From: Tom Yu Date: Thu, 25 Feb 2010 21:28:22 +0000 (+0000) Subject: README and patchlevel.h for krb5-1.8-beta2 X-Git-Tag: krb5-1.8-beta2^2 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=46d7ebf6edd4ca81c13aee890327237ceed03c74;p=krb5.git README and patchlevel.h for krb5-1.8-beta2 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23754 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/README b/README index 26e516b50..1135b8f0b 100644 --- a/README +++ b/README @@ -64,6 +64,11 @@ and logging in as "guest" with password "guest". DES transition -------------- +The krb5-1.8 release disables single-DES cryptosystems by default. As +a result, you may need to add the libdefaults setting +"allow_weak_crypto = true" to communicate with existing Kerberos +infrastructures if they do not support stronger ciphers. + The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration @@ -192,6 +197,7 @@ krb5-1.8 changes by ticket ID 6599 memory leak in krb5_rd_req_decrypt_tkt_part 6600 gss_inquire_context cannot handle no target name from mechanism 6601 gsssspi_set_cred_option cannot handle mech specific option +6603 issues with SPNEGO 6605 PKINIT client should validate SAN for TGS, not service principal 6606 allow testing when offline 6607 anonymous PKINIT @@ -202,7 +208,8 @@ krb5-1.8 changes by ticket ID 6622 kinit_fast fails if weak enctype is among client principal keys 6623 Always treat anonymous as preauth required 6624 automated tests for anonymous pkinit -6625 yarrow code does not initialize keyblock enctype and uses unitialized value +6625 yarrow code does not initialize keyblock enctype and uses + unitialized value 6626 Restore interoperability with 1.6 addprinc -randkey 6627 Set enctype in crypto_tests to prevent memory leaks 6628 krb5int_dk_string_to_key fails to set enctype @@ -217,7 +224,8 @@ krb5-1.8 changes by ticket ID 6645 Add krb5_allow_weak_crypto API 6648 define MIN() in lib/gssapi/krb5/prf.c 6649 Get rid of kdb_ext.h and allow out-of-tree KDB plugins -6651 Handle migration from pre-1.7 databases with master key kvno != 1 (1.8 pullup) +6651 Handle migration from pre-1.7 databases with master key + kvno != 1 (1.8 pullup) 6652 Make decryption of master key list more robust 6653 set_default_enctype_var should filter not reject weak enctypes 6654 Fix greet_server build @@ -225,9 +233,12 @@ krb5-1.8 changes by ticket ID 6656 krb5int_fast_free_state segfaults if state is null 6657 enc_padata can include empty sequence 6658 Implement gss_set_neg_mechs +6659 Additional memory leaks in kdc 6660 Minimal support for updating history key 6662 MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service 6663 update mkrel to deal with changed source layout +6665 Fix cipher state chaining in OpenSSL back end +6669 doc updates for allow_weak_crypto Acknowledgements ---------------- diff --git a/src/patchlevel.h b/src/patchlevel.h index 7b8dc9f3e..1dd918eb9 100644 --- a/src/patchlevel.h +++ b/src/patchlevel.h @@ -53,6 +53,6 @@ #define KRB5_MAJOR_RELEASE 1 #define KRB5_MINOR_RELEASE 8 #define KRB5_PATCHLEVEL 0 -#define KRB5_RELTAIL "beta1-postrelease" +#define KRB5_RELTAIL "beta2" /* #undef KRB5_RELDATE */ -#define KRB5_RELTAG "branches/krb5-1-8" +#define KRB5_RELTAG "tags/krb5-1-8-beta2"