Kerberos 5 Release 1.20.1
The MIT Kerberos Team announces the availability of the
krb5-1.20.1 release. The detached PGP
signature is available without going through the download
page, if you wish to verify the authenticity of a distribution
you have obtained elsewhere.
Please see the README file for a
more complete list of changes.
You may also see the current full
of fixed bugs tracked in our RT bugtracking system.
Beginning with release 1.20, the KDC will include minimal PACs
in tickets instead of AD-SIGNEDPATH authdata. S4U requests
(protocol transition and constrained delegation) must now
contain valid PACs in the incoming tickets. If only some KDCs
in a realm have been upgraded across version 1.20, the upgraded
KDCs will reject S4U requests containing tickets from
non-upgraded KDCs and vice versa.
Beginning with the krb5-1.19 release, a warning will be issued
if initial credentials are acquired using the des3-cbc-sha1
encryption type. In future releases, this encryption type will
be disabled by default and eventually removed.
Beginning with the krb5-1.18 release, single-DES encryption
types have been removed.
Major changes in 1.20.1 (2022-11-15)
- Fix integer overflows in PAC parsing [CVE-2022-42898].
- Fix null deref in KDC when decoding invalid NDR.
- Fix memory leak in OTP kdcpreauth module.
- Fix PKCS11 module path search.
Major changes in 1.20 (2022-05-26)
- Administrator experience
- Added a "disable_pac" realm relation to suppress adding
PAC authdata to tickets, for realms which do not need to
support S4U requests.
- Most credential cache types will use atomic replacement
when a cache is reinitialized using kinit or refreshed
from the client keytab.
- kprop can now propagate databases with a dump size
larger than 4GB, if both the client and server are
- kprop can now work over NATs that change the destination
IP address, if the client is upgraded.
- Developer experience
- Updated the KDB interface. The sign_authdata() method
is replaced with the issue_pac() method, allowing KDB
modules to add logon info and other buffers to the PAC
issued by the KDC.
- Host-based initiator names are better supported in the
GSS krb5 mechanism.
- Protocol evolution
- Replaced AD-SIGNEDPATH authdata with minimal PACs.
- To avoid spurious replay errors, password change
requests will not be attempted over UDP until the attempt
over TCP fails.
- PKINIT will sign its CMS messages with SHA-256 instead
- Code quality
- Updated all code using OpenSSL to be compatible with
- Reorganized the libk5crypto build system to allow the
OpenSSL back-end to pull in material from the builtin
back-end depending on the OpenSSL version.
- Simplified the PRNG logic to always use the platform
- Converted the remaining Tcl tests to Python.
You may retrieve the Kerberos 5 Release 1.20.1 source from
If you need to acquire the sources from some other distribution
site, you may verify them against the detached
PGP signature for krb5-1.20.1.
$Id: krb5-1.20.1.html,v 1.1 2022/11/15 16:46:16 ghudson Exp $
[ home ]
[ contact ]