Major changes in 1.9
--------------------
+Code quality:
+
+* Fix MITKRB5-SA-2010-007 checksum vulnerabilities (CVE-2010-1324 and others)
+* Python-based testing framework
+* DAL cleanup
+
+Developer experience:
+
+* NSS crypto back end
+* PRNG modularity
+* Fortuna-like PRNG
+
+Performance:
+
+* Account lockout performance improvements -- allow disabling of some
+ account lockout functionality to reduce the number of write
+ operations to the database during authentication
+
+Administrator experience:
+
+* Trace logging -- for easier diagnosis of configuration problems
+
+* Support for purging old keys (e.g. from "cpw -randkey -keepold")
+
+* Plugin interface for password sync -- based on proposed patches by
+ Russ Allbery that support his krb5-sync package
+
+* Plugin interface for password quality checks -- enables pluggable
+ password quality checks similar to Russ Allbery's krb5-strength
+ package
+
+* Configuration file validator
+
+* KDC support for SecurID preauthentication -- This is the old SAM-2
+ protocol, implemented to support existing deployments, not the
+ in-progress FAST-OTP work.
+
+Protocol evolution:
+
+* IAKERB -- a mechanism for tunneling Kerberos KDC transactions over
+ GSS-API, enabling clients to authenticate to services even when the
+ clients cannot directly reach the KDC that serves the services.
+
+* Camellia encryption (experimental; disabled by default)
+
krb5-1.9 changes by ticket ID
-----------------------------
+1219 mechanism to delete old keys should exist
+2032 No advanced warning of password expiry
+5014 kadmin (and other utilities) should report enctypes as it takes them
+6647 Memory leak in kdc
+6672 Python test framework
+6679 Lazy history key creation
+6684 Simple kinit verbosity patch
+6686 IPv6 support for kprop and kpropd
+6688 mit-krb5-1.7 fails to compile against openssl-1.0.0
+6699 Validate and renew should work on non-TGT creds
+6700 Introduce new krb5_tkt_creds API
+6712 Add IAKERB mechanism and gss_acquire_cred_with_password
+6714 [patch] fix format errors in krb5-1.8.1
+6715 cksum_body exports
+6719 Add lockout-related performance tuning variables
+6720 Negative enctypes improperly read from keytabs
+6723 Negative enctypes improperly read from ccaches
+6733 Make signedpath authdata visible via GSS naming exts
+6736 Add krb5_enctype_to_name() API
+6737 Trace logging
+6746 Make kadmin work over IPv6
+6749 DAL improvements
+6753 Fix XDR decoding of large values in xdr_u_int
+6755 Add GIC option for password/account expiration callback
+6758 Allow krb5_gss_register_acceptor_identity to unset keytab name
+6760 Fail properly when profile can't be accessed
+6761 add profile include support
+6762 key expiration computed incorrectly in libkdb_ldap
+6763 New plugin infrastructure
+6765 Password quality pluggable interface
+6769 clean up memory leak and potential unused variable in crypto tests
+6771 Fix memory leaks in kdb5_verify
+6772 Ensure valid key in krb5int_yarrow_cipher_encrypt_block
+6774 pkinit client cert matching can be disrupted by one of the
+ candidate certs
+6775 pkinit <KU> evaluation during certificate matching may fail
+6776 Typos in src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+6777 Segmentation fault in krb library (sn2princ.c) if realm not resolved
+6778 kdb: store mkey list in context and permit NULL mkey for
+ kdb_dbe_decrypt_key_data
+6779 kinit: add KDB keytab support
+6783 KDC worker processes feature
+6784 relicense Sun RPC to 3-clause BSD-style
+6785 Add gss_krb5_import_cred
+6786 kpasswd: if a credential cache is present, use FAST
+6787 S4U memory leak
+6791 kadm5_hook: new plugin interface
+6792 Implement k5login_directory and k5login_authoritative options
+6793 acquire_init_cred leaks interned name
+6795 Propagate modprinc -unlock from master to slave KDCs
+6796 segfault due to uninitialized variable in S4U
+6799 Performance issue in LDAP policy fetch
+6801 Fix leaks in get_init_creds interface
+6802 copyright notice updates
+6804 Remove KDC replay cache
+6805 securID code fixes
+6806 securID error handling fix
+6807 SecurID build support
+6809 gss_krb5int_make_seal_token_v3_iov fails to set conf_state
+6810 Better libk5crypto NSS fork safety
+6811 Mark Camellia-CCM code as experimental
+6812 krb5_get_credentials should not fail due to inability to store
+ a credential in a cache
+6815 Failed kdb5_util load removes real database
+6819 Handle referral realm in kprop client principal
+6820 Read KDC profile settings in kpropd
+6822 Implement Camellia-CTS-CMAC instead of Camellia-CCM
+6823 getdate.y: declare yyparse
+6824 Export krb5_tkt_creds_get
+6825 Add missing KRB5_CALLCONV in callback declaration
+6826 Fix Windows build
+6827 SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)
+6828 Install kadm5_hook_plugin.h
+6829 Implement restrict_anonymous_to_tgt realm flag
+6838 Regression in renewable handling
+6839 handle MS PACs that lack server checksum
+6840 typo in plugin-related error message
+6841 memory leak in changepw.c
+6842 Ensure time() is prototyped in g_accept_sec_context.c
+
Acknowledgements
----------------
Douglas E. Engert
Peter Eriksson
Ronni Feldt
+ Bill Fellows
JC Ferguson
William Fiveash
Ákos Frohner
Marcus Granado
Scott Grizzard
+ Helmut Grohne
Steve Grubb
Philip Guenther
+ Dominic Hargreaves
Jakob Haufe
Jeff Hodges
Love Hörnquist Åstrand
Jeffrey Hutzelman
Wyllys Ingersoll
Holger Isenberg
+ Pavel Jindra
Joel Johnson
Mikkel Kruse
Volker Lendecke
Robert Relyea
Martin Rex
Jason Rogers
+ Mike Roszkowski
Guillaume Rousse
Tom Shaw
Peter Shoults