+Release Notes - Heimdal - Version Heimdal 7.3
+
+ Security
+
+ - Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently
+ caused the previous hop realm to not be added to the transit path
+ of issued tickets. This may, in some cases, enable bypass of capath
+ policy in Heimdal versions 1.5 through 7.2.
+
+ Note, this may break sites that rely on the bug. With the bug some
+ incomplete [capaths] worked, that should not have. These may now break
+ authentication in some cross-realm configurations.
+ (CVE-2017-6594)
+
+Release Notes - Heimdal - Version Heimdal 7.2
+
+ Bug fixes
+ - Portability improvements
+ - More strict parsing of encoded URI components in HTTP KDC
+ - Fixed memory leak in malloc error recovery in NTLM GSSAPI mechanism
+ - Avoid overly specific CPU info in krb5-config in aid of reproducible builds
+ - Don't do AFS string-to-key tests when feature is disabled
+ - Skip mdb_stat test when the command is not available
+ - Windows: update SHA2 timestamp server
+ - hdb: add missing export hdb_generate_key_set_password_with_ks_tuple
+ - Fix signature of hdb_generate_key_set_password()
+ - Windows: enable KX509 support in the KDC
+ - kdc: fix kx509 service principal match
+ - iprop: handle case where master sends nothing new
+ - ipropd-slave: fix incorrect error codes
+ - Allow choice of sqlite for HDB pref
+ - check-iprop: don't fail to kill daemons
+ - roken: pidfile -> rk_pidfile
+ - kdc: _kdc_do_kx509 fix use after free error
+ - Do not detect x32 as 64-bit platform.
+ - No sys/ttydefaults.h on CYGWIN
+ - Fix check-iprop races
+ - roken_detach_prep() close pipe
+
+Release Notes - Heimdal - Version Heimdal 7.1
+
+ Security
+
+ - kx509 realm-chopping security bug
+ - non-authorization of alias additions/removals in kadmind
+ (CVE-2016-2400)
+
+ Feature
+
+ - iprop has been revamped to fix a number of race conditions that could
+ lead to inconsistent replication
+ - Hierarchical capath support
+ - AES Encryption with HMAC-SHA2 for Kerberos 5
+ draft-ietf-kitten-aes-cts-hmac-sha2-11
+ - hcrypto is now thread safe on all platforms
+ - libhcrypto has new backends: CNG (Windows), PKCS#11 (mainly for
+ Solaris), and OpenSSL. OpenSSL is now a first-class libhcrypto backend.
+ OpenSSL 1.0.x and 1.1 are both supported. AES-NI used when supported by
+ backend
+ - HDB now supports LMDB
+ - Thread support on Windows
+ - RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST)
+ - New GSS APIs:
+ . gss_localname
+ - Allow setting what encryption types a principal should have with
+ [kadmin] default_key_rules, see krb5.conf manpage for more info
+ - Unify libhcrypto with LTC (libtomcrypto)
+ - asn1_compile 64-bit INTEGER functionality
+ - HDB key history support including --keepold kadmin password option
+ - Improved cross-realm key rollover safety
+ - New krb5_kuserok() and krb5_aname_to_localname() plug-in interfaces
+ - Improved MIT compatibility
+ . kadm5 API
+ . Migration from MIT KDB via "mitdb" HDB backend
+ . Capable of writing the HDB in MIT dump format
+ - Improved Active Directory interoperability
+ . Enctype selection issues for PAC and other authz-data signatures
+ . Cross realm key rollover (kvno 0)
+ - New [kdc] enctype negotiation configuration:
+ . tgt-use-strongest-session-key
+ . svc-use-strongest-session-key
+ . preauth-use-strongest-session-key
+ . use-strongest-server-key
+ - The KDC process now uses a multi-process model improving
+ resiliency and performance
+ - Allow batch-mode kinit with password file
+ - SIGINFO support added to kinit cmd
+ - New kx509 configuration options:
+ . kx509_ca
+ . kca_service
+ . kx509_include_pkinit_san
+ . kx509_template
+ - Improved Heimdal library/plugin version safety
+ - Name canonicalization
+ . DNS resolver searchlist
+ . Improved referral support
+ . Support host:port host-based services
+ - Pluggable libheimbase interface for DBs
+ - Improve IPv6 Support
+ - LDAP
+ . Bind DN and password
+ . Start TLS
+ - klist --json
+ - DIR credential cache type
+ - Updated upstream SQLite and libedit
+ - Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh,
+ telnet, xnlock
+ - Completely remove RAND_egd support
+ - Moved kadmin and ktutil to /usr/bin
