-
Notifications
You must be signed in to change notification settings - Fork 370
/
README
984 lines (834 loc) · 44 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
Kerberos Version 5, Release 1.6.4
Release Notes
The MIT Kerberos Team
Unpacking the Source Distribution
---------------------------------
The source distribution of Kerberos 5 comes in a gzipped tarfile,
krb5-1.6.4.tar.gz. Instructions on how to extract the entire
distribution follow.
If you have the GNU tar program and gzip installed, you can simply do:
gtar zxpf krb5-1.6.4.tar.gz
If you don't have GNU tar, you will need to get the FSF gzip
distribution and use gzcat:
gzcat krb5-1.6.4.tar.gz | tar xpf -
Both of these methods will extract the sources into krb5-1.6.4/src and
the documentation into krb5-1.6.4/doc.
Building and Installing Kerberos 5
----------------------------------
The first file you should look at is doc/install-guide.ps; it contains
the notes for building and installing Kerberos 5. The info file
krb5-install.info has the same information in info file format. You
can view this using the GNU emacs info-mode, or by using the
standalone info file viewer from the Free Software Foundation. This
is also available as an HTML file, install.html.
Other good files to look at are admin-guide.ps and user-guide.ps,
which contain the system administrator's guide, and the user's guide,
respectively. They are also available as info files
kerberos-admin.info and krb5-user.info, respectively. These files are
also available as HTML files.
If you are attempting to build under Windows, please see the
src/windows/README file.
Reporting Bugs
--------------
Please report any problems/bugs/comments using the krb5-send-pr
program. The krb5-send-pr program will be installed in the sbin
directory once you have successfully compiled and installed Kerberos
V5 (or if you have installed one of our binary distributions).
If you are not able to use krb5-send-pr because you haven't been able
compile and install Kerberos V5 on any platform, you may send mail to
krb5-bugs@mit.edu.
You may view bug reports by visiting
http://krbdev.mit.edu/rt/
and logging in as "guest" with password "guest".
Major changes in krb5-1.6.4
---------------------------
[5880] Fix long-standing bug in libdb btree page splits that could
cause database corruption under unusual circumstances. This
is believed to be one of the major causes of unexplained
database corruption events reported to us over many years.
[5918] Fix MITKRB5-SA-2008-002 rpc/svc.c file descriptor array
overrun. [CVE-2008-0947]
[5919] Fix MITKRB5-SA-2008-001 double-free in KDC krb4 code
[CVE-2008-0062], and uninitialized data in KDC krb4 code.
[CVE-2008-0063]
krb5-1.6.4 changes by ticket ID
-------------------------------
5752 gcc -fworking-directory breaks make depend
5777 keytab iteration + search don't mix
5830 src/plugins/preauth/pkinit/configure.in erroneous
AC_CHECK_FUNCS
5842 NIM 1.3.1 - Show Network Identity Manager Window bug
5851 KFW BUG: WIX: 64-bit installer attempts to uninstall 32-bit
NSIS
5852 copy correct key for lucid context acceptor_subkey
5853 apparent uninit length in ftpd.c:reply() [CVE-2007-5894]
5854 freeing non-heap in gss_indicate_mechs() [CVE-2007-5901]
5855 integer overflow in svcauth_gss_get_principal()
[CVE-2007-5902]
5856 double-free in gss_krb5int_make_seal_token_v3()
[CVE-2007-5971]
5857 double fclose() in krb5_def_store_mkey() [CVE-2007-5972]
5858 KFW: BUG: KRB5CRED: Set identity data before sending
notification
5875 Windows: avoid use of cygwin mkdir and rmdir commands
5879 Actually pass the nmake arguments to nmake
5880 libdb btree page split on zero index corrupts db
5888 more tests for libdb btree page split on zero index
5892 man page macro and hyphen fixes
5893 krb5_get_cred_from_kdc_opt does not preserve NUL-terminated
realm data
5897 Possible memory leak in krb5_mcc_resolve
5918 MITKRB5-SA-2008-002 rpc/svc.c descriptor array overrun
[CVE-2008-0947]
5919 MITKRB5-SA-2008-001 kdc krb4 double-free [CVE-2008-0062],
uninit data [CVE-2008-0063] vulns
Major changes in krb5-1.6.3
---------------------------
[5706] fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
[5707] fix CVE-2007-4000 modify_policy vulnerability
The above are two kadmind vulnerabilities described in
MITKRB5-SA-2007-006. CVE-2007-3999 is actually a vulnerability in
the RPC library.
