xref: /freebsd/crypto/heimdal/NEWS (revision 6be3386466ab79a84b48429ae66244f21526d3df)
1Release Notes - Heimdal - Version Heimdal 1.5.2
2
3 Security fixes
4 - CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege
5 - Check that key types strictly match - denial of service
6
7Release Notes - Heimdal - Version Heimdal 1.5.1
8
9 Bug fixes
10 - Fix building on Solaris, requires c99
11 - Fix building on Windows
12 - Build system updates
13
14Release Notes - Heimdal - Version Heimdal 1.5
15
16New features
17
18 - Support GSS name extensions/attributes
19 - SHA512 support
20 - No Kerberos 4 support
21 - Basic support for MIT Admin protocol (SECGSS flavor)
22   in kadmind (extract keytab)
23 - Replace editline with libedit
24
25Release Notes - Heimdal - Version Heimdal 1.4
26
27 New features
28
29 - Support for reading MIT database file directly
30 - KCM is polished up and now used in production
31 - NTLM first class citizen, credentials stored in KCM
32 - Table driven ASN.1 compiler, smaller!, not enabled by default
33 - Native Windows client support
34
35Notes
36
37 - Disabled write support NDBM hdb backend (read still in there) since
38   it can't handle large records, please migrate to a diffrent backend
39   (like BDB4)
40
41Release Notes - Heimdal - Version Heimdal 1.3.3
42
43 Bug fixes
44 - Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
45 - Check NULL pointers before dereference them [kdc]
46
47Release Notes - Heimdal - Version Heimdal 1.3.2
48
49 Bug fixes
50
51 - Don't mix length when clearing hmac (could memset too much)
52 - More paranoid underrun checking when decrypting packets
53 - Check the password change requests and refuse to answer empty packets
54 - Build on OpenSolaris
55 - Renumber AD-SIGNED-TICKET since it was stolen from US
56 - Don't cache /dev/*random file descriptor, it doesn't get unloaded
57 - Make C++ safe
58 - Misc warnings
59
60Release Notes - Heimdal - Version Heimdal 1.3.1
61
62 Bug fixes
63
64 - Store KDC offset in credentials
65 - Many many more bug fixes
66
67Release Notes - Heimdal - Version Heimdal 1.3.1
68
69 New features
70
71 - Make work with OpenLDAPs krb5 overlay
72
73Release Notes - Heimdal - Version Heimdal 1.3
74
75 New features
76
77 - Partial support for MIT kadmind rpc protocol in kadmind
78 - Better support for finding keytab entries when using SPN aliases in the KDC
79 - Support BER in ASN.1 library (needed for CMS)
80 - Support decryption in Keychain private keys
81 - Support for new sqlite based credential cache
82 - Try both KDC referals and the common DNS reverse lookup in GSS-API
83 - Fix the KCM to not leak resources on failure
84 - Add IPv6 support to iprop
85 - Support localization of error strings in
86   kinit/klist/kdestroy and Kerberos library
87 - Remove Kerberos 4 support in application (still in KDC)
88 - Deprecate DES
89 - Support i18n password in windows domains (using UTF-8)
90 - More complete API emulation of OpenSSL in hcrypto
91 - Support for ECDSA and ECDH when linking with OpenSSL
92
93 API changes
94
95 - Support for settin friendly name on credential caches
96 - Move to using doxygen to generate documentation.
97 - Sprinkling __attribute__((depricated)) for old function to be removed
98 - Support to export LAST-REQUST information in AS-REQ
99 - Support for client deferrals in in AS-REQ
100 - Add seek support for krb5_storage.
101 - Support for split AS-REQ, first step for IA-KERB
102 - Fix many memory leaks and bugs
103 - Improved regression test
104 - Support krb5_cccol
105 - Switch to krb5_set_error_message
106 - Support krb5_crypto_*_iov
107 - Switch to use EVP for most function
108 - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec)
109 - Add support for GSS_C_DELEG_POLICY_FLAG
110 - Add krb5_cc_[gs]et_config to store data in the credential caches
111 - PTY testing application
112
113Bugfixes
114 - Make building on AIX6 possible.