+ - Stricter fcache checks (see fcache_strict_checking krb5.conf setting)
+ . use O_NOFOLLOW
+ . don't follow symlinks
+ . require cache files to be owned by the user
+ . require sensible permissions (not group/other readable)
+ - Implemented gss_store_cred()
+ - Many more
+
+ Bug fixes
+ - iprop has been revamped to fix a number of race conditions that could
+ lead to data loss
+ - Include non-loopback addresses assigned to loopback interfaces
+ when requesting tickets with addresses
+ - KDC 1DES session key selection (for AFS rxkad-k5 compatibility)
+ - Keytab file descriptor and lock leak
+ - Credential cache corruption bugs
+ (NOTE: The FILE ccache is still not entirely safe due to the
+ fundamentally unsafe design of POSIX file locking)
+ - gss_pseudo_random() interop bug
+ - Plugins are now preferentially loaded from the run-time install tree
+ - Reauthentication after password change in init_creds_password
+ - Memory leak in the client kadmin library
+ - TGS client requests renewable/forwardable/proxiable when possible
+ - Locking issues in DB1 and DB3 HDB backends
+ - Master HDB can remain locked while waiting for network I/O
+ - Renewal/refresh logic when kinit is provided with a command
+ - KDC handling of enterprise principals
+ - Use correct bit for anon-pkinit
+ - Many more
+
+ Acknowledgements
+
+ This release of Heimdal includes contributions from:
+
+ Abhinav Upadhyay Heath Kehoe Nico Williams
+ Andreas Schneider Henry Jacques Patrik Lundin
+ Andrew Bartlett Howard Chu Philip Boulain
+ Andrew Tridgell Igor Sobrado Ragnar Sundblad
+ Antoine Jacoutot Ingo Schwarze Remi Ferrand
+ Arran Cudbard-Bell Jakub Čajka Rod Widdowson
+ Arvid Requate James Le Cuirot Rok Papež
+ Asanka Herath James Lee Roland C. Dowdeswell
+ Ben Kaduk Jeffrey Altman Ross L Richardson
+ Benjamin Kaduk Jeffrey Clark Russ Allbery
+ Bernard Spil Jeffrey Hutzelman Samuel Cabrero
+ Brian May Jelmer Vernooij Samuel Thibault
+ Chas Williams Ken Dreyer Santosh Kumar Pradhan
+ Chaskiel Grundman Kiran S J Sean Davis
+ Dana Koch Kumar Thangavelu Sergio Gelato
+ Daniel Schepler Landon Fuller Simon Wilkinson
+ David Mulder Linus Nordberg Stef Walter
+ Douglas Bagnall Love Hörnquist Åstrand Stefan Metzmacher
+ Ed Maste Luke Howard Steffen Jaeckel
+ Eray Aslan Magnus Ahltorp Timothy Pearson
+ Florian Best Marc Balmer Tollef Fog Heen
+ Fredrik Pettai Marcin Cieślak Tony Acero
+ Greg Hudson Marco Molteni Uri Simchoni
+ Gustavo Zacarias Matthieu Hautreux Viktor Dukhovni
+ Günther Deschner Michael Meffie Volker Lendecke
+ Harald Barth Moritz Lenz
+
+Release Notes - Heimdal - Version Heimdal 1.5.3
+
+ Bug fixes
+ - Fix leaking file descriptors in KDC
+ - Better socket/timeout handling in libkrb5
+ - General bug fixes
+ - Build fixes
+
+Release Notes - Heimdal - Version Heimdal 1.5.2
+
+ Security fixes
+ - CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege
+ - Check that key types strictly match - denial of service
+
+Release Notes - Heimdal - Version Heimdal 1.5.1
+
+ Bug fixes
+ - Fix building on Solaris, requires c99
+ - Fix building on Windows
+ - Build system updates
+
+Release Notes - Heimdal - Version Heimdal 1.5
+
+New features
+
+ - Support GSS name extensions/attributes
+ - SHA512 support
+ - No Kerberos 4 support
+ - Basic support for MIT Admin protocol (SECGSS flavor)
+ in kadmind (extract keytab)
+ - Replace editline with libedit
+
+Release Notes - Heimdal - Version Heimdal 1.4
+
+ New features
+
+ - Support for reading MIT database file directly
+ - KCM is polished up and now used in production
+ - NTLM first class citizen, credentials stored in KCM
+ - Table driven ASN.1 compiler, smaller!, not enabled by default
+ - Native Windows client support
+
+Notes
+
+ - Disabled write support NDBM hdb backend (read still in there) since
+ it can't handle large records, please migrate to a diffrent backend
+ (like BDB4)
+
+Release Notes - Heimdal - Version Heimdal 1.3.3
+
+ Bug fixes
+ - Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
+ - Check NULL pointers before dereference them [kdc]
+
+Release Notes - Heimdal - Version Heimdal 1.3.2
+
+ Bug fixes
+
+ - Don't mix length when clearing hmac (could memset too much)
+ - More paranoid underrun checking when decrypting packets
