From: Tom Yu Date: Tue, 2 Jun 2009 00:25:44 +0000 (+0000) Subject: Update copyrights. Reorganize "major changes" listing X-Git-Tag: krb5-1.7-final~2 X-Git-Url: http://git.tremily.us/gitweb.cgi?a=commitdiff_plain;h=140234f0d2f292a1b7f7acd73ce2a77a13697340;p=krb5.git Update copyrights. Reorganize "major changes" listing git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22398 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/README b/README index 04f6e08e5..ab50b7781 100644 --- a/README +++ b/README @@ -53,6 +53,11 @@ If you are not able to use krb5-send-pr because you haven't been able compile and install Kerberos V5 on any platform, you may send mail to krb5-bugs@mit.edu. +Keep in mind that unencrypted e-mail is not secure; if you need to +send sensitive information, such as reporting potential security +vulnerabilities, please PGP-encrypt it to our security contact +address: krbcore-security@mit.edu. + You may view bug reports by visiting http://krbdev.mit.edu/rt/ 
@@ -72,59 +77,106 @@ future releases. Major changes in 1.7 -------------------- -* Remove support for version 4 of the Kerberos protocol (krb4). +The krb5-1.7 release contains a large number of changes, featuring +improvements in the following broad areas: -* New libdefaults configuration variable "allow_weak_crypto". NOTE: - Currently defaults to "true", but may default to "false" in a future - release. Setting this variable to "false" will have the effect of - removing weak enctypes (currently defined to be all single-DES - enctypes) from permitted_enctypes, default_tkt_enctypes, and - default_tgs_enctypes. +* Compatibility with Microsoft Windows + +* Administrator experience + +* User experience + +* Code quality + +* Protocol evolution -* Client library now follows client principal referrals, for - compatibility with Windows. +Compatibility with Microsoft Windows: + +* Follow client principal referrals in the client library when + obtaining initial tickets. * KDC can issue realm referrals for service principals based on domain names. -* Encryption algorithm negotiation (RFC 4537). - -* In the replay cache, use a hash over the complete ciphertext to - avoid false-positive replay indications. +* Extensions supporting DCE RPC, including three-leg GSS context setup + and unencapsulated GSS tokens inside SPNEGO. * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is - similar to the equivalent SSPI functionality. - -* DCE RPC, including three-leg GSS context setup and unencapsulated - GSS tokens. + similar to the equivalent SSPI functionality. This is needed to + support some instances of DCE RPC. * NTLM recognition support in GSS-API, to facilitate dropping in an - NTLM implementation. + NTLM implementation for improved compatibility with older releases + of Microsoft Windows. * KDC support for principal aliases, if the back end supports them. Currently, only the LDAP back end supports aliases. 
-* Microsoft set/change password (RFC 3244) protocol in kadmind. +* Support Microsoft set/change password (RFC 3244) protocol in + kadmind. + +* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which + allows a GSS application to request credential delegation only if + permitted by KDC policy. + +Administrator experience: + +* Install header files for the administration API, allowing + third-party software to manipulate the KDC database. * Incremental propagation support for the KDC database. -* Master key rollover support. +* Master key rollover support, making it easier to change master key + passwords or encryption types. -* Flexible Authentication Secure Tunneling (FAST), a preauthentiation - framework that can protect the AS exchange from dictionary attack. +* New libdefaults configuration variable "allow_weak_crypto". NOTE: + Currently defaults to "true", but may default to "false" in a future + release. Setting this variable to "false" will have the effect of + removing weak enctypes (currently defined to be all single-DES + enctypes) from permitted_enctypes, default_tkt_enctypes, and + default_tgs_enctypes. -* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which - allows a GSS application to request credential delegation only if - permitted by KDC policy. +User experience: + +* Provide enhanced GSS-API error message including supplementary + details about error conditions. + +* In the replay cache, use a hash over the complete ciphertext to + avoid false-positive replay indications. + +Code quality: + +* Replace many uses of "unsafe" string functions. While most of these + instances were innocuous, they impeded efficient automatic and + manual static code analysis. + +* Fix many instances of resource leaks and similar bugs identified by + static analysis tools. * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 -- various vulnerabilities in SPNEGO and ASN.1 code. 
+Protocol evolution: + +* Remove support for version 4 of the Kerberos protocol (krb4). + +* Encryption algorithm negotiation (RFC 4537), allowing clients and + application services to negotiate stronger encryption than their KDC + supports. + +* Flexible Authentication Secure Tunneling (FAST), a preauthentiation + framework that can protect the AS exchange from dictionary attacks + on weak user passwords. + Known bugs by ticket ID ----------------------- 6481 kdb ldap integration removed rev/recurse kdb5_util dumps 6487 gss_unwrap_iov fails in stream mode +6505 fix t_prf test code properly +6506 Make results of krb5_db_def_fetch_mkey more predictable +6507 kdb5_util update_princ_encryption uses latest mkey instead of + active mkey Changes by ticket ID -------------------- diff --git a/doc/copyright.texinfo b/doc/copyright.texinfo index 5d58c592a..018c41043 100644 --- a/doc/copyright.texinfo +++ b/doc/copyright.texinfo @@ -1,4 +1,4 @@ -Copyright @copyright{} 1985-2008 by the Massachusetts Institute of Technology. +Copyright @copyright{} 1985-2009 by the Massachusetts Institute of Technology. @quotation Export of software employing encryption from the United States of @@ -324,6 +324,12 @@ the following new or changed files: slave/kproplog.c @end smallexample +and marked portions of the following files: + +@smallexample + lib/krb5/os/hst_realm.c +@end smallexample + are subject to the following license: @quotation @@ -412,7 +418,7 @@ backend, are subject to the following license: @iftex @smallfonts @rm @end iftex -Copyright (c) 2004-2005, Novell, Inc. +Copyright @copyright{} 2004-2005, Novell, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without 
@@ -553,6 +559,36 @@ WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. @end iftex @end quotation +The implementations of strlcpy and strlcat in +src/util/support/strlcat.c have the following copyright and permission +notice: + +@quotation +@iftex +@smallfonts @rm +@end iftex + +Copyright @copyright{} 1998 Todd C. Miller + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +@iftex +@vskip 12pt +@hrule +@vskip 12pt +@end iftex +@end quotation + The implementations of UTF-8 string handling in src/util/support and src/lib/krb5/unicode are subject to the following copyright and permission notice: 
@@ -617,6 +653,51 @@ distribute verbatim copies of this document is granted. @end iftex @end quotation +Marked test programs in src/lib/krb5/krb have the following copyright: + +@quotation +@iftex +@smallfonts @rm +@end iftex + +Copyright @copyright{} 2006 Kungliga Tekniska H@"{o}gskolan +(Royal Institute of Technology, Stockholm, Sweden). +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. Neither the name of KTH nor the names of its contributors may be + used to endorse or promote products derived from this software without + specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY +EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ +@iftex +@vskip 12pt +@hrule +@vskip 12pt +@end iftex +@end quotation + Permission is granted to make and distribute verbatim copies of this manual provided the copyright notices and this permission notice are preserved on all copies.
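Review bot: the paragraph added to README in the hunk at @@ -53,6 +53,11 tells reporters to PGP-encrypt sensitive reports to krbcore-security@mit.edu but gives no way to obtain or verify that key; suggest adding the key's fingerprint, or a pointer to where the key is published, next to the address, since without it a reporter cannot distinguish the genuine key from one published under the same address by someone else. It would also help to state explicitly that reports sent to krb5-bugs@mit.edu are not confidential, given that the next sentence already points readers at http://krbdev.mit.edu/rt/ to view bug reports; that is the reason the encryption advice exists.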
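Review bot: in the README hunk at @@ -72,59 +77,106, the bullet "Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847" ends up under the new "Code quality" heading, where an administrator scanning the release notes for security fixes is unlikely to look; suggest a separate "Security fixes" heading, listed in the broad-areas summary at the top, or at least keeping the SPNEGO/ASN.1 wording on the first line of the bullet. Two wording problems survive the reorganization: "preauthentiation" in the FAST bullet (present in both the removed and the added text) should be "preauthentication", and "Provide enhanced GSS-API error message including supplementary details" should read "error messages". The "Master key rollover support" bullet under "Administrator experience" would also benefit from a cross-reference to known bug 6507 ("kdb5_util update_princ_encryption uses latest mkey instead of active mkey"), added in the same hunk, since it concerns the rollover tooling being advertised.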
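Review bot: in the doc/copyright.texinfo hunk at @@ -324,6 +324,12, the new @smallexample entry "lib/krb5/os/hst_realm.c" follows the existing "slave/kproplog.c" in omitting the "src/" prefix, while the notices added later in this same patch use "src/util/support/strlcat.c" and "src/lib/krb5/krb"; suggest settling on one form across the file so the listed paths can be matched mechanically against the tree. "marked portions" also leaves unstated how the portions are marked; a short phrase naming the marking convention would help anyone auditing the attribution.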
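Review bot: in the doc/copyright.texinfo hunk at @@ -617,6 +653,51, "Marked test programs in src/lib/krb5/krb" does not name the files, unlike the other notices in this file, which list them in a @smallexample; suggest listing them so the attribution can be checked against the tree. The lead-in "have the following copyright" (also used for the strlcat/strlcpy notice in the hunk at @@ -553,6 +559,36) differs from the "are subject to the following license" phrasing used elsewhere in the file; minor, but worth aligning while the sections are being added.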