[5617] Add PKINIT support
At this point, PKINIT support should be considered to be ALPHA
code. APIs and configuration details may change in the future.
We would greatly appreciate testing and feedback of PKINIT
support.
krb5-1.6.3 changes by ticket ID
-------------------------------
3334 libkrb5 treats all KDC errors as terminal
4136 kadmin_unlock() calls kadm5_lock() instead of kadm5_unlock()
4950 gc_frm_kdc doesn't adjust use_conf_ktypes in referrals case
5471 krb5_ktfile_get_entry() can invalidate keytab file handle
5542 Optimize file/directory pruning in KfW build script
5548 Look for unix find command in multiple places in KfW build script
5577 MSI Deployment Guide
5581 Build fails in lib/gssapi/spnego
5584 NIM Changes Post KFW 3.2
5604 NIM credential display doesn't update when credential deleted
5607 NIM GUI: Default identity display should not have a background color
5609 NIM watermark does not track tray icon
5613 NIM GUI: views jump around on the screen
5617 Add PKINIT support
5623 NIM: apply does not update saved values of general identities cfg page
5624 krb5_fcc_generate_new() doesn't work with mkstemp()
5625 KRB5_CALLCONV must be specified inside parens
5629 gss_init_sec_context does not release output token buffer when
used with spnego mech
5636 remove unused src/windows/identity/uilib/Makefile.w2k
5645 export krb5_get_profile
5653 compilation failure with IRIX native compiler
5666 read_entropy_from_device on partial read will not fill buffer
5673 NIM: resource leak in khui_action_trigger()
5674 NIM: Identity Configuration Panel Fixes
5675 NIM: New command-line options --hide and --show / new
command-line help dialog
5676 NIM: APP: Redesigned Color Schemas
5677 NIM: BUG: APP: Identity right click selection failure and
context menu keyboard events were ignored
5678 NIM: BUG: APP: WM_TIMER messages if received after timer event
is canceled results in invalid data access
5679 NIM: BUG: APP: Filler columns should not be resizeable
5680 NIM: BUG: APP: WM_PAINT messages received without update
regions results in incorrect window repainting behavior
5681 NIM: BUG: APP: Fix Cursor Position and Selection Usability Issues
5682 NIM: remove unused code from ui/credwnd.c
5683 NIM: support include files in schemas
5684 NIM: Keep API release documentation up to date
5685 NIM: FEATURE: API: Add Identity Provider Pre-Process Message
to trigger immediate identity selection
5686 NIM: BUG: LIB: khcint_remove_space() frees memory too soon
resulting in potential invalid memory access
5687 NIM: BUG: KRB5: External changes to default identity ccache
are improperly reflected by krb5 provider
5688 NIM: Reposition New Credentials Dialog if necessary
5689 NIM: BUG: APP: Revert ticket 5604
5690 NIM: version update
5692 KFW: KFWLOGON: avoid missing symbol errors when building with
VS 2005
5696 NIM: FEATURE: ALL: 64-bit Windows Support and Removal of
Compile Time Warnings
5697 make ccache handle referrals better
5698 Windows: Add support for 64-bit CCAPI DLL name: krbcc64s.exe
5700 -S sname option for kvno
5701 NIM: APP: remove unused preprocessor symbols from resource files
5702 NIM: LIB: a small source code readability change
5703 NIM: BUG: KRB5: FILE ccache support did not make use of
OPENCLOSE flags
5704 new warnings in pkinit code (patch needs review)
5705 GSS-API Win64 support: Access Leash API via leashw64.dll
5706 fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
5707 fix CVE-2007-4000 modify_policy vulnerability
5708 krb5_fcc_generate_new is non-functional
5710 Build 64-bit Windows gss.exe (gui version of gss-client.exe)
now that 64-bit CCAPI is available
5711 KFW: Add MSI installer for 64-bit AMD64
5713 64-bit Windows krb5int_cc_default calls to Leash API must use
leashw64.dll
5719 NIM: FEATURE: APP: Add View->All Identities
5724 NIM: FEATURE: APP: Add Notification Icon Default Identity Context Menu
5751 KFW: permit administrative installs using MSI installation package
5753 NIM: BUG: APP: Do not report errors for modules that are not installed
