The MIT Kerberos Team announces the availability of the krb5-1.21 release. The detached PGP signature is available without going through the download page, if you wish to verify the authenticity of a distribution you have obtained elsewhere.
Please see the README file for a more complete list of changes.
You may also see the current full list of fixed bugs tracked in our RT bug-tracking system.
Beginning with release 1.20, the KDC will include minimal PACs in tickets instead of AD-SIGNEDPATH authdata. S4U requests (protocol transition and constrained delegation) must now contain valid PACs in the incoming tickets. Beginning with release 1.21, service ticket PACs will contain a new KDC checksum buffer, to mitigate a hash collision attack against the old KDC checksum. If only some KDCs in a realm have been upgraded across versions 1.20 or 1.21, the upgraded KDCs will reject S4U requests containing tickets from non-upgraded KDCs and vice versa.
Beginning with the krb5-1.21 release, the KDC will not issue tickets with triple-DES or RC4 session keys unless explicitly configured using the new allow_des3 and allow_rc4 variables in [libdefaults]. To facilitate the negotiation of session keys, the KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes string attribute.
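As an added check that is not part of this announcement or of the krb5 project's own code, the script below reads the [libdefaults] section of a krb5.conf and reports whether allow_des3 or allow_rc4 has been switched on, so an administrator can confirm a 1.21 KDC is not still issuing weak session keys. The minimal parser, the constructed sample file and the list of accepted boolean spellings are assumptions of the example, not krb5 APIs.

```python
# krb5-1.21 [libdefaults] switches that re-enable weak session-key enctypes;
# both default to false when absent.
WEAK_KEY_SWITCHES = ("allow_des3", "allow_rc4")

# Truthy spellings accepted by the krb5 profile library (assumed, case-insensitive).
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}


def libdefaults_settings(conf_text: str) -> dict:
    """Return key -> value for top-level entries of the [libdefaults] section.

    Minimal krb5.conf reader: tracks the current section, skips comment
    lines, and ignores entries nested inside { } blocks such as [realms].
    """
    settings, section, depth = {}, None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        depth += line.count("{")
        if "}" in line:
            depth -= line.count("}")
            continue
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key.lower()] = value
    return settings


def weak_session_keys_enabled(conf_text: str) -> dict:
    """Map each weak-key switch to True if the config turns it on."""
    settings = libdefaults_settings(conf_text)
    return {k: settings.get(k, "false").lower() in TRUE_WORDS for k in WEAK_KEY_SWITCHES}


# Constructed sample configuration, not a real deployment.
SAMPLE_KDC_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # kept for a legacy service; the check flags it
    allow_rc4 = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

if __name__ == "__main__":
    for name, enabled in weak_session_keys_enabled(SAMPLE_KDC_CONF).items():
        print(f"{name}: {'ENABLED (weak session keys issued)' if enabled else 'off'}")
```

Run it against a real /etc/krb5.conf by passing the file's contents to weak_session_keys_enabled; any True result means the KDC will still hand out triple-DES or RC4 session keys.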
Beginning with the krb5-1.19 release, a warning will be issued if initial credentials are acquired using the des3-cbc-sha1 encryption type. Beginning with the krb5-1.21 release, a warning will also be issued for the arcfour-hmac encryption type. In future releases, these encryption types will be disabled by default and eventually removed.
Beginning with the krb5-1.18 release, all support for single-DES encryption types has been removed.
You may retrieve the Kerberos 5 Release 1.21 source from here. If you need to acquire the sources from some other distribution site, you may verify them against the detached PGP signature for krb5-1.21.