security/krb5-118: Update to 1.18.4
The announcement as follows:
The MIT Kerberos Team announces the availability of MIT Kerberos 5
Releases 1.19.2 and 1.18.4. Please see below for a list of some major
changes included, or consult the README file in the source tree for a
more detailed list of significant changes.
Retrieving krb5-1.19.2 and krb5-1.18.4
You may retrieve the krb5-1.19.2 and krb5-1.18.4 sources from the
following URL:
https://kerberos.org/dist/
The homepage for the krb5-1.19.2 and krb5-1.18.4 releases are:
https://web.mit.edu/kerberos/krb5-1.19/ https://web.mit.edu/kerberos/krb5-1.18/
Further information about Kerberos 5 may be found at the following
URL:
https://web.mit.edu/kerberos/
Triple-DES transition
Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type. In future releases, this encryption type will be disabled by
default and eventually removed.
Beginning with the krb5-1.18 release, single-DES encryption types have
been removed.
Major changes in 1.19.2 and 1.18.4 (2021-07-22)
These are bug fix releases.
- Fix a denial of service attack against the KDC encrypted challenge code [CVE-2021-36222].
- Fix a memory leak when gss_inquire_cred() is called without a credential handle.
MFH: 2021Q3
Security: CVE-2021-36222