path: root/README

                   Kerberos Version 5, Release 1.10

                            Release Notes
                        The MIT Kerberos Team

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2013 by the Massachusetts Institute of Technology
and its contributors.  All rights reserved.

Please see the file named NOTICE for additional notices.

MIT Kerberos is a project of the MIT Kerberos Consortium.  For more
information about the Kerberos Consortium, see http://kerberos.org/

For more information about the MIT Kerberos software, see
    http://web.mit.edu/kerberos/

People interested in participating in the MIT Kerberos development
effort should visit http://k5wiki.kerberos.org/

Building and Installing Kerberos 5
----------------------------------

The first file you should look at is doc/install-guide.ps; it contains
the notes for building and installing Kerberos 5.  The info file
krb5-install.info has the same information in info file format.  You
can view this using the GNU emacs info-mode, or by using the
standalone info file viewer from the Free Software Foundation.  This
is also available as an HTML file, install.html.

Other good files to look at are admin-guide.ps and user-guide.ps,
which contain the system administrator's guide, and the user's guide,
respectively.  They are also available as info files
kerberos-admin.info and krb5-user.info, respectively.  These files are
also available as HTML files.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.

Please keep in mind that unencrypted e-mail is not secure. If you need
to report a security vulnerability, or send sensitive information,
please PGP-encrypt it to krbcore-security@mit.edu.

You may view bug reports by visiting

    http://krbdev.mit.edu/rt/

and using the "Guest Login" button.  Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.

DES transition
--------------

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in krb5-1.10.7 (2013-11-06)
-----------------------------------------

This is a bugfix release.  The krb5-1.10 release series is in
maintenance, and for new deployments, installers should prefer the
krb5-1.11 release series or later.

* Fix a KDC locking issue that could lead to the KDC process holding a
  persistent lock, preventing administrative actions such as password
  changes.

* Fix a number of bugs related to KDC master key rollover.

* Fix a KDC null pointer dereference [CVE-2013-1418] that could affect
  KDCs that serve multiple realms.

krb5-1.10.7 changes by ticket ID
--------------------------------

7675    Fix lock inconsistency in ctx_unlock()
7725    Change KRB5KDC_ERR_NO_ACCEPTABLE_KDF to 100
7744    Fix typos in kdb5_util master key command outputs
7745    Correctly activate master keys in pre-1.7 KDBs
7749    Fix decoding of mkey kvno in mkey_aux tl-data
7750    Improve LDAP KDB initialization error messages
7757    Multi-realm KDC null deref [CVE-2013-1418]

Major changes in krb5-1.10.6 (2013-06-05)
-----------------------------------------

This is a bugfix release.  The krb5-1.10 release series is in
maintenance, and for new deployments, installers should prefer the
krb5-1.11 release series or later.

* Fix a UDP ping-pong vulnerability in the kpasswd (password changing)
  service.  [CVE-2002-2443]

* Improve interoperability with some Windows native PKINIT clients.

krb5-1.10.6 changes by ticket ID
--------------------------------

7638    Fix kpasswd UDP ping-pong [CVE-2002-2443]
7649    Fix transited handling for GSSAPI acceptors
7658    Ignore missing Q in dh_params
7659    allow dh_min_bits >= 1024
7660    Set msg_type when decoding FAST requests

Major changes in krb5-1.10.5 (2013-04-17)
-----------------------------------------

This is a bugfix release.  The krb5-1.10 release series is in
maintenance, and for new deployments, installers should prefer the
krb5-1.11 release series or later.

* Fix KDC null pointer dereference in TGS-REQ handling [CVE-2013-1416]

* Incremental propagation could erroneously act as if a slave's
  database were current after the slave received a full dump that
  failed to load.

krb5-1.10.5 changes by ticket ID
--------------------------------

7600    KDC TGS-REQ null deref [CVE-2013-1416]
7606    Fix condition with empty body
7607    Reset ulog if database load failed

Major changes in krb5-1.10.4 (2013-03-01)
-----------------------------------------

This is a bugfix release.

