Kerberos 5 Release 1.18.5

• Announcement
• README file
• Known Bugs
• Documentation
• Retrieving

Kerberos 5 Release 1.18.5 is now available

The MIT Kerberos Team announces the availability of the krb5-1.18.5 release. The detached PGP signature is available without going through the download page, if you wish to verify the authenticity of a distribution you have obtained elsewhere.

Please see the README file for a more complete list of changes.

You may also see the current full list of fixed bugs tracked in our RT bugtracking system.

DES no longer supported

Beginning with the krb5-1.18 release, single-DES encryption types are no longer supported.

Major changes in 1.18.5 (2022-03-11)

• Fix a denial of service attack against the KDC [CVE-2021-37750].

Major changes in 1.18.4 (2021-07-22)

• Fix a denial of service attack against the KDC encrypted challenge code [CVE-2021-36222].
• Fix a memory leak when gss_inquire_cred() is called without a credential handle.

Major changes in 1.18.3 (2020-11-17)

• Fix a denial of service vulnerability when decoding Kerberos protocol messages.
• Fix a locking issue with the LMDB KDB module which could cause KDC and kadmind processes to lose access to the database.
• Fix an assertion failure when libgssapi_krb5 is repeatedly loaded and unloaded while libkrb5support remains loaded.

Major changes in 1.18.2 (2020-05-21)

• Fix a SPNEGO regression where an acceptor using the default credential would improperly filter mechanisms, causing a negotiation failure.
• Fix a bug where the KDC would fail to issue tickets if the local krbtgt principal's first key has a single-DES enctype.
• Add stub functions to allow old versions of OpenSSL libcrypto to link against libkrb5.
• Fix a NegoEx bug where the client name and delegated credential might not be reported.

Major changes in 1.18.1 (2020-04-13)

• Fix a crash when qualifying short hostnames when the system has no primary DNS domain.
• Fix a regression when an application imports "service@" as a GSS host-based name for its acceptor credential handle.
• Fix KDC enforcement of auth indicators when they are modified by the KDB module.
• Fix removal of require_auth string attributes when the LDAP KDB module is used.
• Fix a compile error when building with musl libc on Linux.
• Fix a compile error when building with gcc 4.x.
• Change the KDC constrained delegation precedence order for consistency with Windows KDCs.

Major changes in 1.18 (2020-02-12)

Administrator experience

• Remove support for single-DES encryption types.
• Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ".rcache2" by default.
• setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context().
• Add an "enforce_ok_as_delegate" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket.
• Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes.

Developer experience

• Implement krb5_cc_remove_cred() for all credential cache types.
• Add the krb5_pac_get_client_info() API to get the client account name from a PAC.

Protocol evolution

• Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.)
• Remove support for an old ("draft 9") variant of PKINIT.
• Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.)

User experience

• Add support for "dns_canonicalize_hostname=fallback", causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found.
• Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a "qualify_shortname" krb5.conf relation to override this suffix or disable expansion.
• Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios.

Code quality

• The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe.
• The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices.
• The test suite has been modified to work with macOS System Integrity Protection enabled.
• The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested.

Retrieving Kerberos 5 Release 1.18.5

You may retrieve the Kerberos 5 Release 1.18.5 source from here. If you need to acquire the sources from some other distribution site, you may verify them against the detached PGP signature for krb5-1.18.5.