Diffstat (limited to 'third_party/heimdal/NEWS')
-rw-r--r-- | third_party/heimdal/NEWS | 1152 |
1 files changed, 1152 insertions, 0 deletions
diff --git a/third_party/heimdal/NEWS b/third_party/heimdal/NEWS new file mode 100644 index 0000000..79efe80 --- /dev/null +++ b/third_party/heimdal/NEWS 
@@ -0,0 +1,1152 @@ +Release Notes - Heimdal - Version Heimdal 7.3 + + Security + + - Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently + caused the previous hop realm to not be added to the transit path + of issued tickets. This may, in some cases, enable bypass of capath + policy in Heimdal versions 1.5 through 7.2. + + Note, this may break sites that rely on the bug. With the bug some + incomplete [capaths] worked, that should not have. These may now break + authentication in some cross-realm configurations. + (CVE-2017-6594) + +Release Notes - Heimdal - Version Heimdal 7.2 + + Bug fixes + - Portability improvements + - More strict parsing of encoded URI components in HTTP KDC + - Fixed memory leak in malloc error recovery in NTLM GSSAPI mechanism + - Avoid overly specific CPU info in krb5-config in aid of reproducible builds + - Don't do AFS string-to-key tests when feature is disabled + - Skip mdb_stat test when the command is not available + - Windows: update SHA2 timestamp server + - hdb: add missing export hdb_generate_key_set_password_with_ks_tuple + - Fix signature of hdb_generate_key_set_password() + - Windows: enable KX509 support in the KDC + - kdc: fix kx509 service principal match + - iprop: handle case where master sends nothing new + - ipropd-slave: fix incorrect error codes + - Allow choice of sqlite for HDB pref + - check-iprop: don't fail to kill daemons + - roken: pidfile -> rk_pidfile + - kdc: _kdc_do_kx509 fix use after free error + - Do not detect x32 as 64-bit platform. 
+ - No sys/ttydefaults.h on CYGWIN + - Fix check-iprop races + - roken_detach_prep() close pipe + +Release Notes - Heimdal - Version Heimdal 7.1 + + Security + + - kx509 realm-chopping security bug + - non-authorization of alias additions/removals in kadmind + (CVE-2016-2400) + + Feature + + - iprop has been revamped to fix a number of race conditions that could + lead to inconsistent replication + - Hierarchical capath support + - AES Encryption with HMAC-SHA2 for Kerberos 5 + draft-ietf-kitten-aes-cts-hmac-sha2-11 + - hcrypto is now thread safe on all platforms + - libhcrypto has new backends: CNG (Windows), PKCS#11 (mainly for + Solaris), and OpenSSL. OpenSSL is now a first-class libhcrypto backend. + OpenSSL 1.0.x and 1.1 are both supported. AES-NI used when supported by + backend + - HDB now supports LMDB + - Thread support on Windows + - RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST) + - New GSS APIs: + . gss_localname + - Allow setting what encryption types a principal should have with + [kadmin] default_key_rules, see krb5.conf manpage for more info + - Unify libhcrypto with LTC (libtomcrypto) + - asn1_compile 64-bit INTEGER functionality + - HDB key history support including --keepold kadmin password option + - Improved cross-realm key rollover safety + - New krb5_kuserok() and krb5_aname_to_localname() plug-in interfaces + - Improved MIT compatibility + . kadm5 API + . Migration from MIT KDB via "mitdb" HDB backend + . Capable of writing the HDB in MIT dump format + - Improved Active Directory interoperability + . Enctype selection issues for PAC and other authz-data signatures + . Cross realm key rollover (kvno 0) + - New [kdc] enctype negotiation configuration: + . tgt-use-strongest-session-key + . svc-use-strongest-session-key + . preauth-use-strongest-session-key + . 
use-strongest-server-key + - The KDC process now uses a multi-process model improving + resiliency and performance + - Allow batch-mode kinit with password file + - SIGINFO support added to kinit cmd + - New kx509 configuration options: + . kx509_ca + . kca_service + . kx509_include_pkinit_san + . kx509_template + - Improved Heimdal library/plugin version safety + - Name canonicalization + . DNS resolver searchlist + . Improved referral support + . Support host:port host-based services + - Pluggable libheimbase interface for DBs + - Improve IPv6 Support + - LDAP + . Bind DN and password + . Start TLS + - klist --json + - DIR credential cache type + - Updated upstream SQLite and libedit + - Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh, + telnet, xnlock + - Completely remove RAND_egd support + - Moved kadmin and ktutil to /usr/bin + - Stricter fcache checks (see fcache_strict_checking krb5.conf setting) + . use O_NOFOLLOW + . don't follow symlinks + . require cache files to be owned by the user + . 
require sensible permissions (not group/other readable) + - Implemented gss_store_cred() + - Many more + + Bug fixes + - iprop has been revamped to fix a number of race conditions that could + lead to data loss + - Include non-loopback addresses assigned to loopback interfaces + when requesting tickets with addresses + - KDC 1DES session key selection (for AFS rxkad-k5 compatibility) + - Keytab file descriptor and lock leak + - Credential cache corruption bugs + (NOTE: The FILE ccache is still not entirely safe due to the + fundamentally unsafe design of POSIX file locking) + - gss_pseudo_random() interop bug + - Plugins are now preferentially loaded from the run-time install tree + - Reauthentication after password change in init_creds_password + - Memory leak in the client kadmin library + - TGS client requests renewable/forwardable/proxiable when possible + - Locking issues in DB1 and DB3 HDB backends + - Master HDB can remain locked while waiting for network I/O + - Renewal/refresh logic when kinit is provided with a command + - KDC handling of enterprise principals + - Use correct bit for anon-pkinit + - Many more + + Acknowledgements + + This release of Heimdal includes contributions from: + + Abhinav Upadhyay Heath Kehoe Nico Williams + Andreas Schneider Henry Jacques Patrik Lundin + Andrew Bartlett Howard Chu Philip Boulain + Andrew Tridgell Igor Sobrado Ragnar Sundblad + Antoine Jacoutot Ingo Schwarze Remi Ferrand + Arran Cudbard-Bell Jakub Čajka Rod Widdowson + Arvid Requate James Le Cuirot Rok Papež + Asanka Herath James Lee Roland C. 
Dowdeswell + Ben Kaduk Jeffrey Altman Ross L Richardson + Benjamin Kaduk Jeffrey Clark Russ Allbery + Bernard Spil Jeffrey Hutzelman Samuel Cabrero + Brian May Jelmer Vernooij Samuel Thibault + Chas Williams Ken Dreyer Santosh Kumar Pradhan + Chaskiel Grundman Kiran S J Sean Davis + Dana Koch Kumar Thangavelu Sergio Gelato + Daniel Schepler Landon Fuller Simon Wilkinson + David Mulder Linus Nordberg Stef Walter + Douglas Bagnall Love Hörnquist Åstrand Stefan Metzmacher + Ed Maste Luke Howard Steffen Jaeckel + Eray Aslan Magnus Ahltorp Timothy Pearson + Florian Best Marc Balmer Tollef Fog Heen + Fredrik Pettai Marcin Cieślak Tony Acero + Greg Hudson Marco Molteni Uri Simchoni + Gustavo Zacarias Matthieu Hautreux Viktor Dukhovni + Günther Deschner Michael Meffie Volker Lendecke + Harald Barth Moritz Lenz + +Release Notes - Heimdal - Version Heimdal 1.5.3 + + Bug fixes + - Fix leaking file descriptors in KDC + - Better socket/timeout handling in libkrb5 + - General bug fixes + - Build fixes + +Release Notes - Heimdal - Version Heimdal 1.5.2 + + Security fixes + - CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege + - Check that key types strictly match - denial of service + +Release Notes - Heimdal - Version Heimdal 1.5.1 + + Bug fixes + - Fix building on Solaris, requires c99 + - Fix building on Windows + - Build system updates + +Release Notes - Heimdal - Version Heimdal 1.5 + +New features + + - Support GSS name extensions/attributes + - SHA512 support + - No Kerberos 4 support + - Basic support for MIT Admin protocol (SECGSS flavor) + in kadmind (extract keytab) + - Replace editline with libedit + +Release Notes - Heimdal - Version Heimdal 1.4 + + New features + + - Support for reading MIT database file directly + - KCM is polished up and now used in production + - NTLM first class citizen, credentials stored in KCM + - Table driven ASN.1 compiler, smaller!, not enabled by default + - Native Windows client support + +Notes + 
+ - Disabled write support NDBM hdb backend (read still in there) since + it can't handle large records, please migrate to a diffrent backend + (like BDB4) + +Release Notes - Heimdal - Version Heimdal 1.3.3 + + Bug fixes + - Check the GSS-API checksum exists before trying to use it [CVE-2010-1321] + - Check NULL pointers before dereference them [kdc] + +Release Notes - Heimdal - Version Heimdal 1.3.2 + + Bug fixes + + - Don't mix length when clearing hmac (could memset too much) + - More paranoid underrun checking when decrypting packets + - Check the password change requests and refuse to answer empty packets + - Build on OpenSolaris + - Renumber AD-SIGNED-TICKET since it was stolen from US + - Don't cache /dev/*random file descriptor, it doesn't get unloaded + - Make C++ safe + - Misc warnings + +Release Notes - Heimdal - Version Heimdal 1.3.1 + + Bug fixes + + - Store KDC offset in credentials + - Many many more bug fixes + +Release Notes - Heimdal - Version Heimdal 1.3.1 + + New features + + - Make work with OpenLDAPs krb5 overlay + +Release Notes - Heimdal - Version Heimdal 1.3 + + New features + + - Partial support for MIT kadmind rpc protocol in kadmind + - Better support for finding keytab entries when using SPN aliases in the KDC + - Support BER in ASN.1 library (needed for CMS) + - Support decryption in Keychain private keys + - Support for new sqlite based credential cache + - Try both KDC referals and the common DNS reverse lookup in GSS-API + - Fix the KCM to not leak resources on failure + - Add IPv6 support to iprop + - Support localization of error strings in + kinit/klist/kdestroy and Kerberos library + - Remove Kerberos 4 support in application (still in KDC) + - Deprecate DES + - Support i18n password in windows domains (using UTF-8) + - More complete API emulation of OpenSSL in hcrypto + - Support for ECDSA and ECDH when linking with OpenSSL + + API changes + + - Support for settin friendly name on credential caches + - Move to using doxygen to 
generate documentation. + - Sprinkling __attribute__((__deprecated__)) for old function to be removed + - Support to export LAST-REQUST information in AS-REQ + - Support for client deferrals in in AS-REQ + - Add seek support for krb5_storage. + - Support for split AS-REQ, first step for IA-KERB + - Fix many memory leaks and bugs + - Improved regression test + - Support krb5_cccol + - Switch to krb5_set_error_message + - Support krb5_crypto_*_iov + - Switch to use EVP for most function + - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec) + - Add support for GSS_C_DELEG_POLICY_FLAG + - Add krb5_cc_[gs]et_config to store data in the credential caches + - PTY testing application + +Bugfixes + - Make building on AIX6 possible. + - Bugfixes in LDAP KDC code to make it more stable + - Make ipropd-slave reconnect when master down gown + + +Release Notes - Heimdal - Version Heimdal 1.2.1 + +* Bug + + [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris + [HEIMDAL-151] - Make canned tests work again after cert expired + [HEIMDAL-152] - iprop test: use full hostname to avoid realm + resolving errors + [HEIMDAL-153] - ftp: Use the correct length for unmap, msync + +Release Notes - Heimdal - Version Heimdal 1.2 + +* Bug + + [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in + gss_display_name/gss_export_name when using SPNEGO + [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1 + [HEIMDAL-17] - Remove support for depricated [libdefaults]capath + [HEIMDAL-52] - hdb overwrite aliases for db databases + [HEIMDAL-54] - Two issues which affect credentials delegation + [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args + [HEIMDAL-62] - Fix printing of sig_atomic_t + [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto + [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase + [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241) + +* Improvement + [HEIMDAL-67] - Fix locking and store credential in atomic writes + in the FILE 
credential cache + [HEIMDAL-106] - make compile on cygwin again + [HEIMDAL-107] - Replace old random key generation in des module + and use it with RAND_ function instead + [HEIMDAL-115] - Better documentation and compatibility in hcrypto + in regards to OpenSSL + +* New Feature + [HEIMDAL-3] - pkinit alg agility PRF test vectors + [HEIMDAL-14] - Add libwind to Heimdal + [HEIMDAL-16] - Use libwind in hx509 + [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to + the negotiation + [HEIMDAL-74] - Add support to report extended error message back + in AS-REQ to support windows clients + [HEIMDAL-116] - test pty based application (using rkpty) + [HEIMDAL-120] - Use new OpenLDAP API (older deprecated) + +* Task + [HEIMDAL-63] - Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ. + This drop compatibility with pre 0.3d KDCs. + [HEIMDAL-64] - kcm: first implementation of kcm-move-cache + [HEIMDAL-65] - Failed to compile with --disable-pk-init + [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some + wraparound checks doesn't apply to Heimdal + +Changes in release 1.1 + + * Read-only PKCS11 provider built-in to hx509. + + * Documentation for hx509, hcrypto and ntlm libraries improved. + + * Better compatibilty with Windows 2008 Server pre-releases and Vista. + + * Mac OS X 10.5 support for native credential cache. + + * Provide pkg-config file for Heimdal (heimdal-gssapi.pc). + + * Bug fixes. + +Changes in release 1.0.2 + +* Ubuntu packages. + +* Bug fixes. + +Changes in release 1.0.1 + + * Serveral bug fixes to iprop. + + * Make work on platforms without dlopen. + + * Add RFC3526 modp group14 as default. + + * Handle [kdc] database = { } entries without realm = stanzas. + + * Make krb5_get_renewed_creds work. + + * Make kaserver preauth work again. + + * Bug fixes. + +Changes in release 1.0 + + * Add gss_pseudo_random() for mechglue and krb5. + + * Make session key for the krbtgt be selected by the best encryption + type of the client. 
+ + * Better interoperability with other PK-INIT implementations. + + * Inital support for Mac OS X Keychain for hx509. + + * Alias support for inital ticket requests. + + * Add symbol versioning to selected libraries on platforms that uses + GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc. + + * New version of imath included in hcrypto. + + * Fix memory leaks. + + * Bugs fixes. + +Changes in release 0.8.1 + + * Make ASN.1 library less paranoid to with regard to NUL in string to + make it inter-operate with MIT Kerberos again. + + * Make GSS-API library work again when using gss_acquire_cred + + * Add symbol versioning to libgssapi when using GNU ld. + + * Fix memory leaks + + * Bugs fixes + +Changes in release 0.8 + + * PK-INIT support. + + * HDB extensions support, used by PK-INIT. + + * New ASN.1 compiler. + + * GSS-API mechglue from FreeBSD. + + * Updated SPNEGO to support RFC4178. + + * Support for Cryptosystem Negotiation Extension (RFC 4537). + + * A new X.509 library (hx509) and related crypto functions. + + * A new ntlm library (heimntlm) and related crypto functions. + + * Updated the built-in crypto library with bignum support using + imath, support for RSA and DH and renamed it to libhcrypto. + + * Subsystem in the KDC, digest, that will perform the digest + operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL + DIGEST-MD5 NTLMv1 and NTLMv2. + + * KDC will return the "response too big" error to force TCP retries + for large (default 1400 bytes) UDP replies. This is common for + PK-INIT requests. + + * Libkafs defaults to use 2b tokens. + + * Default to use the API cache on Mac OS X. + + * krb5_kuserok() also checks ~/.k5login.d directory for acl files, + see manpage for krb5_kuserok for description. + + * Many, many, other updates to code and info manual and manual pages. 
+ + * Bug fixes + +Changes in release 0.7.2 + +* Fix security problem in rshd that enable an attacker to overwrite + and change ownership of any file that root could write. + +* Fix a DOS in telnetd. The attacker could force the server to crash + in a NULL de-reference before the user logged in, resulting in inetd + turning telnetd off because it forked too fast. + +* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name + exists in the keytab before returning success. This allows servers + to check if its even possible to use GSSAPI. + +* Fix receiving end of token delegation for GSS-API. It still wrongly + uses subkey for sending for compatibility reasons, this will change + in 0.8. + +* telnetd, login and rshd are now more verbose in logging failed and + successful logins. + +* Bug fixes + +Changes in release 0.7.1 + +* Bug fixes + +Changes in release 0.7 + + * Support for KCM, a process based credential cache + + * Support CCAPI credential cache + + * SPNEGO support + + * AES (and the gssapi conterpart, CFX) support + + * Adding new and improve old documentation + + * Bug fixes + +Changes in release 0.6.6 + +* Fix security problem in rshd that enable an attacker to overwrite + and change ownership of any file that root could write. + +* Fix a DOS in telnetd. The attacker could force the server to crash + in a NULL de-reference before the user logged in, resulting in inetd + turning telnetd off because it forked too fast. 
+ +Changes in release 0.6.5 + + * fix vulnerabilities in telnetd + + * unbreak Kerberos 4 and kaserver + +Changes in release 0.6.4 + + * fix vulnerabilities in telnet + + * rshd: encryption without a separate error socket should now work + + * telnet now uses appdefaults for the encrypt and forward/forwardable + settings + + * bug fixes + +Changes in release 0.6.3 + + * fix vulnerabilities in ftpd + + * support for linux AFS /proc "syscalls" + + * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in + kpasswdd + + * fix possible KDC denial of service + + * bug fixes + +Changes in release 0.6.2 + + * Fix possible buffer overrun in v4 kadmin (which now defaults to off) + +Changes in release 0.6.1 + + * Fixed ARCFOUR suppport + + * Cross realm vulnerability + + * kdc: fix denial of service attack + + * kdc: stop clients from renewing tickets into the future + + * bug fixes + +Changes in release 0.6 + +* The DES3 GSS-API mechanism has been changed to inter-operate with + other GSSAPI implementations. See man page for gssapi(3) how to turn + on generation of correct MIC messages. Next major release of heimdal + will generate correct MIC by default. 
+ +* More complete GSS-API support + +* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS + support in applications no longer requires Kerberos 4 libs + +* Kerberos 4 support in kdc defaults to turned off (includes ka and 524) + +* other bug fixes + +Changes in release 0.5.2 + + * kdc: add option for disabling v4 cross-realm (defaults to off) + + * bug fixes + +Changes in release 0.5.1 + + * kadmind: fix remote exploit + + * kadmind: add option to disable kerberos 4 + + * kdc: make sure kaserver token life is positive + + * telnet: use the session key if there is no subkey + + * fix EPSV parsing in ftp + + * other bug fixes + +Changes in release 0.5 + + * add --detach option to kdc + + * allow setting forward and forwardable option in telnet from + .telnetrc, with override from command line + + * accept addresses with or without ports in krb5_rd_cred + + * make it work with modern openssl + + * use our own string2key function even with openssl (that handles weak + keys incorrectly) + + * more system-specific requirements in login + + * do not use getlogin() to determine root in su + + * telnet: abort if telnetd does not support encryption + + * update autoconf to 2.53 + + * update config.guess, config.sub + + * other bug fixes + +Changes in release 0.4e + + * improve libcrypto and database autoconf tests + + * do not care about salting of server principals when serving v4 requests + + * some improvements to gssapi library + + * test for existing compile_et/libcom_err + + * portability fixes + + * bug fixes + +Changes in release 0.4d + + * fix some problems when using libcrypto from openssl + + * handle /dev/ptmx `unix98' ptys on Linux + + * add some forgotten man pages + + * rsh: clean-up and add man page + + * fix -A and -a in builtin-ls in tpd + + * fix building problem on Irix + + * make `ktutil get' more efficient + + * bug fixes + +Changes in release 0.4c + + * fix buffer overrun in telnetd + + * repair some of the v4 fallback code in kinit + + * 
add more shared library dependencies + + * simplify and fix hprop handling of v4 databases + + * fix some building problems (osf's sia and osfc2 login) + + * bug fixes + +Changes in release 0.4b + + * update the shared library version numbers correctly + +Changes in release 0.4a + + * corrected key used for checksum in mk_safe, unfortunately this + makes it backwards incompatible + + * update to autoconf 2.50, libtool 1.4 + + * re-write dns/config lookups (krb5_krbhst API) + + * make order of using subkeys consistent + + * add man page links + + * add more man pages + + * remove rfc2052 support, now only rfc2782 is supported + + * always build with kaserver protocol support in the KDC (assuming + KRB4 is enabled) and support for reading kaserver databases in + hprop + +Changes in release 0.3f + + * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab, + the new keytab type that tries both of these in order (SRVTAB is + also an alias for krb4:) + + * improve error reporting and error handling (error messages should + be more detailed and more useful) + + * improve building with openssl + + * add kadmin -K, rcp -F + + * fix two incorrect weak DES keys + + * fix building of kaserver compat in KDC + + * the API is closer to what MIT krb5 is using + + * more compatible with windows 2000 + + * removed some memory leaks + + * bug fixes + +Changes in release 0.3e + + * rcp program included + + * fix buffer overrun in ftpd + + * handle omitted sequence numbers as zeroes to handle MIT krb5 that + cannot generate zero sequence numbers + + * handle v4 /.k files better + + * configure/portability fixes + + * fixes in parsing of options to kadmin (sub-)commands + + * handle errors in kadmin load better + + * bug fixes + +Changes in release 0.3d + + * add krb5-config + + * fix a bug in 3des gss-api mechanism, making it compatible with the + specification and the MIT implementation + + * make telnetd only allow a specific list of environment variables to + stop it 
from setting `sensitive' variables + + * try to use an existing libdes + + * lib/krb5, kdc: use correct usage type for ap-req messages. This + should improve compatability with MIT krb5 when using 3DES + encryption types + + * kdc: fix memory allocation problem + + * update config.guess and config.sub + + * lib/roken: more stuff implemented + + * bug fixes and portability enhancements + +Changes in release 0.3c + + * lib/krb5: memory caches now support the resolve operation + + * appl/login: set PATH to some sane default + + * kadmind: handle several realms + + * bug fixes (including memory leaks) + +Changes in release 0.3b + + * kdc: prefer default-salted keys on v5 requests + + * kdc: lowercase hostnames in v4 mode + + * hprop: handle more types of MIT salts + + * lib/krb5: fix memory leak + + * bug fixes + +Changes in release 0.3a: + + * implement arcfour-hmac-md5 to interoperate with W2K + + * modularise the handling of the master key, and allow for other + encryption types. This makes it easier to import a database from + some other source without having to re-encrypt all keys. 
+ + * allow for better control over which encryption types are created + + * make kinit fallback to v4 if given a v4 KDC + + * make klist work better with v4 and v5, and add some more MIT + compatibility options + + * make the kdc listen on the krb524 (4444) port for compatibility + with MIT krb5 clients + + * implement more DCE/DFS support, enabled with --enable-dce, see + lib/kdfs and appl/dceutils + + * make the sequence numbers work correctly + + * bug fixes + +Changes in release 0.2t: + + * bug fixes + +Changes in release 0.2s: + + * add OpenLDAP support in hdb + + * login will get v4 tickets when it receives forwarded tickets + + * xnlock supports both v5 and v4 + + * repair source routing for telnet + + * fix building problems with krb4 (krb_mk_req) + + * bug fixes + +Changes in release 0.2r: + + * fix realloc memory corruption bug in kdc + + * `add --key' and `cpw --key' in kadmin + + * klist supports listing v4 tickets + + * update config.guess and config.sub + + * make v4 -> v5 principal name conversion more robust + + * support for anonymous tickets + + * new man-pages + + * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab. 
+ + * use and set expiration and not password expiration when dumping + to/from ka server databases / krb4 databases + + * make the code happier with 64-bit time_t + + * follow RFC2782 and by default do not look for non-underscore SRV names + +Changes in release 0.2q: + + * bug fix in tcp-handling in kdc + + * bug fix in expand_hostname + +Changes in release 0.2p: + + * bug fix in `kadmin load/merge' + + * bug fix in krb5_parse_address + +Changes in release 0.2o: + + * gss_{import,export}_sec_context added to libgssapi + + * new option --addresses to kdc (for listening on an explicit set of + addresses) + + * bug fixes in the krb4 and kaserver emulation part of the kdc + + * other bug fixes + +Changes in release 0.2n: + + * more robust parsing of dump files in kadmin + * changed default timestamp format for log messages to extended ISO + 8601 format (Y-M-DTH:M:S) + * changed md4/md5/sha1 APIes to be de-facto `standard' + * always make hostname into lower-case before creating principal + * small bits of more MIT-compatability + * bug fixes + +Changes in release 0.2m: + + * handle glibc's getaddrinfo() that returns several ai_canonname + + * new endian test + + * man pages fixes + +Changes in release 0.2l: + + * bug fixes + +Changes in release 0.2k: + + * better IPv6 test + + * make struct sockaddr_storage in roken work better on alphas + + * some missing [hn]to[hn]s fixed. + + * allow users to change their own passwords with kadmin (with initial + tickets) + + * fix stupid bug in parsing KDC specification + + * add `ktutil change' and `ktutil purge' + +Changes in release 0.2j: + + * builds on Irix + + * ftpd works in passive mode + + * should build on cygwin + + * work around broken IPv6-code on OpenBSD 2.6, also add configure + option --disable-ipv6 + +Changes in release 0.2i: + + * use getaddrinfo in the missing places. + + * fix SRV lookup for admin server + + * use get{addr,name}info everywhere. 
and implement it in terms of + getipnodeby{name,addr} (which uses gethostbyname{,2} and + gethostbyaddr) + +Changes in release 0.2h: + + * fix typo in kx (now compiles) + +Changes in release 0.2g: + + * lots of bug fixes: + * push works + * repair appl/test programs + * sockaddr_storage works on solaris (alignment issues) + * works better with non-roken getaddrinfo + * rsh works + * some non standard C constructs removed + +Changes in release 0.2f: + + * support SRV records for kpasswd + * look for both _kerberos and krb5-realm when doing host -> realm mapping + +Changes in release 0.2e: + + * changed copyright notices to remove `advertising'-clause. + * get{addr,name}info added to roken and used in the other code + (this makes things work much better with hosts with both v4 and v6 + addresses, among other things) + * do pre-auth for both password and key-based get_in_tkt + * support for having several databases + * new command `del_enctype' in kadmin + * strptime (and new strftime) add to roken + * more paranoia about finding libdb + * bug fixes + +Changes in release 0.2d: + + * new configuration option [libdefaults]default_etypes_des + * internal ls in ftpd builds without KRB4 + * kx/rsh/push/pop_debug tries v5 and v4 consistenly + * build bug fixes + * other bug fixes + +Changes in release 0.2c: + + * bug fixes (see ChangeLog's for details) + +Changes in release 0.2b: + + * bug fixes + * actually bump shared library versions + +Changes in release 0.2a: + + * a new program verify_krb5_conf for checking your /etc/krb5.conf + * add 3DES keys when changing password + * support null keys in database + * support multiple local realms + * implement a keytab backend for AFS KeyFile's + * implement a keytab backend for v4 srvtabs + * implement `ktutil copy' + * support password quality control in v4 kadmind + * improvements in v4 compat kadmind + * handle the case of having the correct cred in the ccache but with + the wrong encryption type better + * v6-ify the 
remaining programs. + * internal ls in ftpd + * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat + * add `ank --random-password' and `cpw --random-password' in kadmin + * some programs and documentation for trying to talk to a W2K KDC + * bug fixes + +Changes in release 0.1m: + + * support for getting default from krb5.conf for kinit/kf/rsh/telnet. + From Miroslav Ruda <ruda@ics.muni.cz> + * v6-ify hprop and hpropd + * support numeric addresses in krb5_mk_req + * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz> + * make rsh/rshd IPv6-aware + * make the gssapi sample applications better at reporting errors + * lots of bug fixes + * handle systems with v6-aware libc and non-v6 kernels (like Linux + with glibc 2.1) better + * hide failure of ERPT in ftp + * lots of bug fixes + +Changes in release 0.1l: + + * make ftp and ftpd IPv6-aware + * add inet_pton to roken + * more IPv6-awareness + * make mini_inetd v6 aware + +Changes in release 0.1k: + + * bump shared libraries versions + * add roken version of inet_ntop + * merge more changes to rshd + +Changes in release 0.1j: + + * restore back to the `old' 3DES code. This was supposed to be done + in 0.1h and 0.1i but I did a CVS screw-up. 
+ * make telnetd handle v6 connections + +Changes in release 0.1i: + + * start using `struct sockaddr_storage' which simplifies the code + (with a fallback definition if it's not defined) + * bug fixes (including in hprop and kf) + * don't use mawk which seems to mishandle roken.awk + * get_addrs should be able to handle v6 addresses on Linux (with the + required patch to the Linux kernel -- ask within) + * rshd builds with shadow passwords + +Changes in release 0.1h: + + * kf: new program for forwarding credentials + * portability fixes + * make forwarding credentials work with MIT code + * better conversion of ka database + * add etc/services.append + * correct `modified by' from kpasswdd + * lots of bug fixes + +Changes in release 0.1g: + + * kgetcred: new program for explicitly obtaining tickets + * configure fixes + * krb5-aware kx + * bug fixes + +Changes in release 0.1f; + + * experimental support for v4 kadmin protokoll in kadmind + * bug fixes + +Changes in release 0.1e: + + * try to handle old DCE and MIT kdcs + * support for older versions of credential cache files and keytabs + * postdated tickets work + * support for password quality checks in kpasswdd + * new flag --enable-kaserver for kdc + * renew fixes + * prototype su program + * updated (some) manpages + * support for KDC resource records + * should build with --without-krb4 + * bug fixes + +Changes in release 0.1d: + + * Support building with DB2 (uses 1.85-compat API) + * Support krb5-realm.DOMAIN in DNS + * new `ktutil srvcreate' + * v4/kafs support in klist/kdestroy + * bug fixes + +Changes in release 0.1c: + + * fix ASN.1 encoding of signed integers + * somewhat working `ktutil get' + * some documentation updates + * update to Autoconf 2.13 and Automake 1.4 + * the usual bug fixes + +Changes in release 0.1b: + + * some old -> new crypto conversion utils + * bug fixes + +Changes in release 0.1a: + + * new crypto code + * more bug fixes + * make sure we ask for DES keys in gssapi + * support 
signed ints in ASN1 + * IPv6-bug fixes + +Changes in release 0.0u: + + * lots of bug fixes + +Changes in release 0.0t: + + * more robust parsing of krb5.conf + * include net{read,write} in lib/roken + * bug fixes + +Changes in release 0.0s: + + * kludges for parsing options to rsh + * more robust parsing of krb5.conf + * removed some arbitrary limits + * bug fixes + +Changes in release 0.0r: + + * default options for some programs + * bug fixes + +Changes in release 0.0q: + + * support for building shared libraries with libtool + * bug fixes + +Changes in release 0.0p: + + * keytab moved to /etc/krb5.keytab + * avoid false detection of IPv6 on Linux + * Lots of more functionality in the gssapi-library + * hprop can now read ka-server databases + * bug fixes + +Changes in release 0.0o: + + * FTP with GSSAPI support. + * Bug fixes. + +Changes in release 0.0n: + + * Incremental database propagation. + * Somewhat improved kadmin ui; the stuff in admin is now removed. + * Some support for using enctypes instead of keytypes. + * Lots of other improvement and bug fixes, see ChangeLog for details. |
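Review bot: The Heimdal 7.3 entry at the top of the hunk records a behaviour change that should not live only in a vendored file. The CVE-2017-6594 transit path fix is described there as one that "may break sites that rely on the bug", because incomplete [capaths] that used to work can now fail authentication in some cross-realm configurations. Since this lands under third_party/heimdal, please repeat that caveat in the commit message or in the importing project's own release notes, so that administrators with cross-realm trusts review their [capaths] before upgrading. Separately, the "Version Heimdal 1.3.1" header appears twice (once for bug fixes, once for new features), and there are spelling slips such as "diffrent" and "depricated". If the file is meant to match upstream byte for byte, leave those alone here and send the corrections upstream rather than diverging.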