- Kerberos Version 5, Release 1.9
+ Kerberos Version 5, Release 1.10
Release Notes
The MIT Kerberos Team
-Unpacking the Source Distribution
----------------------------------
+Copyright and Other Notices
+---------------------------
-The source distribution of Kerberos 5 comes in a gzipped tarfile,
-krb5-1.9.tar.gz. Instructions on how to extract the entire
-distribution follow.
+Copyright (C) 1985-2011 by the Massachusetts Institute of Technology
+and its contributors. All rights reserved.
-If you have the GNU tar program and gzip installed, you can simply do:
+Please see the file named NOTICE for additional notices.
- gtar zxpf krb5-1.9.tar.gz
+MIT Kerberos is a project of the MIT Kerberos Consortium. For more
+information about the Kerberos Consortium, see http://kerberos.org/
-If you don't have GNU tar, you will need to get the FSF gzip
-distribution and use gzcat:
+For more information about the MIT Kerberos software, see
+ http://web.mit.edu/kerberos/
- gzcat krb5-1.9.tar.gz | tar xpf -
-
-Both of these methods will extract the sources into krb5-1.9/src and
-the documentation into krb5-1.9/doc.
+People interested in participating in the MIT Kerberos development
+effort should visit http://k5wiki.kerberos.org/
Building and Installing Kerberos 5
----------------------------------
compile and install Kerberos V5 on any platform, you may send mail to
krb5-bugs@mit.edu.
+Please keep in mind that unencrypted e-mail is not secure. If you need
+to report a security vulnerability, or send sensitive information,
+please PGP-encrypt it to krbcore-security@mit.edu.
+
You may view bug reports by visiting
-http://krbdev.mit.edu/rt/
+ http://krbdev.mit.edu/rt/
and logging in as "guest" with password "guest".
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.
-Major changes in 1.9
---------------------
-
-krb5-1.9 changes by ticket ID
------------------------------
-
-Copyright and Other Legal Notices
----------------------------------
-
-Copyright (C) 1985-2010 by the Massachusetts Institute of Technology.
-
-All rights reserved.
-
-Export of this software from the United States of America may require
-a specific license from the United States Government. It is the
-responsibility of any person or organization contemplating export to
-obtain such a license before exporting.
-
-WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-distribute this software and its documentation for any purpose and
-without fee is hereby granted, provided that the above copyright
-notice appear in all copies and that both that copyright notice and
-this permission notice appear in supporting documentation, and that
-the name of M.I.T. not be used in advertising or publicity pertaining
-to distribution of the software without specific, written prior
-permission. Furthermore if you modify this software you must label
-your software as modified software and not distribute it in such a
-fashion that it might be confused with the original MIT software.
-M.I.T. makes no representations about the suitability of this software
-for any purpose. It is provided "as is" without express or implied
-warranty.
-
-THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
-IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
-WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-
-Individual source code files are copyright MIT, Cygnus Support,
-Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
-FundsXpress, and others.
-
-Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
-and Zephyr are trademarks of the Massachusetts Institute of Technology
-(MIT). No commercial use of these trademarks may be made without
-prior written permission of MIT.
-
-"Commercial use" means use of a name in a product or other for-profit
-manner. It does NOT prevent a commercial firm from referring to the
-MIT trademarks in order to convey information (although in doing so,
-recognition of their trademark status should be given).
-
- --------------------
-
-Portions of src/lib/crypto have the following copyright:
-
- Copyright (C) 1998 by the FundsXpress, INC.
-
- All rights reserved.
-
- Export of this software from the United States of America may require
- a specific license from the United States Government. It is the
- responsibility of any person or organization contemplating export to
- obtain such a license before exporting.
-
- WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- distribute this software and its documentation for any purpose and
- without fee is hereby granted, provided that the above copyright
- notice appear in all copies and that both that copyright notice and
- this permission notice appear in supporting documentation, and that
- the name of FundsXpress. not be used in advertising or publicity pertaining
- to distribution of the software without specific, written prior
- permission. FundsXpress makes no representations about the suitability of
- this software for any purpose. It is provided "as is" without express
- or implied warranty.
