Kerberos 5 Release 1.14.5
    
    
    The MIT Kerberos Team announces the availability of the
      krb5-1.14.5 release.  The detached PGP
      signature is available without going through the download
      page, if you wish to verify the authenticity of a distribution
      you have obtained elsewhere.
    
Please see the README file for a more complete list of changes.

You may also see the current full list of fixed bugs tracked in our RT bug tracking system.
    
DES transition
    The Data Encryption Standard (DES) is widely recognized as
      weak.  The krb5-1.7 release contains measures to encourage sites
      to migrate away from using single-DES cryptosystems.  Among
      these is the allow_weak_crypto configuration variable, which
      must be set to "true" before "weak" enctypes can be used and
      which defaults to "false" beginning with krb5-1.8.
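Before leaving allow_weak_crypto at its default of false, a site needs to know which principals still depend on single-DES keys. The kdb5_util tabdump command introduced in 1.14 (described in the release notes below) gives a tabular view of every key in the KDC database that is easy to audit. The following script is an added example written for this page, not MIT Kerberos code: it assumes the default tabdump output is tab-separated with a header row and that the keyinfo table's columns are name, keyindex, kvno, enctype, salttype and salt; the sample rows embedded in it are constructed, not taken from a real KDC.

```python
"""Inventory the keys in a KDC database from `kdb5_util tabdump keyinfo`
output and flag the enctypes the DES transition is about.

Added example for this page, not MIT Kerberos code.  Assumptions: the
default tabdump layout is tab-separated with a header row, and the keyinfo
table's columns are name, keyindex, kvno, enctype, salttype, salt.  The
sample rows below are constructed, not taken from a real KDC.
"""
import csv
import io
from collections import defaultdict

# Single-DES types are what allow_weak_crypto gates; triple-DES and RC4 are
# the types krb5-1.14 dropped from the default supported_enctypes.
WEAK_PREFIXES = ("des-",)
LEGACY_PREFIXES = ("des3-", "arcfour-hmac")

SAMPLE_TABDUMP = (  # constructed sample output, not real data
    "name\tkeyindex\tkvno\tenctype\tsalttype\tsalt\n"
    "alice@EXAMPLE.COM\t0\t3\taes256-cts-hmac-sha1-96\tnormal\t\n"
    "alice@EXAMPLE.COM\t1\t3\tdes-cbc-crc\tnormal\t\n"
    "host/legacy.example.com@EXAMPLE.COM\t0\t1\tdes-cbc-md5\tv4\t\n"
    "host/app.example.com@EXAMPLE.COM\t0\t7\taes128-cts-hmac-sha1-96\tnormal\t\n"
    "host/app.example.com@EXAMPLE.COM\t1\t7\tarcfour-hmac\tnormal\t\n"
)


def classify(enctype):
    """Return 'weak' (single DES), 'legacy' (3DES, RC4) or 'strong'."""
    name = enctype.lower()
    if name.startswith(WEAK_PREFIXES):
        return "weak"
    if name.startswith(LEGACY_PREFIXES):
        return "legacy"
    return "strong"


def parse_keyinfo(text):
    """Map each principal to its [(kvno, enctype, class), ...] list."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    keys = defaultdict(list)
    for row in reader:
        keys[row["name"]].append(
            (int(row["kvno"]), row["enctype"], classify(row["enctype"])))
    return dict(keys)


def audit(keys):
    """Split principals into two work lists.

    rekey: no AES key at all, so the principal relies on single DES (blocked
           once allow_weak_crypto is false) or on the 3DES/RC4 types that
           1.14 no longer generates by default; it must be rekeyed first.
    trim:  an AES key exists alongside weak/legacy ones, so the old keys can
           be retired (e.g. by re-setting the keys with AES enctypes only)
           without breaking clients that already negotiate AES.
    """
    rekey, trim = [], []
    for princ, entries in sorted(keys.items()):
        classes = {cls for _, _, cls in entries}
        if "strong" not in classes:
            rekey.append(princ)
        elif classes != {"strong"}:
            trim.append(princ)
    return rekey, trim


if __name__ == "__main__":
    need_rekey, can_trim = audit(parse_keyinfo(SAMPLE_TABDUMP))
    print("rekey before disabling weak crypto:", need_rekey)
    print("retire stale weak keys:", can_trim)
```

On a 1.14 or later KDC the real input comes from kdb5_util tabdump -o keys.tsv keyinfo (invocation as the editor understands the command; check its man page for the exact options), after which the file is passed to parse_keyinfo(). Principals in the rekey list are the ones that would start failing the moment weak crypto is disabled.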
    
Major changes in 1.14.5 (2017-03-02)
    This is a bug fix release.
    
      - Fix udp_preference_limit when the KDC location is configured
	with SRV records
      
- Fix the processing of PKINIT certificate matching rules
	which have two components and no explicit relation
      
- More reliably scrub secret data from memory when it is no
	longer needed
      
- Fix a bug which could cause KDC handling of OTP requests to
	fail until the KDC is restarted
      
- Fix PKINIT client with certain PKCS#11 middleware
      
- Improve documentation
    
Major changes in 1.14.4 (2016-09-13)
    This is a bug fix release.
    
      - Fix some rare btree data corruption bugs
      
- Fix numerous minor memory leaks
      
- Improve portability (Linux-ppc64el, FreeBSD)
      
- Improve some error messages
      
- Improve documentation
    
Major changes in 1.14.3 (2016-07-20)
    This is a bug fix release.
    
      - Improve some error messages
      
- Improve documentation
      
- Allow a principal with nonexistent policy to bypass the
	minimum password lifetime check, consistent with other aspects
	of nonexistent policies
      
- Fix a rare KDC denial of service vulnerability when
	anonymous client principals are restricted to obtaining TGTs
	only [CVE-2016-3120]
    
Major changes in 1.14.2 (2016-04-18)
    This is a bug fix release.
    
      - Fix a moderate-severity vulnerability in the LDAP KDC back
	end that could be exploited by a privileged kadmin user
	[CVE-2016-3119]
      
- Improve documentation
      
- Fix some interactions with GSSAPI interposer mechanisms
    
Major changes in 1.14.1 (2016-02-29)
    This is a bug fix release.
    
      - Fix some moderate-severity vulnerabilities [CVE-2015-8629,
	CVE-2015-8630, CVE-2015-8631] in kadmind.
      
- Improve behavior on hosts with long hostnames.
      
- Avoid spurious failures when doing normal kprop to heavily
	loaded slave KDCs.
    
Major changes in 1.14 (2015-11-20)
    
      - Administrator experience:
      
	  - Add a new kdb5_util tabdump command to provide
	    reporting-friendly tabular dump formats (tab-separated or
	    CSV) for the KDC database.  Unlike the normal dump format,
	    each output table has a fixed number of fields.  Some
	    tables include human-readable forms of data that are
	    opaque in ordinary dump files.  This format is also
	    suitable for importing into relational databases for
	    complex queries.
	  
- Add support to kadmin and kadmin.local for specifying a
	    single command line following any global options, where
	    the command arguments are split by the shell--for example,
	    "kadmin getprinc principalname".  Commands issued this way
	    do not prompt for confirmation or display warning
	    messages, and exit with non-zero status if the operation
	    fails.
	  
- Accept the same principal flag names in kadmin as we do
	    for the default_principal_flags kdc.conf variable, and
	    vice versa.  Also accept flag specifiers in the form that
	    kadmin prints, as well as hexadecimal numbers.
	  
- Remove the triple-DES and RC4 encryption types from the
	    default value of supported_enctypes, which determines the
	    default key and salt types for new password-derived keys.
	    By default, keys will only be created for AES128 and
	    AES256.  This mitigates some types of password guessing
	    attacks.  Existing keys are not changed; a principal
	    receives AES-only keys the next time its password is set.
	  
- Add support for directory names in the KRB5_CONFIG and
	    KRB5_KDC_PROFILE environment variables.
	  
- Add support for authentication indicators, which are
	    ticket annotations to indicate the strength of the initial
	    authentication.  Add support for the "require_auth" string
	    attribute, which can be set on server principal entries to
	    require an indicator when authenticating to the server.
	  
- Add support for key version numbers larger than 255 in
	    keytab files, and for version numbers up to 65535 in KDC
	    databases.
	  
- Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry
	    from the KDC during pre-authentication, corresponding to
	    the client's most preferred encryption type.
	  
- Add support for server name identification (SNI) when
	    proxying KDC requests over HTTPS.
	  
- Add support for the err_fmt profile parameter, which can
	    be used to generate custom-formatted error messages.
	
 
- Code quality:
      
	  - Fix memory aliasing issues in SPNEGO and IAKERB
	    mechanisms that could cause server
	    crashes. [CVE-2015-2695] [CVE-2015-2696] [CVE-2015-2698]
	  
	  - Fix a build_principal memory bug that could cause a KDC
	    crash. [CVE-2015-2697]
	
 
- Developer experience:
      
	  - Change gss_acquire_cred_with_password() to acquire
	    credentials into a private memory credential cache.
	    Applications can use gss_store_cred() to make the
	    resulting credentials visible to other processes.
	  
- Change gss_acquire_cred() and SPNEGO not to acquire
	    credentials for IAKERB or for non-standard variants of the
	    krb5 mechanism OID unless explicitly requested.  (SPNEGO
	    will still accept the Microsoft variant of the krb5
	    mechanism OID during negotiation.)
	  
- Change gss_accept_sec_context() not to accept tokens for
	    IAKERB or for non-standard variants of the krb5 mechanism
	    OID unless an acceptor credential is acquired for those
	    mechanisms.
	  
- Change gss_acquire_cred() to immediately resolve
	    credentials if the time_rec parameter is not NULL, so that
	    a correct expiration time can be returned.  Normally
	    credential resolution is delayed until the target name is
	    known.
	  
- Add krb5_prepend_error_message() and
	    krb5_wrap_error_message() APIs, which can be used by
	    plugin modules or applications to add prefixes to existing
	    detailed error messages.
	  
- Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs,
	    which implement the RFC 6113 PRF+ operation and key
	    derivation using PRF+.
	  
- Add support for pre-authentication mechanisms which use
	    multiple round trips, using the
	    KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error code.  Add
	    get_cookie() and set_cookie() callbacks to the kdcpreauth
	    interface; these callbacks can be used to save marshalled
	    state information in an encrypted cookie for the next
	    request.
	  
- Add a client_key() callback to the kdcpreauth interface
	    to retrieve the chosen client key, corresponding to the
	    ETYPE-INFO2 entry sent by the KDC.
	  
- Add an add_auth_indicator() callback to the kdcpreauth
	    interface, allowing pre-authentication modules to assert
	    authentication indicators.
	  
- Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred
	    option to suppress sending the confidentiality and
	    integrity flags in GSS initiator tokens unless they are
	    requested by the caller.  These flags control the
	    negotiated SASL security layer for the Microsoft
	    GSS-SPNEGO SASL mechanism.
	  
- Make the FILE credential cache implementation less prone
	    to corruption issues in multi-threaded programs,
	    especially on platforms with support for open file
	    description locks.
	
 
- Performance:
      
	  - On slave KDCs, poll the master KDC immediately after
	    processing a full resync, and do not require two full
	    resyncs after the master KDC's log file is reset.
	
 
- User experience:
      
	  - Make gss_accept_sec_context() accept tickets near their
	    expiration but within clock skew tolerances, rather than
	    rejecting them immediately after the server's view of the
	    ticket expiration time.
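The 1.14 note above about key version numbers larger than 255 in keytab files concerns the on-disk keytab format: each record carries an 8-bit kvno field and, after the key, an optional 32-bit kvno. The parser below is an added example written for this page, not MIT Kerberos code. The record layout it implements is the editor's understanding of keytab format version 0x0502: a two-byte version header, then records each introduced by a signed 32-bit length (negative marks a free slot), followed by a 16-bit component count, the realm and each component as 16-bit-length-prefixed strings, a 32-bit name type, a 32-bit timestamp, the 8-bit kvno, the key (16-bit enctype, 16-bit length, bytes) and, when four bytes remain in the record, a 32-bit kvno that overrides the 8-bit value when nonzero. The keytab it builds is constructed test data, and the enctype numbers used (18 for aes256-cts-hmac-sha1-96, 17 for aes128-cts-hmac-sha1-96, 23 for arcfour-hmac) are the standard assignments.

```python
"""Parse an MIT keytab, honouring the trailing 32-bit kvno that lets
krb5-1.14 store key version numbers above 255.

Added example for this page, not MIT Kerberos code.  The record layout is
as the editor understands format version 0x0502 (see the lead-in); the
keytab built below is constructed test data, not a real file.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"


def _counted(data):
    """16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(rec, off):
    (n,) = struct.unpack_from(">H", rec, off)
    off += 2
    return rec[off:off + n].decode(), off + n


def build_entry(principal, kvno, enctype, key, timestamp=1488412800, name_type=1):
    """Serialize one record: low byte of the kvno in the 8-bit field, the
    full value in the trailing 32-bit field."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def free_entry(record):
    """Mark a serialized record as a free slot (negated length), which is
    how a deleted entry stays on disk; readers must skip it."""
    (size,) = struct.unpack_from(">i", record, 0)
    return struct.pack(">i", -size) + record[4:]


def build_keytab(entries):
    return KEYTAB_MAGIC + b"".join(entries)


def parse_keytab(blob):
    """Return a list of live records with the effective (32-bit) kvno."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:
            pos += -size  # free slot: skip its body
            continue
        rec, pos = blob[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _read_counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(rec, off)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", rec, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", rec, off)
        off += 4
        key, off = rec[off:off + klen], off + klen
        kvno = vno8  # the 8-bit field alone cannot exceed 255
        if len(rec) - off >= 4:
            (vno32,) = struct.unpack_from(">I", rec, off)
            if vno32:
                kvno = vno32  # 32-bit field present and nonzero: use it
        out.append({"principal": "/".join(comps) + "@" + realm,
                    "name_type": name_type, "timestamp": timestamp,
                    "kvno": kvno, "kvno8": vno8, "enctype": enctype, "key": key})
    return out


if __name__ == "__main__":
    kt = build_keytab([build_entry("host/kdc.example.com@EXAMPLE.COM", 300, 18, b"\x11" * 32)])
    for e in parse_keytab(kt):
        print(e["principal"], "kvno", e["kvno"], "(8-bit field:", e["kvno8"], ") enctype", e["enctype"])
```

The point to take from the kvno8 field in the output is that a kvno of 300 is stored as 44 in the 8-bit slot; only a reader that consults the trailing 32-bit field reports the value the KDC actually uses, which is why a mismatch between a keytab and the KDC database should be checked with klist -k -e on a 1.14 or later client rather than by inspecting the 8-bit field.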
	    
 
You may retrieve the Kerberos 5 Release 1.14.5 source from
      here.
      If you need to acquire the sources from some other distribution
      site, you may verify them against the detached
      PGP signature for krb5-1.14.5.
    
    $Id: krb5-1.14.5.html,v 1.2 2017/12/01 17:35:38 ghudson Exp $