git: 919b10729753 - stable/15 - krb5: import MIT 1.22.2
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 04 May 2026 11:57:35 UTC
The branch stable/15 has been updated by cy:
URL: https://cgit.FreeBSD.org/src/commit/?id=919b10729753336ef16338295c61ebd085348fb9
commit 919b10729753336ef16338295c61ebd085348fb9
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2026-04-30 19:24:20 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2026-05-04 11:57:26 +0000
krb5: import MIT 1.22.2
Merge commit '90c687295e2d62f9411fc5b571f5af4e8ee187a7'
(cherry picked from commit 736e411a737b9f57c1303e6d15c5afd4f63af0d3)
---
crypto/krb5/NOTICE | 2 +-
crypto/krb5/README | 24 +++++++++++++++-
crypto/krb5/src/configure | 20 ++++++-------
crypto/krb5/src/lib/gssapi/krb5/acquire_cred.c | 1 +
crypto/krb5/src/lib/gssapi/krb5/iakerb.c | 1 +
crypto/krb5/src/lib/gssapi/spnego/spnego_mech.c | 2 +-
crypto/krb5/src/lib/krad/packet.c | 2 +-
crypto/krb5/src/lib/krb5/ccache/cc_file.c | 8 ++++++
crypto/krb5/src/lib/krb5/ccache/cc_mslsa.c | 37 ++++++++++---------------
crypto/krb5/src/man/k5identity.man | 4 +--
crypto/krb5/src/man/k5login.man | 4 +--
crypto/krb5/src/man/k5srvutil.man | 4 +--
crypto/krb5/src/man/kadm5.acl.man | 4 +--
crypto/krb5/src/man/kadmin.man | 4 +--
crypto/krb5/src/man/kadmind.man | 4 +--
crypto/krb5/src/man/kdb5_ldap_util.man | 4 +--
crypto/krb5/src/man/kdb5_util.man | 4 +--
crypto/krb5/src/man/kdc.conf.man | 4 +--
crypto/krb5/src/man/kdestroy.man | 4 +--
crypto/krb5/src/man/kerberos.man | 4 +--
crypto/krb5/src/man/kinit.man | 4 +--
crypto/krb5/src/man/klist.man | 4 +--
crypto/krb5/src/man/kpasswd.man | 4 +--
crypto/krb5/src/man/kprop.man | 4 +--
crypto/krb5/src/man/kpropd.man | 4 +--
crypto/krb5/src/man/kproplog.man | 4 +--
crypto/krb5/src/man/krb5-config.man | 4 +--
crypto/krb5/src/man/krb5.conf.man | 4 +--
crypto/krb5/src/man/krb5kdc.man | 4 +--
crypto/krb5/src/man/ksu.man | 4 +--
crypto/krb5/src/man/kswitch.man | 4 +--
crypto/krb5/src/man/ktutil.man | 4 +--
crypto/krb5/src/man/kvno.man | 4 +--
crypto/krb5/src/man/sclient.man | 4 +--
crypto/krb5/src/man/sserver.man | 4 +--
crypto/krb5/src/patchlevel.h | 6 ++--
crypto/krb5/src/po/mit-krb5.pot | 4 +--
crypto/krb5/src/prototype/prototype.c | 2 +-
crypto/krb5/src/prototype/prototype.h | 2 +-
crypto/krb5/src/windows/version.rc | 2 +-
40 files changed, 120 insertions(+), 97 deletions(-)
diff --git a/crypto/krb5/NOTICE b/crypto/krb5/NOTICE
index 3d78b73035cf..20d8ef24e604 100644
--- a/crypto/krb5/NOTICE
+++ b/crypto/krb5/NOTICE
@@ -1,4 +1,4 @@
-Copyright (C) 1985-2025 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2026 by the Massachusetts Institute of Technology.
All rights reserved.
diff --git a/crypto/krb5/README b/crypto/krb5/README
index d1de8357e388..73eafa585dc9 100644
--- a/crypto/krb5/README
+++ b/crypto/krb5/README
@@ -6,7 +6,7 @@
Copyright and Other Notices
---------------------------
-Copyright (C) 1985-2025 by the Massachusetts Institute of Technology
+Copyright (C) 1985-2026 by the Massachusetts Institute of Technology
and its contributors. All rights reserved.
