-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.16.2. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.16.2 ==================================== You may retrieve the Kerberos 5 Release 1.16.2 source from the following URL: https://kerberos.org/dist/ The homepage for the krb5-1.16.2 release is: http://web.mit.edu/kerberos/krb5-1.16/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: https://www.kerberos.org/ DES transition ============== The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which defaults to "false" beginning with krb5-1.8. Major changes in 1.16.2 (2018-11-01) ==================================== This is a bug fix release. * Fix bugs with concurrent use of MEMORY ccache handles. * Fix a KDC crash when falling back between multiple OTP tokens configured for a principal entry. * Fix memory bugs when gss_add_cred() is used to create a new credential, and fix a bug where it ignores the desired_name. * Fix the behavior of gss_inquire_cred_by_mech() when the credential does not contain an element of the requested mechanism. * Make cross-realm S4U2Self requests work on the client when no default_realm is configured. * Add a kerberos(7) man page containing documentation of the environment variables that affect Kerberos programs. Major changes in 1.16.1 (2018-05-03) ==================================== This is a bug fix release. * Fix flaws in LDAP DN checking, including a null dereference KDC crash which could be triggered by kadmin clients with administrative privileges [CVE-2018-5729, CVE-2018-5730]. * Fix a KDC PKINIT memory leak. * Fix a small KDC memory leak on transited or authdata errors when processing TGS requests. * Fix a regression in pkinit_cert_match matching of client certificates containing Microsoft UPN SANs. * Fix a null dereference when the KDC sends a large TGS reply. * Fix "kdestroy -A" with the KCM credential cache type. * Allow validation of Microsoft PACs containing enterprise names. * Fix the handling of capaths "." values. * Fix handling of repeated subsection specifications in profile files (such as when multiple included files specify relations in the same subsection). Major changes in 1.16 (2017-12-05) ================================== Administrator experience: * The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option. * The ktutil addent command supports the "-k 0" option to ignore the key version, and the "-s" option to use a non-default salt string. * kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode. * The "encrypted_challenge_indicator" realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication. * Localization support can be disabled at build time with the --disable-nls configure option. Developer experience: * The kdcpolicy pluggable interface allows modules control whether tickets are issued by the KDC. * The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request. * The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals. * KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request. * GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid(). * GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid(). * kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization. Protocol evolution: * The client library will continue to try pre-authentication mechanisms after most failure conditions. * The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts. * The client library will use a random nonce for TGS requests instead of the current system time. * For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported). * When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization. User experience: * Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106. * Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname. * Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times. * A German translation has been added. Code quality: * The build is warning-clean under clang with the configured warning options. * The automated test suite runs cleanly under AddressSanitizer. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJb29QpAAoJEAy6CFdfg3LfE5wQAJ3G6iia1TJIoj9i7p9+6Qv7 aAFLkg+MHlF6qS9jZhkm25uxYiI3nKfzggFjQca8nnQeBfar3hmtF7GcWjG4ZJB4 k9FMjL1gLIyDZQI94EAbCzp55tNz4njujDKObsU65dLuY6yze8ZmyzgHnHIyvwPb Bhyy8cjb9f39hFYtI/Rn3IAsTIRRHL0UmDXpynMvOobK9NXDu0b1lEcEgdTwaGro q/GLfcSXuaUNBAGL84fn8MT2NvyCmGCJTWzA2snsYo9gtIb/fdUDxH0wBIpE5uec RhLbpe0frMqQwjDXzgPL1t/8ExKk/dDp66Fadnv0lRCSqV8zrG3HD8PSXyIK420L U4f06LQEPUmj52OoMNdKim86I/4TIjsQvZmqv36JX/kJ87mpuKHqT2TnjZL7ylUe 9XQjVRM+3bY/5gwr4biXrIIfDtxVDakt5QxzvzorcD+iNx9iAf3wCWZIAOzqOOuO c9L71BMBG2g69HsTN6XTs6dYS0o6CHl4dY0I8BOs5KlBm9fB4ap3zQ13321gxTY4 YdOI3SJ5G9IlxwtnrFM7kAsqbp8M0XbYweptPotnfn2IhBq1H3VNZbhKQukOCCyL 68GgnSfLT6z0Re7IHwANgfKb0BwFhOmTKC9NI+jzoKNdPIy9OrMerNHrz7KPqRtg GqlXLOy2fwyCDycLkgYL =tGCQ -----END PGP SIGNATURE----- _______________________________________________ kerberos-announce mailing list kerberos-annou...@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos-announce ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos