NEWS revision 225736 
1Changes in release 1.1
2
3 * Read-only PKCS11 provider built-in to hx509.
4
5 * Documentation for hx509, hcrypto and ntlm libraries improved.
6
7 * Better compatibilty with Windows 2008 Server pre-releases and Vista.
8
9 * Mac OS X 10.5 support for native credential cache.
10
11 * Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
12
13 * Bug fixes.
14
15Changes in release 1.0.2
16
17* Ubuntu packages.
18
19* Bug fixes.
20
21Changes in release 1.0.1
22
23 * Serveral bug fixes to iprop.
24
25 * Make work on platforms without dlopen.
26
27 * Add RFC3526 modp group14 as default.
28
29 * Handle [kdc] database = { } entries without realm = stanzas.
30
31 * Make krb5_get_renewed_creds work.
32
33 * Make kaserver preauth work again.
34
35 * Bug fixes.
36
37Changes in release 1.0
38
39 * Add gss_pseudo_random() for mechglue and krb5.
40
41 * Make session key for the krbtgt be selected by the best encryption
42   type of the client.
43
44 * Better interoperability with other PK-INIT implementations.
45
46 * Inital support for Mac OS X Keychain for hx509.
47
48 * Alias support for inital ticket requests.
49
50 * Add symbol versioning to selected libraries on platforms that uses
51   GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.
52
53 * New version of imath included in hcrypto.
54
55 * Fix memory leaks.
56
57 * Bugs fixes.
58
59Changes in release 0.8.1
60
61 * Make ASN.1 library less paranoid to with regard to NUL in string to
62   make it inter-operate with MIT Kerberos again.
63
64 * Make GSS-API library work again when using gss_acquire_cred
65
66 * Add symbol versioning to libgssapi when using GNU ld.
67
68 * Fix memory leaks 
69
70 * Bugs fixes
71
72Changes in release 0.8
73
74 * PK-INIT support.
75
76 * HDB extensions support, used by PK-INIT.
77
78 * New ASN.1 compiler.
79
80 * GSS-API mechglue from FreeBSD.
81
82 * Updated SPNEGO to support RFC4178.
83
84 * Support for Cryptosystem Negotiation Extension (RFC 4537).
85
86 * A new X.509 library (hx509) and related crypto functions.
87
88 * A new ntlm library (heimntlm) and related crypto functions.
89
90 * Updated the built-in crypto library with bignum support using
91   imath, support for RSA and DH and renamed it to libhcrypto.
92
93 * Subsystem in the KDC, digest, that will perform the digest
94   operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL
95   DIGEST-MD5 NTLMv1 and NTLMv2.
96
97 * KDC will return the "response too big" error to force TCP retries
98   for large (default 1400 bytes) UDP replies.  This is common for
99   PK-INIT requests.
100
101 * Libkafs defaults to use 2b tokens.
102
103 * Default to use the API cache on Mac OS X.
104
105 * krb5_kuserok() also checks ~/.k5login.d directory for acl files,
106   see manpage for krb5_kuserok for description.
107
108 * Many, many, other updates to code and info manual and manual pages.
109
110 * Bug fixes
111
112Changes in release 0.7.2
113
114* Fix security problem in rshd that enable an attacker to overwrite
115  and change ownership of any file that root could write.
116
117* Fix a DOS in telnetd. The attacker could force the server to crash
118  in a NULL de-reference before the user logged in, resulting in inetd
119  turning telnetd off because it forked too fast.
120
121* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
122  exists in the keytab before returning success. This allows servers
123  to check if its even possible to use GSSAPI.
124
125* Fix receiving end of token delegation for GSS-API. It still wrongly
126  uses subkey for sending for compatibility reasons, this will change
127  in 0.8.
128
129* telnetd, login and rshd are now more verbose in logging failed and
130  successful logins.
131
132* Bug fixes
133
134Changes in release 0.7.1
135
136* Bug fixes
137
138Changes in release 0.7
139
140 * Support for KCM, a process based credential cache
141
142 * Support CCAPI credential cache
143
144 * SPNEGO support
145
146 * AES (and the gssapi conterpart, CFX) support
147
148 * Adding new and improve old documentation
149
150 * Bug fixes
151
152Changes in release 0.6.6
153
154* Fix security problem in rshd that enable an attacker to overwrite
155  and change ownership of any file that root could write.
156
157* Fix a DOS in telnetd. The attacker could force the server to crash
158  in a NULL de-reference before the user logged in, resulting in inetd
159  turning telnetd off because it forked too fast.
160
161Changes in release 0.6.5
162
163 * fix vulnerabilities in telnetd
164
165 * unbreak Kerberos 4 and kaserver
166
167Changes in release 0.6.4
168
169 * fix vulnerabilities in telnet
170
171 * rshd: encryption without a separate error socket should now work
172
173 * telnet now uses appdefaults for the encrypt and forward/forwardable
174   settings
175
176 * bug fixes
177
178Changes in release 0.6.3
179
180 * fix vulnerabilities in ftpd
181
182 * support for linux AFS /proc "syscalls"
183
184 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
185   kpasswdd
186
187 * fix possible KDC denial of service
188
189 * bug fixes
190
191Changes in release 0.6.2
192
193 * Fix possible buffer overrun in v4 kadmin (which now defaults to off)
194
195Changes in release 0.6.1
196
197 * Fixed ARCFOUR suppport
198
199 * Cross realm vulnerability
200
201 * kdc: fix denial of service attack
202
203 * kdc: stop clients from renewing tickets into the future
204
205 * bug fixes
206	
207Changes in release 0.6
208
209* The DES3 GSS-API mechanism has been changed to inter-operate with
210  other GSSAPI implementations. See man page for gssapi(3) how to turn
211  on generation of correct MIC messages. Next major release of heimdal 
212  will generate correct MIC by default.
213
214* More complete GSS-API support
215
216* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
217  support in applications no longer requires Kerberos 4 libs
218
219* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
220
221* other bug fixes
222
223Changes in release 0.5.2
224
225 * kdc: add option for disabling v4 cross-realm (defaults to off)
226
227 * bug fixes
228
229Changes in release 0.5.1
230
231 * kadmind: fix remote exploit
232
233 * kadmind: add option to disable kerberos 4
234
235 * kdc: make sure kaserver token life is positive
236
237 * telnet: use the session key if there is no subkey
238
239 * fix EPSV parsing in ftp
240
241 * other bug fixes
242
243Changes in release 0.5
244
245 * add --detach option to kdc
246
247 * allow setting forward and forwardable option in telnet from
248   .telnetrc, with override from command line
249
250 * accept addresses with or without ports in krb5_rd_cred
251
252 * make it work with modern openssl
253
254 * use our own string2key function even with openssl (that handles weak
255   keys incorrectly)
256
257 * more system-specific requirements in login
258
259 * do not use getlogin() to determine root in su
260
261 * telnet: abort if telnetd does not support encryption
262
263 * update autoconf to 2.53
264
265 * update config.guess, config.sub
266
267 * other bug fixes
268
269Changes in release 0.4e
270
271 * improve libcrypto and database autoconf tests
272
273 * do not care about salting of server principals when serving v4 requests
274
275 * some improvements to gssapi library
276
277 * test for existing compile_et/libcom_err
278
279 * portability fixes
280
281 * bug fixes
282
283Changes in release 0.4d
284
285 * fix some problems when using libcrypto from openssl
286
287 * handle /dev/ptmx `unix98' ptys on Linux
288
289 * add some forgotten man pages
290
291 * rsh: clean-up and add man page
292
293 * fix -A and -a in builtin-ls in tpd
294
295 * fix building problem on Irix
296
297 * make `ktutil get' more efficient
298
299 * bug fixes
300
301Changes in release 0.4c
302
303 * fix buffer overrun in telnetd
304
305 * repair some of the v4 fallback code in kinit
306
307 * add more shared library dependencies
308
309 * simplify and fix hprop handling of v4 databases
310
311 * fix some building problems (osf's sia and osfc2 login)
312
313 * bug fixes
314
315Changes in release 0.4b
316
317 * update the shared library version numbers correctly
318
319Changes in release 0.4a
320
321 * corrected key used for checksum in mk_safe, unfortunately this
322   makes it backwards incompatible
323
324 * update to autoconf 2.50, libtool 1.4
325
326 * re-write dns/config lookups (krb5_krbhst API)
327
328 * make order of using subkeys consistent
329
330 * add man page links
331
332 * add more man pages
333
334 * remove rfc2052 support, now only rfc2782 is supported
335
336 * always build with kaserver protocol support in the KDC (assuming
337   KRB4 is enabled) and support for reading kaserver databases in
338   hprop
339
340Changes in release 0.3f
341
342 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
343   the new keytab type that tries both of these in order (SRVTAB is
344   also an alias for krb4:)
345
346 * improve error reporting and error handling (error messages should
347   be more detailed and more useful)
348
349 * improve building with openssl
350
351 * add kadmin -K, rcp -F 
352