Please see the file named NOTICE for additional notices.
@@ -97,6 +97,24 @@ removed.
Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.
+Major changes in 1.22.2 (2026-01-29)
+------------------------------------
+
+This is a bug fix release.
+
+* Fix a SPNEGO packet parsing bug which could cause GSS mechanism
+ negotiation failure.
+
+krb5-1.22.2 changes by ticket ID
+--------------------------------
+
+9183 Fix SPNEGO mechListMIC parsing
+9188 Improve MSLSA ccache timestamp conversion
+9189 Fix krb5 gss_acquire_cred() leak on some errors
+9190 Make atomic ccache replacement work on Windows
+9193 Fix uninitialized pointer dereference in libkrad
+9194 Fix IAKERB realm discovery state machine logic
+
Major changes in 1.22.1 (2025-08-20)
------------------------------------
@@ -378,6 +396,7 @@ reports, suggestions, and valuable resources:
Gerald Combs
Simon Cooper
Sylvain Cortes
+ Robert Crowston
Ian Crowther
Arran Cudbard-Bell
Adam Dabrowski
@@ -475,6 +494,7 @@ reports, suggestions, and valuable resources:
Tomas Kuthan
Pierre Labastie
Andreas Ladanyi
+ Yubi Lee
Chris Leick
Volker Lendecke
Jan iankko Lieskovsky
@@ -519,6 +539,7 @@ reports, suggestions, and valuable resources:
Felipe Ortega
Michael Osipov
Andrej Ota
+ Dmitry Ovsyannikov
Dmitri Pal
Javier Palacios
Dilyan Palauzov
@@ -530,6 +551,7 @@ reports, suggestions, and valuable resources:
Zoran Pericic
W. Michael Petullo
Mark Phalan
+ Ben Pope
Sharwan Ram
Brett Randall
Jonathan Reams
diff --git a/crypto/krb5/src/configure b/crypto/krb5/src/configure
index c8dc43de1380..ed823e9244a1 100755
--- a/crypto/krb5/src/configure
+++ b/crypto/krb5/src/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for Kerberos 5 1.22.1.
+# Generated by GNU Autoconf 2.71 for Kerberos 5 1.22.2.
#
# Report bugs to <krb5-bugs@mit.edu>.
#
@@ -615,8 +615,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='Kerberos 5'
PACKAGE_TARNAME='krb5'
-PACKAGE_VERSION='1.22.1'
-PACKAGE_STRING='Kerberos 5 1.22.1'
+PACKAGE_VERSION='1.22.2'
+PACKAGE_STRING='Kerberos 5 1.22.2'
PACKAGE_BUGREPORT='krb5-bugs@mit.edu'
PACKAGE_URL=''
@@ -1506,7 +1506,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures Kerberos 5 1.22.1 to adapt to many kinds of systems.
+\`configure' configures Kerberos 5 1.22.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1577,7 +1577,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of Kerberos 5 1.22.1:";;
+ short | recursive ) echo "Configuration of Kerberos 5 1.22.2:";;
esac
cat <<\_ACEOF
@@ -1739,7 +1739,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-Kerberos 5 configure 1.22.1
+Kerberos 5 configure 1.22.2
generated by GNU Autoconf 2.71
Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2439,7 +2439,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by Kerberos 5 $as_me 1.22.1, which was
+It was created by Kerberos 5 $as_me 1.22.2, which was
generated by GNU Autoconf 2.71. Invocation command line was
$ $0$ac_configure_args_raw
@@ -8159,7 +8159,7 @@ fi
-KRB5_VERSION=1.22.1
+KRB5_VERSION=1.22.2
@@ -15366,7 +15366,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by Kerberos 5 $as_me 1.22.1, which was
+This file was extended by Kerberos 5 $as_me 1.22.2, which was
generated by GNU Autoconf 2.71. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -15430,7 +15430,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
-Kerberos 5 config.status 1.22.1
+Kerberos 5 config.status 1.22.2