-
- THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
- IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-
-
- --------------------
-
-The following copyright and permission notice applies to the
-OpenVision Kerberos Administration system located in kadmin/create,
-kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
-of lib/rpc:
+Major changes in 1.10
+---------------------
+
+Additional background information on these changes may be found at
+
+ http://k5wiki.kerberos.org/wiki/Release_1.10
+
+and
+
+ http://k5wiki.kerberos.org/wiki/Category:Release_1.10_projects
+
+Code quality:
+
+* Fix MITKRB5-SA-2011-006 and MITKRB5SA-2011-007 KDC denial of service
+ vulnerabilities [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529
+ CVE-2011-1530].
+
+* Update the Fortuna implementation to more accurately implement the
+ description in _Cryptography Engineering_, and make it the default
+ PRNG.
+
+* Add an alternative PRNG that relies on the OS native PRNG.
+
+Developer experience:
- Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
-
- WARNING: Retrieving the OpenVision Kerberos Administration system
- source code, as described below, indicates your acceptance of the
- following terms. If you do not agree to the following terms, do not
- retrieve the OpenVision Kerberos administration system.
-
- You may freely use and distribute the Source Code and Object Code
- compiled from it, with or without modification, but this Source
- Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
- INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
- FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
- EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
- FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
- CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
- WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
- CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
- OTHER REASON.
-
- OpenVision retains all copyrights in the donated Source Code. OpenVision
- also retains copyright to derivative works of the Source Code, whether
- created by OpenVision or by a third party. The OpenVision copyright
- notice must be preserved if derivative works are made based on the
- donated Source Code.
-
- OpenVision Technologies, Inc. has donated this Kerberos
- Administration system to MIT for inclusion in the standard
- Kerberos 5 distribution. This donation underscores our
- commitment to continuing Kerberos technology development
- and our gratitude for the valuable work which has been
- performed by MIT and the Kerberos community.
-
- --------------------
-
- Portions contributed by Matt Crawford <crawdad@fnal.gov> were
- work performed at Fermi National Accelerator Laboratory, which is
- operated by Universities Research Association, Inc., under
- contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
-
- --------------------
-
-The implementation of the Yarrow pseudo-random number generator in
-src/lib/crypto/yarrow has the following copyright:
-
- Copyright 2000 by Zero-Knowledge Systems, Inc.
-
- Permission to use, copy, modify, distribute, and sell this software
- and its documentation for any purpose is hereby granted without fee,
- provided that the above copyright notice appear in all copies and that
- both that copyright notice and this permission notice appear in
- supporting documentation, and that the name of Zero-Knowledge Systems,
- Inc. not be used in advertising or publicity pertaining to
- distribution of the software without specific, written prior
- permission. Zero-Knowledge Systems, Inc. makes no representations
- about the suitability of this software for any purpose. It is
- provided "as is" without express or implied warranty.
-
- ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
- THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
- FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
- ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
- OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
- --------------------
-
-The implementation of the AES encryption algorithm in
-src/lib/crypto/aes has the following copyright:
-
- Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
- All rights reserved.
-
- LICENSE TERMS
-
- The free distribution and use of this software in both source and binary
- form is allowed (with or without changes) provided that:
-
- 1. distributions of this source code include the above copyright
- notice, this list of conditions and the following disclaimer;
-
- 2. distributions in binary form include the above copyright
- notice, this list of conditions and the following disclaimer
- in the documentation and/or other associated materials;
-
- 3. the copyright holder's name is not used to endorse products
- built using this software without specific written permission.
-
- DISCLAIMER
-
- This software is provided 'as is' with no explcit or implied warranties
- in respect of any properties, including, but not limited to, correctness
- and fitness for purpose.
-
- --------------------
-
-Portions contributed by Red Hat, including the pre-authentication
-plug-ins framework, contain the following copyright:
-
- Copyright (c) 2006 Red Hat, Inc.
- Portions copyright (c) 2006 Massachusetts Institute of Technology
- All Rights Reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- * Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- * Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials provided
- with the distribution.
