+Release Notes - Heimdal - Version Heimdal 1.3
+
+ New features
+
+ - Partital support for MIT kadmind rpc protocol in kadmind
+ - Better support for finding keytab entries when using SPN aliases in the KDC
+ - Support BER in ASN.1 library (needed for CMS)
+ - Support decryption in Keychain private keys
+ - Support for new sqlite based credential cache
+ - Try both to KDC referals the the common DNS reverse lookup in GSS-API
+ - Fix the KCM not not leak resources on failure
+ - Add IPv6 support to iprop
+ - Support localization of error strings in
+ kinit/klist/kdestroy and Kerberos library
+ - Remove Kerberos 4 support in application (still in KDC)
+ - Deprecate DES
+ - Support i18n password in windows domains (using UTF-8)
+ - More complete API emulation of OpenSSL in hcrypto
+ - Support for ECDSA and ECDH when linking with OpenSSL
+
+ API changes
+
+ - Support for settin friendly name on credential caches
+ - Move to using doxygen to generate documentation.
+ - Sprinkling __attribute__((depricated)) for old function to be removed
+ - Support to export LAST-REQUST information in AS-REQ
+ - Support for client deferrals in in AS-REQ
+ - Add seek support for krb5_storage.
+ - Support for split AS-REQ, first step for IA-KERB
+ - Fix many memory leaks and bugs
+ - Improved regression test
+ - Support krb5_cccol
+ - Switch to krb5_set_error_message
+ - Support krb5_crypto_*_iov
+ - Switch to use EVP for most function
+ - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec)
+ - Add support for GSS_C_DELEG_POLICY_FLAG
+ - Add krb5_cc_[gs]et_config to store data in the credential caches
+ - PTY testing application
+
+Bugfixes
+ - Make building on AIX6 possible.
+ - Bugfixes in LDAP KDC code to make it more stable
+ - Make ipropd-slave reconnect when master down gown
+
+
+Release Notes - Heimdal - Version Heimdal 1.2.1
+
+* Bug
+
+ [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
+ [HEIMDAL-151] - Make canned tests work again after cert expired
+ [HEIMDAL-152] - iprop test: use full hostname to avoid realm
+ resolving errors
+ [HEIMDAL-153] - ftp: Use the correct length for unmap, msync
+
+Release Notes - Heimdal - Version Heimdal 1.2
+
+* Bug
+
+ [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in
+ gss_display_name/gss_export_name when using SPNEGO
+ [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
+ [HEIMDAL-17] - Remove support for depricated [libdefaults]capath
+ [HEIMDAL-52] - hdb overwrite aliases for db databases
+ [HEIMDAL-54] - Two issues which affect credentials delegation
+ [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
+ [HEIMDAL-62] - Fix printing of sig_atomic_t
+ [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
+ [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
+ [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)
+
+* Improvement
+ [HEIMDAL-67] - Fix locking and store credential in atomic writes
+ in the FILE credential cache
+ [HEIMDAL-106] - make compile on cygwin again
+ [HEIMDAL-107] - Replace old random key generation in des module
+ and use it with RAND_ function instead
+ [HEIMDAL-115] - Better documentation and compatibility in hcrypto
+ in regards to OpenSSL
+
+* New Feature
+ [HEIMDAL-3] - pkinit alg agility PRF test vectors
+ [HEIMDAL-14] - Add libwind to Heimdal
+ [HEIMDAL-16] - Use libwind in hx509
+ [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to
+ the negotiation
+ [HEIMDAL-74] - Add support to report extended error message back
+ in AS-REQ to support windows clients
+ [HEIMDAL-116] - test pty based application (using rkpty)
+ [HEIMDAL-120] - Use new OpenLDAP API (older deprecated)
+
+* Task
+ [HEIMDAL-63] - Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ.
+ This drop compatibility with pre 0.3d KDCs.
+ [HEIMDAL-64] - kcm: first implementation of kcm-move-cache
+ [HEIMDAL-65] - Failed to compile with --disable-pk-init
+ [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some
+ wraparound checks doesn't apply to Heimdal
+
+Changes in release 1.1
+
+ * Read-only PKCS11 provider built-in to hx509.
+
+ * Documentation for hx509, hcrypto and ntlm libraries improved.
+
+ * Better compatibilty with Windows 2008 Server pre-releases and Vista.
+
+ * Mac OS X 10.5 support for native credential cache.
+
+ * Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
+
+ * Bug fixes.
+
+Changes in release 1.0.2
+
+* Ubuntu packages.
+
+* Bug fixes.
+
+Changes in release 1.0.1
+
+ * Serveral bug fixes to iprop.
+
+ * Make work on platforms without dlopen.
+
+ * Add RFC3526 modp group14 as default.
