2024-08-02 15:14:31 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Jul 1 07:50:59 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Update to 1.21.3
|
|
|
|
* Fix vulnerabilities in GSS message token handling:
|
|
|
|
* CVE-2024-37370, bsc#1227186
|
|
|
|
* CVE-2024-37371, bsc#1227187
|
|
|
|
* Fix a potential bad pointer free in krb5_cccol_have_contents()
|
|
|
|
* Fix a memory leak in the macOS ccache type
|
|
|
|
- Update patch 0009-Fix-three-memory-leaks.patch
|
|
|
|
|
2024-05-03 14:15:21 +02:00
|
|
|
-------------------------------------------------------------------
|
2024-06-12 22:34:13 +02:00
|
|
|
Mon May 13 14:06:29 UTC 2024 - Andreas Schneider <asn@cryptomilk.org>
|
2024-05-03 14:15:21 +02:00
|
|
|
|
2024-06-12 22:34:13 +02:00
|
|
|
- Enable the LMDB backend for KDB
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu May 2 11:57:25 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
|
|
|
|
|
|
|
|
- Remove requires for not used cron
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Mar 22 09:19:41 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Fix memory leaks, add patch 0009-Fix-three-memory-leaks.patch
|
|
|
|
* CVE-2024-26458, bsc#1220770
|
|
|
|
* CVE-2024-26461, bsc#1220771
|
|
|
|
* CVE-2024-26462, bsc#1220772
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Feb 29 10:07:57 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
|
|
|
|
|
|
|
- Add crypto-policies support [bsc#1211301]
|
|
|
|
* Update krb5.conf in vendor-files.tar.bz2
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Dec 20 23:18:05 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
|
|
|
|
|
|
|
- update to 1.21.2 (bsc#1218211, CVE-2023-39975):
|
|
|
|
* Fix double-free in KDC TGS processing [CVE-2023-39975].
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sat Jul 15 18:19:32 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
|
|
|
|
|
|
|
- update to 1.21.1 (CVE-2023-36054):
|
|
|
|
* Fix potential uninitialized pointer free in kadm5 XDR parsing
|
|
|
|
[CVE-2023-36054]; (bsc#1214054).
|
|
|
|
* Added a credential cache type providing compatibility with
|
|
|
|
the macOS 11 native credential cache.
|
|
|
|
* libkadm5 will use the provided krb5_context object to read
|
|
|
|
configuration values, instead of creating its own.
|
|
|
|
* Added an interface to retrieve the ticket session key
|
|
|
|
from a GSS context.
|
|
|
|
* The KDC will no longer issue tickets with RC4 or triple-DES
|
|
|
|
session keys unless explicitly configured with the new
|
|
|
|
allow_rc4 or allow_des3 variables respectively.
|
|
|
|
* The KDC will assume that all services can handle aes256-sha1
|
|
|
|
session keys unless the service principal has a
|
|
|
|
session_enctypes string attribute.
|
|
|
|
* Support for PAC full KDC checksums has been added to
|
|
|
|
mitigate an S4U2Proxy privilege escalation attack.
|
|
|
|
* The PKINIT client will advertise a more modern set
|
|
|
|
of supported CMS algorithms.
|
|
|
|
* Removed unused code in libkrb5, libkrb5support,
|
|
|
|
and the PKINIT module.
|
|
|
|
* Modernized the KDC code for processing TGS requests,
|
|
|
|
the code for encrypting and decrypting key data,
|
|
|
|
the PAC handling code, and the GSS library packet
|
|
|
|
parsing and composition code.
|
|
|
|
* Improved the test framework's detection of memory
|
|
|
|
errors in daemon processes when used with asan.
|
2024-05-03 14:15:21 +02:00
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu May 4 13:42:23 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
|
|
|
|
|
|
|
|
- Add _multibuild to define additional spec files as additional
|
|
|
|
flavors.
|
|
|
|
Eliminates the need for source package links in OBS.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Mar 3 10:20:22 UTC 2023 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Update 0007-SELinux-integration.patch for SELinux 3.5;
|
|
|
|
(bsc#1208887);
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Dec 27 14:46:54 UTC 2022 - Stefan Schubert <schubi@suse.com>
|
|
|
|
|
|
|
|
- Migration of PAM settings to /usr/lib/pam.d
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Dec 13 10:49:47 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Drop 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch,
|
|
|
|
already fixed in release 1.20.0
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Nov 16 07:49:09 UTC 2022 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Update to 1.20.1; (bsc#1205126); (CVE-2022-42898);
|
|
|
|
* Fix integer overflows in PAC parsing [CVE-2022-42898].
|
|
|
|
* Fix null deref in KDC when decoding invalid NDR.
|
|
|
|
* Fix memory leak in OTP kdcpreauth module.