-
- * Neither the name of Red Hat, Inc., nor the names of its
- contributors may be used to endorse or promote products derived
- from this software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
- OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
- --------------------
-
-The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
-src/lib/gssapi, including the following files:
-
- lib/gssapi/generic/gssapi_err_generic.et
- lib/gssapi/mechglue/g_accept_sec_context.c
- lib/gssapi/mechglue/g_acquire_cred.c
- lib/gssapi/mechglue/g_canon_name.c
- lib/gssapi/mechglue/g_compare_name.c
- lib/gssapi/mechglue/g_context_time.c
- lib/gssapi/mechglue/g_delete_sec_context.c
- lib/gssapi/mechglue/g_dsp_name.c
- lib/gssapi/mechglue/g_dsp_status.c
- lib/gssapi/mechglue/g_dup_name.c
- lib/gssapi/mechglue/g_exp_sec_context.c
- lib/gssapi/mechglue/g_export_name.c
- lib/gssapi/mechglue/g_glue.c
- lib/gssapi/mechglue/g_imp_name.c
- lib/gssapi/mechglue/g_imp_sec_context.c
- lib/gssapi/mechglue/g_init_sec_context.c
- lib/gssapi/mechglue/g_initialize.c
- lib/gssapi/mechglue/g_inquire_context.c
- lib/gssapi/mechglue/g_inquire_cred.c
- lib/gssapi/mechglue/g_inquire_names.c
- lib/gssapi/mechglue/g_process_context.c
- lib/gssapi/mechglue/g_rel_buffer.c
- lib/gssapi/mechglue/g_rel_cred.c
- lib/gssapi/mechglue/g_rel_name.c
- lib/gssapi/mechglue/g_rel_oid_set.c
- lib/gssapi/mechglue/g_seal.c
- lib/gssapi/mechglue/g_sign.c
- lib/gssapi/mechglue/g_store_cred.c
- lib/gssapi/mechglue/g_unseal.c
- lib/gssapi/mechglue/g_userok.c
- lib/gssapi/mechglue/g_utils.c
- lib/gssapi/mechglue/g_verify.c
- lib/gssapi/mechglue/gssd_pname_to_uid.c
- lib/gssapi/mechglue/mglueP.h
- lib/gssapi/mechglue/oid_ops.c
- lib/gssapi/spnego/gssapiP_spnego.h
- lib/gssapi/spnego/spnego_mech.c
-
-and the initial implementation of incremental propagation, including
-the following new or changed files:
-
- include/iprop_hdr.h
- kadmin/server/ipropd_svc.c
- lib/kdb/iprop.x
- lib/kdb/kdb_convert.c
- lib/kdb/kdb_log.c
- lib/kdb/kdb_log.h
- lib/krb5/error_tables/kdb5_err.et
- slave/kpropd_rpc.c
- slave/kproplog.c
-
-and marked portions of the following files:
-
- lib/krb5/os/hst_realm.c
-
-are subject to the following license:
-
- Copyright (c) 2004 Sun Microsystems, Inc.
-
- Permission is hereby granted, free of charge, to any person obtaining a
- copy of this software and associated documentation files (the
- "Software"), to deal in the Software without restriction, including
- without limitation the rights to use, copy, modify, merge, publish,
- distribute, sublicense, and/or sell copies of the Software, and to
- permit persons to whom the Software is furnished to do so, subject to
- the following conditions:
-
- The above copyright notice and this permission notice shall be included
- in all copies or substantial portions of the Software.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
- IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
- CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
- TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
- --------------------
-
-MIT Kerberos includes documentation and software developed at the
-University of California at Berkeley, which includes this copyright
-notice:
-
- Copyright (C) 1983 Regents of the University of California.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials provided
- with the distribution.
-
- 3. Neither the name of the University nor the names of its
- contributors may be used to endorse or promote products derived
- from this software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-
- --------------------
-
-Portions contributed by Novell, Inc., including the LDAP database
-backend, are subject to the following license:
-
- Copyright (c) 2004-2005, Novell, Inc.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- * Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
- * The copyright holder's name is not used to endorse or promote products
- derived from this software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
- --------------------
-
-Portions funded by Sandia National Laboratory and developed by the
-University of Michigan's Center for Information Technology
-Integration, including the PKINIT implementation, are subject to the
-following license:
-
- COPYRIGHT (C) 2006-2007
- THE REGENTS OF THE UNIVERSITY OF MICHIGAN
- ALL RIGHTS RESERVED
-
- Permission is granted to use, copy, create derivative works
- and redistribute this software and such derivative works
- for any purpose, so long as the name of The University of
- Michigan is not used in any advertising or publicity
- pertaining to the use of distribution of this software
- without specific, written prior authorization. If the
- above copyright notice or any other identification of the
- University of Michigan is included in any copy of any
- portion of this software, then the disclaimer below must
- also be included.
