diff --git a/NEWS b/NEWS index a1d7f4468..b495ab29a 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,100 @@ +Release Notes - Heimdal - Version Heimdal 1.6 + + Security + - ... + - kx509 realm-chopping security bug + + Feature + + - RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST) + - New GSS APIs: + . gss_localname + - Allow setting what encryption types a principal should have with + [kadmin] default_key_rules, see krb5.conf manpage for more info + - Unify libhcrypto with LTC (libtomcrypto) + - asn1_compile 64-bit INTEGER functionality + - HDB key history support including --keepold kadmin password option + - Improved cross-realm key rollover safety + - New krb5_kuserok() plug-in interface + - Improved MIT compatibility + . kadm5 API + . Migration from MIT KDB via "mitdb" HDB backend. + . Capable of writing the HDB in MIT dump format + - Improved Active Directory interoperability + . Enctype selection issues for PAC and other authz-data signatures + . Cross realm key rollover (kvno 0) + - New [kdc] enctype negotiation configuration: + . tgt-use-strongest-session-key + . svc-use-strongest-session-key + . preauth-use-strongest-session-key + . use-strongest-server-key + - Allow batch-mode kinit with password file + - SIGINFO support added to kinit cmd + - New kx509 configuration options: + . kx509_ca + . kca_service + . kx509_include_pkinit_san + . kx509_template + - Improved Heimdal library/plugin version safety + - Name canonicalization + . DNS resolver searchlist + - Pluggable libheimbase interface for DBs + - Improve IPv6 Support + - LDAP + . Bind DN and password + . 
Start TLS + - klist --json + - DIR credential cache type + - Many more + + Bug fixes + - Include non-loopback addresses assigned to loopback interfaces + when requesting tickets with addresses + - KDC 1DES session key selection (for AFS rxkad-k5 compatibility) + - Keytab file descriptor and lock leak + - Credential cache corruption bugs + (NOTE: The FILE ccache is still not entirely safe due to the + fundamentally unsafe design of POSIX file locking) + - gss_pseudo_random() interop bug + - Plugins are now preferentially loaded from the run-time install tree + - Reauthentication after password change in init_creds_password + - Memory leak in the client kadmin library + - TGS client requests renewable/forwardable/proxiable when possible. + - Locking issues in DB1 and DB3 HDB backends + - Master HDB can remain locked while waiting for network I/O + - Renewal/refresh logic when kinit is provided with a command + - KDC handling of enterprise principals + - Many more + + Acknowledgements + + This release of Heimdal includes contributions from: + Andrew Bartlett, Andrew Tridgell, Arran Cudbard-Bell, Arvid Requate, + Ben Kaduk, Dana Koch, Daniel Schepler, Eray Aslan, Fredrik Pettai, + Gustavo Zacarias, Harald Barth, Howard Chu, Igor Sobrado, Ingo Schwarze, + James Le Cuirot, James Lee, Jeffrey Altman, Jeffrey Clark, Jeffrey Hutzelman, + Jelmer Vernooij, Ken Dreyer, Kumar Thangavelu, Landon Fuller, Linus Nordberg, + Love Hörnquist Åstrand, Luke Howard, Magnus Ahltorp, Marco Molteni, + Michael Meffie, Moritz Lenz, Nico Williams, Nicolas Williams, Patrik Lundin, + Philip Boulain, Ragnar Sundblad, Rod Widdowson, Roland C. 
Dowdeswell, + Ross L Richardson, Russ Allbery, Samuel Thibault, Simon Wilkinson, + Stef Walter, Stefan Metzmacher, Steffen Jaeckel, Tollef Fog Heen, Tony Acero, + Viktor Dukhovni + +Release Notes - Heimdal - Version Heimdal 1.5.3 + + Bug fixes + - Fix leaking file descriptors in KDC + - Better socket/timeout handling in libkrb5 + - General bug fixes + - Build fixes + +Release Notes - Heimdal - Version Heimdal 1.5.2 + + Security fixes + - CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege + - Check that key types strictly match - denial of service + Release Notes - Heimdal - Version Heimdal 1.5.1 Bug fixes
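Review bot: The Security section of the new 1.6 notes still contains a placeholder entry ("- ...") and its only concrete item, "kx509 realm-chopping security bug", states neither an advisory identifier nor the impact. The 1.5.2 section added in the same hunk does this better: "CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege" gives identifier, component and impact, and "Check that key types strictly match - denial of service" at least gives the impact. Replace the placeholder with the real entries or drop it before release, and extend the kx509 line in the same "what - impact" form so operators can judge whether they are affected. Minor point in the acknowledgements: "Nico Williams" and "Nicolas Williams" are listed as separate contributors; confirm whether that is one person listed twice.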