• krb5-1.17.2 is released

    From Greg Hudson@21:1/5 to All on Tue Nov 17 20:03:15 2020
    Hash: SHA512

    The MIT Kerberos Team announces the availability of MIT Kerberos 5
    Release 1.17.2. Please see below for a list of some major changes
    included, or consult the README file in the source tree for a more
    detailed list of significant changes.


    You may retrieve the Kerberos 5 Release 1.17.2 source from the
    following URL:


    (The distribution URL has changed from previous releases. The same
    contents are available at the old URL.)

    The homepage for the krb5-1.17.2 release is:


    Further information about Kerberos 5 may be found at the following


    and at the MIT Kerberos Consortium web site:


    Feedback based on experiences with the SPAKE pre-authentication
    mechanism and the LMDB-based KDB module would be greatly appreciated,
    as it will help us decide when these features are ready to become
    defaults in a future release. Please send feedback to
    kerberos at mit.edu.

    DES transition

    The Data Encryption Standard (DES) is widely recognized as weak. The
    krb5-1.7 release contains measures to encourage sites to migrate away
    from using single-DES cryptosystems. Among these is a configuration
    variable that enables "weak" enctypes, which defaults to "false"
    beginning with krb5-1.8.

    Major changes in 1.17.2 (2020-11-17)

    This is a bug fix release.

    * Fix a denial of service vulnerability when decoding Kerberos
    protocol messages.

    * Fix a locking issue with the LMDB KDB module which could cause KDC
    and kadmind processes to lose access to the database.

    * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
    and unloaded while libkrb5support remains loaded.

    * Fix a null deference when processing a CAMMAC with an invalid
    service verifier.

    Major changes in 1.17.1 (2019-12-11)

    This is a bug fix release.

    * Fix a bug preventing "addprinc -randkey -kvno" from working in

    * Fix a bug preventing time skew correction from working when a KCM
    credential cache is used.

    Major changes in 1.17 (2019-01-08)

    Administrator experience:

    * A new Kerberos database module using the Lightning Memory-Mapped
    Database library (LMDB) has been added. The LMDB KDB module should
    be more performant and more robust than the DB2 module, and may
    become the default module for new databases in a future release.

    * "kdb5_util dump" will no longer dump policy entries when specific
    principal names are requested.

    Developer experience:

    * The new krb5_get_etype_info() API can be used to retrieve enctype,
    salt, and string-to-key parameters from the KDC for a client

    * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
    principal names to be used with GSS-API functions.

    * KDC and kadmind modules which call com_err() will now write to the
    log file in a format more consistent with other log messages.

    * Programs which use large numbers of memory credential caches should
    perform better.

    Protocol evolution:

    * The SPAKE pre-authentication mechanism is now supported. This
    mechanism protects against password dictionary attacks without
    requiring any additional infrastructure such as certificates. SPAKE
    is enabled by default on clients, but must be manually enabled on
    the KDC for this release.

    * PKINIT freshness tokens are now supported. Freshness tokens can
    protect against scenarios where an attacker uses temporary access to
    a smart card to generate authentication requests for the future.

    * Password change operations now prefer TCP over UDP, to avoid
    spurious error messages about replays when a response packet is

    * The KDC now supports cross-realm S4U2Self requests when used with a
    third-party KDB module such as Samba's. The client code for
    cross-realm S4U2Self requests is also now more robust.

    User experience:

    * The new ktutil addent -f flag can be used to fetch salt information
    from the KDC for password-based keys.

    * The new kdestroy -p option can be used to destroy a credential cache
    within a collection by client principal name.

    * The Kerberos man page has been restored, and documents the
    environment variables that affect programs using the Kerberos

    Code quality:

    * Python test scripts now use Python 3.

    * Python test scripts now display markers in verbose output, making it
    easier to find where a failure occurred within the scripts.

    * The Windows build system has been simplified and updated to work
    with more recent versions of Visual Studio. A large volume of
    unused Windows-specific code has been removed. Visual Studio 2013
    or later is now required.

    iQIzBAEBCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAl+0cm8ACgkQDLoIV1+D ct+rgw/+POGd1wMUgNLZBPSNJCPVkauz1/TegbURaXZ84f21SuvkhWEUmia8yNsG 2yKptsQILO9aBZ1BTAFGljYREgpy/FlPpdA9YnbhsLG8KCrDz7jywPTtPkCNGiOH 1Ffx0wXP/uc4o74Kt7gmPB005+y8HDij4IMGzJhF91qf8nrmcymqjI6MAbx6Fscu EZXzL6FkF9+xaYhfrdGx1H1RWZTD9dei1RGNpsHyxCONHPvCOE4Qq/LmXTynTGO6 xviKKnl8podP+bjy/+ykW8mKTTtxrWsHr4QHVEWsu1CRF0zpE9KEtHgiXnRg77Eh YXeEuJ9xDalBpHfXgWnN4xtGQBR6r3XquoW+1OKZOOTM16/ZpTdb2/TERfGFmwVk s7yN48ZhPLemFiDMFXJi9tTf0OHNR/Z86LrudzUDTcTRqC2epFdaQJyYDtSyj88N /V3MhedEUP2n5p02HApUIECgkVqK+pZ2+9HOvACWfi//1zBuLjA4dg3IeLYLWP27 3ZoGqsL3mqCBiMNsS7TP8og8m+GhDKBW9bjIw2/GzD9vqesHVSj/fwM8MjSoRPdx laL/djR24isevEvNegwcQfelDlQiuVg3bPMG3dNG9Ga+NYpvLC7OQskP3YW5HcPT Pa63BXdnzHO9owUUVED3nifL2po9vK5YTGXsoiC0/ELlCvcahnM=
    -----END PGP SIGNATURE-----
    kerberos-announce mailing list
    kerberos-announce@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos-announce

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)