-
- THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
- FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
- PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
- MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
- WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
- REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
- FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
- CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
- OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
- IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGES.
-
- --------------------
-
-The pkcs11.h file included in the PKINIT code has the following
-license:
-
- Copyright 2006 g10 Code GmbH
- Copyright 2006 Andreas Jellinghaus
-
- This file is free software; as a special exception the author gives
- unlimited permission to copy and/or distribute it, with or without
- modifications, as long as this notice is preserved.
-
- This file is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY, to the extent permitted by law; without even
- the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE.
-
- --------------------
-
-Portions contributed by Apple Inc. are subject to the following license:
-
-Copyright 2004-2008 Apple Inc. All Rights Reserved.
-
-Export of this software from the United States of America may require
-a specific license from the United States Government. It is the
-responsibility of any person or organization contemplating export to
-obtain such a license before exporting.
-
-WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-distribute this software and its documentation for any purpose and
-without fee is hereby granted, provided that the above copyright
-notice appear in all copies and that both that copyright notice and
-this permission notice appear in supporting documentation, and that
-the name of Apple Inc. not be used in advertising or publicity pertaining
-to distribution of the software without specific, written prior
-permission. Apple Inc. makes no representations about the suitability of
-this software for any purpose. It is provided "as is" without express
-or implied warranty.
-
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
-IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
-WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-
- --------------------
-
-The implementations of strlcpy and strlcat in
-src/util/support/strlcat.c have the following copyright and permission
-notice:
-
-Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
- --------------------
-
-The implementations of UTF-8 string handling in src/util/support and
-src/lib/krb5/unicode are subject to the following copyright and
-permission notice:
-
-The OpenLDAP Public License
- Version 2.8, 17 August 2003
-
-Redistribution and use of this software and associated documentation
-("Software"), with or without modification, are permitted provided
-that the following conditions are met:
-
-1. Redistributions in source form must retain copyright statements
- and notices,
-
-2. Redistributions in binary form must reproduce applicable copyright
- statements and notices, this list of conditions, and the following
- disclaimer in the documentation and/or other materials provided
- with the distribution, and
-
-3. Redistributions must contain a verbatim copy of this document.
-
-The OpenLDAP Foundation may revise this license from time to time.
-Each revision is distinguished by a version number. You may use
-this Software under terms of this license revision or under the
-terms of any subsequent revision of the license.
-
-THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
-CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
-SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
-OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
-ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-The names of the authors and copyright holders must not be used in
-advertising or otherwise to promote the sale, use or other dealing
-in this Software without specific, written prior permission. Title
-to copyright in this Software shall at all times remain with copyright
-holders.
-
-OpenLDAP is a registered trademark of the OpenLDAP Foundation.
-
-Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
-California, USA. All Rights Reserved. Permission to copy and
-distribute verbatim copies of this document is granted.
-
- --------------------
-
-Marked test programs in src/lib/krb5/krb have the following copyright:
-
-Copyright (c) 2006 Kungliga Tekniska Högskolan
-(Royal Institute of Technology, Stockholm, Sweden).
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
-3. Neither the name of KTH nor the names of its contributors may be
- used to endorse or promote products derived from this software without
- specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
-LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-Acknowledgements for krb5-1.9
------------------------------
-
-Thanks to the members of the Kerberos V5 development team at MIT, both
-past and present: Danilo Almeida, Jeffrey Altman, Justin Anderson,
-Richard Basch, Jay Berkenbilt, Mitch Berger, Andrew Boardman, Joe
-Calzaretta, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman,
-Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus,
-Miroslav Jurisic, Barry Jaspan, Geoffrey King, Kevin Koch, John Kohl,
-Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park,
-Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff
-Schiller, Jen Selby, Robert Silk, Brad Thompson, Harry Tsai, Zhanna
-Tsitkova, Ted Ts'o, Marshall Vale, Tom Yu.
+* Add the ability for GSSAPI servers to use any keytab key for a
+ specified service, if the server specifies a host-based name with no
+ hostname component.
+
+* In the build system, identify the source files needed for
+ per-message processing within a kernel and ensure that they remain
+ independent.
+
+* Allow rd_safe and rd_priv to ignore the remote address.