115 - Bugfixes in LDAP KDC code to make it more stable
116 - Make ipropd-slave reconnect when master down gown
117
118
119Release Notes - Heimdal - Version Heimdal 1.2.1
120
121* Bug
122
123  [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
124  [HEIMDAL-151] - Make canned tests work again after cert expired
125  [HEIMDAL-152] - iprop test: use full hostname to avoid realm
126                  resolving errors
127  [HEIMDAL-153] - ftp: Use the correct length for unmap, msync
128
129Release Notes - Heimdal - Version Heimdal 1.2
130
131* Bug
132
133  [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in
134  		 gss_display_name/gss_export_name when using SPNEGO
135  [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
136  [HEIMDAL-17] - Remove support for depricated [libdefaults]capath
137  [HEIMDAL-52] - hdb overwrite aliases for db databases
138  [HEIMDAL-54] - Two issues which affect credentials delegation
139  [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
140  [HEIMDAL-62] - Fix printing of sig_atomic_t
141  [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
142  [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
143  [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)
144
145* Improvement
146  [HEIMDAL-67] - Fix locking and store credential in atomic writes
147                 in the FILE credential cache
148  [HEIMDAL-106] - make compile on cygwin again
149  [HEIMDAL-107] - Replace old random key generation in des module
150                  and use it with RAND_ function instead
151  [HEIMDAL-115] - Better documentation and compatibility in hcrypto
152                  in regards to OpenSSL
153
154* New Feature
155  [HEIMDAL-3] - pkinit alg agility PRF test vectors
156  [HEIMDAL-14] - Add libwind to Heimdal
157  [HEIMDAL-16] - Use libwind in hx509
158  [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to
159                 the negotiation
160  [HEIMDAL-74] - Add support to report extended error message back
161                 in AS-REQ to support windows clients
162  [HEIMDAL-116] - test pty based application (using rkpty)
163  [HEIMDAL-120] - Use new OpenLDAP API (older deprecated)
164
165* Task
166  [HEIMDAL-63] - Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ.
167                 This drop compatibility with pre 0.3d KDCs.
168  [HEIMDAL-64] - kcm: first implementation of kcm-move-cache
169  [HEIMDAL-65] - Failed to compile with --disable-pk-init
170  [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some
171                 wraparound checks doesn't apply to Heimdal
172
173Changes in release 1.1
174
175 * Read-only PKCS11 provider built-in to hx509.
176
177 * Documentation for hx509, hcrypto and ntlm libraries improved.
178
179 * Better compatibilty with Windows 2008 Server pre-releases and Vista.
180
181 * Mac OS X 10.5 support for native credential cache.
182
183 * Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
184
185 * Bug fixes.
186
187Changes in release 1.0.2
188
189* Ubuntu packages.
190
191* Bug fixes.
192
193Changes in release 1.0.1
194
195 * Serveral bug fixes to iprop.
196
197 * Make work on platforms without dlopen.
198
199 * Add RFC3526 modp group14 as default.
200
201 * Handle [kdc] database = { } entries without realm = stanzas.
202
203 * Make krb5_get_renewed_creds work.
204
205 * Make kaserver preauth work again.
206
207 * Bug fixes.
208
209Changes in release 1.0
210
211 * Add gss_pseudo_random() for mechglue and krb5.
212
213 * Make session key for the krbtgt be selected by the best encryption
214   type of the client.
215
216 * Better interoperability with other PK-INIT implementations.
217
218 * Inital support for Mac OS X Keychain for hx509.
219
220 * Alias support for inital ticket requests.
221
222 * Add symbol versioning to selected libraries on platforms that uses
223   GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.
224
225 * New version of imath included in hcrypto.
226
227 * Fix memory leaks.
228
229 * Bugs fixes.
230
231Changes in release 0.8.1
232
233 * Make ASN.1 library less paranoid to with regard to NUL in string to
234   make it inter-operate with MIT Kerberos again.
235
236 * Make GSS-API library work again when using gss_acquire_cred
237
238 * Add symbol versioning to libgssapi when using GNU ld.
239
240 * Fix memory leaks
241
242 * Bugs fixes
243
244Changes in release 0.8
245
246 * PK-INIT support.
247
248 * HDB extensions support, used by PK-INIT.
249
250 * New ASN.1 compiler.
251
252 * GSS-API mechglue from FreeBSD.
253
254 * Updated SPNEGO to support RFC4178.
255
256 * Support for Cryptosystem Negotiation Extension (RFC 4537).
257
258 * A new X.509 library (hx509) and related crypto functions.
259
260 * A new ntlm library (heimntlm) and related crypto functions.
261
262 * Updated the built-in crypto library with bignum support using
263   imath, support for RSA and DH and renamed it to libhcrypto.
264
265 * Subsystem in the KDC, digest, that will perform the digest
266   operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL
267   DIGEST-MD5 NTLMv1 and NTLMv2.
268
269 * KDC will return the "response too big" error to force TCP retries
270   for large (default 1400 bytes) UDP replies.  This is common for
271   PK-INIT requests.
272
273 * Libkafs defaults to use 2b tokens.
274
275 * Default to use the API cache on Mac OS X.
276
277 * krb5_kuserok() also checks ~/.k5login.d directory for acl files,
278   see manpage for krb5_kuserok for description.
279
280 * Many, many, other updates to code and info manual and manual pages.
281
282 * Bug fixes
283
284Changes in release 0.7.2
285
286* Fix security problem in rshd that enable an attacker to overwrite
287  and change ownership of any file that root could write.
288
289* Fix a DOS in telnetd. The attacker could force the server to crash
290  in a NULL de-reference before the user logged in, resulting in inetd
291  turning telnetd off because it forked too fast.
292
293* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
294  exists in the keytab before returning success. This allows servers
295  to check if its even possible to use GSSAPI.
296
297* Fix receiving end of token delegation for GSS-API. It still wrongly
298  uses subkey for sending for compatibility reasons, this will change
299  in 0.8.
300
301* telnetd, login and rshd are now more verbose in logging failed and
302  successful logins.
303
304* Bug fixes
305
306Changes in release 0.7.1
307
308* Bug fixes
309
310Changes in release 0.7
311
312 * Support for KCM, a process based credential cache
313
314 * Support CCAPI credential cache
315
316 * SPNEGO support
317
318 * AES (and the gssapi conterpart, CFX) support
319
320 * Adding new and improve old documentation
321
322 * Bug fixes
323
324Changes in release 0.6.6
325
326* Fix security problem in rshd that enable an attacker to overwrite
327  and change ownership of any file that root could write.
328
329* Fix a DOS in telnetd. The attacker could force the server to crash
330  in a NULL de-reference before the user logged in, resulting in inetd
331  turning telnetd off because it forked too fast.
332
333Changes in release 0.6.5
334
335 * fix vulnerabilities in telnetd
336
337 * unbreak Kerberos 4 and kaserver
338
339Changes in release 0.6.4
340
341 * fix vulnerabilities in telnet
342
343 * rshd: encryption without a separate error socket should now work
344
345 * telnet now uses appdefaults for the encrypt and forward/forwardable
346   settings
347
348 * bug fixes
349
350Changes in release 0.6.3
351
352 * fix vulnerabilities in ftpd
353
354 * support for linux AFS /proc "syscalls"
355
356 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
357   kpasswdd
358
359 * fix possible KDC denial of service
360
361 * bug fixes
362
363Changes in release 0.6.2
364
365 * Fix possible buffer overrun in v4 kadmin (which now defaults to off)
366
367Changes in release 0.6.1
368
369 * Fixed ARCFOUR suppport
370
371 * Cross realm vulnerability
372
373 * kdc: fix denial of service attack
374
375 * kdc: stop clients from renewing tickets into the future
376
377 * bug fixes
378
379Changes in release 0.6
380
381* The DES3 GSS-API mechanism has been changed to inter-operate with
382  other GSSAPI implementations. See man page for gssapi(3) how to turn
383  on generation of correct MIC messages. Next major release of heimdal
384  will generate correct MIC by default.
