From 6cbd45486eb0b7814377a3864aaa298d171b3134 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 20 Aug 2024 16:43:07 -0400 Subject: [PATCH] Update features list for 1.22 --- doc/mitK5features.rst | 49 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 47 insertions(+), 2 deletions(-) diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst index 10effcf175..a3679354f6 100644 --- a/doc/mitK5features.rst +++ b/doc/mitK5features.rst @@ -19,8 +19,8 @@ Quick facts License - :ref:`mitK5license` Releases: - - Latest stable: https://web.mit.edu/kerberos/krb5-1.20/ - - Supported: https://web.mit.edu/kerberos/krb5-1.19/ + - Latest stable: https://web.mit.edu/kerberos/krb5-1.22/ + - Supported: https://web.mit.edu/kerberos/krb5-1.21/ - Release cycle: approximately 12 months Supported platforms \/ OS distributions: 
@@ -685,6 +685,51 @@ Release 1.21 - Improved the test framework's detection of memory errors in daemon processes when used with asan. +Release 1.21 + +* User experience: + + - The libdefaults configuration variable "request_timeout" can be + set to limit the total timeout for KDC requests. When making a + KDC request, the client will now wait indefinitely (or until the + request timeout has elapsed) on a KDC which accepts a TCP + connection, without contacting any additional KDCs. Clients will + make fewer DNS queries in some configurations. + + - The realm configuration variable "sitename" can be set to cause + the client look for site-specific DNS records when making KDC + requests. + +* Developer experience: + + - The profile library supports the modification of empty profiles + and the copying of modified profiles, making it possible to + construct an in-memory profile and pass it to + krb5_init_context_profile(). + + - GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to + gss_init_sec_context() to request strict enforcement of channel + bindings by the acceptor. + +* Protocol evolution: + + - PKINIT has support for elliptic curve client certificates and for + ECDH key exchange. + + - The IAKERB implementation has been changed to comply with the + standard. + +* Code quality: + + - Old-style function declarations have been removed, to accomodate + compilers removing support for them. + + - OSS-Fuzz support has been added to the project's continuous + integration infrastructure. + + - GSS per-message token parsing code has been rewritten for improved + safety. + `Pre-authentication mechanisms` - PW-SALT :rfc:`4120#section-5.2.7.3` -- 2.47.2
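Review bot: The heading added at the top of the second hunk reads "Release 1.21", which duplicates the existing "Release 1.21" section named in the hunk's context. Given the subject "Update features list for 1.22" and the first hunk moving "Latest stable" to krb5-1.22, it should read "Release 1.22". Two wording fixes in the same hunk: "cause the client look for site-specific DNS records" is missing "to" ("cause the client to look for"), and "accomodate" should be "accommodate". The "request_timeout" entry describes a behaviour change (the client now waits indefinitely on a KDC which accepts a TCP connection, without contacting additional KDCs), so consider saying explicitly that this applies when the variable is unset, so administrators reading the list know whether they need to set it.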