5756 NIM: BUG: SRC: Windows\Identity Makefile "clean" more
5759 NIM: APP: BUG: restore HideWatermark functionality
5763 NIM: BUG: khm_krb5_initialize() failed to return error code
5764 NIM: BUG: Restore Copyright removed in revision 19855
5766 MSLSA krb5_cc module fails to check success of UNICODE string
conversions
5768 set svn:eol-style property on a bunch of files
5772 NIM: BUG: SRC: Increase size of max ccache name buffers and
remove extraneous trailing path component separators
5773 NIM: BUG: KMM: Ensure proper buffer length for registry
multi-string reads; avoid error reports for modules without
config data; avoid race when sending thread quit message
5779 NIM: BUG: LIB: optimize khui_find_action()
5780 NIM: FEATURE: APP: Notification Icon Tooltip now includes
default identity name
5782 NIM: APP: BUG: Initial cursor position does not track selected identity
5783 NIM: APP: BUG: Identities without identity credentials are
listed as having credentials
5787 NIM: BUG: APP: Spell Check
5788 NIM: BUG: APP: Provide keyboard accelerator for switching
between advanced and basic obtain new credentials dialog modes
5789 NIM: documentation updates for KFW 3.2.2
5790 NIM: SRC: disable potential uninitialized variable warning
5791 Add static ordinals to DLL exports
5792 NIM: BUG: LIB: deadlock in kmq
5793 NIM: BUG: APP: leaking prompts in obtain new credentials dialog
5794 NIM: BUG: APP: Change View->Choose Columns to View->Select
Columns to match standard windows style
5795 NIM: BUG: APP: store credential type in the correct field of
the khui_credwnd_identity structure
5796 NIM: BUG: APP: change notification icon state to track default
identity only
5797 NIM: BUG: APP: notification icon tooltip wrong string
5798 NIM: BUG: APP: command-line options window doesn't process
WM_CLOSE messages
5800 krb5_get_init_creds_opt_alloc needs to initialize the opt structure
5801 remove error tables by pointer
5802 libgssapi mechglue doesn't always store delegated credentials
5803 fix pkinit module deps for krb5-1.6.x
5808 KfW Build: add new installer build files to copyfiles.xml.
5809 NIM: BUG: APP: New edit controls should be marked ES_AUTOHSCROLL
5820 KFW: BUG: WIX: Improve Usability of multiple architecture MSI
installations, remove non-unique GUID component identifiers,
and include Beta ID in the package name
5823 KFW: BUG: WIX: Beta value hard coded
Major changes in krb5-1.6.2
---------------------------
[5585] fix MITKRB5-SA-2007-004: kadmind affected by multiple RPC
library vulnerabilities [CVE-2007-2442/VU#356961,
CVE-2007-2443/VU#365313]
[5586] fix MITKRB5-SA-2007-005: kadmind vulnerable to buffer overflow
[CVE-2007-2798/VU#554257]
krb5-1.6.2 changes by ticket ID
-------------------------------
5541 remove debugging code accidentally left in ftp/cmds.c
5546 race condition in referrals fallback
5547 profile stores empty string values without double quotes
5551 rd_req_decoded needs to deal with referral realms
5552 minor incompatability krb5-1.6.1 and OpenSSH_4.6p1, OpenSSL 0.9.8e
5554 Modify WIX installer to better support upgrading betas
5573 Kfw 3.2.0.msi is missing a file krb5/krb5.h
5579 krb5_walk_realm_tree leaks in capaths case
5585 fix MITKRB5-SA-2007-004 [CVE-2007-2442/VU#356961,
CVE-2007-2443/VU#365313]
5586 fix MITKRB5-SA-2007-005 [CVE-2007-2798/VU#554257]
Major changes in krb5-1.6.1
---------------------------
[5508] Fix MITKRB5-SA-2007-001: telnetd allows login as arbitrary user
[CVE-2007-0956, VU#220816]
[5507] Fix MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog
[CVE-2007-0957, VU#704024]
[5445] Fix MITKRB5-SA-2007-003: double-free in kadmind - the RPC
library could perform a double-free due to a GSS-API library
bug [CVE-2007-1216, VU#419344]
[5293] fix crash creating db2 database in non-existent directory
krb5-1.6.1 changes by ticket ID
-------------------------------
Listed below are the RT tickets of bugs fixed in krb5-1.6.1. Please see
http://krbdev.mit.edu/rt/NoAuth/krb5-1.6/fixed-1.6.1.html
for a current listing with links to the complete tickets.