385
386* More complete GSS-API support
387
388* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
389  support in applications no longer requires Kerberos 4 libs
390
391* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
392
393* other bug fixes
394
395Changes in release 0.5.2
396
397 * kdc: add option for disabling v4 cross-realm (defaults to off)
398
399 * bug fixes
400
401Changes in release 0.5.1
402
403 * kadmind: fix remote exploit
404
405 * kadmind: add option to disable kerberos 4
406
407 * kdc: make sure kaserver token life is positive
408
409 * telnet: use the session key if there is no subkey
410
411 * fix EPSV parsing in ftp
412
413 * other bug fixes
414
415Changes in release 0.5
416
417 * add --detach option to kdc
418
419 * allow setting forward and forwardable option in telnet from
420   .telnetrc, with override from command line
421
422 * accept addresses with or without ports in krb5_rd_cred
423
424 * make it work with modern openssl
425
426 * use our own string2key function even with openssl (that handles weak
427   keys incorrectly)
428
429 * more system-specific requirements in login
430
431 * do not use getlogin() to determine root in su
432
433 * telnet: abort if telnetd does not support encryption
434
435 * update autoconf to 2.53
436
437 * update config.guess, config.sub
438
439 * other bug fixes
440
441Changes in release 0.4e
442
443 * improve libcrypto and database autoconf tests
444
445 * do not care about salting of server principals when serving v4 requests
446
447 * some improvements to gssapi library
448
449 * test for existing compile_et/libcom_err
450
451 * portability fixes
452
453 * bug fixes
454
455Changes in release 0.4d
456
457 * fix some problems when using libcrypto from openssl
458
459 * handle /dev/ptmx `unix98' ptys on Linux
460
461 * add some forgotten man pages
462
463 * rsh: clean-up and add man page
464
465 * fix -A and -a in builtin-ls in tpd
466
467 * fix building problem on Irix
468
469 * make `ktutil get' more efficient
470
471 * bug fixes
472
473Changes in release 0.4c
474
475 * fix buffer overrun in telnetd
476
477 * repair some of the v4 fallback code in kinit
478
479 * add more shared library dependencies
480
481 * simplify and fix hprop handling of v4 databases
482
483 * fix some building problems (osf's sia and osfc2 login)
484
485 * bug fixes
486
487Changes in release 0.4b
488
489 * update the shared library version numbers correctly
490
491Changes in release 0.4a
492
493 * corrected key used for checksum in mk_safe, unfortunately this
494   makes it backwards incompatible
495
496 * update to autoconf 2.50, libtool 1.4
497
498 * re-write dns/config lookups (krb5_krbhst API)
499
500 * make order of using subkeys consistent
501
502 * add man page links
503
504 * add more man pages
505
506 * remove rfc2052 support, now only rfc2782 is supported
507
508 * always build with kaserver protocol support in the KDC (assuming
509   KRB4 is enabled) and support for reading kaserver databases in
510   hprop
511
512Changes in release 0.3f
513
514 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
515   the new keytab type that tries both of these in order (SRVTAB is
516   also an alias for krb4:)
517
518 * improve error reporting and error handling (error messages should
519   be more detailed and more useful)
520
521 * improve building with openssl
522
523 * add kadmin -K, rcp -F
524
525 * fix two incorrect weak DES keys
526
527 * fix building of kaserver compat in KDC
528
529 * the API is closer to what MIT krb5 is using
530
531 * more compatible with windows 2000
532
533 * removed some memory leaks
534
535 * bug fixes
536
537Changes in release 0.3e
538
539 * rcp program included
540
541 * fix buffer overrun in ftpd
542
543 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
544   cannot generate zero sequence numbers
545
546 * handle v4 /.k files better
547
548 * configure/portability fixes
549
550 * fixes in parsing of options to kadmin (sub-)commands
551
552 * handle errors in kadmin load better
553
554 * bug fixes
555
556Changes in release 0.3d
557
558 * add krb5-config
559
560 * fix a bug in 3des gss-api mechanism, making it compatible with the
