Diffstat (limited to 'third_party/heimdal/NEWS')
-rw-r--r-- | third_party/heimdal/NEWS | 1494 |
1 files changed, 1494 insertions, 0 deletions
diff --git a/third_party/heimdal/NEWS b/third_party/heimdal/NEWS new file mode 100644 index 0000000..4bb5a70 --- /dev/null +++ b/third_party/heimdal/NEWS 
@@ -0,0 +1,1494 @@ + +Partial news for a future Heimdal 8.0 release -- but NOTE WELL that this is NOT +a release at this time! + +Bug fixes + + - Errors found by the Coverity static analysis. + - Errors found by the LLVM scan-build static analyzer. + - Errors found by the valgrind memory debugger. + - Fix out-of-tree SQLite3 ccache permissions / umask issues. + - iprop bugs, race conditions, and performance + - Many misc. bugs + +Features: + + - KDC: Add FAST support for TGS. + - KDC: Greatly improved plugin facility for Samba. + - KDC: Add httpkadmind service providing a subset of kadmin + functionality over HTTP. + - KDC: Add support for virtual service principal namespaces. + - KDC: Add support for synthetic client principals that exist if the + pre-authentication mechanism (e.g., PKINIT) can authenticate + them, thus not requiring an HDB entry. + - KDC: Add experimental GSS-API pre-authentication support. + - KDC: Revamp and enhance kx509 support (though bx509d mostly replaces kx509). + - KDC: Better support for aliases and referrals. + - KDC: Always return the salt in the PA-ETYPE-INFO[2]. + - KDC: Add warn_ticket_addresses configuration parameter. + - KDC: allow anonymous AS requests with long-term keys. + - KDC: Do not include PAC for anonymous AS requests. + - KDC: Enable keepalive mode on incoming sockets. + - KDC: Greatly improved logging. + - KDC: Remove KRB5SignedPath, to be replaced with PAC. + - PKIX: Add bx509d -- an online certification authority (CA) with an HTTP API. + - kadmin: Add HTTP-based kadmin protocol. + - kadmin: Add add_alias, del_alias. + - kadmin: Add command aliases to man page. + - kadmin: Add disallow-client attribute. + - kadmin: add --hdb / -H argument. + - kadmin: Allow enforcing password quality on admin password change. + - kadmin: Improve ext_keytab usage. + - kadmin: Selective pruning of historic key for principal. + - krb5: Add client_aware_channel_bindings option. 
+ - krb5: Add constrained credential delegation option "destination TGT" + - krb5: Add "EFILE:" target for logging. + - krb5: Add include/includedir directives for krb5.conf. + - krb5: Complete DIR ccache collection support. + - krb5: Add FILE ccache collection support. + - krb5: Improved FILE ccache performance. + - krb5: Add KEYRING ccache support. + - krb5: Add kx509 client. + - krb5: Improve FILE keytab performance. + - krb5: Implement KRB5_TRACE environment variable. + - krb5: Add experimental name canonicalization rules configuration. + - krb5: Support start_realm ccconfig entry type. + - kinit: Add --default-for option for ccache collection support. + - kinit: Add --pk-anon-fast-armor option. + - kinit: Don't leave dangling temporary ccaches. + - klist: Better --json + - iprop: Many performance and scaling enhancements. + - iprop: Support hierarchical propagation. + - ASN.1: Document fuzzing process. + - ASN.1: Complete template backend. + - ASN.1: Add partial Information Object System support (template backend + only). This means that open type holes can be decoded recursively + with one codec function call. + - ASN.1: Add JSON encoder functionality (template backend only). + - ASN.1: Greatly enhanced asn1_print(1) command, which can now print a + JSON representation of any DER-encoded value of any type exported + by ASN.1 modules in Heimdal. + - ASN.1: Support circular types. + - ASN.1: Topographically sort declarations. + - ASN.1: Proper support for IMPLICIT tags. + - GSS: Import gss-token(1) command. + - GSS: Add advanced credential store / load functionality. + - GSS: Add name attributes support, with support for many basic attributes + and PAC buffer accessors too. + - GSS: Add SANON mechanism for anonymous-only key exchange using + elliptic curve Diffie-Hellman (ECDH) with Curve25519. + - GSS: Add gss_acquire_cred_from() and credential store extensions. + - GSS: Support fragmented tokens reassembly (for SMB). + - GSS: Support client keytab. 
+ - GSS: Add NegoEx support. + - libhx509: Lots of improvements. + - hxtool: Add "acert" (assert cert contents) command + - hxtool: add cert type: https-negotiate-server + - hxtool: add generate-key command + - hxtool: Add OID symbol resolution and printing of OIDs known to hxtool. + - hxtool: Add print --raw-json option that shows certificates in JSON, with + all extensions and attributes known to Heimdal fully decoded. + - hxtool: Improved SAN support. + - hxtool: Improved CSR support. + - Improved plugin interfaces. + - hcrypto: Add X25519. + - hcrypto: Better RSA key generation. + - hcrypto: import libtommath v1.2.0. + - roken: Add secure_getenv() and issuid(), use them extensively. + +Release Notes - Heimdal - Version Heimdal 7.8 + + Bug fixes + + - CVE-2022-42898 PAC parse integer overflows + + - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour + - Pass correct length to _gssapi_verify_pad() + - Check for overflow in _gsskrb5_get_mech() + - Check buffer length against overflow for DES{,3} unwrap + - Check the result of _gsskrb5_get_mech() + - Avoid undefined behaviour in _gssapi_verify_pad() + - Don't pass NULL pointers to memcpy() in DES unwrap + - Use constant-time memcmp() in unwrap_des3() + - Use constant-time memcmp() for arcfour unwrap + + - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors + + - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec + + This is a 10.0 on the Common Vulnerability Scoring System (CVSS) v3. + + Heimdal's ASN.1 compiler generates code that allows specially + crafted DER encodings of CHOICEs to invoke the wrong free function + on the decoded structure upon decode error. This is known to impact + the Heimdal KDC, leading to an invalid free() of an address partly + or wholly under the control of the attacker, in turn leading to a + potential remote code execution (RCE) vulnerability. 
+ + This error affects the DER codec for all CHOICE types used in + Heimdal, though not all cases will be exploitable. We have not + completed a thorough analysis of all the Heimdal components + affected, thus the Kerberos client, the X.509 library, and other + parts, may be affected as well. + + This bug has been in Heimdal since 2005. It was first reported by + Douglas Bagnall, though it had been found independently by the + Heimdal maintainers via fuzzing. + + While no zero-day exploit is known, such an exploit will likely be + available soon after public disclosure. + + - Errors found by the LLVM scan-build static analyzer. + + - Errors found by the valgrind memory debugger. + + - Work around GCC Bug 95189 (memcmp wrongly stripped like strcmp). + + - Fix Unicode normalization read of 1 bytes past end of array. + + - Correct ASN.1 OID typo for SHA-384 + + - Fix a deadlock in in the MEMORY ccache type. + + - TGS: strip forwardable and proxiable flags if the server is + disallowed. + + - CVE-2019-14870: Validate client attributes in protocol-transition + - CVE-2019-14870: Apply forwardable policy in protocol-transition + - CVE-2019-14870: Always lookup impersonate client in DB + + - Incremental HDB propagation improvements + + - Refactor send_diffs making it progressive + - Handle partial writes on non-blocking sockets + - Disable Nagle in iprop master and slave + - Use async I/O + - Don't send I_HAVE in response to AYT + - Do not recover log in kadm5_get_principal() + - Don't send diffs to slaves with not yet known version + - Don't stutter in send_diffs + + - Optional backwards-compatible anon-pkinit behaviour + +Release Notes - Heimdal - Version Heimdal 7.7 + + Bug fixes + + - PKCS#11 hcrypto back-end + . initialize the p11_module_load function list + . verify that not only is a mechanism present but that its mechanism + info states that it offers the required encryption, decryption or + digest services + - krb5: + . 
Starting with 7.6, Heimdal permitted requesting authenticated + anonymous tickets. However, it did not verify that a KDC in fact + returned an anonymous ticket when one was requested. + - Cease setting the KDCOption reaquest_anonymous flag when issuing + S4UProxy (constrained delegation) TGS requests. + . when the Win2K PKINIT compatibility option is set, do + not require krbtgt otherName to match when validating KDC + certificate. + . set PKINIT_BTMM flag per Apple implementation + . use memset_s() instead of memset() + - kdc: + . When generating KRB5SignedPath in the AS, use the reply client name + rather than the one from the request, so validation will work + correctly in the TGS. + . allow checksum of PA-FOR-USER to be HMAC_MD5. Even if tgt used + an enctype with a different checksum. Per [MS-SFU] 2.2.1 + PA-FOR-USER the checksum is always HMAC_MD5, and that's what + Windows and MIT clients send. + + In heimdal both the client and kdc use instead the + checksum of the tgt, and therefore work with each other + but Windows and MIT clients fail against heimdal KDC. + + Both Windows and MIT KDCs would allow any keyed checksum + to be used so Heimdal client interoperates with them. + + Change Heimdal KDC to allow HMAC_MD5 even for non RC4 + based tgt in order to support per-spec clients. + . use memset_s() instead of memset(). + - Detect Heimdal 1.0 through 7.6 clients that issue S4UProxy + (constrained delegation) TGS Requests with the request + anonymous flag set. These requests will be treated as + S4UProxy requests and not anonymous requests. + - HDB: + . Set SQLite3 backend default page size to 8KB. + . Add hdb_set_sync() method + - kadmind: + . disable HDB sync during database load avoiding unnecessary disk i/o. + - ipropd: + . disable HDB sync during receive_everything. Doing an fsync + per-record when receiving the complete HDB is a performance + disaster. 
Among other things, if the HDB is very large, then + one slave receving a full HDB can cause other slaves to timeout + and, if HDB write activity is high enough to cause iprop log + truncation, then also need full syncs, which leads to a cycle of + full syncs for all slaves until HDB write activity drops. + Allowing the iprop log to be larger helps, but improving + receive_everything() performance helps even more. + - kinit: + . Anonymous PKINIT tickets discard the realm information used + to locate the issuing AS. Store the issuing realm in the + credentials cache in order to locate a KDC which can renew them. + . Do not leak the result of krb5_cc_get_config() when determining + anonymous PKINIT start realm. + - klist: + . Show transited-policy-checked, ok-as-delegate and anonymous + flags when listing credentials. + - tests: + . Regenerate certs so that they expire before the 2038 armageddon + so the test suite will pass on 32-bit operating systems until the + underlying issues can be resolved. + - Solaris: + . Define _STDC_C11_BCI for memset_s prototype + - build tooling: + . Convert from python 2 to python 3 + - documentation + . rename verify-password to verify-password-quality + . hprop default mode is encrypt + . kadmind "all" permission does not include "get-keys" + . verify-password-quality might not be stateless + +Release Notes - Heimdal - Version Heimdal 7.6 + + Security + + - CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum + + When the Heimdal KDC checks the checksum that is placed on the + S4U2Self packet by the server to protect the requested principal + against modification, it does not confirm that the checksum + algorithm that protects the user name (principal) in the request + is keyed. 
This allows a man-in-the-middle attacker who can + intercept the request to the KDC to modify the packet by replacing + the user name (principal) in the request with any desired user + name (principal) that exists in the KDC and replace the checksum + protecting that name with a CRC32 checksum (which requires no + prior knowledge to compute). + + This would allow a S4U2Self ticket requested on behalf of user + name (principal) user@EXAMPLE.COM to any service to be changed + to a S4U2Self ticket with a user name (principal) of + Administrator@EXAMPLE.COM. This ticket would then contain the + PAC of the modified user name (principal). + + - CVE-2019-12098, client-only: + + RFC8062 Section 7 requires verification of the PA-PKINIT-KX key excahnge + when anonymous PKINIT is used. Failure to do so can permit an active + attacker to become a man-in-the-middle. + + Bug fixes + + - Happy eyeballs: Don't wait for responses from known-unreachable KDCs. + - kdc: check return copy_Realm, copy_PrincipalName, copy_EncryptionKey + - kinit: + . cleanup temporary ccaches + . see man page for "kinit --anonymous" command line syntax change + - kdc: Make anonymous AS-requests more RFC8062-compliant. + - Updated expired test certificates + - Solaris: + . PKCS#11 hcrypto backend broken since 7.0.1 + . Building with Sun Pro C + + Features + + - kuser: support authenticated anonymous AS-REQs in kinit + - kdc: support for anonymous TGS-REQs + - kgetcred support for anonymous service tickets + - Support builds with OpenSSL 1.1.1 + +Release Notes - Heimdal - Version Heimdal 7.5 + + Security + + - Fix CVE-2017-17439, which is a remote denial of service + vulnerability: + + In Heimdal 7.1 through 7.4, remote unauthenticated attackers + are able to crash the KDC by sending a crafted UDP packet + containing empty data fields for client name or realm. + + Bug fixes + + - Handle long input lines when reloading database dumps. 
+ + - In pre-forked mode (default on Unix), correctly clear + the process ids of exited children, allowing new child processes + to replace the old. + + - Fixed incorrect KDC response when no-cross realm TGT exists, + allowing client requests to fail quickly rather than time + out after trying to get a correct answer from each KDC. + +Release Notes - Heimdal - Version Heimdal 7.4 + + Security + + - Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + + This is a critical vulnerability. + + In _krb5_extract_ticket() the KDC-REP service name must be obtained from + encrypted version stored in 'enc_part' instead of the unencrypted version + stored in 'ticket'. Use of the unecrypted version provides an + opportunity for successful server impersonation and other attacks. + + Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. + + See https://www.orpheus-lyre.info/ for more details. + +Release Notes - Heimdal - Version Heimdal 7.3 + + Security + + - Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently + caused the previous hop realm to not be added to the transit path + of issued tickets. This may, in some cases, enable bypass of capath + policy in Heimdal versions 1.5 through 7.2. + + Note, this may break sites that rely on the bug. With the bug some + incomplete [capaths] worked, that should not have. These may now break + authentication in some cross-realm configurations. 
+ (CVE-2017-6594) + +Release Notes - Heimdal - Version Heimdal 7.2 + + Bug fixes + - Portability improvements + - More strict parsing of encoded URI components in HTTP KDC + - Fixed memory leak in malloc error recovery in NTLM GSSAPI mechanism + - Avoid overly specific CPU info in krb5-config in aid of reproducible builds + - Don't do AFS string-to-key tests when feature is disabled + - Skip mdb_stat test when the command is not available + - Windows: update SHA2 timestamp server + - hdb: add missing export hdb_generate_key_set_password_with_ks_tuple + - Fix signature of hdb_generate_key_set_password() + - Windows: enable KX509 support in the KDC + - kdc: fix kx509 service principal match + - iprop: handle case where master sends nothing new + - ipropd-slave: fix incorrect error codes + - Allow choice of sqlite for HDB pref + - check-iprop: don't fail to kill daemons + - roken: pidfile -> rk_pidfile + - kdc: _kdc_do_kx509 fix use after free error + - Do not detect x32 as 64-bit platform. + - No sys/ttydefaults.h on CYGWIN + - Fix check-iprop races + - roken_detach_prep() close pipe + +Release Notes - Heimdal - Version Heimdal 7.1 + + Security + + - kx509 realm-chopping security bug + - non-authorization of alias additions/removals in kadmind + (CVE-2016-2400) + + Feature + + - iprop has been revamped to fix a number of race conditions that could + lead to inconsistent replication + - Hierarchical capath support + - AES Encryption with HMAC-SHA2 for Kerberos 5 + draft-ietf-kitten-aes-cts-hmac-sha2-11 + - hcrypto is now thread safe on all platforms + - libhcrypto has new backends: CNG (Windows), PKCS#11 (mainly for + Solaris), and OpenSSL. OpenSSL is now a first-class libhcrypto backend. + OpenSSL 1.0.x and 1.1 are both supported. AES-NI used when supported by + backend + - HDB now supports LMDB + - Thread support on Windows + - RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST) + - New GSS APIs: + . 
gss_localname + - Allow setting what encryption types a principal should have with + [kadmin] default_key_rules, see krb5.conf manpage for more info + - Unify libhcrypto with LTC (libtomcrypto) + - asn1_compile 64-bit INTEGER functionality + - HDB key history support including --keepold kadmin password option + - Improved cross-realm key rollover safety + - New krb5_kuserok() and krb5_aname_to_localname() plug-in interfaces + - Improved MIT compatibility + . kadm5 API + . Migration from MIT KDB via "mitdb" HDB backend + . Capable of writing the HDB in MIT dump format + - Improved Active Directory interoperability + . Enctype selection issues for PAC and other authz-data signatures + . Cross realm key rollover (kvno 0) + - New [kdc] enctype negotiation configuration: + . tgt-use-strongest-session-key + . svc-use-strongest-session-key + . preauth-use-strongest-session-key + . use-strongest-server-key + - The KDC process now uses a multi-process model improving + resiliency and performance + - Allow batch-mode kinit with password file + - SIGINFO support added to kinit cmd + - New kx509 configuration options: + . kx509_ca + . kca_service + . kx509_include_pkinit_san + . kx509_template + - Improved Heimdal library/plugin version safety + - Name canonicalization + . DNS resolver searchlist + . Improved referral support + . Support host:port host-based services + - Pluggable libheimbase interface for DBs + - Improve IPv6 Support + - LDAP + . Bind DN and password + . Start TLS + - klist --json + - DIR credential cache type + - Updated upstream SQLite and libedit + - Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh, + telnet, xnlock + - Completely remove RAND_egd support + - Moved kadmin and ktutil to /usr/bin + - Stricter fcache checks (see fcache_strict_checking krb5.conf setting) + . use O_NOFOLLOW + . don't follow symlinks + . require cache files to be owned by the user + . 
require sensible permissions (not group/other readable) + - Implemented gss_store_cred() + - Many more + + Bug fixes + - iprop has been revamped to fix a number of race conditions that could + lead to data loss + - Include non-loopback addresses assigned to loopback interfaces + when requesting tickets with addresses + - KDC 1DES session key selection (for AFS rxkad-k5 compatibility) + - Keytab file descriptor and lock leak + - Credential cache corruption bugs + (NOTE: The FILE ccache is still not entirely safe due to the + fundamentally unsafe design of POSIX file locking) + - gss_pseudo_random() interop bug + - Plugins are now preferentially loaded from the run-time install tree + - Reauthentication after password change in init_creds_password + - Memory leak in the client kadmin library + - TGS client requests renewable/forwardable/proxiable when possible + - Locking issues in DB1 and DB3 HDB backends + - Master HDB can remain locked while waiting for network I/O + - Renewal/refresh logic when kinit is provided with a command + - KDC handling of enterprise principals + - Use correct bit for anon-pkinit + - Many more + + Acknowledgements + + This release of Heimdal includes contributions from: + + Abhinav Upadhyay Heath Kehoe Nico Williams + Andreas Schneider Henry Jacques Patrik Lundin + Andrew Bartlett Howard Chu Philip Boulain + Andrew Tridgell Igor Sobrado Ragnar Sundblad + Antoine Jacoutot Ingo Schwarze Remi Ferrand + Arran Cudbard-Bell Jakub Čajka Rod Widdowson + Arvid Requate James Le Cuirot Rok Papež + Asanka Herath James Lee Roland C. 
Dowdeswell + Ben Kaduk Jeffrey Altman Ross L Richardson + Benjamin Kaduk Jeffrey Clark Russ Allbery + Bernard Spil Jeffrey Hutzelman Samuel Cabrero + Brian May Jelmer Vernooij Samuel Thibault + Chas Williams Ken Dreyer Santosh Kumar Pradhan + Chaskiel Grundman Kiran S J Sean Davis + Dana Koch Kumar Thangavelu Sergio Gelato + Daniel Schepler Landon Fuller Simon Wilkinson + David Mulder Linus Nordberg Stef Walter + Douglas Bagnall Love Hörnquist Åstrand Stefan Metzmacher + Ed Maste Luke Howard Steffen Jaeckel + Eray Aslan Magnus Ahltorp Timothy Pearson + Florian Best Marc Balmer Tollef Fog Heen + Fredrik Pettai Marcin Cieślak Tony Acero + Greg Hudson Marco Molteni Uri Simchoni + Gustavo Zacarias Matthieu Hautreux Viktor Dukhovni + Günther Deschner Michael Meffie Volker Lendecke + Harald Barth Moritz Lenz + +Release Notes - Heimdal - Version Heimdal 1.5.3 + + Bug fixes + - Fix leaking file descriptors in KDC + - Better socket/timeout handling in libkrb5 + - General bug fixes + - Build fixes + +Release Notes - Heimdal - Version Heimdal 1.5.2 + + Security fixes + - CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege + - Check that key types strictly match - denial of service + +Release Notes - Heimdal - Version Heimdal 1.5.1 + + Bug fixes + - Fix building on Solaris, requires c99 + - Fix building on Windows + - Build system updates + +Release Notes - Heimdal - Version Heimdal 1.5 + +New features + + - Support GSS name extensions/attributes + - SHA512 support + - No Kerberos 4 support + - Basic support for MIT Admin protocol (SECGSS flavor) + in kadmind (extract keytab) + - Replace editline with libedit + +Release Notes - Heimdal - Version Heimdal 1.4 + + New features + + - Support for reading MIT database file directly + - KCM is polished up and now used in production + - NTLM first class citizen, credentials stored in KCM + - Table driven ASN.1 compiler, smaller!, not enabled by default + - Native Windows client support + +Notes + 
+ - Disabled write support NDBM hdb backend (read still in there) since + it can't handle large records, please migrate to a diffrent backend + (like BDB4) + +Release Notes - Heimdal - Version Heimdal 1.3.3 + + Bug fixes + - Check the GSS-API checksum exists before trying to use it [CVE-2010-1321] + - Check NULL pointers before dereference them [kdc] + +Release Notes - Heimdal - Version Heimdal 1.3.2 + + Bug fixes + + - Don't mix length when clearing hmac (could memset too much) + - More paranoid underrun checking when decrypting packets + - Check the password change requests and refuse to answer empty packets + - Build on OpenSolaris + - Renumber AD-SIGNED-TICKET since it was stolen from US + - Don't cache /dev/*random file descriptor, it doesn't get unloaded + - Make C++ safe + - Misc warnings + +Release Notes - Heimdal - Version Heimdal 1.3.1 + + Bug fixes + + - Store KDC offset in credentials + - Many many more bug fixes + +Release Notes - Heimdal - Version Heimdal 1.3.1 + + New features + + - Make work with OpenLDAPs krb5 overlay + +Release Notes - Heimdal - Version Heimdal 1.3 + + New features + + - Partial support for MIT kadmind rpc protocol in kadmind + - Better support for finding keytab entries when using SPN aliases in the KDC + - Support BER in ASN.1 library (needed for CMS) + - Support decryption in Keychain private keys + - Support for new sqlite based credential cache + - Try both KDC referals and the common DNS reverse lookup in GSS-API + - Fix the KCM to not leak resources on failure + - Add IPv6 support to iprop + - Support localization of error strings in + kinit/klist/kdestroy and Kerberos library + - Remove Kerberos 4 support in application (still in KDC) + - Deprecate DES + - Support i18n password in windows domains (using UTF-8) + - More complete API emulation of OpenSSL in hcrypto + - Support for ECDSA and ECDH when linking with OpenSSL + + API changes + + - Support for settin friendly name on credential caches + - Move to using doxygen to 
generate documentation. + - Sprinkling __attribute__((__deprecated__)) for old function to be removed + - Support to export LAST-REQUST information in AS-REQ + - Support for client deferrals in in AS-REQ + - Add seek support for krb5_storage. + - Support for split AS-REQ, first step for IA-KERB + - Fix many memory leaks and bugs + - Improved regression test + - Support krb5_cccol + - Switch to krb5_set_error_message + - Support krb5_crypto_*_iov + - Switch to use EVP for most function + - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec) + - Add support for GSS_C_DELEG_POLICY_FLAG + - Add krb5_cc_[gs]et_config to store data in the credential caches + - PTY testing application + +Bugfixes + - Make building on AIX6 possible. + - Bugfixes in LDAP KDC code to make it more stable + - Make ipropd-slave reconnect when master down gown + + +Release Notes - Heimdal - Version Heimdal 1.2.1 + +* Bug + + [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris + [HEIMDAL-151] - Make canned tests work again after cert expired + [HEIMDAL-152] - iprop test: use full hostname to avoid realm + resolving errors + [HEIMDAL-153] - ftp: Use the correct length for unmap, msync + +Release Notes - Heimdal - Version Heimdal 1.2 + +* Bug + + [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in + gss_display_name/gss_export_name when using SPNEGO + [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1 + [HEIMDAL-17] - Remove support for depricated [libdefaults]capath + [HEIMDAL-52] - hdb overwrite aliases for db databases + [HEIMDAL-54] - Two issues which affect credentials delegation + [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args + [HEIMDAL-62] - Fix printing of sig_atomic_t + [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto + [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase + [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241) + +* Improvement + [HEIMDAL-67] - Fix locking and store credential in atomic writes + in the FILE 
credential cache + [HEIMDAL-106] - make compile on cygwin again + [HEIMDAL-107] - Replace old random key generation in des module + and use it with RAND_ function instead + [HEIMDAL-115] - Better documentation and compatibility in hcrypto + in regards to OpenSSL + +* New Feature + [HEIMDAL-3] - pkinit alg agility PRF test vectors + [HEIMDAL-14] - Add libwind to Heimdal + [HEIMDAL-16] - Use libwind in hx509 + [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to + the negotiation + [HEIMDAL-74] - Add support to report extended error message back + in AS-REQ to support windows clients + [HEIMDAL-116] - test pty based application (using rkpty) + [HEIMDAL-120] - Use new OpenLDAP API (older deprecated) + +* Task + [HEIMDAL-63] - Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ. + This drop compatibility with pre 0.3d KDCs. + [HEIMDAL-64] - kcm: first implementation of kcm-move-cache + [HEIMDAL-65] - Failed to compile with --disable-pk-init + [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some + wraparound checks doesn't apply to Heimdal + +Changes in release 1.1 + + * Read-only PKCS11 provider built-in to hx509. + + * Documentation for hx509, hcrypto and ntlm libraries improved. + + * Better compatibilty with Windows 2008 Server pre-releases and Vista. + + * Mac OS X 10.5 support for native credential cache. + + * Provide pkg-config file for Heimdal (heimdal-gssapi.pc). + + * Bug fixes. + +Changes in release 1.0.2 + +* Ubuntu packages. + +* Bug fixes. + +Changes in release 1.0.1 + + * Serveral bug fixes to iprop. + + * Make work on platforms without dlopen. + + * Add RFC3526 modp group14 as default. + + * Handle [kdc] database = { } entries without realm = stanzas. + + * Make krb5_get_renewed_creds work. + + * Make kaserver preauth work again. + + * Bug fixes. + +Changes in release 1.0 + + * Add gss_pseudo_random() for mechglue and krb5. + + * Make session key for the krbtgt be selected by the best encryption + type of the client. 
+ + * Better interoperability with other PK-INIT implementations. + + * Inital support for Mac OS X Keychain for hx509. + + * Alias support for inital ticket requests. + + * Add symbol versioning to selected libraries on platforms that uses + GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc. + + * New version of imath included in hcrypto. + + * Fix memory leaks. + + * Bugs fixes. + +Changes in release 0.8.1 + + * Make ASN.1 library less paranoid to with regard to NUL in string to + make it inter-operate with MIT Kerberos again. + + * Make GSS-API library work again when using gss_acquire_cred + + * Add symbol versioning to libgssapi when using GNU ld. + + * Fix memory leaks + + * Bugs fixes + +Changes in release 0.8 + + * PK-INIT support. + + * HDB extensions support, used by PK-INIT. + + * New ASN.1 compiler. + + * GSS-API mechglue from FreeBSD. + + * Updated SPNEGO to support RFC4178. + + * Support for Cryptosystem Negotiation Extension (RFC 4537). + + * A new X.509 library (hx509) and related crypto functions. + + * A new ntlm library (heimntlm) and related crypto functions. + + * Updated the built-in crypto library with bignum support using + imath, support for RSA and DH and renamed it to libhcrypto. + + * Subsystem in the KDC, digest, that will perform the digest + operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL + DIGEST-MD5 NTLMv1 and NTLMv2. + + * KDC will return the "response too big" error to force TCP retries + for large (default 1400 bytes) UDP replies. This is common for + PK-INIT requests. + + * Libkafs defaults to use 2b tokens. + + * Default to use the API cache on Mac OS X. + + * krb5_kuserok() also checks ~/.k5login.d directory for acl files, + see manpage for krb5_kuserok for description. + + * Many, many, other updates to code and info manual and manual pages. 
+ + * Bug fixes + +Changes in release 0.7.2 + +* Fix security problem in rshd that enable an attacker to overwrite + and change ownership of any file that root could write. + +* Fix a DOS in telnetd. The attacker could force the server to crash + in a NULL de-reference before the user logged in, resulting in inetd + turning telnetd off because it forked too fast. + +* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name + exists in the keytab before returning success. This allows servers + to check if its even possible to use GSSAPI. + +* Fix receiving end of token delegation for GSS-API. It still wrongly + uses subkey for sending for compatibility reasons, this will change + in 0.8. + +* telnetd, login and rshd are now more verbose in logging failed and + successful logins. + +* Bug fixes + +Changes in release 0.7.1 + +* Bug fixes + +Changes in release 0.7 + + * Support for KCM, a process based credential cache + + * Support CCAPI credential cache + + * SPNEGO support + + * AES (and the gssapi conterpart, CFX) support + + * Adding new and improve old documentation + + * Bug fixes + +Changes in release 0.6.6 + +* Fix security problem in rshd that enable an attacker to overwrite + and change ownership of any file that root could write. + +* Fix a DOS in telnetd. The attacker could force the server to crash + in a NULL de-reference before the user logged in, resulting in inetd + turning telnetd off because it forked too fast. 
+ +Changes in release 0.6.5 + + * fix vulnerabilities in telnetd + + * unbreak Kerberos 4 and kaserver + +Changes in release 0.6.4 + + * fix vulnerabilities in telnet + + * rshd: encryption without a separate error socket should now work + + * telnet now uses appdefaults for the encrypt and forward/forwardable + settings + + * bug fixes + +Changes in release 0.6.3 + + * fix vulnerabilities in ftpd + + * support for linux AFS /proc "syscalls" + + * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in + kpasswdd + + * fix possible KDC denial of service + + * bug fixes + +Changes in release 0.6.2 + + * Fix possible buffer overrun in v4 kadmin (which now defaults to off) + +Changes in release 0.6.1 + + * Fixed ARCFOUR suppport + + * Cross realm vulnerability + + * kdc: fix denial of service attack + + * kdc: stop clients from renewing tickets into the future + + * bug fixes + +Changes in release 0.6 + +* The DES3 GSS-API mechanism has been changed to inter-operate with + other GSSAPI implementations. See man page for gssapi(3) how to turn + on generation of correct MIC messages. Next major release of heimdal + will generate correct MIC by default. 
+ +* More complete GSS-API support + +* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS + support in applications no longer requires Kerberos 4 libs + +* Kerberos 4 support in kdc defaults to turned off (includes ka and 524) + +* other bug fixes + +Changes in release 0.5.2 + + * kdc: add option for disabling v4 cross-realm (defaults to off) + + * bug fixes + +Changes in release 0.5.1 + + * kadmind: fix remote exploit + + * kadmind: add option to disable kerberos 4 + + * kdc: make sure kaserver token life is positive + + * telnet: use the session key if there is no subkey + + * fix EPSV parsing in ftp + + * other bug fixes + +Changes in release 0.5 + + * add --detach option to kdc + + * allow setting forward and forwardable option in telnet from + .telnetrc, with override from command line + + * accept addresses with or without ports in krb5_rd_cred + + * make it work with modern openssl + + * use our own string2key function even with openssl (that handles weak + keys incorrectly) + + * more system-specific requirements in login + + * do not use getlogin() to determine root in su + + * telnet: abort if telnetd does not support encryption + + * update autoconf to 2.53 + + * update config.guess, config.sub + + * other bug fixes + +Changes in release 0.4e + + * improve libcrypto and database autoconf tests + + * do not care about salting of server principals when serving v4 requests + + * some improvements to gssapi library + + * test for existing compile_et/libcom_err + + * portability fixes + + * bug fixes + +Changes in release 0.4d + + * fix some problems when using libcrypto from openssl + + * handle /dev/ptmx `unix98' ptys on Linux + + * add some forgotten man pages + + * rsh: clean-up and add man page + + * fix -A and -a in builtin-ls in tpd + + * fix building problem on Irix + + * make `ktutil get' more efficient + + * bug fixes + +Changes in release 0.4c + + * fix buffer overrun in telnetd + + * repair some of the v4 fallback code in kinit + + * 
add more shared library dependencies + + * simplify and fix hprop handling of v4 databases + + * fix some building problems (osf's sia and osfc2 login) + + * bug fixes + +Changes in release 0.4b + + * update the shared library version numbers correctly + +Changes in release 0.4a + + * corrected key used for checksum in mk_safe, unfortunately this + makes it backwards incompatible + + * update to autoconf 2.50, libtool 1.4 + + * re-write dns/config lookups (krb5_krbhst API) + + * make order of using subkeys consistent + + * add man page links + + * add more man pages + + * remove rfc2052 support, now only rfc2782 is supported + + * always build with kaserver protocol support in the KDC (assuming + KRB4 is enabled) and support for reading kaserver databases in + hprop + +Changes in release 0.3f + + * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab, + the new keytab type that tries both of these in order (SRVTAB is + also an alias for krb4:) + + * improve error reporting and error handling (error messages should + be more detailed and more useful) + + * improve building with openssl + + * add kadmin -K, rcp -F + + * fix two incorrect weak DES keys + + * fix building of kaserver compat in KDC + + * the API is closer to what MIT krb5 is using + + * more compatible with windows 2000 + + * removed some memory leaks + + * bug fixes + +Changes in release 0.3e + + * rcp program included + + * fix buffer overrun in ftpd + + * handle omitted sequence numbers as zeroes to handle MIT krb5 that + cannot generate zero sequence numbers + + * handle v4 /.k files better + + * configure/portability fixes + + * fixes in parsing of options to kadmin (sub-)commands + + * handle errors in kadmin load better + + * bug fixes + +Changes in release 0.3d + + * add krb5-config + + * fix a bug in 3des gss-api mechanism, making it compatible with the + specification and the MIT implementation + + * make telnetd only allow a specific list of environment variables to + stop it 
from setting `sensitive' variables + + * try to use an existing libdes + + * lib/krb5, kdc: use correct usage type for ap-req messages. This + should improve compatability with MIT krb5 when using 3DES + encryption types + + * kdc: fix memory allocation problem + + * update config.guess and config.sub + + * lib/roken: more stuff implemented + + * bug fixes and portability enhancements + +Changes in release 0.3c + + * lib/krb5: memory caches now support the resolve operation + + * appl/login: set PATH to some sane default + + * kadmind: handle several realms + + * bug fixes (including memory leaks) + +Changes in release 0.3b + + * kdc: prefer default-salted keys on v5 requests + + * kdc: lowercase hostnames in v4 mode + + * hprop: handle more types of MIT salts + + * lib/krb5: fix memory leak + + * bug fixes + +Changes in release 0.3a: + + * implement arcfour-hmac-md5 to interoperate with W2K + + * modularise the handling of the master key, and allow for other + encryption types. This makes it easier to import a database from + some other source without having to re-encrypt all keys. 
+ + * allow for better control over which encryption types are created + + * make kinit fallback to v4 if given a v4 KDC + + * make klist work better with v4 and v5, and add some more MIT + compatibility options + + * make the kdc listen on the krb524 (4444) port for compatibility + with MIT krb5 clients + + * implement more DCE/DFS support, enabled with --enable-dce, see + lib/kdfs and appl/dceutils + + * make the sequence numbers work correctly + + * bug fixes + +Changes in release 0.2t: + + * bug fixes + +Changes in release 0.2s: + + * add OpenLDAP support in hdb + + * login will get v4 tickets when it receives forwarded tickets + + * xnlock supports both v5 and v4 + + * repair source routing for telnet + + * fix building problems with krb4 (krb_mk_req) + + * bug fixes + +Changes in release 0.2r: + + * fix realloc memory corruption bug in kdc + + * `add --key' and `cpw --key' in kadmin + + * klist supports listing v4 tickets + + * update config.guess and config.sub + + * make v4 -> v5 principal name conversion more robust + + * support for anonymous tickets + + * new man-pages + + * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab. 
+ + * use and set expiration and not password expiration when dumping + to/from ka server databases / krb4 databases + + * make the code happier with 64-bit time_t + + * follow RFC2782 and by default do not look for non-underscore SRV names + +Changes in release 0.2q: + + * bug fix in tcp-handling in kdc + + * bug fix in expand_hostname + +Changes in release 0.2p: + + * bug fix in `kadmin load/merge' + + * bug fix in krb5_parse_address + +Changes in release 0.2o: + + * gss_{import,export}_sec_context added to libgssapi + + * new option --addresses to kdc (for listening on an explicit set of + addresses) + + * bug fixes in the krb4 and kaserver emulation part of the kdc + + * other bug fixes + +Changes in release 0.2n: + + * more robust parsing of dump files in kadmin + * changed default timestamp format for log messages to extended ISO + 8601 format (Y-M-DTH:M:S) + * changed md4/md5/sha1 APIes to be de-facto `standard' + * always make hostname into lower-case before creating principal + * small bits of more MIT-compatability + * bug fixes + +Changes in release 0.2m: + + * handle glibc's getaddrinfo() that returns several ai_canonname + + * new endian test + + * man pages fixes + +Changes in release 0.2l: + + * bug fixes + +Changes in release 0.2k: + + * better IPv6 test + + * make struct sockaddr_storage in roken work better on alphas + + * some missing [hn]to[hn]s fixed. + + * allow users to change their own passwords with kadmin (with initial + tickets) + + * fix stupid bug in parsing KDC specification + + * add `ktutil change' and `ktutil purge' + +Changes in release 0.2j: + + * builds on Irix + + * ftpd works in passive mode + + * should build on cygwin + + * work around broken IPv6-code on OpenBSD 2.6, also add configure + option --disable-ipv6 + +Changes in release 0.2i: + + * use getaddrinfo in the missing places. + + * fix SRV lookup for admin server + + * use get{addr,name}info everywhere. 
and implement it in terms of + getipnodeby{name,addr} (which uses gethostbyname{,2} and + gethostbyaddr) + +Changes in release 0.2h: + + * fix typo in kx (now compiles) + +Changes in release 0.2g: + + * lots of bug fixes: + * push works + * repair appl/test programs + * sockaddr_storage works on solaris (alignment issues) + * works better with non-roken getaddrinfo + * rsh works + * some non standard C constructs removed + +Changes in release 0.2f: + + * support SRV records for kpasswd + * look for both _kerberos and krb5-realm when doing host -> realm mapping + +Changes in release 0.2e: + + * changed copyright notices to remove `advertising'-clause. + * get{addr,name}info added to roken and used in the other code + (this makes things work much better with hosts with both v4 and v6 + addresses, among other things) + * do pre-auth for both password and key-based get_in_tkt + * support for having several databases + * new command `del_enctype' in kadmin + * strptime (and new strftime) add to roken + * more paranoia about finding libdb + * bug fixes + +Changes in release 0.2d: + + * new configuration option [libdefaults]default_etypes_des + * internal ls in ftpd builds without KRB4 + * kx/rsh/push/pop_debug tries v5 and v4 consistenly + * build bug fixes + * other bug fixes + +Changes in release 0.2c: + + * bug fixes (see ChangeLog's for details) + +Changes in release 0.2b: + + * bug fixes + * actually bump shared library versions + +Changes in release 0.2a: + + * a new program verify_krb5_conf for checking your /etc/krb5.conf + * add 3DES keys when changing password + * support null keys in database + * support multiple local realms + * implement a keytab backend for AFS KeyFile's + * implement a keytab backend for v4 srvtabs + * implement `ktutil copy' + * support password quality control in v4 kadmind + * improvements in v4 compat kadmind + * handle the case of having the correct cred in the ccache but with + the wrong encryption type better + * v6-ify the 
remaining programs. + * internal ls in ftpd + * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat + * add `ank --random-password' and `cpw --random-password' in kadmin + * some programs and documentation for trying to talk to a W2K KDC + * bug fixes + +Changes in release 0.1m: + + * support for getting default from krb5.conf for kinit/kf/rsh/telnet. + From Miroslav Ruda <ruda@ics.muni.cz> + * v6-ify hprop and hpropd + * support numeric addresses in krb5_mk_req + * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz> + * make rsh/rshd IPv6-aware + * make the gssapi sample applications better at reporting errors + * lots of bug fixes + * handle systems with v6-aware libc and non-v6 kernels (like Linux + with glibc 2.1) better + * hide failure of ERPT in ftp + * lots of bug fixes + +Changes in release 0.1l: + + * make ftp and ftpd IPv6-aware + * add inet_pton to roken + * more IPv6-awareness + * make mini_inetd v6 aware + +Changes in release 0.1k: + + * bump shared libraries versions + * add roken version of inet_ntop + * merge more changes to rshd + +Changes in release 0.1j: + + * restore back to the `old' 3DES code. This was supposed to be done + in 0.1h and 0.1i but I did a CVS screw-up. 
+ * make telnetd handle v6 connections + +Changes in release 0.1i: + + * start using `struct sockaddr_storage' which simplifies the code + (with a fallback definition if it's not defined) + * bug fixes (including in hprop and kf) + * don't use mawk which seems to mishandle roken.awk + * get_addrs should be able to handle v6 addresses on Linux (with the + required patch to the Linux kernel -- ask within) + * rshd builds with shadow passwords + +Changes in release 0.1h: + + * kf: new program for forwarding credentials + * portability fixes + * make forwarding credentials work with MIT code + * better conversion of ka database + * add etc/services.append + * correct `modified by' from kpasswdd + * lots of bug fixes + +Changes in release 0.1g: + + * kgetcred: new program for explicitly obtaining tickets + * configure fixes + * krb5-aware kx + * bug fixes + +Changes in release 0.1f; + + * experimental support for v4 kadmin protokoll in kadmind + * bug fixes + +Changes in release 0.1e: + + * try to handle old DCE and MIT kdcs + * support for older versions of credential cache files and keytabs + * postdated tickets work + * support for password quality checks in kpasswdd + * new flag --enable-kaserver for kdc + * renew fixes + * prototype su program + * updated (some) manpages + * support for KDC resource records + * should build with --without-krb4 + * bug fixes + +Changes in release 0.1d: + + * Support building with DB2 (uses 1.85-compat API) + * Support krb5-realm.DOMAIN in DNS + * new `ktutil srvcreate' + * v4/kafs support in klist/kdestroy + * bug fixes + +Changes in release 0.1c: + + * fix ASN.1 encoding of signed integers + * somewhat working `ktutil get' + * some documentation updates + * update to Autoconf 2.13 and Automake 1.4 + * the usual bug fixes + +Changes in release 0.1b: + + * some old -> new crypto conversion utils + * bug fixes + +Changes in release 0.1a: + + * new crypto code + * more bug fixes + * make sure we ask for DES keys in gssapi + * support 
signed ints in ASN1 + * IPv6-bug fixes + +Changes in release 0.0u: + + * lots of bug fixes + +Changes in release 0.0t: + + * more robust parsing of krb5.conf + * include net{read,write} in lib/roken + * bug fixes + +Changes in release 0.0s: + + * kludges for parsing options to rsh + * more robust parsing of krb5.conf + * removed some arbitrary limits + * bug fixes + +Changes in release 0.0r: + + * default options for some programs + * bug fixes + +Changes in release 0.0q: + + * support for building shared libraries with libtool + * bug fixes + +Changes in release 0.0p: + + * keytab moved to /etc/krb5.keytab + * avoid false detection of IPv6 on Linux + * Lots of more functionality in the gssapi-library + * hprop can now read ka-server databases + * bug fixes + +Changes in release 0.0o: + + * FTP with GSSAPI support. + * Bug fixes. + +Changes in release 0.0n: + + * Incremental database propagation. + * Somewhat improved kadmin ui; the stuff in admin is now removed. + * Some support for using enctypes instead of keytypes. + * Lots of other improvement and bug fixes, see ChangeLog for details. |
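Review bot: The security-relevant entries in this NEWS text carry no advisory or CVE reference, for example "kadmind: fix remote exploit" under 0.5.1, "Cross realm vulnerability" under 0.6.1 and "fix vulnerabilities in telnetd" under 0.6.5, so someone auditing this copy cannot map them to specific fixes from the file alone. If this is a verbatim copy of upstream's release notes, I would not rewrite the entries here; record the upstream revision the copy was taken from alongside the import so the entries can be traced back. For the same reason, leave the spelling slips ("conterpart" in 0.7, "suppport" in 0.6.1, "protokoll" in 0.1f) and the repeated "lots of bug fixes" line in 0.1m as upstream has them, so a later re-import stays a clean diff.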