2724 kdc.conf man page typo in v4_mode section
5233 Change in behaviour in gss_release_buffer() by mechtypes
introduces memory leak
5238 fix leak in gss_krb5int_unseal_token_v3
5246 Memory leak in tests/gssapi/t_imp_name.c
5257 error on gethostbyname is tested on errno instead of h_errno
5293 crash creating db2 database in non-existent directory
5294 create KDC database directory
5343 updated Windows README
5344 Update to KFW NSIS installer
5349 Proposed implementation of krb5_server_decrypt_ticket_keyblock
and krb5_server_decrypt_ticket_keytab
5353 kfw wix installer - memory overwrite error
5393 krb5-1.6: tcp kpasswd service required if only admin_server is
specified in krb5.conf
5394 krb5-1.6: segfault on password change
5396 Master ticket for NetIdMgr 1.2 commits
5397 NIM string tables
5398 NIM Kerberos v4 configuration dialog
5399 NIM Correct Visual Identity Expiration Status
5400 NIM Kerberos 5 Provider corrections
5403 Add KDC timesyncing support to the CCAPI ccache backend
5408 NIM - Context sensitive system tray menu and more
5409 KFW MSI installer corrections
5410 kt_file.c memory leak on error in krb5_kt_resolve /
krb5_kt_wresolve
5414 NIM Bug Fixes
5418 KFW: 32-bit builds use the pismere krbv4w32.dll library
5419 Microsoft Windows Visual Studio does not define ssize_t
5420 get_init_creds_opt extensibility
5437 hack to permit GetEnvironmentVariable usage without requiring
getenv() conversion
5445 gsstest doesn't like krb5-1.6 GSSAPI library
[also MITKRB5-SA-2007-003]
5446 KfW 3.1: stderr of kinit/klist/kdestroy cannot be re-directed
to file
5447 tail portability bug in k5srvutil
5452 NIM Improved Alert Management
5453 Windows - some apps define ssize_t as a preprocessor symbol
5454 krb5_get_cred_from_kdc fails to null terminate the tgt list
5455 valgrind detects uninitialized (but really unused) bytes in
'queue'
5457 More existence tests; path update
5458 osf1: get proper library dependencies installed
5461 reverting commit to windows WIX installer (revision 19207)
5469 KFW: Vista Integrated Logon
5476 Zero sockaddrs in fai_add_entry() so we can compare them with
memcmp()
5477 Enable Vista support for MSLSA
5478 NIM: New Default View and miscellaneous fixes
5480 krb5 library uses kdc.conf when it shouldn't
5490 KfW build automation
5491 WIX installer stores WinLogon event handler under wrong
registry value
5492 remove unwanted files from kfw build script
5493 KFW: problems with non-interactive logons
5495 NIM commits for KFW 3.2 Beta 1
5496 more bug fixes for NIM 1.2 (KFW 3.2)
5503 msi deployment guide updates for KFW 3.2
5504 Network Identity Manager 1.2 User Manual
5505 More commits for NIM 1.2 Beta 1
5507 MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog
5508 MITKRB5-SA-2007-001: telnetd allows login as arbitrary user
5509 service location plugin returning no addresses handled
incorrectly
5510 krb5int_open_plugin_dirs errors out if directory does not
exist
5514 wix installer - modify file list
5515 KFW NSIS installer - copyright updates and aklog removal
5516 NIM 1.2.0.1 corrections
5518 EAI_NODATA deprecated, not always defined
5521 KfW build system (post kfw-3.2-beta1)
5522 NIM 3.2 documentation update
5523 KFW 3.2 Beta 2 commits
5524 NIM doxyfile.cfg - update to Doxygen 1.5.2
5525 NIM 1.2 HtmlHelp User Documentation
5526 NIM - Fix taskbar button visibility on Vista
5527 kfw build - include netidmgr_userdoc.pdf in zip file
5528 Add vertical scrollbars to realm fields in dialogs
5529 Missing version resource info on krb5 files
5530 KFW 3.2.0.7002 about dialogue will not respond to alt-f4
5532 KFW Network Provider Improvements
5533 updates for NIM developer documentation
5534 kfwlogon corrections for XP
5535 More NIM Developer documentation updates
5537 only check current dir for a.tmp
5539 add option to export instead of checkout, etc.