561   specification and the MIT implementation
562
563 * make telnetd only allow a specific list of environment variables to
564   stop it from setting `sensitive' variables
565
566 * try to use an existing libdes
567
568 * lib/krb5, kdc: use correct usage type for ap-req messages.  This
569   should improve compatability with MIT krb5 when using 3DES
570   encryption types
571
572 * kdc: fix memory allocation problem
573
574 * update config.guess and config.sub
575
576 * lib/roken: more stuff implemented
577
578 * bug fixes and portability enhancements
579
580Changes in release 0.3c
581
582 * lib/krb5: memory caches now support the resolve operation
583
584 * appl/login: set PATH to some sane default
585
586 * kadmind: handle several realms
587
588 * bug fixes (including memory leaks)
589
590Changes in release 0.3b
591
592 * kdc: prefer default-salted keys on v5 requests
593
594 * kdc: lowercase hostnames in v4 mode
595
596 * hprop: handle more types of MIT salts
597
598 * lib/krb5: fix memory leak
599
600 * bug fixes
601
602Changes in release 0.3a:
603
604 * implement arcfour-hmac-md5 to interoperate with W2K
605
606 * modularise the handling of the master key, and allow for other
607   encryption types. This makes it easier to import a database from
608   some other source without having to re-encrypt all keys.
609
610 * allow for better control over which encryption types are created
611
612 * make kinit fallback to v4 if given a v4 KDC
613
614 * make klist work better with v4 and v5, and add some more MIT
615   compatibility options
616
617 * make the kdc listen on the krb524 (4444) port for compatibility
618   with MIT krb5 clients
619
620 * implement more DCE/DFS support, enabled with --enable-dce, see
621   lib/kdfs and appl/dceutils
622
623 * make the sequence numbers work correctly
624
625 * bug fixes
626
627Changes in release 0.2t:
628
629 * bug fixes
630
631Changes in release 0.2s:
632
633 * add OpenLDAP support in hdb
634
635 * login will get v4 tickets when it receives forwarded tickets
636
637 * xnlock supports both v5 and v4
638
639 * repair source routing for telnet
640
641 * fix building problems with krb4 (krb_mk_req)
642
643 * bug fixes
644
645Changes in release 0.2r:
646
647 * fix realloc memory corruption bug in kdc
648
649 * `add --key' and `cpw --key' in kadmin
650
651 * klist supports listing v4 tickets
652
653 * update config.guess and config.sub
654
655 * make v4 -> v5 principal name conversion more robust
656
657 * support for anonymous tickets
658
659 * new man-pages
660
661 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
662
663 * use and set expiration and not password expiration when dumping
664   to/from ka server databases / krb4 databases
665
666 * make the code happier with 64-bit time_t
667
668 * follow RFC2782 and by default do not look for non-underscore SRV names
669
670Changes in release 0.2q:
671
672 * bug fix in tcp-handling in kdc
673
674 * bug fix in expand_hostname
675
676Changes in release 0.2p:
677
678 * bug fix in `kadmin load/merge'
679
680 * bug fix in krb5_parse_address
681
682Changes in release 0.2o:
683
684 * gss_{import,export}_sec_context added to libgssapi
685
686 * new option --addresses to kdc (for listening on an explicit set of
687   addresses)
688
689 * bug fixes in the krb4 and kaserver emulation part of the kdc
690
691 * other bug fixes
692
693Changes in release 0.2n:
694
695 * more robust parsing of dump files in kadmin
696 * changed default timestamp format for log messages to extended ISO
697   8601 format (Y-M-DTH:M:S)
698 * changed md4/md5/sha1 APIes to be de-facto `standard'
699 * always make hostname into lower-case before creating principal
700 * small bits of more MIT-compatability
701 * bug fixes
702
703Changes in release 0.2m:
704
705 * handle glibc's getaddrinfo() that returns several ai_canonname
706
707 * new endian test
708
709 * man pages fixes
710
711Changes in release 0.2l:
712
713 * bug fixes
714
715Changes in release 0.2k:
716
717 * better IPv6 test
718
719 * make struct sockaddr_storage in roken work better on alphas
720
721 * some missing [hn]to[hn]s fixed.