configured by $0, generated by GNU Autoconf 2.71,
with options \\"\$ac_cs_config\\"
diff --git a/crypto/krb5/src/lib/gssapi/krb5/acquire_cred.c b/crypto/krb5/src/lib/gssapi/krb5/acquire_cred.c
index aa1a486dcaa0..12e6b7ea805b 100644
--- a/crypto/krb5/src/lib/gssapi/krb5/acquire_cred.c
+++ b/crypto/krb5/src/lib/gssapi/krb5/acquire_cred.c
@@ -912,6 +912,7 @@ error_out:
if (cred->name)
kg_release_name(context, &cred->name);
krb5_free_principal(context, cred->impersonator);
+ krb5_free_principal(context, cred->acceptor_mprinc);
zapfreestr(cred->password);
k5_mutex_destroy(&cred->lock);
xfree(cred);
diff --git a/crypto/krb5/src/lib/gssapi/krb5/iakerb.c b/crypto/krb5/src/lib/gssapi/krb5/iakerb.c
index 90a9bce11ad7..7cc4710e25d3 100644
--- a/crypto/krb5/src/lib/gssapi/krb5/iakerb.c
+++ b/crypto/krb5/src/lib/gssapi/krb5/iakerb.c
@@ -631,6 +631,7 @@ iakerb_initiator_step(iakerb_ctx_id_t ctx,
cred->name->princ->realm = server_realm;
server_realm = empty_data();
+ ctx->state = IAKERB_AS_REQ;
/* Done with realm discovery; fall through to AS request. */
case IAKERB_AS_REQ:
if (ctx->icc == NULL) {
diff --git a/crypto/krb5/src/lib/gssapi/spnego/spnego_mech.c b/crypto/krb5/src/lib/gssapi/spnego/spnego_mech.c
index 43ba63ab2a7b..4a778364336e 100644
--- a/crypto/krb5/src/lib/gssapi/spnego/spnego_mech.c
+++ b/crypto/krb5/src/lib/gssapi/spnego/spnego_mech.c
@@ -3515,7 +3515,7 @@ get_negTokenResp(OM_uint32 *minor_status, struct k5input *in,
return GSS_S_DEFECTIVE_TOKEN;
}
- if (k5_der_get_value(&seq, CONTEXT | 0x04, &field)) {
+ if (k5_der_get_value(&seq, CONTEXT | 0x03, &field)) {
*mechListMIC = get_octet_string(&field);
/* Handle Windows 2000 duplicate response token */
diff --git a/crypto/krb5/src/lib/krad/packet.c b/crypto/krb5/src/lib/krad/packet.c
index ed19385f71a6..22128350428c 100644
--- a/crypto/krb5/src/lib/krad/packet.c
+++ b/crypto/krb5/src/lib/krad/packet.c
@@ -565,7 +565,7 @@ krad_packet_decode_request(krb5_context ctx, const char *secret,
if (cb != NULL) {
for (tmp = (*cb)(data, FALSE); tmp != NULL; tmp = (*cb)(data, FALSE)) {
- if (pkt_id_get(*reqpkt) == pkt_id_get(tmp))
+ if (pkt_id_get(req) == pkt_id_get(tmp))
break;
}
diff --git a/crypto/krb5/src/lib/krb5/ccache/cc_file.c b/crypto/krb5/src/lib/krb5/ccache/cc_file.c
index 198152a9ecd0..f34c0f1064aa 100644
--- a/crypto/krb5/src/lib/krb5/ccache/cc_file.c
+++ b/crypto/krb5/src/lib/krb5/ccache/cc_file.c
@@ -1311,6 +1311,14 @@ fcc_replace(krb5_context context, krb5_ccache id, krb5_principal princ,
goto errno_cleanup;
st = rename(tmpname, data->filename);
+#ifdef _WIN32
+ /* Windows cannot rename over an existing file under most circumstances.
+ * Try ReplaceFile() (which only works if the destination file exists). */
+ if (st != 0) {
+ if (ReplaceFile(data->filename, tmpname, NULL, 0, NULL, NULL))
+ st = 0;
+ }
+#endif
if (st != 0)
goto errno_cleanup;
tmpfile_exists = FALSE;
diff --git a/crypto/krb5/src/lib/krb5/ccache/cc_mslsa.c b/crypto/krb5/src/lib/krb5/ccache/cc_mslsa.c
index 4931e6c172a5..675cf4d11206 100644
--- a/crypto/krb5/src/lib/krb5/ccache/cc_mslsa.c
+++ b/crypto/krb5/src/lib/krb5/ccache/cc_mslsa.c
@@ -249,24 +249,15 @@ KerbExternalNameToMITPrinc(KERB_EXTERNAL_NAME *msprinc, WCHAR *realm, krb5_conte
return FALSE;
}
-static time_t
-FileTimeToUnixTime(LARGE_INTEGER *ltime)
+/*
+ * Convert a Windows file time (number of 100-nanosecond intervals since
+ * 1601-01-01 UTC) to a POSIX timestamp (number of seconds since 1970-01-01
+ * UTC).
