1 Release Notes - Heimdal - Version Heimdal 1.5.2
4 - CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege
5 - Check that key types strictly match - denial of service
7 Release Notes - Heimdal - Version Heimdal 1.5.1
10 - Fix building on Solaris, requires c99
11 - Fix building on Windows
12 - Build system updates
14 Release Notes - Heimdal - Version Heimdal 1.5
18 - Support GSS name extensions/attributes
20 - No Kerberos 4 support
21 - Basic support for MIT Admin protocol (SECGSS flavor)
22 in kadmind (extract keytab)
23 - Replace editline with libedit
25 Release Notes - Heimdal - Version Heimdal 1.4
29 - Support for reading MIT database file directly
30 - KCM is polished up and now used in production
31 - NTLM first class citizen, credentials stored in KCM
32 - Table driven ASN.1 compiler, smaller!, not enabled by default
33 - Native Windows client support
37 - Disabled write support NDBM hdb backend (read still in there) since
38 it can't handle large records, please migrate to a diffrent backend
41 Release Notes - Heimdal - Version Heimdal 1.3.3
44 - Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
45 - Check NULL pointers before dereference them [kdc]
47 Release Notes - Heimdal - Version Heimdal 1.3.2
51 - Don't mix length when clearing hmac (could memset too much)
52 - More paranoid underrun checking when decrypting packets
53 - Check the password change requests and refuse to answer empty packets
54 - Build on OpenSolaris
55 - Renumber AD-SIGNED-TICKET since it was stolen from US
56 - Don't cache /dev/*random file descriptor, it doesn't get unloaded
60 Release Notes - Heimdal - Version Heimdal 1.3.1
64 - Store KDC offset in credentials
65 - Many many more bug fixes
67 Release Notes - Heimdal - Version Heimdal 1.3.1
71 - Make work with OpenLDAPs krb5 overlay
73 Release Notes - Heimdal - Version Heimdal 1.3
77 - Partial support for MIT kadmind rpc protocol in kadmind
78 - Better support for finding keytab entries when using SPN aliases in the KDC
79 - Support BER in ASN.1 library (needed for CMS)
80 - Support decryption in Keychain private keys
81 - Support for new sqlite based credential cache
82 - Try both KDC referals and the common DNS reverse lookup in GSS-API
83 - Fix the KCM to not leak resources on failure
84 - Add IPv6 support to iprop
85 - Support localization of error strings in
86 kinit/klist/kdestroy and Kerberos library
87 - Remove Kerberos 4 support in application (still in KDC)
89 - Support i18n password in windows domains (using UTF-8)
90 - More complete API emulation of OpenSSL in hcrypto
91 - Support for ECDSA and ECDH when linking with OpenSSL
95 - Support for settin friendly name on credential caches
96 - Move to using doxygen to generate documentation.
97 - Sprinkling __attribute__((depricated)) for old function to be removed
98 - Support to export LAST-REQUST information in AS-REQ
99 - Support for client deferrals in in AS-REQ
100 - Add seek support for krb5_storage.
101 - Support for split AS-REQ, first step for IA-KERB
102 - Fix many memory leaks and bugs
103 - Improved regression test
105 - Switch to krb5_set_error_message
106 - Support krb5_crypto_*_iov
107 - Switch to use EVP for most function
108 - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec)
109 - Add support for GSS_C_DELEG_POLICY_FLAG
110 - Add krb5_cc_[gs]et_config to store data in the credential caches
111 - PTY testing application
114 - Make building on AIX6 possible.