722
723 * allow users to change their own passwords with kadmin (with initial
724   tickets)
725
726 * fix stupid bug in parsing KDC specification
727
728 * add `ktutil change' and `ktutil purge'
729
730Changes in release 0.2j:
731
732 * builds on Irix
733
734 * ftpd works in passive mode
735
736 * should build on cygwin
737
738 * work around broken IPv6-code on OpenBSD 2.6, also add configure
739   option --disable-ipv6
740
741Changes in release 0.2i:
742
743 * use getaddrinfo in the missing places.
744
745 * fix SRV lookup for admin server
746
747 * use get{addr,name}info everywhere.  and implement it in terms of
748   getipnodeby{name,addr} (which uses gethostbyname{,2} and
749   gethostbyaddr)
750
751Changes in release 0.2h:
752
753 * fix typo in kx (now compiles)
754
755Changes in release 0.2g:
756
757 * lots of bug fixes:
758   * push works
759   * repair appl/test programs
760   * sockaddr_storage works on solaris (alignment issues)
761   * works better with non-roken getaddrinfo
762   * rsh works
763   * some non standard C constructs removed
764
765Changes in release 0.2f:
766
767 * support SRV records for kpasswd
768 * look for both _kerberos and krb5-realm when doing host -> realm mapping
769
770Changes in release 0.2e:
771
772 * changed copyright notices to remove `advertising'-clause.
773 * get{addr,name}info added to roken and used in the other code
774   (this makes things work much better with hosts with both v4 and v6
775    addresses, among other things)
776 * do pre-auth for both password and key-based get_in_tkt
777 * support for having several databases
778 * new command `del_enctype' in kadmin
779 * strptime (and new strftime) add to roken
780 * more paranoia about finding libdb
781 * bug fixes
782
783Changes in release 0.2d:
784
785 * new configuration option [libdefaults]default_etypes_des
786 * internal ls in ftpd builds without KRB4
787 * kx/rsh/push/pop_debug tries v5 and v4 consistenly
788 * build bug fixes
789 * other bug fixes
790
791Changes in release 0.2c:
792
793 * bug fixes (see ChangeLog's for details)
794
795Changes in release 0.2b:
796
797 * bug fixes
798 * actually bump shared library versions
799
800Changes in release 0.2a:
801
802 * a new program verify_krb5_conf for checking your /etc/krb5.conf
803 * add 3DES keys when changing password
804 * support null keys in database
805 * support multiple local realms
806 * implement a keytab backend for AFS KeyFile's
807 * implement a keytab backend for v4 srvtabs
808 * implement `ktutil copy'
809 * support password quality control in v4 kadmind
810 * improvements in v4 compat kadmind
811 * handle the case of having the correct cred in the ccache but with
812   the wrong encryption type better
813 * v6-ify the remaining programs.
814 * internal ls in ftpd
815 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
816 * add `ank --random-password' and `cpw --random-password' in kadmin
817 * some programs and documentation for trying to talk to a W2K KDC
818 * bug fixes
819
820Changes in release 0.1m:
821
822 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
823   From Miroslav Ruda <ruda@ics.muni.cz>
824 * v6-ify hprop and hpropd
825 * support numeric addresses in krb5_mk_req
826 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
827 * make rsh/rshd IPv6-aware
828 * make the gssapi sample applications better at reporting errors
829 * lots of bug fixes
830 * handle systems with v6-aware libc and non-v6 kernels (like Linux
831   with glibc 2.1) better
832 * hide failure of ERPT in ftp
833 * lots of bug fixes
834
835Changes in release 0.1l:
836
837 * make ftp and ftpd IPv6-aware
838 * add inet_pton to roken
839 * more IPv6-awareness
840 * make mini_inetd v6 aware
841
842Changes in release 0.1k:
843
844 * bump shared libraries versions
845 * add roken version of inet_ntop
846 * merge more changes to rshd
847
848Changes in release 0.1j:
849
850 * restore back to the `old' 3DES code.  This was supposed to be done
851   in 0.1h and 0.1i but I did a CVS screw-up.
