author | Tom Yu <tlyu@mit.edu> | 2013-11-04 15:24:40 -0500 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2013-11-04 19:38:38 -0500 |
commit | 42f69d022e61dd267a57fadfc5c50cdfd57090ac (patch) | |
tree | aa1c457f18bf077f4d9ed8ed098ba4598336045e | |
parent | 828f970a9e398ce25c73050ac6320fcc50c04c33 (diff) | |
Updates for krb5-1.11.4 [krb5-1.11.4-final]
-rw-r--r-- | README | 45 | ||||
-rw-r--r-- | src/man/k5identity.man | 2 | ||||
-rw-r--r-- | src/man/k5login.man | 2 | ||||
-rw-r--r-- | src/man/k5srvutil.man | 2 | ||||
-rw-r--r-- | src/man/kadm5.acl.man | 2 | ||||
-rw-r--r-- | src/man/kadmin.man | 2 | ||||
-rw-r--r-- | src/man/kadmind.man | 2 | ||||
-rw-r--r-- | src/man/kdb5_ldap_util.man | 2 | ||||
-rw-r--r-- | src/man/kdb5_util.man | 6 | ||||
-rw-r--r-- | src/man/kdc.conf.man | 2 | ||||
-rw-r--r-- | src/man/kdestroy.man | 2 | ||||
-rw-r--r-- | src/man/kinit.man | 2 | ||||
-rw-r--r-- | src/man/klist.man | 2 | ||||
-rw-r--r-- | src/man/kpasswd.man | 2 | ||||
-rw-r--r-- | src/man/kprop.man | 2 | ||||
-rw-r--r-- | src/man/kpropd.man | 29 | ||||
-rw-r--r-- | src/man/kproplog.man | 2 | ||||
-rw-r--r-- | src/man/krb5-config.man | 2 | ||||
-rw-r--r-- | src/man/krb5.conf.man | 2 | ||||
-rw-r--r-- | src/man/krb5kdc.man | 2 | ||||
-rw-r--r-- | src/man/ksu.man | 2 | ||||
-rw-r--r-- | src/man/kswitch.man | 2 | ||||
-rw-r--r-- | src/man/ktutil.man | 2 | ||||
-rw-r--r-- | src/man/kvno.man | 2 | ||||
-rw-r--r-- | src/man/sclient.man | 2 | ||||
-rw-r--r-- | src/man/sserver.man | 2 | ||||
-rw-r--r-- | src/patchlevel.h | 6 |
27 files changed, 87 insertions, 45 deletions
@@ -77,6 +77,42 @@ from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which defaults to "false" beginning with krb5-1.8. +Major changes in 1.11.4 (2013-11-04) +------------------------------------ + +* Fix a KDC null pointer dereference [CVE-2013-1417] that could affect + realms with an uncommon configuration. + +* Fix a KDC null pointer dereference [CVE-2013-1418] that could affect + KDCs that serve multiple realms. + +* Fix a number of bugs related to KDC master key rollover. + +krb5-1.11.4 changes by ticket ID +-------------------------------- + +7508 Indefinite FD polling +7650 Issue following client referral from AD +7664 Build with Visual Studio 2012 +7668 KDC null deref due to referrals [CVE-2013-1417] +7670 Add test case for CVE-2013-1417 +7671 Install ccselect_plugin.h +7702 krb5-1.11.3 FTBFS on NetBSD +7723 Fix GSSAPI krb5 cred ccache import +7724 Change KRB5KDC_ERR_NO_ACCEPTABLE_KDF to 100 +7726 Use protocol error for PKINIT cert expiry +7727 Discuss cert expiry, no-key princs in PKINIT docs +7734 Fix typos in kdb5_util master key command outputs +7735 Use active master key in update_princ_encryption +7737 Correctly activate master keys in pre-1.7 KDBs +7742 Reset key-generation parameters for each enctype +7746 Fix decoding of mkey kvno in mkey_aux tl-data +7747 Improve LDAP KDB initialization error messages +7748 Document master key rollover +7752 Clarify kpropd standalone mode documentation +7756 Multi-realm KDC null deref [CVE-2013-1418] +7758 Fix reference for trace logging + Major changes in 1.11.3 (2013-06-03) ------------------------------------ @@ -556,6 +592,7 @@ reports, suggestions, and valuable resources: Mark Bannister David Bantz Alex Baule + David Benjamin Adam Bernstein Arlene Berry Jeff Blaine 
@@ -576,14 +613,18 @@ reports, suggestions, and valuable resources: Nalin Dahyabhai Mark Davies Dennis Davis + Alex Dehnert Mark Deneen + Günther Deschner Roland Dowdeswell + Viktor Dukhovni Jason Edgecombe Mark Eichin Shawn M. Emery Douglas E. Engert Peter Eriksson Juha Erkkilä + Gilles Espinasse Ronni Feldt Bill Fellows JC Ferguson @@ -596,6 +637,7 @@ reports, suggestions, and valuable resources: Steve Grubb Philip Guenther Dominic Hargreaves + Robbie Harwood Jakob Haufe Matthieu Hautreux Paul B. Henson @@ -619,6 +661,7 @@ reports, suggestions, and valuable resources: Jan iankko Lieskovsky Oliver Loch Kevin Longfellow + Nuno Lopes Ryan Lynch Nathaniel McCallum Greg McClement @@ -648,6 +691,7 @@ reports, suggestions, and valuable resources: Mike Roszkowski Guillaume Rousse Tom Shaw + Jim Shi Peter Shoults Simo Sorce Michael Spang @@ -668,6 +712,7 @@ reports, suggestions, and valuable resources: Simon Wilkinson Nicolas Williams Ross Wilper + Augustin Wolf Xu Qiang Nickolai Zeldovich Hanz van Zijst diff --git a/src/man/k5identity.man b/src/man/k5identity.man index b14fd09..04baa86 100644 --- a/src/man/k5identity.man +++ b/src/man/k5identity.man @@ -1,4 +1,4 @@ -.TH "K5IDENTITY" "5" " " "1.11.3" "MIT Kerberos" +.TH "K5IDENTITY" "5" " " "1.11.4" "MIT Kerberos" .SH NAME k5identity \- Kerberos V5 client principal selection rules . diff --git a/src/man/k5login.man b/src/man/k5login.man index f3c634a..5fd516c 100644 --- a/src/man/k5login.man +++ b/src/man/k5login.man @@ -1,4 +1,4 @@ -.TH "K5LOGIN" "5" " " "1.11.3" "MIT Kerberos" +.TH "K5LOGIN" "5" " " "1.11.4" "MIT Kerberos" .SH NAME k5login \- Kerberos V5 acl file for host access . diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man index 8845053..5e2c748 100644 --- a/src/man/k5srvutil.man +++ b/src/man/k5srvutil.man @@ -1,4 +1,4 @@ -.TH "K5SRVUTIL" "1" " " "1.11.3" "MIT Kerberos" +.TH "K5SRVUTIL" "1" " " "1.11.4" "MIT Kerberos" .SH NAME k5srvutil \- host key table (keytab) manipulation utility . 