115 - Bugfixes in LDAP KDC code to make it more stable
116 - Make ipropd-slave reconnect when master down gown
119 Release Notes - Heimdal - Version Heimdal 1.2.1
123 [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
124 [HEIMDAL-151] - Make canned tests work again after cert expired
125 [HEIMDAL-152] - iprop test: use full hostname to avoid realm
127 [HEIMDAL-153] - ftp: Use the correct length for unmap, msync
129 Release Notes - Heimdal - Version Heimdal 1.2
133 [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in
134 gss_display_name/gss_export_name when using SPNEGO
135 [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
136 [HEIMDAL-17] - Remove support for depricated [libdefaults]capath
137 [HEIMDAL-52] - hdb overwrite aliases for db databases
138 [HEIMDAL-54] - Two issues which affect credentials delegation
139 [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
140 [HEIMDAL-62] - Fix printing of sig_atomic_t
141 [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
142 [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
143 [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)
146 [HEIMDAL-67] - Fix locking and store credential in atomic writes
147 in the FILE credential cache
148 [HEIMDAL-106] - make compile on cygwin again
149 [HEIMDAL-107] - Replace old random key generation in des module
150 and use it with RAND_ function instead
151 [HEIMDAL-115] - Better documentation and compatibility in hcrypto
152 in regards to OpenSSL
155 [HEIMDAL-3] - pkinit alg agility PRF test vectors
156 [HEIMDAL-14] - Add libwind to Heimdal
157 [HEIMDAL-16] - Use libwind in hx509
158 [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to
160 [HEIMDAL-74] - Add support to report extended error message back
161 in AS-REQ to support windows clients
162 [HEIMDAL-116] - test pty based application (using rkpty)
163 [HEIMDAL-120] - Use new OpenLDAP API (older deprecated)
166 [HEIMDAL-63] - Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ.
167 This drop compatibility with pre 0.3d KDCs.
168 [HEIMDAL-64] - kcm: first implementation of kcm-move-cache
169 [HEIMDAL-65] - Failed to compile with --disable-pk-init
170 [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some
171 wraparound checks doesn't apply to Heimdal
173 Changes in release 1.1
175 * Read-only PKCS11 provider built-in to hx509.
177 * Documentation for hx509, hcrypto and ntlm libraries improved.
179 * Better compatibilty with Windows 2008 Server pre-releases and Vista.
181 * Mac OS X 10.5 support for native credential cache.
183 * Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
187 Changes in release 1.0.2
193 Changes in release 1.0.1
195 * Serveral bug fixes to iprop.
197 * Make work on platforms without dlopen.
199 * Add RFC3526 modp group14 as default.
201 * Handle [kdc] database = { } entries without realm = stanzas.
203 * Make krb5_get_renewed_creds work.
205 * Make kaserver preauth work again.
209 Changes in release 1.0
211 * Add gss_pseudo_random() for mechglue and krb5.
213 * Make session key for the krbtgt be selected by the best encryption
216 * Better interoperability with other PK-INIT implementations.
218 * Inital support for Mac OS X Keychain for hx509.
220 * Alias support for inital ticket requests.
222 * Add symbol versioning to selected libraries on platforms that uses
223 GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.
225 * New version of imath included in hcrypto.
231 Changes in release 0.8.1
233 * Make ASN.1 library less paranoid to with regard to NUL in string to
234 make it inter-operate with MIT Kerberos again.
236 * Make GSS-API library work again when using gss_acquire_cred
238 * Add symbol versioning to libgssapi when using GNU ld.
244 Changes in release 0.8
248 * HDB extensions support, used by PK-INIT.
250 * New ASN.1 compiler.
252 * GSS-API mechglue from FreeBSD.
254 * Updated SPNEGO to support RFC4178.
256 * Support for Cryptosystem Negotiation Extension (RFC 4537).
258 * A new X.509 library (hx509) and related crypto functions.
260 * A new ntlm library (heimntlm) and related crypto functions.
262 * Updated the built-in crypto library with bignum support using
263 imath, support for RSA and DH and renamed it to libhcrypto.
265 * Subsystem in the KDC, digest, that will perform the digest
266 operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL
267 DIGEST-MD5 NTLMv1 and NTLMv2.
269 * KDC will return the "response too big" error to force TCP retries
270 for large (default 1400 bytes) UDP replies. This is common for
273 * Libkafs defaults to use 2b tokens.
275 * Default to use the API cache on Mac OS X.