* Fix null PKINIT pointer dereference vulnerabilities [CVE-2012-1016,
  CVE-2013-1415]

* Prevent the KDC from returning a host-based service principal
  referral to the local realm.

krb5-1.10.4 changes by ticket ID
--------------------------------

7194    Avoid mapping GSSAPI minor code on success
7233    Use gssalloc in more parts of GSSAPI
7236    Remove unused struct and switch_to stubs
7237    CCAPI cleanup and bugfixes
7254    Do not be over-restrictive in the presence of UAC
7255    Set fCachesTicket=TRUE when no credentials
7277    Remove preauth_sam2 from windows build
7322    CCAPI client rpc fixes
7339    Improve error translation for CCAPIv3 routines
7340    Fix KfW thread-local storage allocation issues
7342    Do not emit debug printfs under NODEBUG
7349    SapGUI sometimes crashes on new session with MSLSA cache
7350    Try harder not to use clock_gettime in verto-k5ev
7353    assertion failure (possible memory corruption) when restarting
        putty session
7363    Update windows/README
7386    Add version info for ccapiserver.exe
7387    Windows build leaves (OUTPRE)/krb5ccNN.res in
        ccapi/lib/win/srctmp
7388    Cache TGS-REPs too
7438    Update Camellia feature description
7454    select on set of all bad fds
7527    PKINIT (draft9) null ptr deref [CVE-2012-1016]
7528    Fix spurious clock skew caused by gak_fct delay
7536    Don't return a host referral to the service realm
7537    Ensure null termination of AFS salts
7538    Make verify_init_creds work with existing ccache
7540    Fail during configure if unable to find ar
7541    Suppress maybe-uninitialized warning in x-deltat.y
7542    Avoid side effects in assert expressions
7543    Suppress some gcc uninitialized variable warnings
7544    Handle PKINIT DH replies with no certs
7545    Fix various integer issues
7575    Make kprop/kpropd work with RC4 session key
7576    Convert success in krb5_chpw_result_code_string
7577    PKINIT null pointer deref [CVE-2013-1415]
7578    Check for negative poll timeout in k5_sendto_kdc
7579    Fix gss_str_to_oid for OIDs with zero-valued arcs
7580    Fix no_host_referral concatention in KDC
7581    Fix kdb5_util dump.c uninitialized warnings
7582    Minor pointer management patches

Major changes in 1.10.3 (2012-08-08)
------------------------------------

This is a bugfix release.

* Fix KDC uninitialized pointer vulnerabilities that could lead to a
  denial of service [CVE-2012-1014] or remote code execution
  [CVE-2012-1015].

* Correctly use default_tgs_enctypes instead of default_tkt_enctypes
  for TGS requests.

krb5-1.10.3 changes by ticket ID
--------------------------------

7150    Does not build when CPPFLAGS=-DDEBUG is set.
7155    default_tgs_enctypes not used for client TGS enctypes
7185    Fix crash on invalid DIR ccache primary file
7197    Translate WinSock errors to Posix counterparts
7198    Implement switch_to for ccapiv3
7199    Add krb5int_cc_user_set_default_name
7200    Always recreate acl files during dejagnu tests
7201    Handle huge /bin directories in libdb2 test
7203    kfw add preauth_sam2 to OBJS for windows build
7204    KFW win-mac.h fixes
7206    Use %i, not %s to Tprintf GetLastError()
7207    Don't use syslog / LOG_DEBUG when they don't exist
7208    __func__ -> __FUNCTION__ in disp_status.c
7209    Define USE_CCAPI_V3 in krb5/ccache on windows
7210    Remove the UNICODE defines from wshelper
7212    MSLSA Don't use lstrcpy on ANSI strings
7213    Implement cccol iterators for mslsa
7214    krb5_stdccv3_get_principal error handling fixup
7215    Remove DISABLE_TRACING from windows build
7226    Fix KDC uninit ptrs [CVE-2012-1014 CVE-2012-1015]
7227    Fix oid set construction in gss_inquire_cred()
7228    Further fixes for WSA/Posix error translation
7230    Add missing quote to install-windows
7231    Regression tests for CVE-2012-1014, CVE-2012-1015

Major changes in 1.10.2 (2012-05-31)
------------------------------------

This is a bugfix release.

* Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
  Controllers.

* Update a workaround for a glibc bug that would cause DNS PTR queries
  to occur even when rdns = false.

* Fix a kadmind denial of service issue (null pointer dereference),
  which could only be triggered by an administrator with the "create"
  privilege.  [CVE-2012-1013]

krb5-1.10.2 changes by ticket ID
--------------------------------

7095    Build system uses @localedir@ without requiring autoconf 2.60
7099    Decrypting history key entries can fail after 1.8 upgrade
7119    Preauth fails for second AS request in a krb5 context
7120    Use correct name-type in TGS-REQs for 2008R2 RODCs
7124    krb5_sname_to_principal canonicalization should work with
        IPv6-only hosts
7127    Can't change password without default_realm
7136    S4U2Self using kvno broken in 1.10.1, but not in 1-9.3
7143    krb5_set_trace_filename not exported
7148    Export gss_mech_krb5_wrong from libgssapi_krb5
7152    Null pointer deref in kadmind [CVE-2012-1013]

Major changes in 1.10.1 (2012-03-08)
------------------------------------

This is a bugfix release.

* Fix access controls for KDB string attributes [CVE-2012-1012]

* Make the ASN.1 encoding of key version numbers interoperate with
  Windows Read-Only Domain Controllers

* Avoid generating spurious password expiry warnings in cases where
  the KDC sends an account expiry time without a password expiry time.

krb5-1.10.1 changes by ticket ID
--------------------------------

7074    workaround for Solaris 8 lacking isblank
7081    Don't use stack variable address in as_req state
7082    Various lookaside cache fixes
7084    Don't check mech in krb5_gss_inquire_cred_by_mech
7087    krb5_gss_get_name_attribute fails to set display_value
7088    Fix uninitialized variable warning in trval.c
7089    Initialize gss_get_name_attribute output buffers
7092    kvno ASN.1 encoding interop with Windows RODCs
7093    Access controls for string RPCs [CVE-2012-1012]
7096    Fix KDB iteration when callback does write calls
7098    Fix spurious password expiry warning

Major changes in 1.10 (2012-01-27)
----------------------------------

Additional background information on these changes may be found at

    http://k5wiki.kerberos.org/wiki/Release_1.10

and

    http://k5wiki.kerberos.org/wiki/Category:Release_1.10_projects

Code quality:

* Fix MITKRB5-SA-2011-006 and MITKRB5-SA-2011-007 KDC denial of
  service vulnerabilities [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529
  CVE-2011-1530].

* Update the Fortuna implementation to more accurately implement the
  description in _Cryptography Engineering_, and make it the default
  PRNG.

* Add an alternative PRNG that relies on the OS native PRNG.

Developer experience:

* Add the ability for GSSAPI servers to use any keytab key for a
  specified service, if the server specifies a host-based name with no
  hostname component.

* In the build system, identify the source files needed for
  per-message processing within a kernel and ensure that they remain
  independent.

* Allow rd_safe and rd_priv to ignore the remote address.

* Rework KDC and kadmind networking code to use an event loop
  architecture.

* Add a plugin interface for providing configuration information.

Administrator experience:

* Add more complete support for renaming principals.

* Add the profile variable ignore_acceptor_hostname in libdefaults. If
  set, GSSAPI will ignore the hostname component of acceptor names
  supplied by the server, allowing any keytab key matching the service
  to be used.

* Add support for string attributes on principal entries.

* Allow password changes to work over NATs.

End-user experience:

* Add the DIR credential cache type, which can hold a collection of
  credential caches.

* Enhance kinit, klist, and kdestroy to support credential cache
  collections if the cache type supports it.

* Add the kswitch command, which changes the selected default cache
  within a collection.

* Add heuristic support for choosing client credentials based on the
  service realm.

