X-Git-Url: https://git.eyrie.org/?a=blobdiff_plain;f=NEWS;h=c127ce141485ce2272a53bace3f2dc9b7a58b0f6;hb=refs%2Fheads%2Fdebian%2Funstable;hp=72be2f3a14f4f771aa4391a6522a87159edc1bfd;hpb=13bae4ba5c37b1636b96e2771ed71585674a7f09;p=kerberos%2Fkrb5-strength.git diff --git a/NEWS b/NEWS index 72be2f3..c127ce1 100644 --- a/NEWS +++ b/NEWS 
@@ -1,5 +1,149 @@ User-Visible krb5-strength Changes +krb5-strength 3.3 (2023-12-25) + + heimdal-history now requires the Perl modules Const::Fast and + JSON::MaybeXS instead of Readonly and JSON. + + Increase hash iterations for heimdal-history by about 10% to maintain + the time required for a password hash at about 0.1 seconds on not + horribly modern hardware. This will affect newly-stored history + entries but will not invalidate existing password history entries. + + Explicitly erase the copy of the password made in the Heimdal plugin + before freeing memory. + + Add a spec file for building RPMs, contributed by Daria Phoebe + Brashear. + + Update to rra-c-util 10.5: + + * Assume a working snprintf rather than supplying a replacement. + * Fix detection of reallocarray on NetBSD. + * Check that Kerberos header files were found during configure. + * Use AS_ECHO in all Autoconf macros. + * Always use lib32 or lib64 if it exists, even on Debian. + * Fix rejection of unknown Clang warning flags. + * Disable -Wreserved-identifier for Clang warning builds. + +krb5-strength 3.2 (2020-05-17) + + Add new -c (--check-only) option to heimdal-history to check whether a + password would be accepted without updating the history or password + length databases. Based on work by macrotex. + + Increase hash iterations for heimdal-history by roughly a factor of + four to increase the time required for a password hash to about 0.1 + seconds on modern hardware. This will affect newly-stored history + entries but will not invalidate existing password history entries. + + Support building without CrackLib support by passing + --without-cracklib to configure. This makes the code a bit simpler + and lighter if you don't intend to ever use the CrackLib support. + + krb5-strength-wordlist now requires Perl 5.010 or later. + + Use explicit_bzero instead of memset, where available, to overwrite + copies of passwords before freeing memory. 
This reduces the lifetime + of passwords in memory. + + Skip tests that require the stronger rule configuration in the + embedded CrackLib when built against system CrackLib. This avoids + test failures when built with system CrackLib. + + Rework the check-valgrind target to use the new C TAP Harness valgrind + support and automatically check the valgrind log files for errors at + the end of the test suite. + + Add SPDX-License-Identifier headers to all substantial source files + other than those in the bundled version of CrackLib. + + Update to rra-c-util 8.2: + + * Implement explicit_bzero with memset if it is not available. + * Reformat all C source using clang-format 10. + * Work around Test::Strict not skipping .git directories. + * Fix warnings with perltidy 20190601 and Perl::Critic 1.134. + * Improve check for obsolete strings. + * Use a more standard all-permissive license. + * Add SPDX-License-Identifier headers to all substantial source files. + * Skip more build system files when running the test suite. + * Fix warnings with Clang 10, GCC 10, and the Clang static analyzer. + * Exclude more valgrind false positives with Kerberos libraries. + * Improve support for AIX's bundled Kerberos. + + Update to C TAP Harness 4.7: + + * Fix warnings with GCC 10. + * Reformat all C source using clang-format 10. + * Fixed malloc error checking in bstrndup. + * Add support for valgrind testing via test list options. + * Report test failures as left and right, not wanted and seen. + * Fix is_string comparisons involving NULL pointers and "(null)". + * Add SPDX-License-Identifier headers to all substantial source files. + +krb5-strength 3.1 (2016-12-25) + + A new configuration option, cracklib_maxlen, can be set to skip + CrackLib checks of passwords longer than that length. The CrackLib + rules were designed in a world in which most passwords were four to + eight characters long and tend to spuriously reject longer passwords. 
+ SQLite dictionaries work better for checking longer passwords and + passphrases. Patch from Jorj Bauer. + + The require_classes configuration option can now require a particular + number of character classes in the password (whatever those classes + are). Patch from Toby Blake. + + Change the error messages returned for passwords that fail strength + checking to start with a capital letter. This appears to be more + consistent with the error message conventions used inside Heimdal. + + Change the DB_File::Lock calling method in heimdal-history to work + properly with the (buggy) CPAN version of DB_File::Lock, instead of + relying on Debian's patched version. Thanks to Bernt Jernberg for the + report. + + Apply the SuSE patch for a buffer overflow when using duplicate rules + to the embedded CrackLib. No duplicating rules are used in the rule + set included with this package, and this package doesn't expose the + general API, so this was not exploitable, but best to close the latent + issue. (The other recent CrackLib vulnerability, CVE-2016-6318, + doesn't apply since all the GECOS manipulation code was removed from + the embedded CrackLib in this package.) + + Patch the mkdict and packer in the embedded copy of CrackLib to force + C locale when sorting (avoiding a corrupted dictionary) and warn and + skip out-of-order words rather than creating a corrupted dictionary. + Patch from Mark Sirota. + + Configuration instrutions are now in the heimdal-history and + heimdal-strength man pages and a new krb5-strength man page (which + documents configuration of the KDC plugin) instead of the README file + to make it more accessible after the software has been installed. + + Update to rra-c-util 6.2: + + * Use calloc in preference to malloc wherever appropriate. + * Use reallocarray in preference to realloc wherever appropriate. + * Suppress warnings from Kerberos headers under make warnings. + * Support the embedded Kerberos in Solaris 10 in library probes. 
+ * Add missing va_end in xasprintf implementation. + * Fix logic in Test::RRA::Automake for new Automake dist checking. + * Fix all return-value checks for snprintf to avoid off-by-one error. + * Update warning flags for make warnings to GCC 6.1.0. + * Fix Test::RRA::Config for new "do" semantics in Perl 5.22.2. + * Add a new test for obsolete eyrie.org URLs. + * Require Test::Strict 0.25 or newer for Perl strictness checks. + + Update to C TAP Harness 4.1: + + * Replace all remaining uses of sprintf. + * Test lists may now have comments and blank lines. + * runtests -v will show the complete output from a test. + * Fix segfault in runtests when given an empty test list. + * Tests use C_TAP_SOURCE and C_TAP_BUILD instead of SOURCE and BUILD. + krb5-strength 3.0 (2014-03-25) The krb5-strength plugin and heimdal-strength program now support a
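Review bot: typo in the krb5-strength 3.1 entry of this hunk, "Configuration instrutions are now in the heimdal-history and heimdal-strength man pages"; change "instrutions" to "instructions". Two smaller style points in the same hunk: the C TAP Harness 4.7 list mixes tenses, with "* Fixed malloc error checking in bstrndup." sitting among imperative items such as "* Fix warnings with GCC 10.", so "Fixed" should read "Fix" to match the bullet style used throughout the file; and the 3.2 entry repeats itself in "Skip tests that require the stronger rule configuration in the embedded CrackLib when built against system CrackLib. This avoids test failures when built with system CrackLib.", where the second sentence restates the first and could be dropped or folded into it.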