+ - Check the password change requests and refuse to answer empty packets
+ - Build on OpenSolaris
+ - Renumber AD-SIGNED-TICKET since it was stolen from US
+ - Don't cache /dev/*random file descriptor, it doesn't get unloaded
+ - Make C++ safe
+ - Misc warnings
+
+Release Notes - Heimdal - Version Heimdal 1.3.1
+
+ Bug fixes
+
+ - Store KDC offset in credentials
+ - Many many more bug fixes
+
+Release Notes - Heimdal - Version Heimdal 1.3.1
+
+ New features
+
+ - Make work with OpenLDAPs krb5 overlay
+
+Release Notes - Heimdal - Version Heimdal 1.3
+
+ New features
+
+ - Partial support for MIT kadmind rpc protocol in kadmind
+ - Better support for finding keytab entries when using SPN aliases in the KDC
+ - Support BER in ASN.1 library (needed for CMS)
+ - Support decryption in Keychain private keys
+ - Support for new sqlite based credential cache
+ - Try both KDC referals and the common DNS reverse lookup in GSS-API
+ - Fix the KCM to not leak resources on failure
+ - Add IPv6 support to iprop
+ - Support localization of error strings in
+ kinit/klist/kdestroy and Kerberos library
+ - Remove Kerberos 4 support in application (still in KDC)
+ - Deprecate DES
+ - Support i18n password in windows domains (using UTF-8)
+ - More complete API emulation of OpenSSL in hcrypto
+ - Support for ECDSA and ECDH when linking with OpenSSL
+
+ API changes
+
+ - Support for settin friendly name on credential caches
+ - Move to using doxygen to generate documentation.
+ - Sprinkling __attribute__((__deprecated__)) for old function to be removed
+ - Support to export LAST-REQUST information in AS-REQ
+ - Support for client deferrals in in AS-REQ
+ - Add seek support for krb5_storage.
+ - Support for split AS-REQ, first step for IA-KERB
+ - Fix many memory leaks and bugs
+ - Improved regression test
+ - Support krb5_cccol
+ - Switch to krb5_set_error_message
+ - Support krb5_crypto_*_iov
+ - Switch to use EVP for most function
+ - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec)
+ - Add support for GSS_C_DELEG_POLICY_FLAG
+ - Add krb5_cc_[gs]et_config to store data in the credential caches
+ - PTY testing application
+
+Bugfixes
+ - Make building on AIX6 possible.
+ - Bugfixes in LDAP KDC code to make it more stable
+ - Make ipropd-slave reconnect when master down gown
+
+
+Release Notes - Heimdal - Version Heimdal 1.2.1
+
+* Bug
+
+ [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
+ [HEIMDAL-151] - Make canned tests work again after cert expired
+ [HEIMDAL-152] - iprop test: use full hostname to avoid realm
+ resolving errors
+ [HEIMDAL-153] - ftp: Use the correct length for unmap, msync
+
+Release Notes - Heimdal - Version Heimdal 1.2
+
+* Bug
+
+ [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in
+ gss_display_name/gss_export_name when using SPNEGO
+ [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
+ [HEIMDAL-17] - Remove support for depricated [libdefaults]capath
+ [HEIMDAL-52] - hdb overwrite aliases for db databases
+ [HEIMDAL-54] - Two issues which affect credentials delegation
+ [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
+ [HEIMDAL-62] - Fix printing of sig_atomic_t
+ [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
+ [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
+ [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)
+
+* Improvement
+ [HEIMDAL-67] - Fix locking and store credential in atomic writes
+ in the FILE credential cache
+ [HEIMDAL-106] - make compile on cygwin again
+ [HEIMDAL-107] - Replace old random key generation in des module
+ and use it with RAND_ function instead
+ [HEIMDAL-115] - Better documentation and compatibility in hcrypto
+ in regards to OpenSSL
+
+* New Feature
+ [HEIMDAL-3] - pkinit alg agility PRF test vectors
+ [HEIMDAL-14] - Add libwind to Heimdal
+ [HEIMDAL-16] - Use libwind in hx509
+ [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to
+ the negotiation
+ [HEIMDAL-74] - Add support to report extended error message back
+ in AS-REQ to support windows clients
+ [HEIMDAL-116] - test pty based application (using rkpty)
+ [HEIMDAL-120] - Use new OpenLDAP API (older deprecated)
+
+* Task
+ [HEIMDAL-63] - Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ.