+
+* Rework KDC and kadmind networking code to use an event loop
+ architecture.
+
+* Add a plugin interface for providing configuration information.
+
+Administrator experience:
+
+* Add more complete support for renaming principals.
+
+* Add the profile variable ignore_acceptor_hostname in libdefaults. If
+ set, GSSAPI will ignore the hostname component of acceptor names
+ supplied by the server, allowing any keytab key matching the service
+ to be used.
+
+* Add support for string attributes on principal entries.
+
+* Allow password changes to work over NATs.
+
+End-user experience:
+
+* Add the DIR credential cache type, which can hold a collection of
+ credential caches.
+
+* Enhance kinit, klist, and kdestroy to support credential cache
+ collections if the cache type supports it.
+
+* Add the kswitch command, which changes the selected default cache
+ within a collection.
+
+* Add heuristic support for choosing client credentials based on the
+ service realm.
+
+* Add support for $HOME/.k5identity, which allows credential choice
+ based on configured rules.
+
+* Add support for localization. (No translations are provided in this
+ release, but the infrastructure is present for redistributors to
+ supply them.)
+
+Protocol evolution:
+
+* Make PKINIT work with FAST in the client library.
+
+krb5-1.10 changes by ticket ID
+------------------------------
+
+6118 rename principals
+6323 kadmin: rename support
+6430 Avoid looping when preauth can't be generated
+6617 uninitialized values used in mkey-migration code
+6732 checks for openpty() aren't made using -lutil
+6770 kg_unseal leads to overlap of source and desitination in memcpy...
+6813 memory leak in gss_accept_sec_context
+6814 Improve kdb5_util load locking and recovery
+6816 potential memory leak in spnego
+6817 potential null dereference in gss mechglue
+6835 accept_sec_context RFC4121 support bug in 1.8.3
+6851 pkinit can't parse some valid cms messages
+6854 kadmin's ktremove can remove wrong entries when removing kvno 0
+6855 Improve acceptor name flexibility
+6857 missing ifdefs around IPv6 code
+6858 Assume ELF on FreeBSD if objformat doesn't exist
+6863 memory leak on SPNEGO error path
+6868 Defer hostname lookups in krb5_sendto_kdc
+6872 Fix memory leak in t_expire_warn
+6874 Fortuna as default PRNG
+6878 Add test script for user2user programs
+6887 Use first principal in keytab when verifying creds
+6890 Implement draft-josefsson-gss-capsulate
+6891 Add gss_userok and gss_pname_to_uid
+6892 Prevent bleed-through of mechglue symbols into loaded mechs
+6893 error codes from error responses can be discarded when there's e-data
+6894 More sensical mech selection for gss_acquire_cred/accept_sec_context
+6895 gss_duplicate_name SPI for SPNEGO
+6896 Allow anonymous name to be imported with empty name buffer
+6897 Default principal name in the acceptor cred corresponds to
+ first entry in associated keytab.
+6898 Set correct minor_status value in call to gss_display_status.
+6902 S4U impersonated credential KRB5_CC_NOT_FOUND
+6904 Install k5login(5) as well as .k5login(5)
+6905 support poll() in sendto_kdc.c
+6909 Kernel subset
+6910 Account lockout policy parameters not documented
+6911 Account lockout policy options time format
+6914 krb5-1.9.1 static compile error +preliminary patch (fwd)
+6915 klist -s trips over referral entries
+6918 Localize user interface strings using gettext
+6921 Convert preauth_plugin.h to new plugin framework
+6922 Work around glibc getaddrinfo PTR lookups
+6923 Use AI_ADDRCONFIG for more efficient getaddrinfo
+6924 Fix multiple libkdb_ldap memory leaks
+6927 chpass_util.c improvements
+6928 use timegm() for krb5int_gmt_mktime() when available
+6929 Pluggable configuration
+6931 Add libedit/readline support to ss.
+6933 blocking recv caused our server to hang
+6934 don't require a default realm
+6944 gss_acquire_cred erroneous failure and potential segfault for caller
+6945 spnego_gss_acquire_cred_impersonate_name incorrect usage of
+ impersonator_cred_handle
+6951 assertion failure when connections fail in service_fds()
+6953 Add the DIR ccache type
+6954 Add new cache collection APIs
+6955 Remove unneeded cccol behaviors
+6956 Add ccache collection support to tools
+6957 Add krb5_cc_select() API and pluggable interface
+6958 Make gss-krb5 use cache collection
+6961 Support pkinit: SignedData with no signers (KDC)
+6962 pkinit: client: Use SignedData for anonymous
+6964 Support special salt type in default krb5_dbe_cpw.