277 * krb5_kuserok() also checks ~/.k5login.d directory for acl files,
278 see manpage for krb5_kuserok for description.
280 * Many, many, other updates to code and info manual and manual pages.
284 Changes in release 0.7.2
286 * Fix security problem in rshd that enable an attacker to overwrite
287 and change ownership of any file that root could write.
289 * Fix a DOS in telnetd. The attacker could force the server to crash
290 in a NULL de-reference before the user logged in, resulting in inetd
291 turning telnetd off because it forked too fast.
293 * Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
294 exists in the keytab before returning success. This allows servers
295 to check if its even possible to use GSSAPI.
297 * Fix receiving end of token delegation for GSS-API. It still wrongly
298 uses subkey for sending for compatibility reasons, this will change
301 * telnetd, login and rshd are now more verbose in logging failed and
306 Changes in release 0.7.1
310 Changes in release 0.7
312 * Support for KCM, a process based credential cache
314 * Support CCAPI credential cache
318 * AES (and the gssapi conterpart, CFX) support
320 * Adding new and improve old documentation
324 Changes in release 0.6.6
326 * Fix security problem in rshd that enable an attacker to overwrite
327 and change ownership of any file that root could write.
329 * Fix a DOS in telnetd. The attacker could force the server to crash
330 in a NULL de-reference before the user logged in, resulting in inetd
331 turning telnetd off because it forked too fast.
333 Changes in release 0.6.5
335 * fix vulnerabilities in telnetd
337 * unbreak Kerberos 4 and kaserver
339 Changes in release 0.6.4
341 * fix vulnerabilities in telnet
343 * rshd: encryption without a separate error socket should now work
345 * telnet now uses appdefaults for the encrypt and forward/forwardable
350 Changes in release 0.6.3
352 * fix vulnerabilities in ftpd
354 * support for linux AFS /proc "syscalls"
356 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
359 * fix possible KDC denial of service
363 Changes in release 0.6.2
365 * Fix possible buffer overrun in v4 kadmin (which now defaults to off)
367 Changes in release 0.6.1
369 * Fixed ARCFOUR suppport
371 * Cross realm vulnerability
373 * kdc: fix denial of service attack
375 * kdc: stop clients from renewing tickets into the future
379 Changes in release 0.6
381 * The DES3 GSS-API mechanism has been changed to inter-operate with
382 other GSSAPI implementations. See man page for gssapi(3) how to turn
383 on generation of correct MIC messages. Next major release of heimdal
384 will generate correct MIC by default.
386 * More complete GSS-API support
388 * Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
389 support in applications no longer requires Kerberos 4 libs
391 * Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
395 Changes in release 0.5.2
397 * kdc: add option for disabling v4 cross-realm (defaults to off)
401 Changes in release 0.5.1
403 * kadmind: fix remote exploit
405 * kadmind: add option to disable kerberos 4
407 * kdc: make sure kaserver token life is positive
409 * telnet: use the session key if there is no subkey
411 * fix EPSV parsing in ftp
415 Changes in release 0.5
417 * add --detach option to kdc
419 * allow setting forward and forwardable option in telnet from
420 .telnetrc, with override from command line
422 * accept addresses with or without ports in krb5_rd_cred
424 * make it work with modern openssl
426 * use our own string2key function even with openssl (that handles weak
429 * more system-specific requirements in login
431 * do not use getlogin() to determine root in su
433 * telnet: abort if telnetd does not support encryption
