Skip to content

cydhaselton/krb-android

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

                   Kerberos Version 5, Release 1.14

                            Release Notes
                        The MIT Kerberos Team

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2016 by the Massachusetts Institute of Technology
and its contributors.  All rights reserved.

Please see the file named NOTICE for additional notices.

Documentation
-------------

Unified documentation for Kerberos V5 is available in both HTML and
PDF formats.  The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.

Additionally, you may find copies of the HTML format documentation
online at

    http://web.mit.edu/kerberos/krb5-latest/doc/

for the most recent supported release, or at

    http://web.mit.edu/kerberos/krb5-devel/doc/

for the release under development.

More information about Kerberos may be found at

    http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site

    http://kerberos.org/

Building and Installing Kerberos 5
----------------------------------

Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.

The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.

You may view bug reports by visiting

http://krbdev.mit.edu/rt/

and using the "Guest Login" button.  Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.

DES transition
--------------

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.


Major changes in 1.14.3 (2016-07-20)
------------------------------------

This is a bug fix release.

* Improve some error messages

* Improve documentation

* Allow a principal with nonexistent policy to bypass the minimum
  password lifetime check, consistent with other aspects of
  nonexistent policies

* Fix a rare KDC denial of service vulnerability when anonymous client
  principals are restricted to obtaining TGTs only [CVE-2016-3120]

krb5-1.14.3 changes by ticket ID
--------------------------------

8378    Improve error message "kadmind: No such file or directory
        while initializing, aborting"
8392    Add missing newline in kinit usage message
8395    Fetching master key list crashes if K/M has no key data
8413    Fix unlikely pointer error in get_in_tkt.c
8415    Uninitialized read in krb5_sname_match
8417    Fix typo in doc/user/tkt_mgmt.rst
8421    Avoid setting AS key when OTP preauth fails
8422    Relax t_sn2princ.py reverse resolution test
8427    kadmind minimum life check fails for nonexistent policies
8430    Fix incorrect recv() size calculation in libkrad
8431    profile_flush_to_file() can corrupt shared tree state
8448    Confusing error text for unset default_realm
8452    Update LDAP docs for password lockout
8455    k5_expand_path_tokens_extra() always returns 0 even if
        expand_token() fails
8457    Fix error code on clpreauth module failure
8458    Fix S4U2Self KDC crash when anon is restricted [CVE-2016-3120]


Major changes in 1.14.2 (2016-04-18)
------------------------------------

This is a bug fix release.

* Fix a moderate-severity vulnerability in the LDAP KDC back end that
  could be exploited by a privileged kadmin user [CVE-2016-3119]

* Improve documentation

* Fix some interactions with GSSAPI interposer mechanisms

krb5-1.14.2 changes by ticket ID
--------------------------------

8330    Enable interposing gss_inquire_attrs_for_mech()
8358    Report inquire_attrs_for_mech mech failures
8359    Enable interposing gss_inquire_saslname_for_mech
8360    Use public OID for interposing several functions
8362    memleak in decrypt_2ndtkt()
8363    s4u protocol transition tests revealing memleaks in krb5kdc
8373    SPNEGO gss_init_sec_context() can fail or prematurely resolve creds
8383    Fix LDAP null deref on empty arg [CVE-2016-3119]
8385    Fix keytab file format description
8387    Add documentation for krb5_error_code
8390    Default to LSA when TGT in LSA is inaccessible


Major changes in 1.14.1 (2016-02-29)
------------------------------------

* Fix some moderate-severity vulnerabilities [CVE-2015-8629,
  CVE-2015-8630, CVE-2015-8631] in kadmind.

* Improve behavior on hosts with long hostnames.

* Avoid spurious failures when doing normal kprop to heavily loaded
  slave KDCs.

krb5-1.14.1 changes by ticket ID
--------------------------------

8276    Fix mechglue gss_acquire_cred_impersonate_name
8281    Fix memory leak in SPNEGO gss_init_sec_context()
8300    Fix k5crypto NSS iov processing bug
8301    Correctly use k5_wrapmsg() in ldap_principal2.c
8326    hostrealm code won't compile in debug mode using Solaris
        Studio C
8327    Set TL_DATA mask flag for master key operations
8334    Check context handle in gss_export_sec_context()
8335    Work around uninitialized warning in cc_kcm.c
8336    MAXHOSTNAMELEN is too short for some FQDNs
8337    Check internal context on init context errors
8338    Fix interposed gss_accept_sec_context()
8339    Add .travis.yml
8340    ksu broken with 2FA principals again
8341    Verify decoded kadmin C strings [CVE-2015-8629]
8342    Check for null kadm5 policy name [CVE-2015-8630]
8343    Fix leaks in kadmin server stubs [CVE-2015-8631]
8346    Fix EOF check in kadm5.acl line processing
8347    Fix iprop server stub error management
8367    Use blocking lock when creating db2 KDB


Major changes in 1.14 (2015-11-20)
----------------------------------

Administrator experience:

* Add a new kdb5_util tabdump command to provide reporting-friendly
  tabular dump formats (tab-separated or CSV) for the KDC database.
  Unlike the normal dump format, each output table has a fixed number
  of fields.  Some tables include human-readable forms of data that
  are opaque in ordinary dump files.  This format is also suitable for
  importing into relational databases for complex queries.