+ */
+static inline time_t
+FileTimeToUnixTime(int64_t ft)
{
- FILETIME filetime, localfiletime;
- SYSTEMTIME systime;
- struct tm utime;
- filetime.dwLowDateTime=ltime->LowPart;
- filetime.dwHighDateTime=ltime->HighPart;
- FileTimeToLocalFileTime(&filetime, &localfiletime);
- FileTimeToSystemTime(&localfiletime, &systime);
- utime.tm_sec=systime.wSecond;
- utime.tm_min=systime.wMinute;
- utime.tm_hour=systime.wHour;
- utime.tm_mday=systime.wDay;
- utime.tm_mon=systime.wMonth-1;
- utime.tm_year=systime.wYear-1900;
- utime.tm_isdst=-1;
- return(mktime(&utime));
+ return ft / 10000000 - 11644473600;
}
static void
@@ -346,9 +337,9 @@ MSCredToMITCred(KERB_EXTERNAL_TICKET *msticket, UNICODE_STRING ClientRealm,
MSSessionKeyToMITKeyblock(&msticket->SessionKey, context,
&creds->keyblock);
MSFlagsToMITFlags(msticket->TicketFlags, &creds->ticket_flags);
- creds->times.starttime=FileTimeToUnixTime(&msticket->StartTime);
- creds->times.endtime=FileTimeToUnixTime(&msticket->EndTime);
- creds->times.renew_till=FileTimeToUnixTime(&msticket->RenewUntil);
+ creds->times.starttime=FileTimeToUnixTime(msticket->StartTime.QuadPart);
+ creds->times.endtime=FileTimeToUnixTime(msticket->EndTime.QuadPart);
+ creds->times.renew_till=FileTimeToUnixTime(msticket->RenewUntil.QuadPart);
creds->addresses = NULL;
@@ -377,9 +368,9 @@ CacheInfoEx2ToMITCred(KERB_TICKET_CACHE_INFO_EX2 *info,
creds->keyblock.enctype = info->SessionKeyType;
creds->ticket_flags = info->TicketFlags;
MSFlagsToMITFlags(info->TicketFlags, &creds->ticket_flags);
- creds->times.starttime=FileTimeToUnixTime(&info->StartTime);
- creds->times.endtime=FileTimeToUnixTime(&info->EndTime);
- creds->times.renew_till=FileTimeToUnixTime(&info->RenewTime);
+ creds->times.starttime=FileTimeToUnixTime(info->StartTime.QuadPart);
+ creds->times.endtime=FileTimeToUnixTime(info->EndTime.QuadPart);
+ creds->times.renew_till=FileTimeToUnixTime(info->RenewTime.QuadPart);
/* MS Tickets are addressless. MIT requires an empty address
* not a NULL list of addresses.
