From 701484048f984e761b98e34474b977e6f372326c Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Tue, 17 Jun 2003 01:00:45 +0000 Subject: Update for krb5-1.3-beta4. Fix note on [999]. Move notes re addressless tickets and NAT-friendliness to "major changes". Still need to fill out the TODO for IPv6. ticket: 1600 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15630 dc483132-0cff-0310-8789-dd5450dbe970 --- README | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 55 insertions(+), 6 deletions(-) (limited to 'README') diff --git a/README b/README index 3cecfda..9bedcf6 100644 --- a/README +++ b/README @@ -114,6 +114,9 @@ Major changes listed by ticket ID * [880] krb5_gss_register_acceptor_identity() implemented (is called gsskrb5_register_acceptor_identity() by Heimdal). +* [1087] ftpd no longer requires channel bindings, allowing easier use + of ftp from behind a NAT. + * [1156, 1209] It is now possible to use the system com_err to build this release. @@ -142,13 +145,17 @@ Major changes listed by ticket ID * [1281] The "fakeka" program, which emulates the AFS kaserver, has been integrated. Thanks to Ken Hornstein. -* [1377, 1442, 1443] The Microsoft set-password protocol has been - implemented. Thanks to Paul Nelson. +* [1343] The KDC now defaults to not answering krb4 requests. + +* [1344] Addressless tickets are requested by default now. * [1372] There is no longer a need to create a special keytab for kadmind. The legacy administration daemons "kadmind4" and "v5passwdd" will still require a keytab, though. +* [1377, 1442, 1443] The Microsoft set-password protocol has been + implemented. Thanks to Paul Nelson. + * [1385, 1395, 1410] The krb4 protocol vulnerabilities [MITKRB5-SA-2003-004] have been worked around. Note that this will disable krb4 cross-realm functionality, as well as krb4 triple-DES 
@@ -188,6 +195,9 @@ Minor changes listed by ticket ID * [299] kadmin no longer complains about missing kdc.conf parameters when it really means krb5.conf parameters. +* [318] Run-time load path for tcl is set now when linking test + programs. + * [443] --includedir honored now. * [479] unused argument in try_krb4() in login.c deleted. @@ -201,6 +211,8 @@ Minor changes listed by ticket ID * [620] krb4 encrypted rcp should work a little better now. Thanks to Greg Hudson. +* [647] libtelnet/kerberos5.c no longer uses internal include files. + * [673] Weird echoing of admin password in kadmin client worked around by not using buffered stdio calls to read passwords. @@ -243,6 +255,9 @@ Minor changes listed by ticket ID * [953] des3 no longer failing on Windows due to SHA1 implementation problems. +* [964] kdb_init_hist() no longer fails if master_key_enctype is not + in supported_enctypes. + * [970] A minor inconsistency in ccache.tex has been fixed. * [971] option parsing bugs rendered irrelevant by removal of unused @@ -255,7 +270,8 @@ Minor changes listed by ticket ID * [992] Related to [677], quirks with --with-cc no longer relevant as AC_PROG_CC is used instead now. -* [999] kdc_default_options now honored in gss context initialization. +* [999] The kdc_default_options configuration variable is now honored. + Thanks to Emily Ratliff. * [1006] Client library, as well as KDC, now perform reasonable sorting of ETYPE-INFO preauthentication data. @@ -275,9 +291,6 @@ Minor changes listed by ticket ID * [1066] printf() argument mismatches in rpc unit tests fixed. -* [1087] ftpd no longer requires channel bindings, allowing easier use - of ftp from behind a NAT. - * [1102] gssapi_generic.h should now work with C++. * [1136] Some documentation for the setup of cross-realm 
@@ -375,12 +388,20 @@ Minor changes listed by ticket ID * [1324] The KDC no longer logs an inappropriate "no matching key" error when an encrypted timestamp preauth password is incorrect. +* [1334] The KDC now returns a clockskew error when the timestamp in + the encrypted timestamp preauth is out of bounds, rather than just + returning a preauthentcation failure. + * [1342] gawk is no longer required for building kerbsrc.zip for the Windows build. * [1346] gss_krb5_ccache_name() no longer attempts to return a pointer to freed memory. +* [1351] The filename globbing vulnerability [CERT VU#258721] in the + ftp client's handling of filenames beginning with "|" or "-" + returned from the "mget" command has been fixed. + * [1352] GSS_C_PROT_READY_FLAG is no longer asserted inappropriately during GSSAPI context establishment. @@ -497,6 +518,23 @@ Minor changes listed by ticket ID * [1576, 1575] The client library no longer requests RENEWABLE_OK if the renew lifetime is greater than the ticket lifetime. +* [1587] A more standard autoconf test to locate the C compiler allows + for gcc to be found by default without additional configuration + arguments. + +* [1593] Replay cache filenames are now escaped with hyphens, not + backslashes. + +* [1598] MacOS 9 support removed from in-tree com_err. + +* [1602] Fixed a memory leak in make_ap_req_v1(). Thanks to Kent Wu. + +* [1604] Fixed a memory leak in krb5_gss_init_sec_context(), and an + uninitialized memory reference in kg_unseal_v1(). Thanks to Kent + Wu. + +* [1610] Fixed AES credential delegation under GSSAPI. + --[ DELETE BEFORE RELEASE ---changes to unreleased code, etc.--- ]-- * [1054] KRB-CRED messages for RC4 are encrypted now. 
@@ -513,6 +551,9 @@ Minor changes listed by ticket ID * [1276] Generated dependencies handle --without-krb4 properly now. +* [1339] An inadvertent change to the krb4 get_adm_hst API (strcpy vs + strncpy etc.) has been fixed. + * [1384, 1413] Use of autoconf-2.52 in util/reconf will now cause a warning. @@ -555,6 +596,14 @@ Minor changes listed by ticket ID * [1569] A debug statement has been removed from krb524init. +* [1594] Darwin gets an explicit dependency of err_txt.o on + krb_err.c. + +* [1596] Calling conventions, etc. tweaked for KfW build of + krb524.dll. + +* [1605] Fixed a leak of subkeys in krb5_rd_rep(). + Copyright Notice and Legal Administrivia ---------------------------------------- -- cgit v1.1
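Review bot: In the hunk at @@ -142,13 +145,17, the new [1343] and [1344] entries announce changed defaults (the KDC not answering krb4 requests, addressless tickets requested by default) without saying how a site restores the previous behaviour. Both change what an existing deployment sees after upgrading, so each entry should name the configuration setting that controls it or point to the part of the documentation that does.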
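Review bot: In the hunk at @@ -255,7 +270,8, the reworded [999] entry drops "in gss context initialization" and now says only that kdc_default_options "is now honored", so a reader cannot tell which code paths ignored it before. If the old scope was wrong, state where the variable is now applied rather than removing the scope altogether.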
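Review bot: In the hunk at @@ -375,12 +388,20, [1351] fixes a vulnerability that carries a CERT identifier (VU#258721) yet is filed under "Minor changes listed by ticket ID", while the krb4 vulnerability entry [1385, 1395, 1410] sits in the major list. Suggest moving [1351] to the major list, or otherwise marking it, so administrators scanning the README for security fixes find it. In the same hunk, [1334] misspells "preauthentication" as "preauthentcation".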
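Review bot: In the hunk at @@ -497,6 +518,23, the [1593] entry says replay cache filenames are now escaped with hyphens instead of backslashes but not whether replay cache files written under the old naming are still found after an upgrade; one sentence on that would help. Also consider splitting [1604], since the uninitialized memory reference in kg_unseal_v1() is a different class of bug from the memory leak it is listed with.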
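Review bot: In the hunk at @@ -513,6 +551,9, the parenthetical "(strcpy vs strncpy etc.)" in the [1339] entry does not say which behaviour get_adm_hst has after the fix. Spell out what the inadvertent change was and what the API does now, so a reader does not have to open the ticket to learn whether the copy is bounded.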