+
+ * Handle [kdc] database = { } entries without realm = stanzas.
+
+ * Make krb5_get_renewed_creds work.
+
+ * Make kaserver preauth work again.
+
+ * Bug fixes.
+
+Changes in release 1.0
+
+ * Add gss_pseudo_random() for mechglue and krb5.
+
+ * Make session key for the krbtgt be selected by the best encryption
+ type of the client.
+
+ * Better interoperability with other PK-INIT implementations.
+
+ * Inital support for Mac OS X Keychain for hx509.
+
+ * Alias support for inital ticket requests.
+
+ * Add symbol versioning to selected libraries on platforms that uses
+ GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.
+
+ * New version of imath included in hcrypto.
+
+ * Fix memory leaks.
+
+ * Bugs fixes.
+
+Changes in release 0.8.1
+
+ * Make ASN.1 library less paranoid to with regard to NUL in string to
+ make it inter-operate with MIT Kerberos again.
+
+ * Make GSS-API library work again when using gss_acquire_cred
+
+ * Add symbol versioning to libgssapi when using GNU ld.
+
+ * Fix memory leaks
+
+ * Bugs fixes
+
+Changes in release 0.8
+
+ * PK-INIT support.
+
+ * HDB extensions support, used by PK-INIT.
+
+ * New ASN.1 compiler.
+
+ * GSS-API mechglue from FreeBSD.
+
+ * Updated SPNEGO to support RFC4178.
+
+ * Support for Cryptosystem Negotiation Extension (RFC 4537).
+
+ * A new X.509 library (hx509) and related crypto functions.
+
+ * A new ntlm library (heimntlm) and related crypto functions.
+
+ * Updated the built-in crypto library with bignum support using
+ imath, support for RSA and DH and renamed it to libhcrypto.
+
+ * Subsystem in the KDC, digest, that will perform the digest
+ operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL
+ DIGEST-MD5 NTLMv1 and NTLMv2.
+
+ * KDC will return the "response too big" error to force TCP retries
+ for large (default 1400 bytes) UDP replies. This is common for
+ PK-INIT requests.
+
+ * Libkafs defaults to use 2b tokens.
+
+ * Default to use the API cache on Mac OS X.
+
+ * krb5_kuserok() also checks ~/.k5login.d directory for acl files,
+ see manpage for krb5_kuserok for description.
+
+ * Many, many, other updates to code and info manual and manual pages.
+
+ * Bug fixes
+
+Changes in release 0.7.2
+
+* Fix security problem in rshd that enable an attacker to overwrite
+ and change ownership of any file that root could write.
+
+* Fix a DOS in telnetd. The attacker could force the server to crash
+ in a NULL de-reference before the user logged in, resulting in inetd
+ turning telnetd off because it forked too fast.
+
+* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
+ exists in the keytab before returning success. This allows servers
+ to check if its even possible to use GSSAPI.
+
+* Fix receiving end of token delegation for GSS-API. It still wrongly
+ uses subkey for sending for compatibility reasons, this will change
+ in 0.8.
+
+* telnetd, login and rshd are now more verbose in logging failed and
+ successful logins.
+
+* Bug fixes
+
+Changes in release 0.7.1
+
+* Bug fixes
+
Changes in release 0.7
- * SPENGO support
+ * Support for KCM, a process based credential cache
+
+ * Support CCAPI credential cache
+
+ * SPNEGO support
* AES (and the gssapi conterpart, CFX) support
+ * Adding new and improve old documentation
+
* Bug fixes
+Changes in release 0.6.6
+
+* Fix security problem in rshd that enable an attacker to overwrite
+ and change ownership of any file that root could write.
+
+* Fix a DOS in telnetd. The attacker could force the server to crash
+ in a NULL de-reference before the user logged in, resulting in inetd
+ turning telnetd off because it forked too fast.
+
+Changes in release 0.6.5
+
+ * fix vulnerabilities in telnetd
+
+ * unbreak Kerberos 4 and kaserver
+
+Changes in release 0.6.4
+
+ * fix vulnerabilities in telnet
+
+ * rshd: encryption without a separate error socket should now work
+
+ * telnet now uses appdefaults for the encrypt and forward/forwardable
+ settings
+
+ * bug fixes
+
+Changes in release 0.6.3
+
+ * fix vulnerabilities in ftpd
+
+ * support for linux AFS /proc "syscalls"
+
+ * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
+ kpasswdd
+
+ * fix possible KDC denial of service
+
+ * bug fixes
+
+Changes in release 0.6.2
+
+ * Fix possible buffer overrun in v4 kadmin (which now defaults to off)
+
Changes in release 0.6.1
* Fixed ARCFOUR suppport
git.samba.org / metze / heimdal / wip.git / blobdiff