435 * update autoconf to 2.53
437 * update config.guess, config.sub
441 Changes in release 0.4e
443 * improve libcrypto and database autoconf tests
445 * do not care about salting of server principals when serving v4 requests
447 * some improvements to gssapi library
449 * test for existing compile_et/libcom_err
455 Changes in release 0.4d
457 * fix some problems when using libcrypto from openssl
459 * handle /dev/ptmx `unix98' ptys on Linux
461 * add some forgotten man pages
463 * rsh: clean-up and add man page
465 * fix -A and -a in builtin-ls in tpd
467 * fix building problem on Irix
469 * make `ktutil get' more efficient
473 Changes in release 0.4c
475 * fix buffer overrun in telnetd
477 * repair some of the v4 fallback code in kinit
479 * add more shared library dependencies
481 * simplify and fix hprop handling of v4 databases
483 * fix some building problems (osf's sia and osfc2 login)
487 Changes in release 0.4b
489 * update the shared library version numbers correctly
491 Changes in release 0.4a
493 * corrected key used for checksum in mk_safe, unfortunately this
494 makes it backwards incompatible
496 * update to autoconf 2.50, libtool 1.4
498 * re-write dns/config lookups (krb5_krbhst API)
500 * make order of using subkeys consistent
506 * remove rfc2052 support, now only rfc2782 is supported
508 * always build with kaserver protocol support in the KDC (assuming
509 KRB4 is enabled) and support for reading kaserver databases in
512 Changes in release 0.3f
514 * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
515 the new keytab type that tries both of these in order (SRVTAB is
516 also an alias for krb4:)
518 * improve error reporting and error handling (error messages should
519 be more detailed and more useful)
521 * improve building with openssl
523 * add kadmin -K, rcp -F
525 * fix two incorrect weak DES keys
527 * fix building of kaserver compat in KDC
529 * the API is closer to what MIT krb5 is using
531 * more compatible with windows 2000
533 * removed some memory leaks
537 Changes in release 0.3e
539 * rcp program included
541 * fix buffer overrun in ftpd
543 * handle omitted sequence numbers as zeroes to handle MIT krb5 that
544 cannot generate zero sequence numbers
546 * handle v4 /.k files better
548 * configure/portability fixes
550 * fixes in parsing of options to kadmin (sub-)commands
552 * handle errors in kadmin load better
556 Changes in release 0.3d
560 * fix a bug in 3des gss-api mechanism, making it compatible with the
561 specification and the MIT implementation
563 * make telnetd only allow a specific list of environment variables to
564 stop it from setting `sensitive' variables
566 * try to use an existing libdes
568 * lib/krb5, kdc: use correct usage type for ap-req messages. This
569 should improve compatability with MIT krb5 when using 3DES
572 * kdc: fix memory allocation problem
574 * update config.guess and config.sub
576 * lib/roken: more stuff implemented
578 * bug fixes and portability enhancements
580 Changes in release 0.3c
582 * lib/krb5: memory caches now support the resolve operation
584 * appl/login: set PATH to some sane default
586 * kadmind: handle several realms
588 * bug fixes (including memory leaks)
590 Changes in release 0.3b
592 * kdc: prefer default-salted keys on v5 requests
594 * kdc: lowercase hostnames in v4 mode
596 * hprop: handle more types of MIT salts
598 * lib/krb5: fix memory leak
602 Changes in release 0.3a:
604 * implement arcfour-hmac-md5 to interoperate with W2K
606 * modularise the handling of the master key, and allow for other
607 encryption types. This makes it easier to import a database from
608 some other source without having to re-encrypt all keys.