+6965 Remove CFLAGS and external deps from krb5-config --libs
+6966 Eliminate domain-based client realm walk
+6968 [PATCH] Man page fixes
+6969 Create e_data as pa_data in KDC interfaces.
+6971 Use type-safe callbacks in preauth interface
+6974 Make krb5_pac_sign public
+6975 Add PKINIT NSS support
+6976 Hide gak_fct interface and arguments in clpreauth
+6977 Install krb5/preauth_plugin.h
+6978 Allow rd_priv/rd_safe without remote address
+6979 Allow password changes over NATs
+6980 Ensure termination in Windows vsnprintf wrapper
+6981 SA-2011-006 KDC denial of service [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529]
+6987 Fix krb5_cc_set_config
+6988 Fix handling of null edata method in KDC preauth
+6989 fix tar invocation in mkrel
+6992 Make krb5_find_authdata public
+6994 Fix intermediate key length in hmac-md5 checksum
+6995 Initialize typed_e_data in as_req_state
+6996 Make krb5_check_clockskew public
+6997 don't build po/ if msgfmt is missing
+6999 compile warnings, mininum version check for pkinit (NSS code paths)
+7000 Exit on error in kadmind kprop child
+7002 verto sshould have a pointer to upstream sources and be in NOTICE
+7003 Fix month/year units in getdate
+7006 Fix format string for TRACE_INIT_CREDS_SERVICE
+7014 Fix com_err.h dependencies in gss-kernel-lib
+7015 Add plugin interface_names entry for ccselect
+7017 Simplify and fix kdcpreauth request_body callback
+7018 Update verto to 0.2.2 release
+7019 Make verto context available to kdcpreauth modules
+7020 reading minor error message doesn't work for the IAKERB mech
+7021 Fix failure interval of 0 in LDAP lockout code
+7023 Clean up client-side preauth error data handling
+7027 FAST PKINIT
+7029 Fix --with-system-verto without pkg-config
+7030 Ldap dependency for parallel builds
+7033 krb5 1.10 KRB5_PADATA_ENC_TIMESTAMP isn't working
+7034 mk_cred: memory management
+7035 krb5_lcc_store() now ignores config credentials
+7036 Fix free ofuninitialized memory in sname_to_princ
+7037 Use LsaDeregisterLogonProcess(), not CloseHandle()
+7038 Added support for loading of Krb5.ini from Windows APPDATA
+7039 Handle TGS referrals to the same realm
+7042 SA-2011-007 KDC null pointer deref in TGS handling [CVE-2011-1530]
+7049 Fix subkey memory leak in krb5_get_credentials
+7050 KfW changes for krb5-1.10
+
+Acknowledgements
+----------------
+
+Past and present Sponsors of the MIT Kerberos Consortium:
+
+ Apple
+ Carnegie Mellon University
+ Centrify Corporation
+ Columbia University
+ Cornell University
+ The Department of Defense of the United States of America (DoD)
+ Fidelity Investments
+ Google
+ Iowa State University
+ MIT
+ Michigan State University
+ Microsoft
+ The National Aeronautics and Space Administration
+ of the United States of America (NASA)
+ Network Appliance (NetApp)
+ Nippon Telephone and Telegraph (NTT)
+ Oracle
+ Pennsylvania State University
+ Red Hat
+ Stanford University
+ TeamF1, Inc.