* Add support for $HOME/.k5identity, which allows credential choice
  based on configured rules.

* Add support for localization. (No translations are provided in this
  release, but the infrastructure is present for redistributors to
  supply them.)

Protocol evolution:

* Make PKINIT work with FAST in the client library.

krb5-1.10 changes by ticket ID
------------------------------

6118    rename principals
6323    kadmin: rename support
6430    Avoid looping when preauth can't be generated
6617    uninitialized values used in mkey-migration code
6732    checks for openpty() aren't made using -lutil
6770    kg_unseal leads to overlap of source and desitination in memcpy...
6813    memory leak in gss_accept_sec_context
6814    Improve kdb5_util load locking and recovery
6816    potential memory leak in spnego
6817    potential null dereference in gss mechglue
6835    accept_sec_context RFC4121 support bug in 1.8.3
6851    pkinit can't parse some valid cms messages
6854    kadmin's ktremove can remove wrong entries when removing kvno 0
6855    Improve acceptor name flexibility
6857    missing ifdefs around IPv6 code
6858    Assume ELF on FreeBSD if objformat doesn't exist
6863    memory leak on SPNEGO error path
6868    Defer hostname lookups in krb5_sendto_kdc
6872    Fix memory leak in t_expire_warn
6874    Fortuna as default PRNG
6878    Add test script for user2user programs
6887    Use first principal in keytab when verifying creds
6890    Implement draft-josefsson-gss-capsulate
6891    Add gss_userok and gss_pname_to_uid
6892    Prevent bleed-through of mechglue symbols into loaded mechs
6893    error codes from error responses can be discarded when there's e-data
6894    More sensical mech selection for gss_acquire_cred/accept_sec_context
6895    gss_duplicate_name SPI for SPNEGO
6896    Allow anonymous name to be imported with empty name buffer
6897    Default principal name in the acceptor cred corresponds to
        first entry in associated keytab.
6898    Set correct minor_status value in call to gss_display_status.
6902    S4U impersonated credential KRB5_CC_NOT_FOUND
6904    Install k5login(5) as well as .k5login(5)
6905    support poll() in sendto_kdc.c
6909    Kernel subset
6910    Account lockout policy parameters not documented
6911    Account lockout policy options time format
6914    krb5-1.9.1 static compile error +preliminary patch (fwd)
6915    klist -s trips over referral entries
6918    Localize user interface strings using gettext
6921    Convert preauth_plugin.h to new plugin framework
6922    Work around glibc getaddrinfo PTR lookups
6923    Use AI_ADDRCONFIG for more efficient getaddrinfo
6924    Fix multiple libkdb_ldap memory leaks
6927    chpass_util.c improvements
6928    use timegm() for krb5int_gmt_mktime() when available
6929    Pluggable configuration
6931    Add libedit/readline support to ss.
6933    blocking recv caused our server to hang
6934    don't require a default realm
6936    multiple mechanisms and spnego_gss_init_sec_context
6944    gss_acquire_cred erroneous failure and potential segfault for caller
6945    spnego_gss_acquire_cred_impersonate_name incorrect usage of
        impersonator_cred_handle
6951    assertion failure when connections fail in service_fds()
6953    Add the DIR ccache type