Major changes in krb5-1.6
-------------------------
* Partial client implementation to handle server name referrals.
* Pre-authentication plug-in framework, donated by Red Hat.
* LDAP KDB plug-in, donated by Novell.
* Fix for MITKRB5-SA-2006-002: the RPC library could call an
uninitialized function pointer, which created a security
vulnerability for kadmind.
* Fix for MITKRB5-SA-2006-003: the GSS-API mechglue layer could fail
to initialize some output pointers, causing callers to attempt to
free uninitialized pointers. This caused a security vulnerability
in kadmind.
Note that the implementation of referral handling involves a change to
the behavior of krb5_sname_to_principal() to return a zero-length
realm name if it is unable to find the realm corresponding to the
hostname. This special realm name signals the ticket-acquisition code
to request KDC canonicalization of service principal names. Other
library code has changed to accommodate this new behavior. This
particular method of implementing service principal name referral
handling may change in the future; we invite discussion on this
subject.
Major known bugs in krb5-1.6
----------------------------
5293 crash creating db2 database in non-existent directory
Attempting to create a KDB in a non-existent directory using the
Berkeley DB back end may cause a crash resulting from a null pointer
dereference. If a core dump occurs, this may cause a local exposure
of sensitive information such a master key password. This will be
fixed in an upcoming patch release.
krb5-1.6 changes by ticket ID
-----------------------------
Listed below are the RT tickets of bugs fixed in krb5-1.6. Please see
http://krbdev.mit.edu/rt/NoAuth/krb5-1.6/fixed-1.6.html
for a current listing with links to the complete tickets.
1204 Unable to get a TGT cross-realm referral
2087 undocumented options for kpropd
2240 krb5-config --cflags gssapi when used by OpenSSH-snap-20040212
2579 kdc: add_to_transited may reference off end of array...
2652 Add support for referrals
2876 Tree does not compile with GCC 4.0
2935 KDB/LDAP backend
3089 krb5_verify_init_creds() is not thread safe
3091 add krb5_cc_new_unique()
3218 kdb5_util load requires that the dumpfile be writable.
3276 local array of structures not declared static
3288 NetIdMgr cannot obtain Kerberos 5 tickets containing addresses
3322 get_cred_via_tkt() checks too strict on server principal
3522 Error code definitions are outside macros to prevent multiple
inclusion in public headers
3642 changes for embedding manifest into dlls and exes
3735 Add TCP change/set password support
3947 allow multiple calls to krb5_get_error_message to retrieve message
3955 check calling conventions specified for Windows
3961 fix stdcc.c to build without USE_CCAPI_V3
4021 use GSS_C_NO_CHANNEL_BINDINGS not NULL in lib/rpc/auth_gss.c
4023 Turn off KLL automatic prompting support in kadmin
4024 gss_acquire_cred auto prompt support shouldn't break
gss_krb5_ccache_name()
4025 need to look harder for tclConfig.sh
4055 remove unused Metrowerks support from yarrow
4056 g_canon_name.c if-statement warning cleanup
4057 GSSAPI opaque types should be pointers to opaque structs, not void*
4256 Make process error
4292 LDAP error prevents KfM 6.0 from building on Tiger
4294 Bad loop logic in krb5_mcc_generate_new
4304 audit referrals merge (R18598)
4327 doc/krb5-protocol out of date
4389 cursor for iterating over ccaches
4412 Don't segfault if a preauth plugin module fails to load
4453 krb5-1.6-pre: fix warnings/ improve 64bit compatibility in the
ldap plugin
4454 krb5-1.6-pre: kdb5_ldap_util stashsrvpw does not work
4455 IRIX build fails w/ GCC 4.0 (really GNU ld)
4482 enabling LDAP mix-in support for kdb5_util load
4488 osf1 -oldstyle_liblookup typo
4495 Avoid segfault in krb5_do_preauth_tryagain
4496 fix invalid access found by valgrind
4501 fix krb5_ldap_iterate to handle NULL match_expr and
open_db_and_mkey to use KRB5_KDB_SRV_TYPE_ADMIN
