-2014-9422 CVE-2014-9423]
Major changes in 1.13 (2014-10-15)
- Administrator experience:
- Add support for accessing KDCs via an HTTPS proxy server
using the MS-KKDCP protocol.
- Add support for hierarchical incremental propagation,
where slaves can act as intermediates between an upstream
master and other downstream slaves.
- Add support for configuring GSS mechanisms using
/etc/gss/mech.d/*.conf files in addition to /etc/gss/mech.
- Add support to the LDAP KDB module for binding to the
LDAP server using SASL.
- The KDC listens for TCP connections by default.
- Fix a minor key disclosure vulnerability where using the
"keepold" option to the kadmin randkey operation could
return the old keys. [CVE-2014-5351]
- User experience:
- Add client support for the Kerberos Cache Manager
protocol. If the host is running a Heimdal kcm daemon,
caches served by the daemon can be accessed with the KCM:
- When built on OS X 10.7 and higher, use "KCM:" as the
default cache type, unless overridden by command-line
options or krb5-config values.
- Add support for doing unlocked database dumps for the
DB2 KDC back end, which would allow the KDC and kadmind to
continue accessing the database during lengthy database
You may retrieve the Kerberos 5 Release 1.13.2 source from
If you need to acquire the sources from some other distribution
site, you may verify them against the detached
PGP signature for krb5-1.13.2.
$Id: krb5-1.13.2.html,v 1.1 2015/05/11 19:48:41 tlyu Exp $
[ home ]
[ contact ]