* Add support to kadmin and kadmin.local for specifying a single
  command line following any global options, where the command
  arguments are split by the shell--for example, "kadmin getprinc
  principalname".  Commands issued this way do not prompt for
  confirmation or display warning messages, and exit with non-zero
  status if the operation fails.

* Accept the same principal flag names in kadmin as we do for the
  default_principal_flags kdc.conf variable, and vice versa.  Also
  accept flag specifiers in the form that kadmin prints, as well as
  hexadecimal numbers.

* Remove the triple-DES and RC4 encryption types from the default
  value of supported_enctypes, which determines the default key and
  salt types for new password-derived keys.  By default, keys will
  only created only for AES128 and AES256.  This mitigates some types
  of password guessing attacks.

* Add support for directory names in the KRB5_CONFIG and
  KRB5_KDC_PROFILE environment variables.

* Add support for authentication indicators, which are ticket
  annotations to indicate the strength of the initial authentication.
  Add support for the "require_auth" string attribute, which can be
  set on server principal entries to require an indicator when
  authenticating to the server.

* Add support for key version numbers larger than 255 in keytab files,
  and for version numbers up to 65535 in KDC databases.

* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
  during pre-authentication, corresponding to the client's most
  preferred encryption type.

* Add support for server name identification (SNI) when proxying KDC
  requests over HTTPS.

* Add support for the err_fmt profile parameter, which can be used to
  generate custom-formatted error messages.

Code quality:

* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
  could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
  [CVE-2015-2698]

* Fix build_principal memory bug that could cause a KDC
  crash. [CVE-2015-2697]

Developer experience:

* Change gss_acquire_cred_with_password() to acquire credentials into
  a private memory credential cache.  Applications can use
  gss_store_cred() to make the resulting credentials visible to other
  processes.

* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
  IAKERB or for non-standard variants of the krb5 mechanism OID unless
  explicitly requested.  (SPNEGO will still accept the Microsoft
  variant of the krb5 mechanism OID during negotiation.)

* Change gss_accept_sec_context() not to accept tokens for IAKERB or
  for non-standard variants of the krb5 mechanism OID unless an
  acceptor credential is acquired for those mechanisms.

* Change gss_acquire_cred() to immediately resolve credentials if the
  time_rec parameter is not NULL, so that a correct expiration time
  can be returned.  Normally credential resolution is delayed until
  the target name is known.

* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
  which can be used by plugin modules or applications to add prefixes
  to existing detailed error messages.

* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
  implement the RFC 6113 PRF+ operation and key derivation using PRF+.

* Add support for pre-authentication mechanisms which use multiple
  round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
  code.  Add get_cookie() and set_cookie() callbacks to the kdcpreauth
  interface; these callbacks can be used to save marshalled state
  information in an encrypted cookie for the next request.

* Add a client_key() callback to the kdcpreauth interface to retrieve
  the chosen client key, corresponding to the ETYPE-INFO2 entry sent
  by the KDC.

* Add an add_auth_indicator() callback to the kdcpreauth interface,
  allowing pre-authentication modules to assert authentication
  indicators.

* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
  suppress sending the confidentiality and integrity flags in GSS
  initiator tokens unless they are requested by the caller.  These
  flags control the negotiated SASL security layer for the Microsoft
  GSS-SPNEGO SASL mechanism.

* Make the FILE credential cache implementation less prone to
  corruption issues in multi-threaded programs, especially on
  platforms with support for open file description locks.

Performance:

* On slave KDCs, poll the master KDC immediately after processing a
  full resync, and do not require two full resyncs after the master
  KDC's log file is reset.