diff --git a/crypto/krb5/src/man/k5identity.man b/crypto/krb5/src/man/k5identity.man
index a7d533f077fd..40962b7a49c2 100644
--- a/crypto/krb5/src/man/k5identity.man
+++ b/crypto/krb5/src/man/k5identity.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "K5IDENTITY" "5" " " "1.22.1" "MIT Kerberos"
+.TH "K5IDENTITY" "5" " " "1.22.2" "MIT Kerberos"
.SH NAME
k5identity \- Kerberos V5 client principal selection rules
.SH DESCRIPTION
@@ -96,6 +96,6 @@ kerberos(1), \fI\%krb5.conf\fP
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/k5login.man b/crypto/krb5/src/man/k5login.man
index 906f8854f87c..d0e327d1bfa4 100644
--- a/crypto/krb5/src/man/k5login.man
+++ b/crypto/krb5/src/man/k5login.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "K5LOGIN" "5" " " "1.22.1" "MIT Kerberos"
+.TH "K5LOGIN" "5" " " "1.22.2" "MIT Kerberos"
.SH NAME
k5login \- Kerberos V5 acl file for host access
.SH DESCRIPTION
@@ -87,6 +87,6 @@ kerberos(1)
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/k5srvutil.man b/crypto/krb5/src/man/k5srvutil.man
index 537ed15d8f3b..e926a1eb3b3f 100644
--- a/crypto/krb5/src/man/k5srvutil.man
+++ b/crypto/krb5/src/man/k5srvutil.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "K5SRVUTIL" "1" " " "1.22.1" "MIT Kerberos"
+.TH "K5SRVUTIL" "1" " " "1.22.2" "MIT Kerberos"
.SH NAME
k5srvutil \- host key table (keytab) manipulation utility
.SH SYNOPSIS
@@ -90,6 +90,6 @@ variables.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kadm5.acl.man b/crypto/krb5/src/man/kadm5.acl.man
index 3517c08bd6fe..95cf849d7493 100644
--- a/crypto/krb5/src/man/kadm5.acl.man
+++ b/crypto/krb5/src/man/kadm5.acl.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KADM5.ACL" "5" " " "1.22.1" "MIT Kerberos"
+.TH "KADM5.ACL" "5" " " "1.22.2" "MIT Kerberos"
.SH NAME
kadm5.acl \- Kerberos ACL file
.SH DESCRIPTION
@@ -271,6 +271,6 @@ To operate without an ACL file, set the \fIacl_file\fP variable in
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kadmin.man b/crypto/krb5/src/man/kadmin.man
index 005c2add8135..15ddc17dc573 100644
--- a/crypto/krb5/src/man/kadmin.man
+++ b/crypto/krb5/src/man/kadmin.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KADMIN" "1" " " "1.22.1" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.22.2" "MIT Kerberos"
.SH NAME
kadmin \- Kerberos V5 database administration program
.SH SYNOPSIS
@@ -1089,6 +1089,6 @@ variables.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kadmind.man b/crypto/krb5/src/man/kadmind.man
index c0b355c79a9b..842b5082c8b7 100644
--- a/crypto/krb5/src/man/kadmind.man
+++ b/crypto/krb5/src/man/kadmind.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KADMIND" "8" " " "1.22.1" "MIT Kerberos"
+.TH "KADMIND" "8" " " "1.22.2" "MIT Kerberos"
.SH NAME
kadmind \- KADM5 administration server
.SH SYNOPSIS
@@ -156,6 +156,6 @@ activation is used.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kdb5_ldap_util.man b/crypto/krb5/src/man/kdb5_ldap_util.man
index 7cfda216e399..23461beafc60 100644
--- a/crypto/krb5/src/man/kdb5_ldap_util.man
+++ b/crypto/krb5/src/man/kdb5_ldap_util.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KDB5_LDAP_UTIL" "8" " " "1.22.1" "MIT Kerberos"
+.TH "KDB5_LDAP_UTIL" "8" " " "1.22.2" "MIT Kerberos"
.SH NAME
kdb5_ldap_util \- Kerberos configuration utility
.SH SYNOPSIS
@@ -500,6 +500,6 @@ variables.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kdb5_util.man b/crypto/krb5/src/man/kdb5_util.man
index 0e5f1d1bf5fe..a777ad8ec933 100644
--- a/crypto/krb5/src/man/kdb5_util.man
+++ b/crypto/krb5/src/man/kdb5_util.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KDB5_UTIL" "8" " " "1.22.1" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.22.2" "MIT Kerberos"
.SH NAME
kdb5_util \- Kerberos database maintenance utility
.SH SYNOPSIS
@@ -563,6 +563,6 @@ variables.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kdc.conf.man b/crypto/krb5/src/man/kdc.conf.man
index 33bbb13c6157..ca82a2f1796e 100644
--- a/crypto/krb5/src/man/kdc.conf.man
+++ b/crypto/krb5/src/man/kdc.conf.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KDC.CONF" "5" " " "1.22.1" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.22.2" "MIT Kerberos"
