-Notes, Major Changes, and Known Bugs for 1.3
-------------------------------------
-
-* We now install the compile_et program, so other packages can use the
- installed com_err library with their own error tables.
-
-* The header files we install now assume ANSI/ISO C ('89, not '99).
- If you're using a pre-ANSI system, like SunOS 4, try using gcc. In
- fact, SunOS 4 with gcc is what we use at MIT as the oldest pre-POSIX
- system we test against, and even that testing is fairly minimal.
-
-* Some new code, bug fixes, and cleanup for IPv6 support. [[TODO:
- Insert list of (non-)supporting programs and libraries here.]]
-
-Notes, Major Changes, and Known Bugs for 1.2, delete before shipping 1.3
-------------------------------------
-
-* Triple DES support, for session keys as well as user or service
- keys, should be nearly complete in this release. Much of the work
- that has been needed is generic multiple-cryptosystem support, so
- the addition of another cryptosystem should be much easier.
-
- * GSSAPI support for 3DES has been added. An Internet Draft is
- being worked on that will describe how this works; it is not
- currently standardized. Some backwards-compatibility issues in
- this area mean that enabling 3DES support must be done with
- caution; service keys that are used for GSSAPI must not be updated
- to 3DES until the services themselves are upgraded to support 3DES
- under GSSAPI.
-
-* DNS support for locating KDCs is enabled by default. DNS support
- for looking up the realm of a host is compiled in but disabled by
- default (due to some concerns with DNS spoofing).
-
- We recommend that you publish your KDC information through DNS even
- if you intend to rely on config files at your own site; otherwise,
- sites that wish to communicate with you will have to keep their
- config files updated with your information. One of the goals of
- this code is to reduce the client-side configuration maintenance
- requirements as much as is possible, without compromising security.
-
- See the administrator's guide for information on setting up DNS
- information for your realm.
-
- One important effect of this for developers is that on many systems,
- "-lresolv" must be added to the compiler command line when linking
- Kerberos programs.
-
- Configure-time options are available to control the inclusion of the
- DNS code and the setting of the defaults. Entries in krb5.conf will
- also modify the behavior if the code has been compiled in.
-
-* Numerous buffer-overrun problems have been found and fixed. Many of
- these were in locations we don't expect can be exploited in any
- useful way (for example, overrunning a buffer of MAXPATHLEN bytes if
- a compiled-in pathname is too long, in a program that has no special
- privileges). It may be possible to exploit a few of these to
- compromise system security.
-
-* Partial support for IPv6 addresses has been added. It can be
- enabled or disabled at configure time with --enable-ipv6 or
- --disable-ipv6; by default, the configure script will search for
- certain types and macros, and enable the IPv6 code if they're found.
- The IPv6 support at this time mostly consists of including the
- addresses in credentials.
-
-* A protocol change has been made to the "rcmd" suite (rlogin, rsh,
- rcp) to address several security problems described in Kris
- Hildrum's paper presented at NDSS 2000. New command-line options
- have been added to control the selection of protocol, since the
- revised protocol is not compatible with the old one.
-
-* A security problem in login.krb5 has been fixed. This problem was
- only present if the krb4 compatibility code was not compiled in.
-
-* A security problem with ftpd has been fixed. An error in the in the
- yacc grammar permitted potential root access.
-
-* The client programs kinit, klist and kdestroy have been changed to
- incorporate krb4 support. New command-line options control whether
- krb4 behavior, krb5 behavior, or both are used.
-
-* Patches from Frank Cusack for much better hardware preauth support
- have been incorporated.
-
-* Patches from Matt Crawford extend the kadmin ACL syntax so that
- restrictions can be imposed on what certain administrators may do to
- certain accounts.
-
-* A KDC on a host with multiple network addresses will now respond to
- a client from the address that the client used to contact it. The
- means used to implement this will however cause the KDC not to
- listen on network addresses configured after the KDC has started.
-
-Minor changes
--------------
-
-* New software using com_err should use the {add,remove}_error_table
- interface rather than init_XXX_error_table; in fact, the latter
- function in the generate C files will now call add_error_table
- instead of messing with unprotected global variables.
-
- Karl Ramm has offered to look into reconciling the various
- extensions and changes that have been made in different versions of
- the MIT library, and the API used in the Heimdal equivalent. No
- timeline is set for this work.
-
-* Some source files (including some header files we install) now have
- annotations for use with the LCLint package from the University of
- Virginia. LCLint, as of version 2.5q, is not capable of handling
- much of the Kerberos code in its current form, at least not without
- significantly restructuring the Kerberos code, but it has been used
- in limited cases and has uncovered some bugs. We may try adding
- more annotations in the future.
-
-Minor changes for 1.2, delete this section before shipping 1.3
--------------
-
-* The shell code for searching for the Tcl package at configure time
- has been modified. If a tclConfig.sh can be found, the information
- it contains is used, otherwise the old searching method is tried.
- Let us know if this new scheme causes any problems.
-
-* Shared library builds may work on HPUX, Rhapsody/MacOS X, and newer
- Alpha systems now.
-
-* The Windows build will now include kvno and gss-sample.
-
-* The routine krb5_secure_config_files has been disabled. A new
- routine, krb5_init_secure_context, has been added in its place.
-
-* The routine decode_krb5_ticket is now being exported as
- krb5_decode_ticket. Any programs that used the old name (which
- should be few) should be changed to use the new name; we will
- probably eliminate the old name in the future.
-
-* The CCAPI-based credentials cache code has been changed to store the
- local-clock time of issue and expiration rather than the KDC-clock
- times.
-
-* On systems with large numbers of IP addresses, "kinit" should do a
- better job of acquiring those addresses to put in the user's
- credentials.
-
-* Several memory leaks in error cases in the gssrpc code have been
- fixed.
-
-* A bug with login clobbering some internal static storage on AIX has
- been fixed.
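Review bot: The deletion takes out the "Notes, Major Changes, and Known Bugs for 1.3" section and the unmarked "Minor changes" section as well as the two sections labelled for deletion before shipping 1.3. That drops the 1.3 entries (compile_et installation, the ANSI C header assumption, the add_error_table guidance) along with the 1.2 material. If that is not intended, keep those two sections, or confirm that replacement 1.3 text lands elsewhere in this patch. Several of the removed 1.2 entries are standing operational caveats rather than release history: the warning that GSSAPI service keys "must not be updated to 3DES until the services themselves are upgraded", the note that DNS realm lookup is "disabled by default (due to some concerns with DNS spoofing)", the incompatibility of the revised rcmd protocol with the old one, and the KDC not listening on addresses configured after it has started. Please move those into the administrator's guide or a retained section before removing them here. The open TODO in the IPv6 entry (the list of supporting and non-supporting programs) should be resolved in whatever text replaces it rather than dropped with the section.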