4534 don't confuse profile iterator in 425 princ conversion
4561 UC Berkeley BSD license change
4562 latest Novell ldap patches and kdb5_util dump support for ldap
4566 leaks in preauth plugin support
4567 KDC can crash for certain client requests when preauth plugins
are used
4587 Change preauth plugin context scope and lifetimes
4624 remove t_prf and t_prf.o on make clean
4625 Make clean in lib/kdb leaves error table files
4657 krb5.h not C++-safe due to "struct krb5_cccol_cursor"
4683 Remove obsolete/conflicting prototype for krb524_convert_princs
4688 Add public function to get keylength associated with an enctype
4689 Update minor version numbers for 1.6
4690 Add "get_data" function to the client preauth plugin interface
4692 Document changing the krbtgt key
4693 Delay kadmind random number initialization until after fork
4735 more Novell ldap patches from Nov 6 and Fix for wrong password
policy reference count
4737 correct client preauth plugin request_context
4738 allow server preauth plugin verify_padata function to return e-data
4739 cccursor backend for CCAPI
4755 update copyrights and acknowledgments
4770 Add macros for __attribute__((deprecated)) for krb4 and des APIs
4771 LDAP patch from Novell, 2006-10-13
4772 fix some warnings in ldap code
4773 fix warning in preauth_plugin.h header
4774 avoid double frees in ccache manipulation around gen_new
4775 include realm in "can't resolve KDC" error message
4784 krb5_stdccv3_generate_new returns NULL ccache
4788 ccache double free in krb5_fcc_read_addrs().
4799 krb5_c_keylength -> krb5_c_keylengths; add krb5_c_random_to_key
4805 replace existing calls of cc_gen_new()
4841 free error message when freeing context
4846 clean up preauth2 salt debug code
4860 fix LDAP plugin Makefile.in lib frag substitutions
4928 krb5int_copy_data_contents shouldn't free memory it didn't allocate
4941 referrals changes to telnet have unconditional debugging printfs
4942 skip all modules in plugin if init function fails
4955 Referrals code breaks krb5_set_password_using_ccache to Active
Directory
4967 referrals support assumes all rewrites produce TGS principals
4972 return edata from non-PA_REQUIRED preauth types
4973 send a new request with the new padata returned by
krb5_do_preauth_tryagain()
4980 Remove unused prototype for krb5_find_config_files
4981 Make clean in lib/krb5/os does not clean test objs
4991 fix for kdb5_util load bug with dumps from a LDAP KDB
4994 minor update to kdb5_util man page for LDAP plugin
5003 krb5_cc_remove should work for the CCAPI
5005 Reading maxlife, maxrenewlife and ticket flags from conf file
in LDAP plugin
5009 kadmin.local with LDAP backend fails to start when master key
enctype is not default enctype
5022 build the trunk on Windows (again)
5027 admin guide changes for the LDAP backend
5032 Don't leak padata when looping for krb5_do_preauth_tryagain()
5090 krb5_get_init_creds_opt_set_change_password_prompt
5115 krb5_rc_io_open_internal on error will call close(-1)
5116 minor ldap specific changes in man page
5121 keytab code can't match principals with realms not yet determined
5123 don't pass null pointer to krb5_do_preauth_tryagain()
5124 use KRB5KRB_ERR_GENERIC, not KRB_ERR_GENERIC in preauth2.c
5125 Add -clearpolicy to kadmin addprinc usage
5152 misc cleanups in admin guide ldap sections
5159 don't split HTML output from makeinfo
5223 Fix typo in user-guide.texinfo
5245 Repair broken links in NetIdMgr Help
5260 Deletion of principal fails
5265 update ldap/Makefile.in for newer autoconf substitution requirements
5271 Document KDC behavior without stash file
5279 Document what the kadmind ACL is for
5301 MITKRB5-SA-2006-002: svctcp_destroy() can call uninitialized function pointer
5302 MITKRB5-SA-2006-003: mechglue argument handling too lax
Copyright and Other Legal Notices
---------------------------------
Copyright (C) 1985-2007 by the Massachusetts Institute of Technology.
All rights reserved.