.SH NAME
kdc.conf \- Kerberos V5 KDC configuration file
.sp
@@ -1178,6 +1178,6 @@ Here\(aqs an example of a kdc.conf file:
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kdestroy.man b/crypto/krb5/src/man/kdestroy.man
index 88888d590133..e91ed47d35bf 100644
--- a/crypto/krb5/src/man/kdestroy.man
+++ b/crypto/krb5/src/man/kdestroy.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KDESTROY" "1" " " "1.22.1" "MIT Kerberos"
+.TH "KDESTROY" "1" " " "1.22.2" "MIT Kerberos"
.SH NAME
kdestroy \- destroy Kerberos tickets
.SH SYNOPSIS
@@ -90,6 +90,6 @@ Default location of Kerberos 5 credentials cache
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kerberos.man b/crypto/krb5/src/man/kerberos.man
index 64d9290688cb..295d154c44d3 100644
--- a/crypto/krb5/src/man/kerberos.man
+++ b/crypto/krb5/src/man/kerberos.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KERBEROS" "7" " " "1.22.1" "MIT Kerberos"
+.TH "KERBEROS" "7" " " "1.22.2" "MIT Kerberos"
.SH NAME
kerberos \- Overview of using Kerberos
.SH DESCRIPTION
@@ -210,6 +210,6 @@ Institute of Technology
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kinit.man b/crypto/krb5/src/man/kinit.man
index 9934f21b6895..6153166a1165 100644
--- a/crypto/krb5/src/man/kinit.man
+++ b/crypto/krb5/src/man/kinit.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KINIT" "1" " " "1.22.1" "MIT Kerberos"
+.TH "KINIT" "1" " " "1.22.2" "MIT Kerberos"
.SH NAME
kinit \- obtain and cache Kerberos ticket-granting ticket
.SH SYNOPSIS
@@ -250,6 +250,6 @@ default location for the local host\(aqs keytab.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/klist.man b/crypto/krb5/src/man/klist.man
index e4e505bc6573..aa5e44ab4298 100644
--- a/crypto/krb5/src/man/klist.man
+++ b/crypto/krb5/src/man/klist.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KLIST" "1" " " "1.22.1" "MIT Kerberos"
+.TH "KLIST" "1" " " "1.22.2" "MIT Kerberos"
.SH NAME
klist \- list cached Kerberos tickets
.SH SYNOPSIS
@@ -151,6 +151,6 @@ Default location for the local host\(aqs keytab file.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kpasswd.man b/crypto/krb5/src/man/kpasswd.man
index 7577b9213beb..0321cac4d0a2 100644
--- a/crypto/krb5/src/man/kpasswd.man
+++ b/crypto/krb5/src/man/kpasswd.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KPASSWD" "1" " " "1.22.1" "MIT Kerberos"
+.TH "KPASSWD" "1" " " "1.22.2" "MIT Kerberos"
.SH NAME
kpasswd \- change a user's Kerberos password
.SH SYNOPSIS
@@ -63,6 +63,6 @@ variables.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kprop.man b/crypto/krb5/src/man/kprop.man
index c21bd9692735..f3fc60a71b43 100644
--- a/crypto/krb5/src/man/kprop.man
+++ b/crypto/krb5/src/man/kprop.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KPROP" "8" " " "1.22.1" "MIT Kerberos"
+.TH "KPROP" "8" " " "1.22.2" "MIT Kerberos"
.SH NAME
kprop \- propagate a Kerberos V5 principal database to a replica server
.SH SYNOPSIS
@@ -77,6 +77,6 @@ variables.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kpropd.man b/crypto/krb5/src/man/kpropd.man
index b1caad000718..182ecfe8b7f7 100644
--- a/crypto/krb5/src/man/kpropd.man
+++ b/crypto/krb5/src/man/kpropd.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KPROPD" "8" " " "1.22.1" "MIT Kerberos"
+.TH "KPROPD" "8" " " "1.22.2" "MIT Kerberos"
.SH NAME
kpropd \- Kerberos V5 replica KDC update server
.SH SYNOPSIS
@@ -164,6 +164,6 @@ variables.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kproplog.man b/crypto/krb5/src/man/kproplog.man
index 8d404de88b48..95a4b0800ca6 100644
--- a/crypto/krb5/src/man/kproplog.man
+++ b/crypto/krb5/src/man/kproplog.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KPROPLOG" "8" " " "1.22.1" "MIT Kerberos"
+.TH "KPROPLOG" "8" " " "1.22.2" "MIT Kerberos"
.SH NAME
kproplog \- display the contents of the Kerberos principal update log
.SH SYNOPSIS
@@ -108,6 +108,6 @@ variables.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/krb5-config.man b/crypto/krb5/src/man/krb5-config.man
index 0b743cf5d124..ecc696a7919e 100644
--- a/crypto/krb5/src/man/krb5-config.man
