• krb5-1.18.3 is released

    From Greg Hudson@21:1/5 to All on Tue Nov 17 20:02:54 2020

    The MIT Kerberos Team announces the availability of MIT Kerberos 5
    Release 1.18.3. Please see below for a list of some major changes
    included, or consult the README file in the source tree for a more
    detailed list of significant changes.


    You may retrieve the Kerberos 5 Release 1.18.3 source from the
    following URL:


    The homepage for the krb5-1.18.3 release is:


    Further information about Kerberos 5 may be found at the following


    DES no longer supported

    Beginning with the krb5-1.18 release, single-DES encryption types are
    no longer supported.

    Major changes in 1.18.3 (2020-11-17)

    This is a bug fix release.

    * Fix a denial of service vulnerability when decoding Kerberos
    protocol messages.

    * Fix a locking issue with the LMDB KDB module which could cause KDC
    and kadmind processes to lose access to the database.

    * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
    and unloaded while libkrb5support remains loaded.

    Major changes in 1.18.2 (2020-05-21)

    This is a bug fix release.

    * Fix a SPNEGO regression where an acceptor using the default
    credential would improperly filter mechanisms, causing a negotiation

    * Fix a bug where the KDC would fail to issue tickets if the local
    krbtgt principal's first key has a single-DES enctype.

    * Add stub functions to allow old versions of OpenSSL libcrypto to
    link against libkrb5.

    * Fix a NegoEx bug where the client name and delegated credential
    might not be reported.

    Major changes in 1.18.1 (2020-04-13)

    This is a bug fix release.

    * Fix a crash when qualifying short hostnames when the system has no
    primary DNS domain.

    * Fix a regression when an application imports "service@" as a GSS
    host-based name for its acceptor credential handle.

    * Fix KDC enforcement of auth indicators when they are modified by the
    KDB module.

    * Fix removal of require_auth string attributes when the LDAP KDB
    module is used.

    * Fix a compile error when building with musl libc on Linux.

    * Fix a compile error when building with gcc 4.x.

    * Change the KDC constrained delegation precedence order for
    consistency with Windows KDCs.

    Major changes in 1.18 (2020-02-12)

    Administrator experience:

    * Remove support for single-DES encryption types.

    * Change the replay cache format to be more efficient and robust.
    Replay cache filenames using the new format end with ".rcache2" by

    * setuid programs will automatically ignore environment variables that
    normally affect krb5 API functions, even if the caller does not use

    * Add an "enforce_ok_as_delegate" krb5.conf relation to disable
    credential forwarding during GSSAPI authentication unless the KDC
    sets the ok-as-delegate bit in the service ticket.

    * Use the permitted_enctypes krb5.conf setting as the default value
    for default_tkt_enctypes and default_tgs_enctypes.

    Developer experience:

    * Implement krb5_cc_remove_cred() for all credential cache types.

    * Add the krb5_pac_get_client_info() API to get the client account
    name from a PAC.

    Protocol evolution:

    * Add KDC support for S4U2Self requests where the user is identified
    by X.509 certificate. (Requires support for certificate lookup from
    a third-party KDB module.)

    * Remove support for an old ("draft 9") variant of PKINIT.

    * Add support for Microsoft NegoEx. (Requires one or more third-party
    GSS modules implementing NegoEx mechanisms.)

    * Honor the transited-policy-checked ticket flag on application
    servers, eliminating the requirement to configure capaths on
    servers in some scenarios.

    User experience:

    * Add support for "dns_canonicalize_hostname=fallback", causing
    host-based principal names to be tried first without DNS
    canonicalization, and again with DNS canonicalization if the
    un-canonicalized server is not found.

    * Expand single-component hostnames in host-based principal names when
    DNS canonicalization is not used, adding the system's first DNS
    search path as a suffix. Add a "qualify_shortname" krb5.conf
    relation to override this suffix or disable expansion.

    Code quality:

    * The libkrb5 serialization code (used to export and import krb5 GSS
    security contexts) has been simplified and made type-safe.

    * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
    messages has been revised to conform to current coding practices.

    * The test suite has been modified to work with macOS System Integrity
    Protection enabled.

    * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
    support can always be tested.

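An added example, not part of the announcement above, of a krb5.conf [libdefaults] section that applies the 1.18 changes it lists: a pre-1.18 enctype list that still names single-DES is shown commented out next to a list that works with 1.18, followed by the new enforce_ok_as_delegate, dns_canonicalize_hostname=fallback and qualify_shortname relations. The realm EXAMPLE.COM and the suffix corp.example.com are placeholders.

```ini
# Added example krb5.conf fragment (not from the announcement).
# Placeholders: EXAMPLE.COM realm, corp.example.com search suffix.

[libdefaults]
    default_realm = EXAMPLE.COM

    # Pre-1.18 style list that still names single-DES enctypes. Beginning
    # with 1.18 single-DES is no longer supported, so do not rely on it:
    #   permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5
    #
    # 1.18 form: AES only. permitted_enctypes is now also the default for
    # default_tkt_enctypes and default_tgs_enctypes, so one list is enough
    # unless the ticket and TGS sets need to differ.
    permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

    # Forward credentials during GSSAPI authentication only when the KDC
    # set the ok-as-delegate bit in the service ticket.
    enforce_ok_as_delegate = true

    # Try host-based principal names without DNS canonicalization first,
    # and canonicalize only if the un-canonicalized server is not found.
    dns_canonicalize_hostname = fallback

    # Suffix added to single-component hostnames when DNS canonicalization
    # is not used, overriding the system's first DNS search path. Setting
    # an empty value disables the expansion.
    qualify_shortname = corp.example.com
```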