Export of this software from the United States of America may require
a specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. Furthermore if you modify this software you must label
your software as modified software and not distribute it in such a
fashion that it might be confused with the original MIT software.
M.I.T. makes no representations about the suitability of this software
for any purpose. It is provided "as is" without express or implied
warranty.
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Individual source code files are copyright MIT, Cygnus Support,
Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
FundsXpress, and others.
Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
(MIT). No commercial use of these trademarks may be made without
prior written permission of MIT.
"Commercial use" means use of a name in a product or other for-profit
manner. It does NOT prevent a commercial firm from referring to the
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).
--------------------
Portions of src/lib/crypto have the following copyright:
Copyright (C) 1998 by the FundsXpress, INC.
All rights reserved.
Export of this software from the United States of America may require
a specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of FundsXpress. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. FundsXpress makes no representations about the suitability of
this software for any purpose. It is provided "as is" without express
or implied warranty.
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
--------------------
The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in kadmin/create,
kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
of lib/rpc:
Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
WARNING: Retrieving the OpenVision Kerberos Administration system
source code, as described below, indicates your acceptance of the
following terms. If you do not agree to the following terms, do not
retrieve the OpenVision Kerberos administration system.
You may freely use and distribute the Source Code and Object Code
compiled from it, with or without modification, but this Source
Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
OTHER REASON.
OpenVision retains all copyrights in the donated Source Code. OpenVision
also retains copyright to derivative works of the Source Code, whether
created by OpenVision or by a third party. The OpenVision copyright
notice must be preserved if derivative works are made based on the
donated Source Code.
OpenVision Technologies, Inc. has donated this Kerberos
Administration system to MIT for inclusion in the standard
Kerberos 5 distribution. This donation underscores our
commitment to continuing Kerberos technology development
and our gratitude for the valuable work which has been
performed by MIT and the Kerberos community.
--------------------
Portions contributed by Matt Crawford <crawdad@fnal.gov> were
work performed at Fermi National Accelerator Laboratory, which is
operated by Universities Research Association, Inc., under
contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
--------------------
The implementation of the Yarrow pseudo-random number generator in
src/lib/crypto/yarrow has the following copyright:
Copyright 2000 by Zero-Knowledge Systems, Inc.
Permission to use, copy, modify, distribute, and sell this software
and its documentation for any purpose is hereby granted without fee,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation, and that the name of Zero-Knowledge Systems,
Inc. not be used in advertising or publicity pertaining to
distribution of the software without specific, written prior
permission. Zero-Knowledge Systems, Inc. makes no representations
about the suitability of this software for any purpose. It is
provided "as is" without express or implied warranty.
ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--------------------
The implementation of the AES encryption algorithm in
src/lib/crypto/aes has the following copyright:
Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
All rights reserved.
LICENSE TERMS
The free distribution and use of this software in both source and binary
form is allowed (with or without changes) provided that:
1. distributions of this source code include the above copyright
notice, this list of conditions and the following disclaimer;
2. distributions in binary form include the above copyright
notice, this list of conditions and the following disclaimer
in the documentation and/or other associated materials;
3. the copyright holder's name is not used to endorse products
built using this software without specific written permission.
DISCLAIMER
This software is provided 'as is' with no explcit or implied warranties
in respect of any properties, including, but not limited to, correctness
and fitness for purpose.
--------------------
Portions contributed by Red Hat, including the pre-authentication
plug-ins framework, contain the following copyright:
Copyright (c) 2006 Red Hat, Inc.
Portions copyright (c) 2006 Massachusetts Institute of Technology
All Rights Reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided
with the distribution.
