User-Visible krb5-strength Changes
-krb5-strength 3.1 (unreleased)
+krb5-strength 3.3 (unreleased)
+
+ heimdal-history now requires the Perl modules Const::Fast and
+ JSON::MaybeXS instead of Readonly and JSON.
+
+ Explicitly erase the copy of the password made in the Heimdal plugin.
+
+ Update to rra-c-util 10.5:
+
+ * Assume a working snprintf rather than supplying a replacement.
+ * Fix detection of reallocarray on NetBSD.
+ * Check that Kerberos header files were found during configure.
+ * Use AS_ECHO in all Autoconf macros.
+ * Always use lib32 or lib64 if it exists, even on Debian.
+ * Fix rejection of unknown Clang warning flags.
+ * Disable -Wreserved-identifier for Clang warning builds.
+
+krb5-strength 3.2 (2020-05-17)
+
+ Add new -c (--check-only) option to heimdal-history to check whether a
+ password would be accepted without updating the history or password
+ length databases. Based on work by macrotex.
+
+ Increase hash iterations for heimdal-history by roughly a factor of
+ four to increase the time required for a password hash to about 0.1
+ seconds on modern hardware. This will affect newly-stored history
+ entries but will not invalidate existing password history entries.
+
+ Support building without CrackLib support by passing
+ --without-cracklib to configure. This makes the code a bit simpler
+ and lighter if you don't intend to ever use the CrackLib support.
+
+ krb5-strength-wordlist now requires Perl 5.010 or later.
+
+ Use explicit_bzero instead of memset, where available, to overwrite
+ copies of passwords before freeing memory. This reduces the lifetime
+ of passwords in memory.
+
+ Skip tests that require the stronger rule configuration in the
+ embedded CrackLib when built against system CrackLib. This avoids
+ test failures when built with system CrackLib.
+
+ Rework the check-valgrind target to use the new C TAP Harness valgrind
+ support and automatically check the valgrind log files for errors at
+ the end of the test suite.
+
+ Add SPDX-License-Identifier headers to all substantial source files
+ other than those in the bundled version of CrackLib.
+
+ Update to rra-c-util 8.2:
+
+ * Implement explicit_bzero with memset if it is not available.
+ * Reformat all C source using clang-format 10.
+ * Work around Test::Strict not skipping .git directories.
+ * Fix warnings with perltidy 20190601 and Perl::Critic 1.134.
+ * Improve check for obsolete strings.
+ * Use a more standard all-permissive license.
+ * Add SPDX-License-Identifier headers to all substantial source files.
+ * Skip more build system files when running the test suite.
+ * Fix warnings with Clang 10, GCC 10, and the Clang static analyzer.
+ * Exclude more valgrind false positives with Kerberos libraries.
+ * Improve support for AIX's bundled Kerberos.
+
+ Update to C TAP Harness 4.7:
+
+ * Fix warnings with GCC 10.
+ * Reformat all C source using clang-format 10.
+ * Fixed malloc error checking in bstrndup.
+ * Add support for valgrind testing via test list options.
+ * Report test failures as left and right, not wanted and seen.
+ * Fix is_string comparisons involving NULL pointers and "(null)".
+ * Add SPDX-License-Identifier headers to all substantial source files.
+
+krb5-strength 3.1 (2016-12-25)
A new configuration option, cracklib_maxlen, can be set to skip
CrackLib checks of passwords longer than that length. The CrackLib
SQLite dictionaries work better for checking longer passwords and
passphrases. Patch from Jorj Bauer.
+ The require_classes configuration option can now require a particular
+ number of character classes in the password (whatever those classes
+ are). Patch from Toby Blake.
+
Change the error messages returned for passwords that fail strength
checking to start with a capital letter. This appears to be more
consistent with the error message conventions used inside Heimdal.
doesn't apply since all the GECOS manipulation code was removed from
the embedded CrackLib in this package.)
+ Patch the mkdict and packer in the embedded copy of CrackLib to force
+ C locale when sorting (avoiding a corrupted dictionary) and warn and
+ skip out-of-order words rather than creating a corrupted dictionary.
+ Patch from Mark Sirota.
+
+ Configuration instrutions are now in the heimdal-history and
+ heimdal-strength man pages and a new krb5-strength man page (which
+ documents configuration of the KDC plugin) instead of the README file
+ to make it more accessible after the software has been installed.
+
+ Update to rra-c-util 6.2:
+
+ * Use calloc in preference to malloc wherever appropriate.
+ * Use reallocarray in preference to realloc wherever appropriate.
+ * Suppress warnings from Kerberos headers under make warnings.
+ * Support the embedded Kerberos in Solaris 10 in library probes.
+ * Add missing va_end in xasprintf implementation.
+ * Fix logic in Test::RRA::Automake for new Automake dist checking.
+ * Fix all return-value checks for snprintf to avoid off-by-one error.
+ * Update warning flags for make warnings to GCC 6.1.0.
+ * Fix Test::RRA::Config for new "do" semantics in Perl 5.22.2.
+ * Add a new test for obsolete eyrie.org URLs.
+ * Require Test::Strict 0.25 or newer for Perl strictness checks.
+
+ Update to C TAP Harness 4.1:
+
+ * Replace all remaining uses of sprintf.
+ * Test lists may now have comments and blank lines.
+ * runtests -v will show the complete output from a test.
+ * Fix segfault in runtests when given an empty test list.
+ * Tests use C_TAP_SOURCE and C_TAP_BUILD instead of SOURCE and BUILD.
+
krb5-strength 3.0 (2014-03-25)
The krb5-strength plugin and heimdal-strength program now support a
projects / kerberos / krb5-strength.git / blobdiff