+ This drop compatibility with pre 0.3d KDCs.
+ [HEIMDAL-64] - kcm: first implementation of kcm-move-cache
+ [HEIMDAL-65] - Failed to compile with --disable-pk-init
+ [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some
+ wraparound checks doesn't apply to Heimdal
+
+Changes in release 1.1
+
+ * Read-only PKCS11 provider built-in to hx509.
+
+ * Documentation for hx509, hcrypto and ntlm libraries improved.
+
+ * Better compatibilty with Windows 2008 Server pre-releases and Vista.
+
+ * Mac OS X 10.5 support for native credential cache.
+
+ * Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
+
+ * Bug fixes.
+
+Changes in release 1.0.2
+
+* Ubuntu packages.
+
+* Bug fixes.
+
+Changes in release 1.0.1
+
+ * Serveral bug fixes to iprop.
+
+ * Make work on platforms without dlopen.
+
+ * Add RFC3526 modp group14 as default.
+
+ * Handle [kdc] database = { } entries without realm = stanzas.
+
+ * Make krb5_get_renewed_creds work.
+
+ * Make kaserver preauth work again.
+
+ * Bug fixes.
+
+Changes in release 1.0
+
+ * Add gss_pseudo_random() for mechglue and krb5.
+
+ * Make session key for the krbtgt be selected by the best encryption
+ type of the client.
+
+ * Better interoperability with other PK-INIT implementations.
+
+ * Inital support for Mac OS X Keychain for hx509.
+
+ * Alias support for inital ticket requests.
+
+ * Add symbol versioning to selected libraries on platforms that uses
+ GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.
+
+ * New version of imath included in hcrypto.
+
+ * Fix memory leaks.
+
+ * Bugs fixes.
+
+Changes in release 0.8.1
+
+ * Make ASN.1 library less paranoid to with regard to NUL in string to
+ make it inter-operate with MIT Kerberos again.
+
+ * Make GSS-API library work again when using gss_acquire_cred
+
+ * Add symbol versioning to libgssapi when using GNU ld.
+
+ * Fix memory leaks
+
+ * Bugs fixes
+
+Changes in release 0.8
+
+ * PK-INIT support.
+
+ * HDB extensions support, used by PK-INIT.
+
+ * New ASN.1 compiler.
+
+ * GSS-API mechglue from FreeBSD.
+
+ * Updated SPNEGO to support RFC4178.
+
+ * Support for Cryptosystem Negotiation Extension (RFC 4537).
+
+ * A new X.509 library (hx509) and related crypto functions.
+
+ * A new ntlm library (heimntlm) and related crypto functions.
+
+ * Updated the built-in crypto library with bignum support using
+ imath, support for RSA and DH and renamed it to libhcrypto.
+
+ * Subsystem in the KDC, digest, that will perform the digest
+ operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL
+ DIGEST-MD5 NTLMv1 and NTLMv2.
+
+ * KDC will return the "response too big" error to force TCP retries
+ for large (default 1400 bytes) UDP replies. This is common for
+ PK-INIT requests.
+
+ * Libkafs defaults to use 2b tokens.
+
+ * Default to use the API cache on Mac OS X.
+
+ * krb5_kuserok() also checks ~/.k5login.d directory for acl files,
+ see manpage for krb5_kuserok for description.
+
+ * Many, many, other updates to code and info manual and manual pages.
+
+ * Bug fixes
+
+Changes in release 0.7.2
+
+* Fix security problem in rshd that enable an attacker to overwrite
+ and change ownership of any file that root could write.
+
+* Fix a DOS in telnetd. The attacker could force the server to crash
+ in a NULL de-reference before the user logged in, resulting in inetd
+ turning telnetd off because it forked too fast.