User experience:

* Make gss_accept_sec_context() accept tickets near their expiration
  but within clock skew tolerances, rather than rejecting them
  immediately after the server's view of the ticket expiration time.


krb5-1.14 changes by ticket ID
------------------------------

6938    krb5 and ldap signed traffic
7532    Improve support for large kvnos
7790    Make cross-realm S4U2Self work
7804    Can't write to file ccache with OPENCLOSE unset
7903    Remove des3 and arcfour from supported_enctypes
7991    kadmin should have a script-friendly mode
8002    Fix KCM ccache per-type cursor
8021    SPNEGO clients should not try IAKERB by default
8022    klist -s only looks for TGTs
8023    Use OFD locks where available
8025    krb5 gss_inquire_context doesn't work with partially established context
8026    Use stdio reads, O_APPEND writes in FILE ccache
8027    Client RPC timeout during kadmin listprincs command
8030    Add support for directories in profile paths
8046    Add new error message wrapping APIs
8047    Add err_fmt profile parameter
8048    Remove ksu -D flag documentation
8052    Include file ccache name in error messages
8062    Fix const correctness on krb5_c_fx_cf2_simple()
8063    Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
8123    Check timestamp in PKINIT kdcpreauth module
8124    Use preauth timestamp in PKINIT clpreauth module
8139    SIGNTICKET creation and verification doesn't always use the right key
8152    gss_acquire_cred_with_password() ignores expired creds
8157    Authentication indicator support
8161    kpropd -t (runonce) doesn't work for full dumps
8163    python test issues
8164    Avoid unnecessary iprop full resyncs after resets
8171    kadm5_hook does not have rename method
8198    Support SNI in MS-KKDCP client
8199    Only include one key in etype-info
8200    Add client_keyblock kdcpreauth callback
8213    Policy extensions in 1.11 break iprop dump compatibility
8215    Unify KDB principal flag specifiers
8217    Limit use of deprecated krb5 mech OIDs
8219    Conditionalize iprop stderr output in kadmind
8221    Fail during configure if stdint.h missing
8224    Add KDC_ERR_PREAUTH_EXPIRED support
8225    Improve krb5_cccol_have_content() error messages
8227    Allow missing authenticator checksum with GSSAPI
8228    Add krb5_c_prfplus() and krb5_c_derive_prfplus()
8233    Add secure cookie support
8234    Add etype-info2 to MORE_PREAUTH_DATA_REQUIRED
8235    Resolve krb5 GSS creds if time_rec is requested
8236    Update SPNEGO hintName value to current spec
8242    Improve PKINIT OpenSSL error reporting
8243    Add tabular dump capability to kdb5_util
8244    SPNEGO and IAKERB context aliasing bugs [CVE-2015-2695][CVE-2015-2696]
8245    kerberos.ldif file has malformed entries
8246    Fix error mappings for IOV MIC mechglue funcs
8251    Fix kadmin with e2fsprogs libss
8252    Fix build_principal memory bug [CVE-2015-2697]
8253    Fix minor utf8-to-ucs2s read overrun bug
8254    use appropriate default for krb5_cv_sys_rcdir when cross-compiling
8255    Define error status GSS_S_BAD_MIC
8256    Fix typo in GSS_S_UNAUTHORIZED error message
8257    Fix gss_inquire_names_for_mech() on MS krb5 mech
8258    Correct GSS major code for non-default QOP values
8259    Check output params on GSS OID set functions
8260    Fix gss_store_cred() minor code on acceptor cred
8262    Set plugin_base_dir for kadmin tests
8264    kdb_check test target uses installed message catalog
8266    Installed krb5.conf files can affect test suite
8267    unsetenv() returns void
8268    krb5 gss_accept_sec_context() does not allow clock skew
8269    Accept new passwords as const char pointers
8271    Zap secure cookie contents when freeing
8273    Fix IAKERB context export/import [CVE-2015-2698]


Acknowledgements
----------------

Past Sponsors of the MIT Kerberos Consortium:

    Apple
    Carnegie Mellon University
    Centrify Corporation
    Columbia University
    Cornell University
    The Department of Defense of the United States of America (DoD)
    Fidelity Investments
    Google
    Iowa State University
    MIT
    Michigan State University
    Microsoft
    MITRE Corporation
    Morgan-Stanley
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    US Government Office of the National Coordinator for Health
        Information Technology (ONC)
    Oracle
    Pennsylvania State University
    Red Hat
    Stanford University
    TeamF1, Inc.
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