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man index 607653c..570cd96 100644 --- a/src/man/kadm5.acl.man +++ b/src/man/kadm5.acl.man @@ -1,4 +1,4 @@ -.TH "KADM5.ACL" "5" " " "1.11.3" "MIT Kerberos" +.TH "KADM5.ACL" "5" " " "1.11.4" "MIT Kerberos" .SH NAME kadm5.acl \- Kerberos ACL file . diff --git a/src/man/kadmin.man b/src/man/kadmin.man index df75fae..a3f29d4 100644 --- a/src/man/kadmin.man +++ b/src/man/kadmin.man @@ -1,4 +1,4 @@ -.TH "KADMIN" "1" " " "1.11.3" "MIT Kerberos" +.TH "KADMIN" "1" " " "1.11.4" "MIT Kerberos" .SH NAME kadmin \- Kerberos V5 database administration program . diff --git a/src/man/kadmind.man b/src/man/kadmind.man index e348fc0..a49acf8 100644 --- a/src/man/kadmind.man +++ b/src/man/kadmind.man @@ -1,4 +1,4 @@ -.TH "KADMIND" "8" " " "1.11.3" "MIT Kerberos" +.TH "KADMIND" "8" " " "1.11.4" "MIT Kerberos" .SH NAME kadmind \- KADM5 administration server . diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man index 6bb8697..aec70c7 100644 --- a/src/man/kdb5_ldap_util.man +++ b/src/man/kdb5_ldap_util.man @@ -1,4 +1,4 @@ -.TH "KDB5_LDAP_UTIL" "8" " " "1.11.3" "MIT Kerberos" +.TH "KDB5_LDAP_UTIL" "8" " " "1.11.4" "MIT Kerberos" .SH NAME kdb5_ldap_util \- Kerberos configuration utility . diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man index 8aa8241..f0063d6 100644 --- a/src/man/kdb5_util.man +++ b/src/man/kdb5_util.man @@ -1,4 +1,4 @@ -.TH "KDB5_UTIL" "8" " " "1.11.3" "MIT Kerberos" +.TH "KDB5_UTIL" "8" " " "1.11.4" "MIT Kerberos" .SH NAME kdb5_util \- Kerberos database maintenance utility . 
@@ -349,8 +349,8 @@ gives more verbose output. .sp Update all principal records (or only those matching the \fIprinc\-pattern\fP glob pattern) to re\-encrypt the key data using the -active database master key, if they are encrypted using older -versions, and give a count at the end of the number of principals +active database master key, if they are encrypted using a different +version, and give a count at the end of the number of principals updated. If the \fB\-f\fP option is not given, ask for confirmation before starting to make changes. The \fB\-v\fP option causes each principal processed to be listed, with an indication as to whether it diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man index d98198a..04e47f9 100644 --- a/src/man/kdc.conf.man +++ b/src/man/kdc.conf.man @@ -1,4 +1,4 @@ -.TH "KDC.CONF" "5" " " "1.11.3" "MIT Kerberos" +.TH "KDC.CONF" "5" " " "1.11.4" "MIT Kerberos" .SH NAME kdc.conf \- Kerberos V5 KDC configuration file . diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man index c647ec0..b4512f7 100644 --- a/src/man/kdestroy.man +++ b/src/man/kdestroy.man @@ -1,4 +1,4 @@ -.TH "KDESTROY" "1" " " "1.11.3" "MIT Kerberos" +.TH "KDESTROY" "1" " " "1.11.4" "MIT Kerberos" .SH NAME kdestroy \- destroy Kerberos tickets . diff --git a/src/man/kinit.man b/src/man/kinit.man index 6a8f32b..fc44aac 100644 --- a/src/man/kinit.man +++ b/src/man/kinit.man @@ -1,4 +1,4 @@ -.TH "KINIT" "1" " " "1.11.3" "MIT Kerberos" +.TH "KINIT" "1" " " "1.11.4" "MIT Kerberos" .SH NAME kinit \- obtain and cache Kerberos ticket-granting ticket . diff --git a/src/man/klist.man b/src/man/klist.man index 598c779..f581e67 100644 --- a/src/man/klist.man +++ b/src/man/klist.man @@ -1,4 +1,4 @@ -.TH "KLIST" "1" " " "1.11.3" "MIT Kerberos" +.TH "KLIST" "1" " " "1.11.4" "MIT Kerberos" .SH NAME klist \- list cached Kerberos tickets . diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man index c890562..82e2fd8 100644 --- a/src/man/kpasswd.man +++ b/src/man/kpasswd.man 
