                   Kerberos Version 5, Release 1.21

                            Release Notes
                        The MIT Kerberos Team

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2024 by the Massachusetts Institute of Technology
and its contributors.  All rights reserved.

Please see the file named NOTICE for additional notices.

Documentation
-------------

Unified documentation for Kerberos V5 is available in both HTML and
PDF formats.  The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.

Additionally, you may find copies of the HTML format documentation
online at

    https://web.mit.edu/kerberos/krb5-latest/doc/

for the most recent supported release, or at

    https://web.mit.edu/kerberos/krb5-devel/doc/

for the release under development.

More information about Kerberos may be found at

    https://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site

    https://kerberos.org/

Building and Installing Kerberos 5
----------------------------------

Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.

The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.

You may view bug reports by visiting

https://krbdev.mit.edu/rt/

and using the "Guest Login" button.  Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.

PAC transitions
---------------

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata.  S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets.  Beginning with release 1.21, service ticket
PACs will contain a new KDC checksum buffer, to mitigate a hash
collision attack against the old KDC checksum.  If only some KDCs in a
realm have been upgraded across versions 1.20 or 1.21, the upgraded
KDCs will reject S4U requests containing tickets from non-upgraded
KDCs and vice versa.

Triple-DES and RC4 transitions
------------------------------

Beginning with the krb5-1.21 release, the KDC will not issue tickets
with triple-DES or RC4 session keys unless explicitly configured using
the new allow_des3 and allow_rc4 variables in [libdefaults].  To
facilitate the negotiation of session keys, the KDC will assume that
all services can handle aes256-sha1 session keys unless the service
principal has a session_enctypes string attribute.

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type.  Beginning with the krb5-1.21 release, a warning will also be
issued for the arcfour-hmac encryption type.  In future releases,
these encryption types will be disabled by default and eventually
removed.

Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.
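
An added example, not part of the krb5 distribution: a small audit of
krb5.conf text that flags allow_des3 or allow_rc4 set to a true value
in [libdefaults], the two switches described above.  As assumptions
beyond this README, it also checks the standard enctype-list relations
and a few common enctype aliases; the sample configuration is
constructed.

```python
import re

# Strings that krb5.conf boolean relations treat as true (case-insensitive).
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
# The two [libdefaults] switches named in the release notes above.
LEGACY_SWITCHES = {"allow_des3": "triple-DES", "allow_rc4": "RC4"}
# Assumption: the standard [libdefaults] enctype-list relations are also checked.
ENCTYPE_LISTS = {"permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes"}
# Assumption: common names and aliases for the two legacy families.
LEGACY_ENCTYPES = {
    "des3": "triple-DES", "des3-cbc-sha1": "triple-DES", "des3-hmac-sha1": "triple-DES",
    "rc4": "RC4", "arcfour-hmac": "RC4", "rc4-hmac": "RC4", "arcfour-hmac-md5": "RC4",
}

def audit_libdefaults(conf_text):
    """Return (line_no, relation, family) for each legacy-crypto setting found."""
    findings, section = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in LEGACY_SWITCHES and value.lower() in TRUE_VALUES:
            findings.append((line_no, key, LEGACY_SWITCHES[key]))
        elif key in ENCTYPE_LISTS:
            for token in re.split(r"[\s,]+", value.lower()):
                if token.startswith("-"):        # "-name" removes an enctype
                    continue
                family = LEGACY_ENCTYPES.get(token.lstrip("+"))
                if family:
                    findings.append((line_no, key, family))
    return findings

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_rc4 = true
    allow_des3 = false
    # allow_des3 = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac -des3
"""
```

Each finding gives the line number, the relation, and the legacy
family it admits, so the result can feed a configuration-compliance
check before or after a KDC upgrade.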

Major changes in 1.21.3 (2024-06-26)
------------------------------------

This is a bug fix release.

* Fix vulnerabilities in GSS message token handling [CVE-2024-37370,
  CVE-2024-37371].

* Fix a potential bad pointer free in krb5_cccol_have_contents().

* Fix a memory leak in the macOS ccache type.

krb5-1.21.2 changes by ticket ID
--------------------------------

9102    Eliminate sim_client include of getopt.h
9103    segfault trying to free a garbage pointer
9104    Work around Doxygen 1.9.7 change
9107    In PKINIT, check for null PKCS7 enveloped fields
9109    memory leak on macos
9115    Fix leak in KDC NDR encoding
9125    Formatting error in realm_config.rst
9128    Fix vulnerabilities in GSS message token handling

Major changes in 1.21.2 (2023-08-14)
------------------------------------

This is a bug fix release.

* Fix double-free in KDC TGS processing [CVE-2023-39975].

krb5-1.21.2 changes by ticket ID
--------------------------------

9101    Fix double-free in KDC TGS processing

Major changes in 1.21.1 (2023-07-10)
------------------------------------

This is a bug fix release.

* Fix potential uninitialized pointer free in kadm5 XDR parsing
  [CVE-2023-36054].

krb5-1.21.1 changes by ticket ID
--------------------------------

9099    Ensure array count consistency in kadm5 RPC

Major changes in 1.21 (2023-06-05)
----------------------------------

User experience:

* Added a credential cache type providing compatibility with the macOS
  11 native credential cache.

Developer experience:

* libkadm5 will use the provided krb5_context object to read
  configuration values, instead of creating its own.

* Added an interface to retrieve the ticket session key from a GSS
  context.

Protocol evolution:

* The KDC will no longer issue tickets with RC4 or triple-DES session
  keys unless explicitly configured with the new allow_rc4 or
  allow_des3 variables respectively.

* The KDC will assume that all services can handle aes256-sha1 session
  keys unless the service principal has a session_enctypes string
  attribute.

* Support for PAC full KDC checksums has been added to mitigate an
  S4U2Proxy privilege escalation attack.

* The PKINIT client will advertise a more modern set of supported CMS
  algorithms.

Code quality:

* Removed unused code in libkrb5, libkrb5support, and the PKINIT
  module.

* Modernized the KDC code for processing TGS requests, the code for
  encrypting and decrypting key data, the PAC handling code, and the
  GSS library packet parsing and composition code.

* Improved the test framework's detection of memory errors in daemon
  processes when used with asan.

krb5-1.21 changes by ticket ID
------------------------------

9052    Support macOS 11 native credential cache
9053    Make kprop work for dump files larger than 4GB
9054    Replace macros with typedefs in gssrpc types.h
9055    Use SHA-256 instead of SHA-1 for PKINIT CMS digest
9057    Omit LDFLAGS from krb5-config --libs output
9058    Add configure variable for default PKCS#11 module
9059    Use context profile for libkadm5 configuration
9066    Set reasonable supportedCMSTypes in PKINIT
9069    Update error checking for OpenSSL CMS_verify
9071    Add and use ts_interval() helper
9072    Avoid small read overrun in UTF8 normalization
9076    Use memmove() in Unicode functions
9077    Fix aclocal.m4 syntax error for autoconf 2.72
9078    Fix profile crash on memory exhaustion
9079    Fix preauth crash on memory exhaustion
9080    Fix gic_keytab crash on memory exhaustion
9082    Fix policy DB fallback error handling
9083    Fix kpropd crash with unrecognized option
9084    Add PAC full checksums
9085    Fix read overruns in SPNEGO parsing
9086    Fix possible double-free during KDB creation
9087    Fix meridian type in getdate.y
9088    Use control flow guard flag in Windows builds
9089    Add pac_privsvr_enctype string attribute
9090    Convey realm names to certauth modules
9091    Add GSS_C_INQ_ODBC_SESSION_KEY
9092    Fix maintainer-mode build for binutils 2.37
9093    Add PA-REDHAT-PASSKEY padata type

Acknowledgements
----------------

Past Sponsors of the MIT Kerberos Consortium:

    Apple
    Carnegie Mellon University
    Centrify Corporation
    Columbia University
    Cornell University
    The Department of Defense of the United States of America (DoD)
    Fidelity Investments
    Google
    Iowa State University
    MIT
    Michigan State University
    Microsoft
    MITRE Corporation
    Morgan-Stanley
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    US Government Office of the National Coordinator for Health
        Information Technology (ONC)
    Oracle
    Pennsylvania State University
    Red Hat
    Stanford University
    TeamF1, Inc.
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

    Danilo Almeida
    Jeffrey Altman
    Justin Anderson
    Richard Basch
    Mitch Berger
    Jay Berkenbilt
    Andrew Boardman
    Bill Bryant
    Steve Buckley
    Joe Calzaretta
    John Carr
    Mark Colan
    Don Davis
    Sarah Day
    Alexandra Ellwood
    Carlos Garay
    Dan Geer
    Nancy Gilman
    Matt Hancher
    Thomas Hardjono
    Sam Hartman
    Paul Hill
    Marc Horowitz
    Eva Jacobus
    Miroslav Jurisic
    Barry Jaspan
    Benjamin Kaduk
    Geoffrey King
    Kevin Koch
    John Kohl
    HaoQi Li
    Jonathan Lin
    Peter Litwack
    Scott McGuire
    Steve Miller
    Kevin Mitchell
    Cliff Neuman
    Paul Park
    Ezra Peisach
    Chris Provenzano
    Ken Raeburn
    Jon Rochlis
    Jeff Schiller
    Jen Selby
    Robert Silk
    Bill Sommerfeld
    Jennifer Steiner
    Ralph Swick
    Brad Thompson
    Harry Tsai
    Zhanna Tsitkova
    Ted Ts'o
    Marshall Vale
    Taylor Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Ian Abbott
    Daniel Albers
    Brandon Allbery
    Russell Allbery
    Brian Almeida
    Michael B Allen
    Pooja Anil
    Jeffrey Arbuckle
    Heinz-Ado Arnolds
    Derek Atkins
    Mark Bannister
    David Bantz
    Alex Baule
    Nikhil Benesch
    David Benjamin
    Thomas Bernard
    Adam Bernstein
    Arlene Berry
    Jeff Blaine
    Toby Blake
    Radoslav Bodo
    Alexander Bokovoy
    Sumit Bose
    Emmanuel Bouillon
    Isaac Boukris
    Ulf Bremer
    Pavel Březina
    Philip Brown
    Samuel Cabrero
    Michael Calmer
    Andrea Campi
    Julien Chaffraix
    Jacob Champion
    Puran Chand
    Ravi Channavajhala
    Srinivas Cheruku
    Leonardo Chiquitto
    Rachit Chokshi
    Seemant Choudhary
    Howard Chu
    Andrea Cirulli
    Christopher D. Clausen
    Kevin Coffman
    Simon Cooper
    Sylvain Cortes
    Ian Crowther
    Arran Cudbard-Bell
    Adam Dabrowski
    Jeff D'Angelo
    Nalin Dahyabhai
    Mark Davies
    Dennis Davis
    Alex Dehnert
    Misty De Meo
    Mark Deneen
    Günther Deschner
    John Devitofranceschi
    Marc Dionne
    Roland Dowdeswell
    Ken Dreyer
    Dorian Ducournau
    Viktor Dukhovni
    Jason Edgecombe
    Mark Eichin
    Shawn M. Emery
    Douglas E. Engert
    Peter Eriksson
    Juha Erkkilä
    Gilles Espinasse
    Sergey Fedorov
    Ronni Feldt
    Bill Fellows
    JC Ferguson
    Remi Ferrand
    Paul Fertser
    Fabiano Fidêncio
    Frank Filz
    William Fiveash
    Jacques Florent
    Oliver Freyermuth
    Ákos Frohner
    Sebastian Galiano
    Marcus Granado
    Dylan Gray
    Norm Green
    Scott Grizzard
    Helmut Grohne
    Steve Grubb
    Philip Guenther
    Timo Gurr
    Dominic Hargreaves
    Robbie Harwood
    John Hascall
    Jakob Haufe
    Matthieu Hautreux
    Jochen Hein
    Paul B. Henson
    Kihong Heo
    Jeff Hodges
    Christopher Hogan
    Love Hörnquist Åstrand
    Ken Hornstein
    Henry B. Hotz
    Luke Howard
    Jakub Hrozek
    Shumon Huque
    Jeffrey Hutzelman
    Sergey Ilinykh
    Wyllys Ingersoll
    Holger Isenberg
    Spencer Jackson
    Diogenes S. Jesus
    Mike Jetzer
    Pavel Jindra
    Brian Johannesmeyer
    Joel Johnson
    Lutz Justen
    Ganesh Kamath
    Alexander Karaivanov
    Anders Kaseorg
    Bar Katz
    Zentaro Kavanagh
    Mubashir Kazia
    W. Trevor King
    Patrik Kis
    Martin Kittel
    Thomas Klausner
    Tomasz Kłoczko
    Matthew Krupcale
    Mikkel Kruse
    Reinhard Kugler
    Harshawardhan Kulkarni
    Tomas Kuthan
    Pierre Labastie
    Andreas Ladanyi
    Chris Leick
    Volker Lendecke
    Jan iankko Lieskovsky
    Todd Lipcon
    Oliver Loch
    Chris Long
    Kevin Longfellow
    Frank Lonigro
    Jon Looney
    Nuno Lopes
    Todd Lubin
    Ryan Lynch
    Glenn Machin
    Roland Mainz
    Sorin Manolache
    Robert Marshall
    Andrei Maslennikov
    Michael Mattioli
    Nathaniel McCallum
    Greg McClement
    Cameron Meadors
    Vipul Mehta
    Alexey Melnikov
    Ivan A. Melnikov
    Franklyn Mendez
    Mantas Mikulėnas
    Markus Moeller
    Kyle Moffett
    Jon Moore
    Paul Moore
    Keiichi Mori
    Michael Morony
    Robert Morris
    Sam Morris
    Zbysek Mraz
    Edward Murrell
    Joshua Neuheisel
    Nikos Nikoleris
    Demi Obenour
    Felipe Ortega
    Michael Osipov
    Andrej Ota
    Dmitri Pal
    Javier Palacios
    Dilyan Palauzov
    Tom Parker
    Eric Pauly
    Leonard Peirce
    Ezra Peisach
    Alejandro Perez
    Zoran Pericic
    W. Michael Petullo
    Mark Phalan
    Sharwan Ram
    Brett Randall
    Jonathan Reams
    Jonathan Reed
    Robert Relyea
    Tony Reix
    Martin Rex
    Pat Riehecky
    Julien Rische
    Jason Rogers
    Matt Rogers
    Nate Rosenblum
    Solly Ross
    Mike Roszkowski
    Guillaume Rousse
    Joshua Schaeffer
    Alexander Scheel
    Jens Schleusener
    Ryan Schmidt
    Andreas Schneider
    Paul Seyfert
    Tom Shaw
    Jim Shi
    Jerry Shipman
    Peter Shoults
    Richard Silverman
    Cel Skeggs
    Simo Sorce
    Anthony Sottile
    Michael Spang
    Michael Ströder
    Bjørn Tore Sund
    Ondřej Surý
    Joseph Sutton
    Joe Travaglini
    Sergei Trofimovich
    Greg Troxel
    Fraser Tweedale
    Tim Uglow
    Rathor Vipin
    Denis Vlasenko
    Thomas Wagner
    Jorgen Wahlsten
    Stef Walter
    Max (Weijun) Wang
    John Washington
    Stef Walter
    Xi Wang
    Nehal J Wani
    Kevin Wasserman
    Margaret Wasserman
    Marcus Watts
    Andreas Wiese
    Simon Wilkinson
    Nicolas Williams
    Ross Wilper
    Augustin Wolf
    Garrett Wollman
    David Woodhouse
    Tsu-Phong Wu
    Xu Qiang
    Neng Xue
    Zhaomo Yang
    Tianjiao Yin
    Nickolai Zeldovich
    Bean Zhang
    ChenChen Zhou
    Hanz van Zijst
    Gertjan Zwartjes

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.