852 * make telnetd handle v6 connections
853
854Changes in release 0.1i:
855
856 * start using `struct sockaddr_storage' which simplifies the code
857   (with a fallback definition if it's not defined)
858 * bug fixes (including in hprop and kf)
859 * don't use mawk which seems to mishandle roken.awk
860 * get_addrs should be able to handle v6 addresses on Linux (with the
861   required patch to the Linux kernel -- ask within)
862 * rshd builds with shadow passwords
863
864Changes in release 0.1h:
865
866 * kf: new program for forwarding credentials
867 * portability fixes
868 * make forwarding credentials work with MIT code
869 * better conversion of ka database
870 * add etc/services.append
871 * correct `modified by' from kpasswdd
872 * lots of bug fixes
873
874Changes in release 0.1g:
875
876 * kgetcred: new program for explicitly obtaining tickets
877 * configure fixes
878 * krb5-aware kx
879 * bug fixes
880
881Changes in release 0.1f;
882
883 * experimental support for v4 kadmin protokoll in kadmind
884 * bug fixes
885
886Changes in release 0.1e:
887
888 * try to handle old DCE and MIT kdcs
889 * support for older versions of credential cache files and keytabs
890 * postdated tickets work
891 * support for password quality checks in kpasswdd
892 * new flag --enable-kaserver for kdc
893 * renew fixes
894 * prototype su program
895 * updated (some) manpages
896 * support for KDC resource records
897 * should build with --without-krb4
898 * bug fixes
899
900Changes in release 0.1d:
901
902 * Support building with DB2 (uses 1.85-compat API)
903 * Support krb5-realm.DOMAIN in DNS
904 * new `ktutil srvcreate'
905 * v4/kafs support in klist/kdestroy
906 * bug fixes
907
908Changes in release 0.1c:
909
910 * fix ASN.1 encoding of signed integers
911 * somewhat working `ktutil get'
912 * some documentation updates
913 * update to Autoconf 2.13 and Automake 1.4
914 * the usual bug fixes
915
916Changes in release 0.1b:
917
918 * some old -> new crypto conversion utils
919 * bug fixes
920
921Changes in release 0.1a:
922
923 * new crypto code
924 * more bug fixes
925 * make sure we ask for DES keys in gssapi
926 * support signed ints in ASN1
927 * IPv6-bug fixes
928
929Changes in release 0.0u:
930
931 * lots of bug fixes
932
933Changes in release 0.0t:
934
935 * more robust parsing of krb5.conf
936 * include net{read,write} in lib/roken
937 * bug fixes
938
939Changes in release 0.0s:
940
941 * kludges for parsing options to rsh
942 * more robust parsing of krb5.conf
943 * removed some arbitrary limits
944 * bug fixes
945
946Changes in release 0.0r:
947
948 * default options for some programs
949 * bug fixes
950
951Changes in release 0.0q:
952
953 * support for building shared libraries with libtool
954 * bug fixes
955
956Changes in release 0.0p:
957
958 * keytab moved to /etc/krb5.keytab
959 * avoid false detection of IPv6 on Linux
960 * Lots of more functionality in the gssapi-library
961 * hprop can now read ka-server databases
962 * bug fixes
963
964Changes in release 0.0o:
965
966 * FTP with GSSAPI support.
967 * Bug fixes.
968
969Changes in release 0.0n:
970
971 * Incremental database propagation.
972 * Somewhat improved kadmin ui; the stuff in admin is now removed.
973 * Some support for using enctypes instead of keytypes.
974 * Lots of other improvement and bug fixes, see ChangeLog for details.
975