353 * fix two incorrect weak DES keys
354
355 * fix building of kaserver compat in KDC
356
357 * the API is closer to what MIT krb5 is using
358
359 * more compatible with windows 2000
360
361 * removed some memory leaks
362
363 * bug fixes
364
365Changes in release 0.3e
366
367 * rcp program included
368
369 * fix buffer overrun in ftpd
370
371 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
372   cannot generate zero sequence numbers
373
374 * handle v4 /.k files better
375
376 * configure/portability fixes
377
378 * fixes in parsing of options to kadmin (sub-)commands
379
380 * handle errors in kadmin load better
381
382 * bug fixes
383
384Changes in release 0.3d
385
386 * add krb5-config
387
388 * fix a bug in 3des gss-api mechanism, making it compatible with the
389   specification and the MIT implementation
390
391 * make telnetd only allow a specific list of environment variables to
392   stop it from setting `sensitive' variables
393
394 * try to use an existing libdes
395
396 * lib/krb5, kdc: use correct usage type for ap-req messages.  This
397   should improve compatability with MIT krb5 when using 3DES
398   encryption types
399
400 * kdc: fix memory allocation problem
401
402 * update config.guess and config.sub
403
404 * lib/roken: more stuff implemented
405
406 * bug fixes and portability enhancements
407
408Changes in release 0.3c
409
410 * lib/krb5: memory caches now support the resolve operation
411
412 * appl/login: set PATH to some sane default
413
414 * kadmind: handle several realms
415
416 * bug fixes (including memory leaks)
417
418Changes in release 0.3b
419
420 * kdc: prefer default-salted keys on v5 requests
421
422 * kdc: lowercase hostnames in v4 mode
423
424 * hprop: handle more types of MIT salts
425
426 * lib/krb5: fix memory leak
427
428 * bug fixes
429
430Changes in release 0.3a:
431
432 * implement arcfour-hmac-md5 to interoperate with W2K
433
434 * modularise the handling of the master key, and allow for other
435   encryption types. This makes it easier to import a database from
436   some other source without having to re-encrypt all keys.
437
438 * allow for better control over which encryption types are created
439
440 * make kinit fallback to v4 if given a v4 KDC
441
442 * make klist work better with v4 and v5, and add some more MIT
443   compatibility options
444
445 * make the kdc listen on the krb524 (4444) port for compatibility
446   with MIT krb5 clients
447
448 * implement more DCE/DFS support, enabled with --enable-dce, see
449   lib/kdfs and appl/dceutils
450
451 * make the sequence numbers work correctly
452
453 * bug fixes
454
455Changes in release 0.2t:
456
457 * bug fixes
458
459Changes in release 0.2s:
460
461 * add OpenLDAP support in hdb
462
463 * login will get v4 tickets when it receives forwarded tickets
464
465 * xnlock supports both v5 and v4
466
467 * repair source routing for telnet
468
469 * fix building problems with krb4 (krb_mk_req)
470
471 * bug fixes
472
473Changes in release 0.2r:
474
475 * fix realloc memory corruption bug in kdc
476
477 * `add --key' and `cpw --key' in kadmin
478
479 * klist supports listing v4 tickets
480
481 * update config.guess and config.sub
482
483 * make v4 -> v5 principal name conversion more robust
484
485 * support for anonymous tickets
486
487 * new man-pages
488
489 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
490
491 * use and set expiration and not password expiration when dumping
492   to/from ka server databases / krb4 databases
493
494 * make the code happier with 64-bit time_t
495
496 * follow RFC2782 and by default do not look for non-underscore SRV names
497
498Changes in release 0.2q:
499
500 * bug fix in tcp-handling in kdc
501
502 * bug fix in expand_hostname
503
504Changes in release 0.2p:
505
506 * bug fix in `kadmin load/merge'
507
508 * bug fix in krb5_parse_address
509
510Changes in release 0.2o:
511
512 * gss_{import,export}_sec_context added to libgssapi
513
514 * new option --addresses to kdc (for listening on an explicit set of
515   addresses)
516
517 * bug fixes in the krb4 and kaserver emulation part of the kdc
518
519 * other bug fixes
520
521Changes in release 0.2n:
522
523 * more robust parsing of dump files in kadmin
524 * changed default timestamp format for log messages to extended ISO
525   8601 format (Y-M-DTH:M:S)
526 * changed md4/md5/sha1 APIes to be de-facto `standard'
527 * always make hostname into lower-case before creating principal
528 * small bits of more MIT-compatability
529 * bug fixes
530
531Changes in release 0.2m:
532
533 * handle glibc's getaddrinfo() that returns several ai_canonname
534
535 * new endian test
536
537 * man pages fixes
538
539Changes in release 0.2l:
540
541 * bug fixes
542
543Changes in release 0.2k:
544
545 * better IPv6 test
546
547 * make struct sockaddr_storage in roken work better on alphas
548
549 * some missing [hn]to[hn]s fixed.
