Security: CVE-2025-57736

Kerberos Version 5, Release 1.22

Release Notes
The MIT Kerberos Team

Copyright and Other Notices
---------------------------

Copyright (C) 1985-2025 by the Massachusetts Institute of Technology
and its contributors.  All rights reserved.

Please see the file named NOTICE for additional notices.

Documentation
-------------

Unified documentation for Kerberos V5 is available in both HTML and
PDF formats.  The table of contents of the HTML format documentation
is at doc/html/index.html, and the PDF format documentation is in the
doc/pdf directory.

Additionally, you may find copies of the HTML format documentation
online at

    https://web.mit.edu/kerberos/krb5-latest/doc/

for the most recent supported release, or at

    https://web.mit.edu/kerberos/krb5-devel/doc/

for the release under development.

More information about Kerberos may be found at

    https://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site

    https://kerberos.org/

Building and Installing Kerberos 5
----------------------------------

Build documentation is in doc/html/build/index.html or
doc/pdf/build.pdf.

The installation guide is in doc/html/admin/install.html or
doc/pdf/install.pdf.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments by sending email to
krb5-bugs@mit.edu.

You may view bug reports by visiting

    https://krbdev.mit.edu/rt/

and using the "Guest Login" button.  Please note that the web
interface to our bug database is read-only for guests, and the primary
way to interact with our bug database is via email.

PAC transitions
---------------

Beginning with release 1.20, the KDC will include minimal PACs in
tickets instead of AD-SIGNEDPATH authdata.  S4U requests (protocol
transition and constrained delegation) must now contain valid PACs in
the incoming tickets.  Beginning with release 1.21, service ticket
PACs will contain a new KDC checksum buffer, to mitigate a hash
collision attack against the old KDC checksum.  If only some KDCs in a
realm have been upgraded across versions 1.20 or 1.21, the upgraded
KDCs will reject S4U requests containing tickets from non-upgraded
KDCs and vice versa.

Triple-DES and RC4 transitions
------------------------------

Beginning with the krb5-1.21 release, the KDC will not issue tickets
with triple-DES or RC4 session keys unless explicitly configured using
the new allow_des3 and allow_rc4 variables in [libdefaults].  To
facilitate the negotiation of session keys, the KDC will assume that
all services can handle aes256-sha1 session keys unless the service
principal has a session_enctypes string attribute.

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type.  Beginning with the krb5-1.21 release, a warning will also be
issued for the arcfour-hmac encryption type.  In future releases,
these encryption types will be disabled by default and eventually
removed.

Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.

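As an added example (not code from the MIT release notes or the krb5 project), the block below pairs a krb5.conf fragment that leaves the allow_des3/allow_rc4 opt-ins off with a small check that finds tickets whose session key still uses triple-DES or RC4, which is the population the transition above affects.  The "klist -e" sample is constructed, and the weak_session_enctypes function name and the permitted_enctypes line are this example's choices rather than anything the notes prescribe.

```shell
#!/bin/sh
# Added example (not from the MIT krb5 release notes).  Flags credentials
# whose *session* key enctype is triple-DES or RC4, the types the 1.21+
# KDC no longer issues unless allow_des3 / allow_rc4 is set.

# Reference krb5.conf fragment.  Leaving both variables at "false" (the
# default) keeps the KDC from issuing des3/rc4 session keys.  The
# permitted_enctypes line is this example's choice, not a requirement.
KRB5_CONF_FRAGMENT='
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_des3 = false
    allow_rc4 = false
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
'

# Constructed sample of "klist -e" output, as a client in a mixed realm
# might see it before the transition is complete.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
08/20/2025 09:00:00  08/20/2025 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
08/20/2025 09:01:00  08/20/2025 19:00:00  host/legacy.example.com@EXAMPLE.COM
        Etype (skey, tkt): des3-cbc-sha1, aes256-cts-hmac-sha1-96
08/20/2025 09:02:00  08/20/2025 19:00:00  cifs/filer.example.com@EXAMPLE.COM
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
08/20/2025 09:03:00  08/20/2025 19:00:00  HTTP/app.example.com@EXAMPLE.COM
        Etype (skey, tkt): aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

# weak_session_enctypes: read "klist -e" text on stdin and print
# "<service principal> <session enctype>" for every ticket whose session
# key (the first enctype after "skey") is des3 or rc4.  The second
# enctype is the ticket's own, i.e. the service's long-term key, which
# is a separate cleanup item and is ignored here.
weak_session_enctypes() {
    awk '
        # A ticket line starts with the "valid starting" timestamp and
        # ends with the service principal.
        /^[0-9]/ { svc = $NF; next }
        /Etype \(skey, tkt\):/ {
            skey = $4; sub(/,$/, "", skey)
            if (skey ~ /^des3-/ || skey ~ /^(arcfour|rc4)-/)
                print svc, skey
        }'
}

# Demo over the constructed sample.  On a real host, run instead:
#   klist -e | weak_session_enctypes
printf '%s\n' "$SAMPLE_KLIST" | weak_session_enctypes
```

The two lines the demo prints are the tickets to chase down.  For a service that genuinely cannot take AES session keys, the notes point to a per-principal session_enctypes string attribute rather than a realm-wide allow_des3/allow_rc4 setting; kadmin's set_string command sets string attributes on a principal.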
Major changes in 1.22.1 (2025-08-20)
------------------------------------

This is a bug fix release.

* Fix a vulnerability in GSS MIC verification [CVE-2025-57736].

krb5-1.22.1 changes by ticket ID
--------------------------------

9181 verify_mic_v3 broken in 1.22

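The ticket title above ("verify_mic_v3 broken in 1.22") places the defect in 1.22 itself, so what a deployment needs to know is whether it runs 1.22 without the 1.22.1 fix.  The shell function below is an added example, not code from the MIT release notes or the krb5 source: it classifies the string printed by "krb5-config --version", assumed here to have the form "Kerberos 5 release X.Y[.Z]", and the version strings in the demo loop are constructed.

```shell
#!/bin/sh
# Added example (not from the MIT krb5 release notes).  Classifies a
# "krb5-config --version" string against the verify_mic fix shipped in
# 1.22.1 (ticket 9181, CVE-2025-57736).
# Assumption: only the "Kerberos 5 release X.Y[.Z]" format is handled.

# krb5_mic_fix_status "<version string>"
# Prints one of: affected (1.22 / 1.22.0), fixed (1.22.1 or later),
# predates (anything before 1.22), unknown (unparseable input).
krb5_mic_fix_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Kerberos 5 release \([0-9][0-9.]*\).*$/\1/p')
    [ -n "$ver" ] || { echo unknown; return 1; }

    # Split into major.minor.patch; MIT names the first release of a
    # series without a patch level, so "1.22" is treated as 1.22.0.
    major=${ver%%.*}
    rest=${ver#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    [ -n "$patch" ] || patch=0

    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 22 ]; }; then
        echo fixed          # a later series carries the 1.22.1 fix
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 22 ]; then
        if [ "$patch" -ge 1 ]; then echo fixed; else echo affected; fi
    else
        echo predates       # the defect was introduced in 1.22
    fi
}

# Demo over constructed version strings.  On a real host, run instead:
#   krb5_mic_fix_status "$(krb5-config --version)"
for v in "Kerberos 5 release 1.22" "Kerberos 5 release 1.22.1" \
         "Kerberos 5 release 1.21.3"; do
    printf '%s -> %s\n' "$v" "$(krb5_mic_fix_status "$v")"
done
```

A "predates" result only means this particular ticket does not apply; it says nothing about other fixes the older series may be missing.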
Major changes in 1.22 (2025-08-05)
----------------------------------

User experience:

* The libdefaults configuration variable "request_timeout" can be set
  to limit the total timeout for KDC requests.  When making a KDC
  request, the client will now wait indefinitely (or until the request
  timeout has elapsed) on a KDC which accepts a TCP connection,
  without contacting any additional KDCs.  Clients will make fewer DNS
  queries in some configurations.

* The realm configuration variable "sitename" can be set to cause the
  client to query site-specific DNS records when making KDC requests.

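Both variables above live in krb5.conf; the fragment and helper below are an added example and not part of the MIT release notes.  The practical caveat in the first bullet is that a KDC which accepts a TCP connection and then never answers will hold the client until request_timeout elapses, so a deployment that wants failover to another KDC must set it.  The helper prints the SRV owner names a client would look up for a realm so the records can be checked with dig.  The realm-wide _kerberos._udp/_kerberos._tcp names are the standard ones; the "<site>._sites." form (taken from the Active Directory convention the sitename option targets), the "boston" site name, and the plain numeric request_timeout value (read as seconds) are assumptions.

```shell
#!/bin/sh
# Added example (not from the MIT krb5 release notes).  Shows the two new
# client-side settings and derives the DNS SRV names a client would query
# for a realm, so an admin can verify the records with dig before
# relying on them.

# Reference krb5.conf fragment.  Assumptions: request_timeout is a plain
# number of seconds (10 s total across all KDC contacts, so a KDC that
# accepts TCP but never replies cannot stall the client forever), and
# "boston" is a placeholder site name.
KRB5_CONF_FRAGMENT='
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    request_timeout = 10

[realms]
    EXAMPLE.COM = {
        sitename = boston
    }
'

# kdc_srv_names REALM [SITENAME]: print SRV owner names, site-specific
# first (only when a sitename is given) and realm-wide second, matching
# the precedence the release notes describe.  Within each group the UDP
# name is listed before TCP purely for display.  The "<site>._sites."
# form is assumed to follow the Active Directory convention.
kdc_srv_names() {
    realm=$1
    site=$2
    if [ -n "$site" ]; then
        for proto in _udp _tcp; do
            printf '_kerberos.%s.%s._sites.%s\n' "$proto" "$site" "$realm"
        done
    fi
    for proto in _udp _tcp; do
        printf '_kerberos.%s.%s\n' "$proto" "$realm"
    done
}

# Demo: names to hand to "dig SRV <name>" from a client in the boston site.
kdc_srv_names EXAMPLE.COM boston
```

Run "dig SRV" on each printed name from a client in that site; if the site-specific names return no records, the client falls through to the realm-wide ones.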
Administrator experience:

* Principal aliases are supported in the DB2 and LMDB KDB modules and
  in the kadmin protocol.  (The LDAP KDB module has supported aliases
  since release 1.7.)

* UNIX domain sockets are supported for the Kerberos and kpasswd
  protocols.

* systemd socket activation is supported for krb5kdc and kadmind.

Developer experience:

* KDB modules can be implemented in terms of other modules using the
  new krb5_db_load_module() function.

* The profile library supports the modification of empty profiles and
  the copying of modified profiles, making it possible to construct an
  in-memory profile and pass it to krb5_init_context_profile().

* GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
  gss_init_sec_context() to request strict enforcement of channel
  bindings by the acceptor.

Protocol evolution:

* The PKINIT preauth module supports elliptic curve client
  certificates, ECDH key exchange, and the Microsoft paChecksum2
  field.

* The IAKERB implementation has been changed to comply with the most
  recent draft standard and to support realm discovery.

* Message-Authenticator is supported in the RADIUS implementation used
  by the OTP kdcpreauth module.

Code quality:

* Removed old-style function declarations, to accommodate compilers
  which have removed support for them.

* Added OSS-Fuzz to the project's continuous integration
  infrastructure.

* Rewrote the GSS per-message token parsing code for improved safety.

krb5-1.22 changes by ticket ID
------------------------------

7721 Primary KDC lookups happen sooner than necessary
7899 Client waits before moving on after KDC_ERR_SVC_UNAVAILABLE
8618 ksu doesn't exit nonzero
9094 Get arm64-windows builds working
9095 PKINIT ECDH support
9096 Enable PKINIT if at least one group is available
9100 Add ecdsa-with-sha512/256 to supportedCMSTypes
9105 Wait indefinitely on KDC TCP connections
9106 Add request_timeout configuration parameter
9108 Remove PKINIT RSA support
9110 profile library null dereference when modifying empty profile
9111 Correct PKINIT EC cert signature metadata
9112 Support PKCS11 EC client certs in PKINIT
9113 Improve PKCS11 error reporting in PKINIT
9114 Build fails with link-time optimization
9116 Improve error message for DES kadmin/history key
9118 profile write operation interactions with reloading
9119 Make profile_copy() work on dirty profiles
9120 profile final flag limitations
9121 Don't flush libkrb5 context profiles
9122 Add GSS flag to include KERB_AP_OPTIONS_CBT
9123 Correct IAKERB protocol implementation
9124 Support site-local KDC discovery via DNS
9126 Handle empty initial buffer in IAKERB initiator
9130 make krb5_get_default_config_files public
9131 Adjust removed cred detection in FILE ccache
9132 Change krb5_get_credentials() endtime behavior
9133 Add acceptor-side IAKERB realm discovery
9135 Replace Windows installer FilesInUse dialog text
9139 Block library unloading to avoid finalizer races
9141 Fix krb5_crypto_us_timeofday() microseconds check
9142 Generate and verify message MACs in libkrad
9143 Fix memory leak in PAC checksum verification
9144 Fix potential PAC processing crash
9145 Prevent late initialization of GSS error map
9146 Allow null keyblocks in IOV checksum functions
9147 Add numeric constants to krad.h and use them
9148 Fix krb5_ldap_list_policy() filtering loop
9149 Use getentropy() when available
9151 Add kadmind support for disabling listening
9152 Default kdc_tcp_listen to kdc_listen value
9153 Fix LDAP module leak on authentication error
9154 Components of the X509_user_identity string cannot contain ':'
9155 UNIX domain socket support
9156 Allow KDB module stacking
9157 Add support for systemd socket activation
9158 Set missing mask flags for kdb5_util operations
9159 Prevent overflow when calculating ulog block size
9160 Allow only one salt type per enctype in key data
9161 Improve ulog block resize efficiency
9162 Build PKINIT on Windows
9163 Add alias support
9164 Add database format documentation
9165 Display NetBIOS ticket addresses in klist
9166 Add PKINIT paChecksum2 from MS-PKCA v20230920
9167 Add initiator-side IAKERB realm discovery
9168 Fix IAKERB accept_sec_context null pointer crash
9169 Fix IAKERB error handling
9170 Avoid gss_inquire_attrs_for_mech() null outputs
9171 Fix getsockname() call in Windows localaddr
9172 Check lengths in xdr_krb5_key_data()
9173 Limit -keepold for self-service key changes
9179 Avoid large numbers of refresh_time cache entries

Acknowledgements
----------------

Past Sponsors of the MIT Kerberos Consortium:

    Apple
    Carnegie Mellon University
    Centrify Corporation
    Columbia University
    Cornell University
    The Department of Defense of the United States of America (DoD)
    Fidelity Investments
    Google
    Iowa State University
    MIT
    Michigan State University
    Microsoft
    MITRE Corporation
    Morgan-Stanley
    The National Aeronautics and Space Administration
        of the United States of America (NASA)
    Network Appliance (NetApp)
    Nippon Telephone and Telegraph (NTT)
    US Government Office of the National Coordinator for Health
        Information Technology (ONC)
    Oracle
    Pennsylvania State University
    Red Hat
    Stanford University
    TeamF1, Inc.
    The University of Alaska
    The University of Michigan
    The University of Pennsylvania

Past and present members of the Kerberos Team at MIT:

    Danilo Almeida
    Jeffrey Altman
    Justin Anderson
    Richard Basch
    Mitch Berger
    Jay Berkenbilt
    Andrew Boardman
    Bill Bryant
    Steve Buckley
    Joe Calzaretta
    John Carr
    Mark Colan
    Don Davis
    Sarah Day
    Alexandra Ellwood
    Carlos Garay
    Dan Geer
    Nancy Gilman
    Matt Hancher
    Thomas Hardjono
    Sam Hartman
    Paul Hill
    Marc Horowitz
    Eva Jacobus
    Miroslav Jurisic
    Barry Jaspan
    Benjamin Kaduk
    Geoffrey King
    Kevin Koch
    John Kohl
    HaoQi Li
    Jonathan Lin
    Peter Litwack
    Scott McGuire
    Steve Miller
    Kevin Mitchell
    Cliff Neuman
    Paul Park
    Ezra Peisach
    Chris Provenzano
    Ken Raeburn
    Jon Rochlis
    Jeff Schiller
    Jen Selby
    Robert Silk
    Bill Sommerfeld
    Jennifer Steiner
    Ralph Swick
    Brad Thompson
    Harry Tsai
    Zhanna Tsitkova
    Ted Ts'o
    Marshall Vale
    Taylor Yu

The following external contributors have provided code, patches, bug
reports, suggestions, and valuable resources:

    Ian Abbott
    Daniel Albers
    Brandon Allbery
    Russell Allbery
    Brian Almeida
    Michael B Allen
    Pooja Anil
    Jeffrey Arbuckle
    Heinz-Ado Arnolds
    Derek Atkins
    Mark Bannister
    David Bantz
    Alex Baule
    Nikhil Benesch
    David Benjamin
    Thomas Bernard
    Adam Bernstein
    Arlene Berry
    Jeff Blaine
    Toby Blake
    Radoslav Bodo
    Alexander Bokovoy
    Zoltan Borbely
    Sumit Bose
    Emmanuel Bouillon
    Isaac Boukris
    Ulf Bremer
    Pavel Březina
    Philip Brown
    Samuel Cabrero
    Michael Calmer
    Andrea Campi
    Julien Chaffraix
    Jacob Champion
    Puran Chand
    Ravi Channavajhala
    Srinivas Cheruku
    Leonardo Chiquitto
    Rachit Chokshi
    Seemant Choudhary
    Howard Chu
    Andrea Cirulli
    Christopher D. Clausen
    Kevin Coffman
    Gerald Combs
    Simon Cooper
    Sylvain Cortes
    Ian Crowther
    Arran Cudbard-Bell
    Adam Dabrowski
    Jeff D'Angelo
    Nalin Dahyabhai
    Mark Davies
    Dennis Davis
    Rull Deef
    Alex Dehnert
    Misty De Meo
    Mark Deneen
    Günther Deschner
    John Devitofranceschi
    Marc Dionne
    Roland Dowdeswell
    Ken Dreyer
    Dorian Ducournau
    Francis Dupont
    Viktor Dukhovni
    Jason Edgecombe
    Mark Eichin
    Shawn M. Emery
    Douglas E. Engert
    Peter Eriksson
    Juha Erkkilä
    Gilles Espinasse
    Valery Fedorenko
    Sergey Fedorov
    Ronni Feldt
    Bill Fellows
    JC Ferguson
    Remi Ferrand
    Paul Fertser
    Fabiano Fidêncio
    Frank Filz
    William Fiveash
    Jacques Florent
    Oliver Freyermuth
    Ákos Frohner
    Sebastian Galiano
    Ilya Gladyshev
    Marcus Granado
    Dylan Gray
    Norm Green
    Scott Grizzard
    Helmut Grohne
    Steve Grubb
    Philip Guenther
    Feng Guo
    Timo Gurr
    Dominic Hargreaves
    Robbie Harwood
    John Hascall
    Jakob Haufe
    Matthieu Hautreux
    Jochen Hein
    Paul B. Henson
    Kihong Heo
    Jeff Hodges
    Christopher Hogan
    Love Hörnquist Åstrand
    Ken Hornstein
    Henry B. Hotz
    Luke Howard
    Jakub Hrozek
    Shumon Huque
    Jeffrey Hutzelman
    Sergey Ilinykh
    Wyllys Ingersoll
    Holger Isenberg
    Spencer Jackson
    Diogenes S. Jesus
    Mike Jetzer
    Pavel Jindra
    Brian Johannesmeyer
    Joel Johnson
    Lutz Justen
    Ganesh Kamath
    Alexander Karaivanov
    Anders Kaseorg
    Bar Katz
    Zentaro Kavanagh
    Mubashir Kazia
    W. Trevor King
    Steffen Kieß
    Patrik Kis
    Martin Kittel
    Thomas Klausner
    Tomasz Kłoczko
    Ivan Korytov
    Matthew Krupcale
    Mikkel Kruse
    Reinhard Kugler
    Harshawardhan Kulkarni
    Tomas Kuthan
    Pierre Labastie
    Andreas Ladanyi
    Chris Leick
    Volker Lendecke
    Jan iankko Lieskovsky
    Todd Lipcon
    Oliver Loch
    Chris Long
    Kevin Longfellow
    Frank Lonigro
    Jon Looney
    Nuno Lopes
    Todd Lubin
    Ryan Lynch
    Glenn Machin
    Roland Mainz
    Sorin Manolache
    Robert Marshall
    Andrei Maslennikov
    Michael Mattioli
    Nathaniel McCallum
    Greg McClement
    Cameron Meadors
    Vipul Mehta
    Alexey Melnikov
    Ivan A. Melnikov
    Franklyn Mendez
    Stefan Metzmacher
    Mantas Mikulėnas
    Markus Moeller
    Kyle Moffett
    Jon Moore
    Paul Moore
    Keiichi Mori
    Michael Morony
    Robert Morris
    Sam Morris
    Zbysek Mraz
    Edward Murrell
    Bahaa Naamneh
    Joshua Neuheisel
    Nikos Nikoleris
    Demi Obenour
    Felipe Ortega
    Michael Osipov
    Andrej Ota
    Dmitri Pal
    Javier Palacios
    Dilyan Palauzov
    Tom Parker
    Eric Pauly
    Leonard Peirce
    Ezra Peisach
    Alejandro Perez
    Zoran Pericic
    W. Michael Petullo
    Mark Phalan
    Sharwan Ram
    Brett Randall
    Jonathan Reams
    Jonathan Reed
    Robert Relyea
    Tony Reix
    Martin Rex
    Pat Riehecky
    Julien Rische
    Jason Rogers
    Matt Rogers
    Nate Rosenblum
    Solly Ross
    Mike Roszkowski
    Guillaume Rousse
    Joshua Schaeffer
    Alexander Scheel
    Jens Schleusener
    Ryan Schmidt
    Andreas Schneider
    Eli Schwartz
    Paul Seyfert
    Tom Shaw
    Jim Shi
    Jerry Shipman
    Peter Shoults
    Richard Silverman
    Cel Skeggs
    Simo Sorce
    Anthony Sottile
    Michael Spang
    Michael Ströder
    Bjørn Tore Sund
    Ondřej Surý
    Joseph Sutton
    Alexey Tikhonov
    Joe Travaglini
    Sergei Trofimovich
    Greg Troxel
    Fraser Tweedale
    Tim Uglow
    Rathor Vipin
    Denis Vlasenko
    Thomas Wagner
    Jorgen Wahlsten
    Stef Walter
    Max (Weijun) Wang
    John Washington
    Xi Wang
    Nehal J Wani
    Kevin Wasserman
    Margaret Wasserman
    Marcus Watts
    Andreas Wiese
    Simon Wilkinson
    Nicolas Williams
    Ross Wilper
    Augustin Wolf
    Garrett Wollman
    David Woodhouse
    Tsu-Phong Wu
    Xu Qiang
    Neng Xue
    Zhaomo Yang
    Tianjiao Yin
    Nickolai Zeldovich
    Bean Zhang
    ChenChen Zhou
    Hanz van Zijst
    Gertjan Zwartjes

The above is not an exhaustive list; many others have contributed in
various ways to the MIT Kerberos development effort over the years.