-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.15.5. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.15.5
====================================
You may retrieve the Kerberos 5 Release 1.15.5 source from the
following URL:
https://kerberos.org/dist/
The homepage for the krb5-1.15.5 release is:
http://web.mit.edu/kerberos/krb5-1.15/
Further information about Kerberos 5 may be found at the following
URL:
http://web.mit.edu/kerberos/
and at the MIT Kerberos Consortium web site:
https://www.kerberos.org/
DES transition
==============
The Data Encryption Standard (DES) is widely recognized as weak. The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems. Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
Major changes in 1.15.5 (2019-01-07)
====================================
This is a bug fix release.
* Fix a regression in the MEMORY credential cache type which could
cause client programs to crash.
* MEMORY credential caches will not be listed in the global
collection, with the exception of the default credential cache if it
is of type MEMORY.
* Remove an incorrect assertion in the KDC which could be used to
cause a crash [CVE-2018-20217].
Major changes in 1.15.4 (2018-11-01)
====================================
This is a bug fix release.
* Fix bugs with concurrent use of MEMORY ccache handles.
* Fix a KDC crash when falling back between multiple OTP tokens
configured for a principal entry.
* Fix memory bugs when gss_add_cred() is used to create a new
credential, and fix a bug where it ignores the desired_name.
* Fix the behavior of gss_inquire_cred_by_mech() when the credential
does not contain an element of the requested mechanism.
* Make cross-realm S4U2Self requests work on the client when no
default_realm is configured.
Major changes in 1.15.3 (2018-05-03)
====================================
This is a bug fix release.
* Fix flaws in LDAP DN checking, including a null dereference KDC
crash which could be triggered by kadmin clients with administrative
privileges [CVE-2018-5729, CVE-2018-5730].
* Fix a KDC PKINIT memory leak.
* Fix a small KDC memory leak on transited or authdata errors when
processing TGS requests.
* Fix a null dereference when the KDC sends a large TGS reply.
* Fix "kdestroy -A" with the KCM credential cache type.
* Fix the handling of capaths "." values.
* Fix handling of repeated subsection specifications in profile files
(such as when multiple included files specify relations in the same
subsection).
Major changes in 1.15.2 (2017-09-25)
====================================
This is a bug fix release.
* Fix a KDC denial of service vulnerability caused by unset status
strings [CVE-2017-11368]
* Preserve GSS contexts on init/accept failure [CVE-2017-11462]
* Fix kadm5 setkey operation with LDAP KDB module
* Use a ten-second timeout after successful connection for HTTPS KDC
requests, as we do for TCP requests
* Fix client null dereference when KDC offers encrypted challenge
without FAST
* Ignore dotfiles when processing profile includedir directive
* Improve documentation
Major changes in 1.15.1 (2017-03-01)
====================================
This is a bug fix release.
* Allow KDB modules to determine how the e_data field of principal
fields is freed
* Fix udp_preference_limit when the KDC location is configured with
SRV records
* Fix KDC and kadmind startup on some IPv4-only systems
* Fix the processing of PKINIT certificate matching rules which have
two components and no explicit relation
* Improve documentation
Major changes in 1.15 (2016-12-01)
==================================
Administrator experience:
* Improve support for multihomed Kerberos servers by adding options
for specifying restricted listening addresses for the KDC and
kadmind.
* Add support to kadmin for remote extraction of current keys without
changing them (requires a special kadmin permission that is excluded
from the wildcard permission), with the exception of highly
protected keys.
* Add a lockdown_keys principal attribute to prevent retrieval of the
principal's keys (old or new) via the kadmin protocol. In newly
created databases, this attribute is set on the krbtgt and kadmin
principals.
* Restore recursive dump capability for DB2 back end, so sites can
more easily recover from database corruption resulting from power
failure events.
* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
in addition to SRV records. URI records can convey TCP and UDP
servers and master KDC status in a single DNS lookup, and can also
point to HTTPS proxy servers.
* Add support for password history to the LDAP back end.
* Add support for principal renaming to the LDAP back end.
* Use the getrandom system call on supported Linux kernels to avoid
blocking problems when getting entropy from the operating system.
* In the PKINIT client, use the correct DigestInfo encoding for PKCS
#1 signatures, so that some especially strict smart cards will work.
Code quality:
* Clean up numerous compilation warnings.
* Remove various infrequently built modules, including some preauth
modules that were not built by default.
Developer experience:
* Add support for building with OpenSSL 1.1.
* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
authenticators in the replay cache. This helps sites that must
build with FIPS 140 conformant libraries that lack MD5.
* Eliminate util/reconf and allow the use of autoreconf alone to
regenerate the configure script.
Protocol evolution:
* Add support for the AES-SHA2 enctypes, which allows sites to conform
to Suite B crypto requirements.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJcM9gjAAoJEAy6CFdfg3LfTB4QAKdSJAFYPB/h4/7Hk2rAliEQ
sykLG79ZOOffxn6SY5TrrKRCt3lcLxHNESJxLjLpZ6178oPQ+rRBUCDx7K+4ZihP
9NKt+7/+hT+AHlJ7TDWazEQKpjBwGA96iDcyC9H5aHRisxRMeW1+lyO8Hq04ydOI
VMmDhLzfmbjD8kEHRUjLS5kCp1wU91+8BWXe0Tsx35XtfumoG4EQ4CUconos4ZYp
2UTqP5fLzSEyBHWGhtCRUcqNJq3LwKEC7yu35OaZ7wUoIVOzN0RJB8JbK6ENQUUA
l2bDWKXrGeEjPEyjT8TtqAD3w6vzvf2S/EToP3GoWzEIQdaS2tIlYxFCDxLDz3nA
7bC2zAq94pCMrl7CoVHsyxn9e8+L0vfmqrQ5EEvL+15keUu3QTXzzYbTUVB4lUv2
xDd4Q3oblXDYLEA6VpPxIqx7hacIW1MV3ej+g+ODkf16mG9YpCFCAhHWl93gCdg3
YcjINhibcmyFp1zM7hRwIc/fpDHqOJdFEfQQGzLROt0NJzkdLid6KDpZgDwMBoE8
099QlJ4NuwO6k9mbNRbF/Dz4sAQH0+xDN8UANjihNLG6wH9YOJcUmXJqgvpjlriq
Nz928GVJM469FDuhr6NaT0N7WL14pcFNFV51sPYUgv0i8vxhGIphVOB26wiPFSea
8mkGjs9reiTT7/SEkpey
=qUIw
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos-annou...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