550
551 * allow users to change their own passwords with kadmin (with initial
552   tickets)
553
554 * fix stupid bug in parsing KDC specification
555
556 * add `ktutil change' and `ktutil purge'
557
558Changes in release 0.2j:
559
560 * builds on Irix
561
562 * ftpd works in passive mode
563
564 * should build on cygwin
565
566 * work around broken IPv6-code on OpenBSD 2.6, also add configure
567   option --disable-ipv6
568
569Changes in release 0.2i:
570
571 * use getaddrinfo in the missing places.
572
573 * fix SRV lookup for admin server
574
575 * use get{addr,name}info everywhere.  and implement it in terms of
576   getipnodeby{name,addr} (which uses gethostbyname{,2} and
577   gethostbyaddr)
578
579Changes in release 0.2h:
580
581 * fix typo in kx (now compiles)
582
583Changes in release 0.2g:
584
585 * lots of bug fixes:
586   * push works
587   * repair appl/test programs
588   * sockaddr_storage works on solaris (alignment issues)
589   * works better with non-roken getaddrinfo
590   * rsh works
591   * some non standard C constructs removed
592
593Changes in release 0.2f:
594
595 * support SRV records for kpasswd
596 * look for both _kerberos and krb5-realm when doing host -> realm mapping
597
598Changes in release 0.2e:
599
600 * changed copyright notices to remove `advertising'-clause.
601 * get{addr,name}info added to roken and used in the other code
602   (this makes things work much better with hosts with both v4 and v6
603    addresses, among other things)
604 * do pre-auth for both password and key-based get_in_tkt
605 * support for having several databases
606 * new command `del_enctype' in kadmin
607 * strptime (and new strftime) add to roken
608 * more paranoia about finding libdb
609 * bug fixes
610
611Changes in release 0.2d:
612
613 * new configuration option [libdefaults]default_etypes_des
614 * internal ls in ftpd builds without KRB4
615 * kx/rsh/push/pop_debug tries v5 and v4 consistenly
616 * build bug fixes
617 * other bug fixes
618
619Changes in release 0.2c:
620
621 * bug fixes (see ChangeLog's for details)
622
623Changes in release 0.2b:
624
625 * bug fixes
626 * actually bump shared library versions
627
628Changes in release 0.2a:
629
630 * a new program verify_krb5_conf for checking your /etc/krb5.conf
631 * add 3DES keys when changing password
632 * support null keys in database
633 * support multiple local realms
634 * implement a keytab backend for AFS KeyFile's
635 * implement a keytab backend for v4 srvtabs
636 * implement `ktutil copy'
637 * support password quality control in v4 kadmind
638 * improvements in v4 compat kadmind
639 * handle the case of having the correct cred in the ccache but with
640   the wrong encryption type better
641 * v6-ify the remaining programs.