    Danilo Almeida
    Jeffrey Altman
    Justin Anderson
    Richard Basch
    Mitch Berger
    Jay Berkenbilt
    Andrew Boardman
    Bill Bryant
    Steve Buckley
    Joe Calzaretta
    John Carr
    Mark Colan
    Don Davis
    Sarah Day
    Alexandra Ellwood
    Carlos Garay
    Dan Geer
    Nancy Gilman
    Matt Hancher
    Thomas Hardjono
    Sam Hartman
    Paul Hill
    Marc Horowitz
    Eva Jacobus
    Miroslav Jurisic
    Barry Jaspan
    Benjamin Kaduk
    Geoffrey King
    Kevin Koch
    John Kohl
    HaoQi Li
    Jonathan Lin
    Peter Litwack
    Scott McGuire
    Steve Miller
    Kevin Mitchell
    Cliff Neuman
    Paul Park
    Ezra Peisach
    Chris Provenzano
    Ken Raeburn
    Jon Rochlis
    Jeff Schiller
    Jen Selby
    Robert Silk
    Bill Sommerfeld
    Jennifer Steiner
    Ralph Swick
    Brad Thompson
    Harry Tsai
    Zhanna Tsitkova
    Ted Ts'o
    Marshall Vale
    Tom Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Ian Abbott
    Brandon Allbery
    Russell Allbery
    Brian Almeida
    Michael B Allen
    Heinz-Ado Arnolds
    Derek Atkins
    Mark Bannister
    David Bantz
    Alex Baule
    David Benjamin
    Thomas Bernard
    Adam Bernstein
    Arlene Berry
    Jeff Blaine
    Radoslav Bodo
    Sumit Bose
    Emmanuel Bouillon
    Philip Brown
    Michael Calmer
    Andrea Campi
    Julien Chaffraix
    Ravi Channavajhala
    Srinivas Cheruku
    Leonardo Chiquitto
    Howard Chu
    Andrea Cirulli
    Christopher D. Clausen
    Kevin Coffman
    Simon Cooper
    Sylvain Cortes
    Ian Crowther
    Arran Cudbard-Bell
    Jeff D'Angelo
    Nalin Dahyabhai
    Mark Davies
    Dennis Davis
    Alex Dehnert
    Mark Deneen
    Günther Deschner
    John Devitofranceschi
    Roland Dowdeswell
    Viktor Dukhovni
    Jason Edgecombe
    Mark Eichin
    Shawn M. Emery
    Douglas E. Engert
    Peter Eriksson
    Juha Erkkilä
    Gilles Espinasse
    Ronni Feldt
    Bill Fellows
    JC Ferguson
    Remi Ferrand
    Paul Fertser
    William Fiveash
    Ákos Frohner
    Sebastian Galiano
    Marcus Granado
    Scott Grizzard
    Helmut Grohne
    Steve Grubb
    Philip Guenther
    Dominic Hargreaves
    Robbie Harwood
    Jakob Haufe
    Matthieu Hautreux
    Paul B. Henson
    Jeff Hodges
    Christopher Hogan
    Love Hörnquist Åstrand
    Ken Hornstein
    Henry B. Hotz
    Luke Howard
    Jakub Hrozek
    Shumon Huque
    Jeffrey Hutzelman
    Wyllys Ingersoll
    Holger Isenberg
    Spencer Jackson
    Diogenes S. Jesus
    Pavel Jindra
    Joel Johnson
    Anders Kaseorg
    W. Trevor King
    Patrik Kis
    Mikkel Kruse
    Reinhard Kugler
    Tomas Kuthan
    Pierre Labastie
    Volker Lendecke
    Jan iankko Lieskovsky
    Oliver Loch
    Kevin Longfellow
    Jon Looney
    Nuno Lopes
    Ryan Lynch
    Roland Mainz
    Andrei Maslennikov
    Michael Mattioli
    Nathaniel McCallum
    Greg McClement
    Cameron Meadors
    Alexey Melnikov
    Franklyn Mendez
    Markus Moeller
    Kyle Moffett
    Paul Moore
    Keiichi Mori
    Michael Morony
    Zbysek Mraz
    Edward Murrell
    Nikos Nikoleris
    Felipe Ortega
    Michael Osipov
    Andrej Ota
    Dmitri Pal
    Javier Palacios
    Tom Parker
    Ezra Peisach
    Zoran Pericic
    W. Michael Petullo
    Mark Phalan
    Brett Randall
    Jonathan Reams
    Jonathan Reed
    Robert Relyea
    Martin Rex
    Jason Rogers
    Matt Rogers
    Nate Rosenblum
    Solly Ross
    Mike Roszkowski
    Guillaume Rousse
    Andreas Schneider
    Tom Shaw
    Jim Shi
    Peter Shoults
    Simo Sorce
    Michael Spang
    Michael Ströder
    Bjørn Tore Sund
    Joe Travaglini
    Tim Uglow
    Rathor Vipin
    Denis Vlasenko
    Jorgen Wahlsten
    Stef Walter
    Max (Weijun) Wang
    John Washington
    Stef Walter
    Xi Wang
    Kevin Wasserman
    Margaret Wasserman
    Marcus Watts
    Andreas Wiese
    Simon Wilkinson
    Nicolas Williams
    Ross Wilper
    Augustin Wolf
    David Woodhouse
    Tsu-Phong Wu
    Xu Qiang
    Neng Xue
    Nickolai Zeldovich
    Hanz van Zijst
    Gertjan Zwartjes

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the
doc/CHANGES file.

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published