+ The University of Alaska
+ The University of Michigan
+ The University of Pennsylvania
+
+Past and present members of the Kerberos Team at MIT:
+
+ Danilo Almeida
+ Jeffrey Altman
+ Justin Anderson
+ Richard Basch
+ Mitch Berger
+ Jay Berkenbilt
+ Andrew Boardman
+ Bill Bryant
+ Steve Buckley
+ Joe Calzaretta
+ John Carr
+ Mark Colan
+ Don Davis
+ Alexandra Ellwood
+ Carlos Garay
+ Dan Geer
+ Nancy Gilman
+ Matt Hancher
+ Thomas Hardjono
+ Sam Hartman
+ Paul Hill
+ Marc Horowitz
+ Eva Jacobus
+ Miroslav Jurisic
+ Barry Jaspan
+ Geoffrey King
+ Kevin Koch
+ John Kohl
+ HaoQi Li
+ Jonathan Lin
+ Peter Litwack
+ Scott McGuire
+ Steve Miller
+ Kevin Mitchell
+ Cliff Neuman
+ Paul Park
+ Ezra Peisach
+ Chris Provenzano
+ Ken Raeburn
+ Jon Rochlis
+ Jeff Schiller
+ Jen Selby
+ Robert Silk
+ Bill Sommerfeld
+ Jennifer Steiner
+ Ralph Swick
+ Brad Thompson
+ Harry Tsai
+ Zhanna Tsitkova
+ Ted Ts'o
+ Marshall Vale
+ Tom Yu
+
+The following external contributors have provided code, patches, bug
+reports, suggestions, and valuable resources:
+
+ Brandon Allbery
+ Russell Allbery
+ Brian Almeida
+ Michael B Allen
+ Heinz-Ado Arnolds
+ Derek Atkins
+ Mark Bannister
+ David Bantz
+ Alex Baule
+ Arlene Berry
+ Jeff Blaine
+ Radoslav Bodo
+ Emmanuel Bouillon
+ Michael Calmer
+ Julien Chaffraix
+ Ravi Channavajhala
+ Srinivas Cheruku
+ Leonardo Chiquitto
+ Howard Chu
+ Andrea Cirulli
+ Christopher D. Clausen
+ Kevin Coffman
+ Simon Cooper
+ Sylvain Cortes
+ Nalin Dahyabhai
+ Dennis Davis
+ Mark Deneen
+ Roland Dowdeswell
+ Jason Edgecombe
+ Mark Eichin
+ Shawn M. Emery
+ Douglas E. Engert
+ Peter Eriksson
+ Juha Erkkilä
+ Ronni Feldt
+ Bill Fellows
+ JC Ferguson
+ William Fiveash
+ Ákos Frohner
+ Marcus Granado
+ Scott Grizzard
+ Helmut Grohne
+ Steve Grubb
+ Philip Guenther
+ Dominic Hargreaves
+ Jakob Haufe
+ Paul B. Henson
+ Jeff Hodges
+ Christopher Hogan
+ Love Hörnquist Åstrand
+ Ken Hornstein
+ Henry B. Hotz
+ Luke Howard
+ Jakub Hrozek
+ Shumon Huque
+ Jeffrey Hutzelman
+ Wyllys Ingersoll
+ Holger Isenberg
+ Pavel Jindra
+ Joel Johnson
+ Mikkel Kruse
+ Volker Lendecke
+ Jan iankko Lieskovsky
+ Kevin Longfellow
+ Ryan Lynch
+ Nathaniel McCallum
+ Greg McClement
+ Cameron Meadors
+ Alexey Melnikov
+ Franklyn Mendez
+ Markus Moeller
+ Kyle Moffett
+ Paul Moore
+ Keiichi Mori
+ Zbysek Mraz
+ Edward Murrell
+ Nikos Nikoleris
+ Felipe Ortega
+ Andrej Ota
+ Dmitri Pal
+ Javier Palacios
+ Tom Parker
+ Ezra Peisach
+ W. Michael Petullo
+ Mark Phalan
+ Jonathan Reams
+ Robert Relyea
+ Martin Rex
+ Jason Rogers
+ Mike Roszkowski
+ Guillaume Rousse
+ Tom Shaw
+ Peter Shoults
+ Simo Sorce
+ Michael Spang
+ Michael Ströder
+ Bjørn Tore Sund
+ Rathor Vipin
+ Jorgen Wahlsten
+ Max (Weijun) Wang
+ John Washington
+ Kevin Wasserman
+ Margaret Wasserman
+ Marcus Watts
+ Simon Wilkinson
+ Nicolas Williams
+ Ross Wilper
+ Xu Qiang
+ Hanz van Zijst
+
+The above is not an exhaustive list; many others have contributed in
+various ways to the MIT Kerberos development effort over the years.
+Other acknowledgments (for bug reports and patches) are in the
+doc/CHANGES file.