610 * allow for better control over which encryption types are created
612 * make kinit fallback to v4 if given a v4 KDC
614 * make klist work better with v4 and v5, and add some more MIT
615 compatibility options
617 * make the kdc listen on the krb524 (4444) port for compatibility
618 with MIT krb5 clients
620 * implement more DCE/DFS support, enabled with --enable-dce, see
621 lib/kdfs and appl/dceutils
623 * make the sequence numbers work correctly
627 Changes in release 0.2t:
631 Changes in release 0.2s:
633 * add OpenLDAP support in hdb
635 * login will get v4 tickets when it receives forwarded tickets
637 * xnlock supports both v5 and v4
639 * repair source routing for telnet
641 * fix building problems with krb4 (krb_mk_req)
645 Changes in release 0.2r:
647 * fix realloc memory corruption bug in kdc
649 * `add --key' and `cpw --key' in kadmin
651 * klist supports listing v4 tickets
653 * update config.guess and config.sub
655 * make v4 -> v5 principal name conversion more robust
657 * support for anonymous tickets
661 * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
663 * use and set expiration and not password expiration when dumping
664 to/from ka server databases / krb4 databases
666 * make the code happier with 64-bit time_t
668 * follow RFC2782 and by default do not look for non-underscore SRV names
670 Changes in release 0.2q:
672 * bug fix in tcp-handling in kdc
674 * bug fix in expand_hostname
676 Changes in release 0.2p:
678 * bug fix in `kadmin load/merge'
680 * bug fix in krb5_parse_address
682 Changes in release 0.2o:
684 * gss_{import,export}_sec_context added to libgssapi
686 * new option --addresses to kdc (for listening on an explicit set of
689 * bug fixes in the krb4 and kaserver emulation part of the kdc
693 Changes in release 0.2n:
695 * more robust parsing of dump files in kadmin
696 * changed default timestamp format for log messages to extended ISO
697 8601 format (Y-M-DTH:M:S)
698 * changed md4/md5/sha1 APIes to be de-facto `standard'
699 * always make hostname into lower-case before creating principal
700 * small bits of more MIT-compatability
703 Changes in release 0.2m:
705 * handle glibc's getaddrinfo() that returns several ai_canonname
711 Changes in release 0.2l:
715 Changes in release 0.2k:
719 * make struct sockaddr_storage in roken work better on alphas
721 * some missing [hn]to[hn]s fixed.
723 * allow users to change their own passwords with kadmin (with initial
726 * fix stupid bug in parsing KDC specification
728 * add `ktutil change' and `ktutil purge'
730 Changes in release 0.2j:
734 * ftpd works in passive mode
736 * should build on cygwin
738 * work around broken IPv6-code on OpenBSD 2.6, also add configure
739 option --disable-ipv6
741 Changes in release 0.2i:
743 * use getaddrinfo in the missing places.
745 * fix SRV lookup for admin server
747 * use get{addr,name}info everywhere. and implement it in terms of
748 getipnodeby{name,addr} (which uses gethostbyname{,2} and
751 Changes in release 0.2h:
753 * fix typo in kx (now compiles)
755 Changes in release 0.2g:
759 * repair appl/test programs
760 * sockaddr_storage works on solaris (alignment issues)
761 * works better with non-roken getaddrinfo
763 * some non standard C constructs removed
765 Changes in release 0.2f:
767 * support SRV records for kpasswd
768 * look for both _kerberos and krb5-realm when doing host -> realm mapping
770 Changes in release 0.2e:
772 * changed copyright notices to remove `advertising'-clause.
773 * get{addr,name}info added to roken and used in the other code
774 (this makes things work much better with hosts with both v4 and v6
775 addresses, among other things)
776 * do pre-auth for both password and key-based get_in_tkt
777 * support for having several databases
778 * new command `del_enctype' in kadmin
779 * strptime (and new strftime) add to roken
780 * more paranoia about finding libdb
783 Changes in release 0.2d:
785 * new configuration option [libdefaults]default_etypes_des
786 * internal ls in ftpd builds without KRB4
787 * kx/rsh/push/pop_debug tries v5 and v4 consistenly
791 Changes in release 0.2c:
793 * bug fixes (see ChangeLog's for details)
795 Changes in release 0.2b:
798 * actually bump shared library versions
800 Changes in release 0.2a:
802 * a new program verify_krb5_conf for checking your /etc/krb5.conf
803 * add 3DES keys when changing password
804 * support null keys in database
805 * support multiple local realms
806 * implement a keytab backend for AFS KeyFile's
807 * implement a keytab backend for v4 srvtabs
808 * implement `ktutil copy'
809 * support password quality control in v4 kadmind
810 * improvements in v4 compat kadmind
811 * handle the case of having the correct cred in the ccache but with
812 the wrong encryption type better
813 * v6-ify the remaining programs.
