User-Visible krb5-strength Changes
-krb5-strength 3.1 (unreleased)
+krb5-strength 3.2 (unreleased)
+
+ Support building without CrackLib support by passing
+ --without-cracklib to configure. This makes the code a bit simpler
+ and lighter if you don't intend to ever use the CrackLib support.
+
+ Use explicit_bzero instead of memset, where available, to overwrite
+ copies of passwords before freeing memory. This reduces the lifetime
+ of passwords in memory.
+
+ Update to rra-c-util 8.2:
+
+ * Implement explicit_bzero with memset if it is not available.
+ * Reformat all C source using clang-format 10.
+ * Work around Test::Strict not skipping .git directories.
+ * Fix warnings with perltidy 20190601 and Perl::Critic 1.134.
+ * Improve check for obsolete strings.
+ * Use a more standard all-permissive license.
+ * Add SPDX-License-Identifier headers to all substantial source files.
+ * Skip more build system files when running the test suite.
+ * Fix warnings with Clang 10, GCC 10, and the Clang static analyzer.
+ * Exclude more valgrind false positives with Kerberos libraries.
+
+ Update to C TAP Harness 4.7:
+
+ * Fix warnings with GCC 10.
+ * Reformat all C source using clang-format 10.
+ * Fixed malloc error checking in bstrndup.
+ * Add support for valgrind testing via test list options.
+ * Report test failures as left and right, not wanted and seen.
+ * Fix is_string comparisons involving NULL pointers and "(null)".
+ * Add SPDX-License-Identifier headers to all substantial source files.
+
+krb5-strength 3.1 (2016-12-25)
A new configuration option, cracklib_maxlen, can be set to skip
CrackLib checks of passwords longer than that length. The CrackLib
SQLite dictionaries work better for checking longer passwords and
passphrases. Patch from Jorj Bauer.
+ The require_classes configuration option can now require a particular
+ number of character classes in the password (whatever those classes
+ are). Patch from Toby Blake.
+
Change the error messages returned for passwords that fail strength
checking to start with a capital letter. This appears to be more
consistent with the error message conventions used inside Heimdal.
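Review bot: The "Use explicit_bzero instead of memset, where available" entry states that password lifetime in memory is reduced, but the rra-c-util 8.2 list directly below it says explicit_bzero is implemented with memset when the platform lacks it. A memset on a buffer that is about to be freed is a dead store that an optimizing compiler may remove, so on those platforms the overwrite is not guaranteed unless the fallback is written to prevent that. Suggest qualifying the entry so it says the benefit applies where the platform provides explicit_bzero, and noting what the fallback does and does not promise.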
doesn't apply since all the GECOS manipulation code was removed from
the embedded CrackLib in this package.)
+ Patch the mkdict and packer in the embedded copy of CrackLib to force
+ C locale when sorting (avoiding a corrupted dictionary) and warn and
+ skip out-of-order words rather than creating a corrupted dictionary.
+ Patch from Mark Sirota.
+
+ Configuration instrutions are now in the heimdal-history and
+ heimdal-strength man pages and a new krb5-strength man page (which
+ documents configuration of the KDC plugin) instead of the README file
+ to make it more accessible after the software has been installed.
+
Update to rra-c-util 6.2:
* Use calloc in preference to malloc wherever appropriate.
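Review bot: "instrutions" in the added paragraph "Configuration instrutions are now in the heimdal-history and" is a typo for "instructions". In the same paragraph, "to make it more accessible" does not agree with the plural subject; suggest "to make them more accessible after the software has been installed."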