+
+* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
+ exists in the keytab before returning success. This allows servers
+ to check if its even possible to use GSSAPI.
+
+* Fix receiving end of token delegation for GSS-API. It still wrongly
+ uses subkey for sending for compatibility reasons, this will change
+ in 0.8.
+
+* telnetd, login and rshd are now more verbose in logging failed and
+ successful logins.
+
+* Bug fixes
+
+Changes in release 0.7.1
+
+* Bug fixes
+
+Changes in release 0.7
+
+ * Support for KCM, a process based credential cache
+
+ * Support CCAPI credential cache
+
+ * SPNEGO support
+
+ * AES (and the gssapi conterpart, CFX) support
+
+ * Adding new and improve old documentation
+
+ * Bug fixes
+
+Changes in release 0.6.6
+
+* Fix security problem in rshd that enable an attacker to overwrite
+ and change ownership of any file that root could write.
+
+* Fix a DOS in telnetd. The attacker could force the server to crash
+ in a NULL de-reference before the user logged in, resulting in inetd
+ turning telnetd off because it forked too fast.
+
+Changes in release 0.6.5
+
+ * fix vulnerabilities in telnetd
+
+ * unbreak Kerberos 4 and kaserver
+
+Changes in release 0.6.4
+
+ * fix vulnerabilities in telnet
+
+ * rshd: encryption without a separate error socket should now work
+
+ * telnet now uses appdefaults for the encrypt and forward/forwardable
+ settings
+
+ * bug fixes
+
+Changes in release 0.6.3
+
+ * fix vulnerabilities in ftpd
+
+ * support for linux AFS /proc "syscalls"
+
+ * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
+ kpasswdd
+
+ * fix possible KDC denial of service
+
+ * bug fixes
+
+Changes in release 0.6.2
+
+ * Fix possible buffer overrun in v4 kadmin (which now defaults to off)
+
+Changes in release 0.6.1
+
+ * Fixed ARCFOUR suppport
+
+ * Cross realm vulnerability
+
+ * kdc: fix denial of service attack
+
+ * kdc: stop clients from renewing tickets into the future
+
+ * bug fixes
+
+Changes in release 0.6
+
+* The DES3 GSS-API mechanism has been changed to inter-operate with
+ other GSSAPI implementations. See man page for gssapi(3) how to turn
+ on generation of correct MIC messages. Next major release of heimdal
+ will generate correct MIC by default.
+
+* More complete GSS-API support
+
+* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
+ support in applications no longer requires Kerberos 4 libs
+
+* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
+
+* other bug fixes
+
+Changes in release 0.5.2
+
+ * kdc: add option for disabling v4 cross-realm (defaults to off)
+
+ * bug fixes
+
+Changes in release 0.5.1
+
+ * kadmind: fix remote exploit
+
+ * kadmind: add option to disable kerberos 4
+
+ * kdc: make sure kaserver token life is positive
+
+ * telnet: use the session key if there is no subkey
+
+ * fix EPSV parsing in ftp
+
+ * other bug fixes
+
+Changes in release 0.5
+
+ * add --detach option to kdc
+
+ * allow setting forward and forwardable option in telnet from
+ .telnetrc, with override from command line
+
+ * accept addresses with or without ports in krb5_rd_cred
+
+ * make it work with modern openssl
+
+ * use our own string2key function even with openssl (that handles weak
+ keys incorrectly)
+
+ * more system-specific requirements in login
+
+ * do not use getlogin() to determine root in su
+
+ * telnet: abort if telnetd does not support encryption
+
+ * update autoconf to 2.53
+
+ * update config.guess, config.sub
+
+ * other bug fixes
+
Changes in release 0.4e
- * fix some problems when using libcrypto from openssl
+ * improve libcrypto and database autoconf tests
- * add some forgotten man pages
+ * do not care about salting of server principals when serving v4 requests
- * rsh: clean-up and add man page
+ * some improvements to gssapi library
- * fix -A and -a in builtin-ls in tpd
+ * test for existing compile_et/libcom_err
+
+ * portability fixes
* bug fixes
Changes in release 0.4d
+ * fix some problems when using libcrypto from openssl
+
+ * handle /dev/ptmx `unix98' ptys on Linux
+
+ * add some forgotten man pages
+
+ * rsh: clean-up and add man page
+
+ * fix -A and -a in builtin-ls in tpd
+
* fix building problem on Irix
* make `ktutil get' more efficient