* Neither the name of Red Hat, Inc., nor the names of its
contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------
The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
src/lib/gssapi, including the following files:
lib/gssapi/generic/gssapi_err_generic.et
lib/gssapi/mechglue/g_accept_sec_context.c
lib/gssapi/mechglue/g_acquire_cred.c
lib/gssapi/mechglue/g_canon_name.c
lib/gssapi/mechglue/g_compare_name.c
lib/gssapi/mechglue/g_context_time.c
lib/gssapi/mechglue/g_delete_sec_context.c
lib/gssapi/mechglue/g_dsp_name.c
lib/gssapi/mechglue/g_dsp_status.c
lib/gssapi/mechglue/g_dup_name.c
lib/gssapi/mechglue/g_exp_sec_context.c
lib/gssapi/mechglue/g_export_name.c
lib/gssapi/mechglue/g_glue.c
lib/gssapi/mechglue/g_imp_name.c
lib/gssapi/mechglue/g_imp_sec_context.c
lib/gssapi/mechglue/g_init_sec_context.c
lib/gssapi/mechglue/g_initialize.c
lib/gssapi/mechglue/g_inquire_context.c
lib/gssapi/mechglue/g_inquire_cred.c
lib/gssapi/mechglue/g_inquire_names.c
lib/gssapi/mechglue/g_process_context.c
lib/gssapi/mechglue/g_rel_buffer.c
lib/gssapi/mechglue/g_rel_cred.c
lib/gssapi/mechglue/g_rel_name.c
lib/gssapi/mechglue/g_rel_oid_set.c
lib/gssapi/mechglue/g_seal.c
lib/gssapi/mechglue/g_sign.c
lib/gssapi/mechglue/g_store_cred.c
lib/gssapi/mechglue/g_unseal.c
lib/gssapi/mechglue/g_userok.c
lib/gssapi/mechglue/g_utils.c
lib/gssapi/mechglue/g_verify.c
lib/gssapi/mechglue/gssd_pname_to_uid.c
lib/gssapi/mechglue/mglueP.h
lib/gssapi/mechglue/oid_ops.c
lib/gssapi/spnego/gssapiP_spnego.h
lib/gssapi/spnego/spnego_mech.c
are subject to the following license:
Copyright (c) 2004 Sun Microsystems, Inc.
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------
MIT Kerberos includes documentation and software developed at the
University of California at Berkeley, which includes this copyright
notice:
Copyright (C) 1983 Regents of the University of California.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided
with the distribution.
3. Neither the name of the University nor the names of its
contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
--------------------
Portions contributed by Novell, Inc., including the LDAP database
backend, are subject to the following license:
Copyright (c) 2004-2005, Novell, Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* The copyright holder's name is not used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
--------------------
Portions funded by Sandia National Laboratory and developed by the
University of Michigan's Center for Information Technology
Integration, including the PKINIT implementation, are subject to the
following license:
COPYRIGHT (C) 2006-2007
THE REGENTS OF THE UNIVERSITY OF MICHIGAN
ALL RIGHTS RESERVED
Permission is granted to use, copy, create derivative works
and redistribute this software and such derivative works
for any purpose, so long as the name of The University of
Michigan is not used in any advertising or publicity
pertaining to the use of distribution of this software
without specific, written prior authorization. If the
above copyright notice or any other identification of the
University of Michigan is included in any copy of any
portion of this software, then the disclaimer below must
also be included.
THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
--------------------
The pkcs11.h file included in the PKINIT code has the following
license:
Copyright 2006 g10 Code GmbH
Copyright 2006 Andreas Jellinghaus
This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.
This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
Acknowledgments
---------------
Thanks to Red Hat for donating the pre-authentication plug-in
framework.
Thanks to Novell for donating the KDB abstraction layer and the LDAP
database plug-in.
Thanks to Sun Microsystems for donating their implementations of
mechglue and SPNEGO.
Thanks to iDefense for notifying us about the vulnerability in
MITKRB5-SA-2007-002.
Thanks to the CITI group at the University of Michigan for
contributing the implementation of PKINIT.
Thanks to Tenable Network Security and 3Com's Zero Day Initiative for
discovering CVE-2007-3999. Thanks to Kevin Coffman (UMich), Will
Fiveash (Sun), and Nico Williams (Sun) for help with developing the
revised patch.
Thanks to Garrett Wollman of MIT CSAIL for discovering CVE-2007-4000.
Thanks to the members of the Kerberos V5 development team at MIT, both
past and present: Danilo Almeida, Jeffrey Altman, Justin Anderson,
Richard Basch, Jay Berkenbilt, Mitch Berger, Andrew Boardman, Joe
Calzaretta, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman,
Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus,
Miroslav Jurisic, Barry Jaspan, Geoffrey King, Kevin Koch, John Kohl,
Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park,
Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff
Schiller, Jen Selby, Brad Thompson, Harry Tsai, Ted Ts'o, Marshall
Vale, Tom Yu.