6954    Add new cache collection APIs
6955    Remove unneeded cccol behaviors
6956    Add ccache collection support to tools
6957    Add krb5_cc_select() API and pluggable interface
6958    Make gss-krb5 use cache collection
6961    Support pkinit: SignedData with no signers (KDC)
6962    pkinit: client: Use SignedData for anonymous
6964    Support special salt type in default krb5_dbe_cpw.
6965    Remove CFLAGS and external deps from krb5-config --libs
6966    Eliminate domain-based client realm walk
6968    [PATCH] Man page fixes
6969    Create e_data as pa_data in KDC interfaces.
6971    Use type-safe callbacks in preauth interface
6974    Make krb5_pac_sign public
6975    Add PKINIT NSS support
6976    Hide gak_fct interface and arguments in clpreauth
6977    Install krb5/preauth_plugin.h
6978    Allow rd_priv/rd_safe without remote address
6979    Allow password changes over NATs
6980    Ensure termination in Windows vsnprintf wrapper
6981    SA-2011-006 KDC denial of service [CVE-2011-1527 CVE-2011-1528
        CVE-2011-1529]
6987    Fix krb5_cc_set_config
6988    Fix handling of null edata method in KDC preauth
6989    fix tar invocation in mkrel
6992    Make krb5_find_authdata public
6994    Fix intermediate key length in hmac-md5 checksum
6995    Initialize typed_e_data in as_req_state
6996    Make krb5_check_clockskew public
6997    don't build po/ if msgfmt is missing
6999    compile warnings, mininum version check for pkinit (NSS code paths)
7000    Exit on error in kadmind kprop child
7002    verto sshould have a pointer to upstream sources and be in NOTICE
7003    Fix month/year units in getdate
7006    Fix format string for TRACE_INIT_CREDS_SERVICE
7014    Fix com_err.h dependencies in gss-kernel-lib
7015    Add plugin interface_names entry for ccselect
7017    Simplify and fix kdcpreauth request_body callback
7018    Update verto to 0.2.2 release
7019    Make verto context available to kdcpreauth modules
7020    reading minor error message doesn't work for the IAKERB mech
7021    Fix failure interval of 0 in LDAP lockout code
7023    Clean up client-side preauth error data handling
7027    FAST PKINIT
7029    Fix --with-system-verto without pkg-config
7030    Ldap dependency for parallel builds
7033    krb5 1.10 KRB5_PADATA_ENC_TIMESTAMP isn't working
7034    mk_cred: memory management
7035    krb5_lcc_store() now ignores config credentials
7036    Fix free ofuninitialized memory in sname_to_princ
7037    Use LsaDeregisterLogonProcess(), not CloseHandle()
7038    Added support for loading of Krb5.ini from Windows APPDATA
7039    Handle TGS referrals to the same realm
7042    SA-2011-007 KDC null pointer deref in TGS handling [CVE-2011-1530]
7049    Fix subkey memory leak in krb5_get_credentials
7050    KfW changes for krb5-1.10
7051    krb5_server_decrypt_ticket_keytab wrongly succeeds
7053    Verify acceptor's mech in SPNEGO initiator
7055    Rename Table of Contents.hhc
7057    Krb5 1.9.x does not build on Solaris 8 - Implicit function
        declaration error
7060    Convert securid module edata method
7065    delete duplicate NOTICE file
7067    documentation license to CC-BY-SA 3.0 Unported
7077    LIBS should not include PKINIT_CRYPTO_IMPL_LIBS
7078    Use INSTALL_DATA to install message catalogues