@@ -1,4 +1,4 @@ -.TH "KPASSWD" "1" " " "1.11.3" "MIT Kerberos" +.TH "KPASSWD" "1" " " "1.11.4" "MIT Kerberos" .SH NAME kpasswd \- change a user's Kerberos password . diff --git a/src/man/kprop.man b/src/man/kprop.man index 389fd61..f072ff7 100644 --- a/src/man/kprop.man +++ b/src/man/kprop.man @@ -1,4 +1,4 @@ -.TH "KPROP" "8" " " "1.11.3" "MIT Kerberos" +.TH "KPROP" "8" " " "1.11.4" "MIT Kerberos" .SH NAME kprop \- propagate a Kerberos V5 principal database to a slave server . diff --git a/src/man/kpropd.man b/src/man/kpropd.man index a244f49..02f91bc 100644 --- a/src/man/kpropd.man +++ b/src/man/kpropd.man @@ -1,4 +1,4 @@ -.TH "KPROPD" "8" " " "1.11.3" "MIT Kerberos" +.TH "KPROPD" "8" " " "1.11.4" "MIT Kerberos" .SH NAME kpropd \- Kerberos V5 slave KDC update server . @@ -69,9 +69,14 @@ kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd .UNINDENT .UNINDENT .sp -kpropd can also run as a standalone daemon. This is required for -incremental propagation. But this is also useful for debugging -purposes. +kpropd can also run as a standalone daemon, backgrounding itself and +waiting for connections on port 754 (or the port specified with the +\fB\-P\fP option if given). Standalone mode is required for incremental +propagation. Starting in release 1.11, kpropd automatically detects +whether it was run from inetd and runs in standalone mode if it is +not. Prior to release 1.11, the \fB\-S\fP option is required to run +kpropd in standalone mode; this option is now accepted for backward +compatibility but does nothing. .sp Incremental propagation may be enabled with the \fBiprop_enable\fP variable in \fIkdc.conf(5)\fP. If incremental propagation is 
@@ -101,19 +106,11 @@ to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/kr Allows the user to specify the pathname to the \fIkdb5_util(8)\fP program; by default the pathname used is \fB@SBINDIR@\fP\fB/kdb5_util\fP. .TP -.B \fB\-S\fP -[DEPRECATED] Enable standalone mode. Normally kpropd is invoked by -inetd(8) so it expects a network connection to be passed to it -from inetd(8). If the \fB\-S\fP option is specified, or if standard -input is not a socket, kpropd will put itself into the background, -and wait for connections on port 754 (or the port specified with the -\fB\-P\fP option if given). -.TP .B \fB\-d\fP -Turn on debug mode. In this mode, if the \fB\-S\fP option is -selected, kpropd will not detach itself from the current job and -run in the background. Instead, it will run in the foreground and -print out debugging messages during the database propagation. +Turn on debug mode. In this mode, kpropd will not detach +itself from the current job and run in the background. Instead, +it will run in the foreground and print out debugging messages +during the database propagation. .TP .B \fB\-P\fP Allow for an alternate port number for kpropd to listen on. This diff --git a/src/man/kproplog.man b/src/man/kproplog.man index 34dc812..d9184cc 100644 --- a/src/man/kproplog.man +++ b/src/man/kproplog.man @@ -1,4 +1,4 @@ -.TH "KPROPLOG" "8" " " "1.11.3" "MIT Kerberos" +.TH "KPROPLOG" "8" " " "1.11.4" "MIT Kerberos" .SH NAME kproplog \- display the contents of the Kerberos principal update log . diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man index 74e5cfb..2be370a 100644 --- a/src/man/krb5-config.man +++ b/src/man/krb5-config.man @@ -1,4 +1,4 @@ -.TH "KRB5-CONFIG" "1" " " "1.11.3" "MIT Kerberos" +.TH "KRB5-CONFIG" "1" " " "1.11.4" "MIT Kerberos" .SH NAME krb5-config \- tool for linking against MIT Kerberos libraries . diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man index bdf3585..4ffe03e 100644 
--- a/src/man/krb5.conf.man +++ b/src/man/krb5.conf.man @@ -1,4 +1,4 @@ -.TH "KRB5.CONF" "5" " " "1.11.3" "MIT Kerberos" +.TH "KRB5.CONF" "5" " " "1.11.4" "MIT Kerberos" .SH NAME krb5.conf \- Kerberos configuration file . diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man index f8fdc60..21b7814 100644 --- a/src/man/krb5kdc.man +++ b/src/man/krb5kdc.man @@ -1,4 +1,4 @@ -.TH "KRB5KDC" "8" " " "1.11.3" "MIT Kerberos" +.TH "KRB5KDC" "8" " " "1.11.4" "MIT Kerberos" .SH NAME krb5kdc \- Kerberos V5 KDC . diff --git a/src/man/ksu.man b/src/man/ksu.man index 02318b9..1d099c0 100644 --- a/src/man/ksu.man +++ b/src/man/ksu.man @@ -1,4 +1,4 @@ -.TH "KSU" "1" " " "1.11.3" "MIT Kerberos" +.TH "KSU" "1" " " "1.11.4" "MIT Kerberos" .SH NAME ksu \- Kerberized super-user . diff --git a/src/man/kswitch.man b/src/man/kswitch.man index 20e0190..9190a7a 100644 --- a/src/man/kswitch.man +++ b/src/man/kswitch.man @@ -1,4 +1,4 @@ -.TH "KSWITCH" "1" " " "1.11.3" "MIT Kerberos" +.TH "KSWITCH" "1" " " "1.11.4" "MIT Kerberos" .SH NAME kswitch \- switch primary ticket cache . diff --git a/src/man/ktutil.man b/src/man/ktutil.man index 064c506..36211ae 100644 --- a/src/man/ktutil.man +++ b/src/man/ktutil.man @@ -1,4 +1,4 @@ -.TH "KTUTIL" "1" " " "1.11.3" "MIT Kerberos" +.TH "KTUTIL" "1" " " "1.11.4" "MIT Kerberos" .SH NAME ktutil \- Kerberos keytab file maintenance utility . diff --git a/src/man/kvno.man b/src/man/kvno.man index df3d279..47bdda8 100644 --- a/src/man/kvno.man +++ b/src/man/kvno.man @@ -1,4 +1,4 @@ -.TH "KVNO" "1" " " "1.11.3" "MIT Kerberos" +.TH "KVNO" "1" " " "1.11.4" "MIT Kerberos" .SH NAME kvno \- print key version numbers of Kerberos principals . diff --git a/src/man/sclient.man b/src/man/sclient.man index 6684b28..6d80a00 100644 --- a/src/man/sclient.man +++ b/src/man/sclient.man @@ -1,4 +1,4 @@ -.TH "SCLIENT" "1" " " "1.11.3" "MIT Kerberos" +.TH "SCLIENT" "1" " " "1.11.4" "MIT Kerberos" .SH NAME sclient \- sample Kerberos version 5 client . 
diff --git a/src/man/sserver.man b/src/man/sserver.man index 325ace6..1f7cc5f 100644 --- a/src/man/sserver.man +++ b/src/man/sserver.man @@ -1,4 +1,4 @@ -.TH "SSERVER" "8" " " "1.11.3" "MIT Kerberos" +.TH "SSERVER" "8" " " "1.11.4" "MIT Kerberos" .SH NAME sserver \- sample Kerberos version 5 server . diff --git a/src/patchlevel.h b/src/patchlevel.h index eb6cf94..9674800 100644 --- a/src/patchlevel.h +++ b/src/patchlevel.h @@ -51,7 +51,7 @@ */ #define KRB5_MAJOR_RELEASE 1 #define KRB5_MINOR_RELEASE 11 -#define KRB5_PATCHLEVEL 3 -#define KRB5_RELTAIL "postrelease" +#define KRB5_PATCHLEVEL 4 +/* #undef KRB5_RELTAIL */ /* #undef KRB5_RELDATE */ -#define KRB5_RELTAG "krb5-1.11" +#define KRB5_RELTAG "krb5-1.11.4-final" |