642 * internal ls in ftpd
643 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
644 * add `ank --random-password' and `cpw --random-password' in kadmin
645 * some programs and documentation for trying to talk to a W2K KDC
646 * bug fixes
647
648Changes in release 0.1m:
649
650 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
651   From Miroslav Ruda <ruda@ics.muni.cz>
652 * v6-ify hprop and hpropd
653 * support numeric addresses in krb5_mk_req
654 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
655 * make rsh/rshd IPv6-aware
656 * make the gssapi sample applications better at reporting errors
657 * lots of bug fixes
658 * handle systems with v6-aware libc and non-v6 kernels (like Linux
659   with glibc 2.1) better
660 * hide failure of ERPT in ftp
661 * lots of bug fixes
662
663Changes in release 0.1l:
664
665 * make ftp and ftpd IPv6-aware
666 * add inet_pton to roken
667 * more IPv6-awareness
668 * make mini_inetd v6 aware
669
670Changes in release 0.1k:
671
672 * bump shared libraries versions
673 * add roken version of inet_ntop
674 * merge more changes to rshd
675
676Changes in release 0.1j:
677
678 * restore back to the `old' 3DES code.  This was supposed to be done
679   in 0.1h and 0.1i but I did a CVS screw-up.
680 * make telnetd handle v6 connections
681
682Changes in release 0.1i:
683
684 * start using `struct sockaddr_storage' which simplifies the code
685   (with a fallback definition if it's not defined)
686 * bug fixes (including in hprop and kf)
687 * don't use mawk which seems to mishandle roken.awk
688 * get_addrs should be able to handle v6 addresses on Linux (with the
689   required patch to the Linux kernel -- ask within)
690 * rshd builds with shadow passwords
691
692Changes in release 0.1h:
693
694 * kf: new program for forwarding credentials
695 * portability fixes
696 * make forwarding credentials work with MIT code
697 * better conversion of ka database
698 * add etc/services.append
699 * correct `modified by' from kpasswdd
700 * lots of bug fixes
701
702Changes in release 0.1g:
703
704 * kgetcred: new program for explicitly obtaining tickets
705 * configure fixes
706 * krb5-aware kx
707 * bug fixes
708
709Changes in release 0.1f;
710
711 * experimental support for v4 kadmin protokoll in kadmind
712 * bug fixes
713
714Changes in release 0.1e:
715
716 * try to handle old DCE and MIT kdcs
717 * support for older versions of credential cache files and keytabs
718 * postdated tickets work
719 * support for password quality checks in kpasswdd
720 * new flag --enable-kaserver for kdc
721 * renew fixes
722 * prototype su program
723 * updated (some) manpages
724 * support for KDC resource records
725 * should build with --without-krb4
726 * bug fixes
727
728Changes in release 0.1d:
729
730 * Support building with DB2 (uses 1.85-compat API)
731 * Support krb5-realm.DOMAIN in DNS
732 * new `ktutil srvcreate'
733 * v4/kafs support in klist/kdestroy
734 * bug fixes
735
736Changes in release 0.1c:
737
738 * fix ASN.1 encoding of signed integers
739 * somewhat working `ktutil get'
740 * some documentation updates
741 * update to Autoconf 2.13 and Automake 1.4
742 * the usual bug fixes
743
744Changes in release 0.1b:
745
746 * some old -> new crypto conversion utils
747 * bug fixes
748
749Changes in release 0.1a:
750
751 * new crypto code
752 * more bug fixes
753 * make sure we ask for DES keys in gssapi
754 * support signed ints in ASN1
755 * IPv6-bug fixes
756
757Changes in release 0.0u:
758
759 * lots of bug fixes
760
761Changes in release 0.0t:
762
763 * more robust parsing of krb5.conf
764 * include net{read,write} in lib/roken
765 * bug fixes
766
767Changes in release 0.0s:
768
769 * kludges for parsing options to rsh
770 * more robust parsing of krb5.conf
771 * removed some arbitrary limits
772 * bug fixes
773
774Changes in release 0.0r:
775
776 * default options for some programs
777 * bug fixes
778
779Changes in release 0.0q:
780
781 * support for building shared libraries with libtool
782 * bug fixes
783
784Changes in release 0.0p:
785
786 * keytab moved to /etc/krb5.keytab
787 * avoid false detection of IPv6 on Linux
788 * Lots of more functionality in the gssapi-library
789 * hprop can now read ka-server databases
790 * bug fixes
791
792Changes in release 0.0o:
793
794 * FTP with GSSAPI support.
795 * Bug fixes.
796
797Changes in release 0.0n:
798
799 * Incremental database propagation.
800 * Somewhat improved kadmin ui; the stuff in admin is now removed.
801 * Some support for using enctypes instead of keytypes.
802 * Lots of other improvement and bug fixes, see ChangeLog for details.
803