814 * internal ls in ftpd
815 * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
816 * add `ank --random-password' and `cpw --random-password' in kadmin
817 * some programs and documentation for trying to talk to a W2K KDC
820 Changes in release 0.1m:
822 * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
823 From Miroslav Ruda <ruda@ics.muni.cz>
824 * v6-ify hprop and hpropd
825 * support numeric addresses in krb5_mk_req
826 * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
827 * make rsh/rshd IPv6-aware
828 * make the gssapi sample applications better at reporting errors
830 * handle systems with v6-aware libc and non-v6 kernels (like Linux
831 with glibc 2.1) better
832 * hide failure of ERPT in ftp
835 Changes in release 0.1l:
837 * make ftp and ftpd IPv6-aware
838 * add inet_pton to roken
839 * more IPv6-awareness
840 * make mini_inetd v6 aware
842 Changes in release 0.1k:
844 * bump shared libraries versions
845 * add roken version of inet_ntop
846 * merge more changes to rshd
848 Changes in release 0.1j:
850 * restore back to the `old' 3DES code. This was supposed to be done
851 in 0.1h and 0.1i but I did a CVS screw-up.
852 * make telnetd handle v6 connections
854 Changes in release 0.1i:
856 * start using `struct sockaddr_storage' which simplifies the code
857 (with a fallback definition if it's not defined)
858 * bug fixes (including in hprop and kf)
859 * don't use mawk which seems to mishandle roken.awk
860 * get_addrs should be able to handle v6 addresses on Linux (with the
861 required patch to the Linux kernel -- ask within)
862 * rshd builds with shadow passwords
864 Changes in release 0.1h:
866 * kf: new program for forwarding credentials
868 * make forwarding credentials work with MIT code
869 * better conversion of ka database
870 * add etc/services.append
871 * correct `modified by' from kpasswdd
874 Changes in release 0.1g:
876 * kgetcred: new program for explicitly obtaining tickets
881 Changes in release 0.1f;
883 * experimental support for v4 kadmin protokoll in kadmind
886 Changes in release 0.1e:
888 * try to handle old DCE and MIT kdcs
889 * support for older versions of credential cache files and keytabs
890 * postdated tickets work
891 * support for password quality checks in kpasswdd
892 * new flag --enable-kaserver for kdc
894 * prototype su program
895 * updated (some) manpages
896 * support for KDC resource records
897 * should build with --without-krb4
900 Changes in release 0.1d:
902 * Support building with DB2 (uses 1.85-compat API)
903 * Support krb5-realm.DOMAIN in DNS
904 * new `ktutil srvcreate'
905 * v4/kafs support in klist/kdestroy
908 Changes in release 0.1c:
910 * fix ASN.1 encoding of signed integers
911 * somewhat working `ktutil get'
912 * some documentation updates
913 * update to Autoconf 2.13 and Automake 1.4
914 * the usual bug fixes
916 Changes in release 0.1b:
918 * some old -> new crypto conversion utils
921 Changes in release 0.1a:
925 * make sure we ask for DES keys in gssapi
926 * support signed ints in ASN1
929 Changes in release 0.0u:
933 Changes in release 0.0t:
935 * more robust parsing of krb5.conf
936 * include net{read,write} in lib/roken
939 Changes in release 0.0s:
941 * kludges for parsing options to rsh
942 * more robust parsing of krb5.conf
943 * removed some arbitrary limits
946 Changes in release 0.0r:
948 * default options for some programs
951 Changes in release 0.0q:
953 * support for building shared libraries with libtool
956 Changes in release 0.0p:
958 * keytab moved to /etc/krb5.keytab
959 * avoid false detection of IPv6 on Linux
960 * Lots of more functionality in the gssapi-library
961 * hprop can now read ka-server databases
964 Changes in release 0.0o:
966 * FTP with GSSAPI support.
969 Changes in release 0.0n:
971 * Incremental database propagation.
972 * Somewhat improved kadmin ui; the stuff in admin is now removed.
973 * Some support for using enctypes instead of keytypes.
974 * Lots of other improvement and bug fixes, see ChangeLog for details.