Acknowledgements
----------------

Past and present Sponsors of the MIT Kerberos Consortium:

    Apple
    Carnegie Mellon University
    Centrify Corporation
    Columbia University
    Cornell University
    The Department of Defense of the United States of America (DoD)
    Fidelity Investments
    Google
    Iowa State University
    MIT
    Michigan State University
    Microsoft
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    Oracle
    Pennsylvania State University
    Red Hat
    Stanford University
    TeamF1, Inc.
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

    Danilo Almeida
    Jeffrey Altman
    Justin Anderson
    Richard Basch
    Mitch Berger
    Jay Berkenbilt
    Andrew Boardman
    Bill Bryant
    Steve Buckley
    Joe Calzaretta
    John Carr
    Mark Colan
    Don Davis
    Alexandra Ellwood
    Carlos Garay
    Dan Geer
    Nancy Gilman
    Matt Hancher
    Thomas Hardjono
    Sam Hartman
    Paul Hill
    Marc Horowitz
    Eva Jacobus
    Miroslav Jurisic
    Barry Jaspan
    Benjamin Kaduk
    Geoffrey King
    Kevin Koch
    John Kohl
    HaoQi Li
    Jonathan Lin
    Peter Litwack
    Scott McGuire
    Steve Miller
    Kevin Mitchell
    Cliff Neuman
    Paul Park
    Ezra Peisach
    Chris Provenzano
    Ken Raeburn
    Jon Rochlis
    Jeff Schiller
    Jen Selby
    Robert Silk
    Bill Sommerfeld
    Jennifer Steiner
    Ralph Swick
    Brad Thompson
    Harry Tsai
    Zhanna Tsitkova
    Ted Ts'o
    Marshall Vale
    Tom Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Ian Abbott
    Brandon Allbery
    Russell Allbery
    Brian Almeida
    Michael B Allen
    Heinz-Ado Arnolds
    Derek Atkins
    Mark Bannister
    David Bantz
    Alex Baule
    David Benjamin
    Adam Bernstein
    Arlene Berry
    Jeff Blaine
    Radoslav Bodo
    Sumit Bose
    Emmanuel Bouillon
    Michael Calmer
    Julien Chaffraix
    Ravi Channavajhala
    Srinivas Cheruku
    Leonardo Chiquitto
    Howard Chu
    Andrea Cirulli
    Christopher D. Clausen
    Kevin Coffman
    Simon Cooper
    Sylvain Cortes
    Nalin Dahyabhai
    Mark Davies
    Dennis Davis
    Alex Dehnert
    Mark Deneen
    Günther Deschner
    Roland Dowdeswell
    Viktor Dukhovni
    Jason Edgecombe
    Mark Eichin
    Shawn M. Emery
    Douglas E. Engert
    Peter Eriksson
    Juha Erkkilä
    Gilles Espinasse
    Ronni Feldt
    Bill Fellows
    JC Ferguson
    William Fiveash
    Ákos Frohner
    Sebastian Galiano
    Marcus Granado
    Scott Grizzard
    Helmut Grohne
    Steve Grubb
    Philip Guenther
    Dominic Hargreaves
    Robbie Harwood
    Jakob Haufe
    Matthieu Hautreux
    Paul B. Henson
    Jeff Hodges
    Christopher Hogan
    Love Hörnquist Åstrand
    Ken Hornstein
    Henry B. Hotz
    Luke Howard
    Jakub Hrozek
    Shumon Huque
    Jeffrey Hutzelman
    Wyllys Ingersoll
    Holger Isenberg
    Pavel Jindra
    Joel Johnson
    W. Trevor King
    Mikkel Kruse
    Reinhard Kugler
    Volker Lendecke
    Jan iankko Lieskovsky
    Oliver Loch
    Kevin Longfellow
    Nuno Lopes
    Ryan Lynch
    Nathaniel McCallum
    Greg McClement
    Cameron Meadors
    Alexey Melnikov
    Franklyn Mendez
    Markus Moeller
    Kyle Moffett
    Paul Moore
    Keiichi Mori
    Michael Morony
    Zbysek Mraz
    Edward Murrell
    Nikos Nikoleris
    Felipe Ortega
    Andrej Ota
    Dmitri Pal
    Javier Palacios
    Tom Parker
    Ezra Peisach
    W. Michael Petullo
    Mark Phalan
    Jonathan Reams
    Robert Relyea
    Martin Rex
    Jason Rogers
    Mike Roszkowski
    Guillaume Rousse
    Tom Shaw
    Jim Shi
    Peter Shoults
    Simo Sorce
    Michael Spang
    Michael Ströder
    Bjørn Tore Sund
    Joe Travaglini
    Rathor Vipin
    Jorgen Wahlsten
    Stef Walter
    Max (Weijun) Wang
    John Washington
    Stef Walter
    Xi Wang
    Kevin Wasserman
    Margaret Wasserman
    Marcus Watts
    Andreas Wiese
    Simon Wilkinson
    Nicolas Williams
    Ross Wilper
    Augustin Wolf
    Xu Qiang
    Nickolai Zeldovich
    Hanz van Zijst
    Gertjan Zwartjes

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.
Other acknowledgments (for bug reports and patches) are in the
doc/CHANGES file.