+++ b/crypto/krb5/src/man/krb5-config.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KRB5-CONFIG" "1" " " "1.22.1" "MIT Kerberos"
+.TH "KRB5-CONFIG" "1" " " "1.22.2" "MIT Kerberos"
.SH NAME
krb5-config \- tool for linking against MIT Kerberos libraries
.SH SYNOPSIS
@@ -135,6 +135,6 @@ shell% krb5\-config \-\-libs krb5
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/krb5.conf.man b/crypto/krb5/src/man/krb5.conf.man
index 2590f2151eaf..eaba2b4cdab0 100644
--- a/crypto/krb5/src/man/krb5.conf.man
+++ b/crypto/krb5/src/man/krb5.conf.man
@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KRB5.CONF" "5" " " "1.22.1" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.22.2" "MIT Kerberos"
.SH NAME
krb5.conf \- Kerberos configuration file
.sp
@@ -1500,6 +1500,6 @@ syslog(3)
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/krb5kdc.man b/crypto/krb5/src/man/krb5kdc.man
index bcbd19d01a98..3f38828b8b0f 100644
--- a/crypto/krb5/src/man/krb5kdc.man
+++ b/crypto/krb5/src/man/krb5kdc.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KRB5KDC" "8" " " "1.22.1" "MIT Kerberos"
+.TH "KRB5KDC" "8" " " "1.22.2" "MIT Kerberos"
.SH NAME
krb5kdc \- Kerberos V5 KDC
.SH SYNOPSIS
@@ -140,6 +140,6 @@ caller\-provided sockets will be ignored if socket activation is used.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/ksu.man b/crypto/krb5/src/man/ksu.man
index 59015c2dd4dc..e1f1c16efab6 100644
--- a/crypto/krb5/src/man/ksu.man
+++ b/crypto/krb5/src/man/ksu.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KSU" "1" " " "1.22.1" "MIT Kerberos"
+.TH "KSU" "1" " " "1.22.2" "MIT Kerberos"
.SH NAME
ksu \- Kerberized super-user
.SH SYNOPSIS
@@ -462,6 +462,6 @@ variables.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kswitch.man b/crypto/krb5/src/man/kswitch.man
index 7c21199fcee4..0ed5168aaa67 100644
--- a/crypto/krb5/src/man/kswitch.man
+++ b/crypto/krb5/src/man/kswitch.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KSWITCH" "1" " " "1.22.1" "MIT Kerberos"
+.TH "KSWITCH" "1" " " "1.22.2" "MIT Kerberos"
.SH NAME
kswitch \- switch primary ticket cache
.SH SYNOPSIS
@@ -66,6 +66,6 @@ Default location of Kerberos 5 credentials cache
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/ktutil.man b/crypto/krb5/src/man/ktutil.man
index 8e4ec837732a..53077975bb87 100644
--- a/crypto/krb5/src/man/ktutil.man
+++ b/crypto/krb5/src/man/ktutil.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KTUTIL" "1" " " "1.22.1" "MIT Kerberos"
+.TH "KTUTIL" "1" " " "1.22.2" "MIT Kerberos"
.SH NAME
ktutil \- Kerberos keytab file maintenance utility
.SH SYNOPSIS
@@ -157,6 +157,6 @@ variables.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/kvno.man b/crypto/krb5/src/man/kvno.man
index f068f0664ab4..b63ba3b238d2 100644
--- a/crypto/krb5/src/man/kvno.man
+++ b/crypto/krb5/src/man/kvno.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KVNO" "1" " " "1.22.1" "MIT Kerberos"
+.TH "KVNO" "1" " " "1.22.2" "MIT Kerberos"
.SH NAME
kvno \- print key version numbers of Kerberos principals
.SH SYNOPSIS
@@ -136,6 +136,6 @@ Default location of the credentials cache
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/sclient.man b/crypto/krb5/src/man/sclient.man
index e697bd44b281..10976c05a46a 100644
--- a/crypto/krb5/src/man/sclient.man
+++ b/crypto/krb5/src/man/sclient.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "SCLIENT" "1" " " "1.22.1" "MIT Kerberos"
+.TH "SCLIENT" "1" " " "1.22.2" "MIT Kerberos"
.SH NAME
sclient \- sample Kerberos version 5 client
.SH SYNOPSIS
@@ -49,6 +49,6 @@ variables.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/man/sserver.man b/crypto/krb5/src/man/sserver.man
index c71194e59aaa..e60cb696d9c3 100644
--- a/crypto/krb5/src/man/sserver.man
+++ b/crypto/krb5/src/man/sserver.man
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "SSERVER" "8" " " "1.22.1" "MIT Kerberos"
+.TH "SSERVER" "8" " " "1.22.2" "MIT Kerberos"
.SH NAME
sserver \- sample Kerberos version 5 server
.SH SYNOPSIS
@@ -177,6 +177,6 @@ variables.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2025, MIT
+1985-2026, MIT
.\" Generated by docutils manpage writer.
.
diff --git a/crypto/krb5/src/patchlevel.h b/crypto/krb5/src/patchlevel.h
index 1a6d3e47098f..7cde36884833 100644
--- a/crypto/krb5/src/patchlevel.h
+++ b/crypto/krb5/src/patchlevel.h
@@ -51,7 +51,7 @@
*/
#define KRB5_MAJOR_RELEASE 1
#define KRB5_MINOR_RELEASE 22
-#define KRB5_PATCHLEVEL 1
+#define KRB5_PATCHLEVEL 2
/* #undef KRB5_RELTAIL */
-#define KRB5_RELDATE "20250820"
-#define KRB5_RELTAG "krb5-1.22.1-final"
+#define KRB5_RELDATE "20260129"
+#define KRB5_RELTAG "krb5-1.22.2-final"
diff --git a/crypto/krb5/src/po/mit-krb5.pot b/crypto/krb5/src/po/mit-krb5.pot
index 6358f57081b2..6b4ba3bc3121 100644
--- a/crypto/krb5/src/po/mit-krb5.pot
+++ b/crypto/krb5/src/po/mit-krb5.pot
@@ -6,9 +6,9 @@
#, fuzzy
msgid ""
msgstr ""
-"Project-Id-Version: mit-krb5 1.22.1\n"
+"Project-Id-Version: mit-krb5 1.22.2\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-08-20 15:43-0400\n"
+"POT-Creation-Date: 2026-01-28 19:53-0500\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
diff --git a/crypto/krb5/src/prototype/prototype.c b/crypto/krb5/src/prototype/prototype.c
index a9c225f92b0f..ada2a0d8b7ed 100644
--- a/crypto/krb5/src/prototype/prototype.c
+++ b/crypto/krb5/src/prototype/prototype.c
@@ -1,7 +1,7 @@
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* prototype/prototype.c - <<< One-line description of file >>> */
/*
- * Copyright (C) 2025 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2026 by the Massachusetts Institute of Technology.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
diff --git a/crypto/krb5/src/prototype/prototype.h b/crypto/krb5/src/prototype/prototype.h
index 94ab86d5859d..d17862561a6f 100644
--- a/crypto/krb5/src/prototype/prototype.h
+++ b/crypto/krb5/src/prototype/prototype.h
@@ -1,7 +1,7 @@
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* prototype/prototype.h - <<< One-line description of file >>> */
/*
- * Copyright (C) 2025 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2026 by the Massachusetts Institute of Technology.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
diff --git a/crypto/krb5/src/windows/version.rc b/crypto/krb5/src/windows/version.rc
index 491daf417785..8d36ec6c682e 100644
--- a/crypto/krb5/src/windows/version.rc
+++ b/crypto/krb5/src/windows/version.rc
@@ -41,7 +41,7 @@
#define K5_PRODUCT_VERSION_STRING MAJOR_MINOR MAYBE_PATCH RELTAIL "\0"
#define K5_PRODUCT_VERSION KRB5_MAJOR_RELEASE, KRB5_MINOR_RELEASE, KRB5_PATCHLEVEL, KRB5_BUILDLEVEL
-#define K5_COPYRIGHT "Copyright (C) 1997-2025 by the Massachusetts Institute of Technology\0"
+#define K5_COPYRIGHT "Copyright (C) 1997-2026 by the Massachusetts Institute of Technology\0"
#define K5_COMPANY_NAME "Massachusetts Institute of Technology.\0"
/*