|
|
|
|
* Fix PKCS11 module path search.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sun May 29 19:14:02 UTC 2022 - Dirk Müller <dmueller@suse.com>
|
|
|
|
|
|
|
|
- update to 1.20.0:
|
|
|
|
* Added a "disable_pac" realm relation to suppress adding PAC authdata
|
|
|
|
to tickets, for realms which do not need to support S4U requests.
|
|
|
|
* Most credential cache types will use atomic replacement when a cache
|
|
|
|
is reinitialized using kinit or refreshed from the client keytab.
|
|
|
|
* kprop can now propagate databases with a dump size larger than 4GB,
|
|
|
|
if both the client and server are upgraded.
|
|
|
|
* kprop can now work over NATs that change the destination IP address,
|
|
|
|
if the client is upgraded.
|
|
|
|
* Updated the KDB interface. The sign_authdata() method is replaced
|
|
|
|
with the issue_pac() method, allowing KDB modules to add logon info
|
|
|
|
and other buffers to the PAC issued by the KDC.
|
|
|
|
* Host-based initiator names are better supported in the GSS krb5
|
|
|
|
mechanism.
|
|
|
|
* Replaced AD-SIGNEDPATH authdata with minimal PACs.
|
|
|
|
* To avoid spurious replay errors, password change requests will not
|
|
|
|
be attempted over UDP until the attempt over TCP fails.
|
|
|
|
* PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
|
|
|
|
* Updated all code using OpenSSL to be compatible with OpenSSL 3.
|
|
|
|
* Reorganized the libk5crypto build system to allow the OpenSSL
|
|
|
|
back-end to pull in material from the builtin back-end depending on
|
|
|
|
the OpenSSL version.
|
|
|
|
* Simplified the PRNG logic to always use the platform PRNG.
|
|
|
|
* Converted the remaining Tcl tests to Python.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sat Apr 9 11:31:42 UTC 2022 - Dirk Müller <dmueller@suse.com>
|
|
|
|
|
|
|
|
- update to 1.19.3 (bsc#1189929, CVE-2021-37750):
|
|
|
|
* Fix a denial of service attack against the KDC [CVE-2021-37750].
|
|
|
|
* Fix KDC null deref on TGS inner body null server
|
|
|
|
* Fix conformance issue in GSSAPI tests
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Jan 27 22:21:52 UTC 2022 - David Mulder <dmulder@suse.com>
|
|
|
|
|
|
|
|
- Resolve "Credential cache directory /run/user/0/krb5cc does not
|
|
|
|
exist while opening default credentials cache" by using a kernel
|
|
|
|
keyring instead of a dir cache; (bsc#1109830);
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Sep 30 14:14:23 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
|
|
|
|
- Added hardening to systemd services; (bsc#1181400);
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Aug 30 12:45:25 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Fix KDC null pointer dereference via a FAST inner body that
|
|
|
|
lacks a server field; (CVE-2021-37750); (bsc#1189929);
|
|
|
|
- Added patches:
|
|
|
|
* 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Aug 2 08:39:31 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Update to 1.19.2
|
|
|
|
* Fix a denial of service attack against the KDC encrypted challenge
|
|
|
|
code; (CVE-2021-36222);
|
|
|
|
* Fix a memory leak when gss_inquire_cred() is called without a
|
|
|
|
credential handle.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon May 3 09:40:17 UTC 2021 - Rodrigo Lourenço <rzl@rzl.ooo>
|
|
|
|
|
|
|
|
- Build with full Cyrus SASL support
|
|
|
|
* Negotiating SASL credentials with an EXTERNAL bind mechanism requires
|
|
|
|
interaction. Kerberos provides its own interaction function that skips
|
|
|
|
all interaction, thus preventing the mechanism from working.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Apr 22 15:10:12 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Use /run instead of /var/run for daemon PID files; (bsc#1185163);
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Apr 7 16:10:21 UTC 2021 - Dirk Müller <dmueller@suse.com>
|
|
|
|
|
|
|
|
- do not own %sbindir, it comes from filesystem package
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Feb 19 12:10:25 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Update to 1.19.1
|
|
|
|
* Fix a linking issue with Samba.
|
|
|
|
* Better support multiple pkinit_identities values by checking whether
|
|
|
|
certificates can be loaded for each value.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Feb 5 10:36:51 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Update to 1.19
|
|
|
|
Administrator experience
|
|
|
|
* When a client keytab is present, the GSSAPI krb5 mech will refresh
|
|
|
|
credentials even if the current credentials were acquired manually.
|
|
|
|
* It is now harder to accidentally delete the K/M entry from a KDB.
|
|
|
|
Developer experience
|
|
|
|
* gss_acquire_cred_from() now supports the "password" and "verify"
|
|
|
|
options, allowing credentials to be acquired via password and
|
|
|
|
verified using a keytab key.
|
|
|
|
* When an application accepts a GSS security context, the new
|
|
|
|
GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
|
|
|
|
both provided matching channel bindings.
|
|
|
|
* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
|
|
|
|
to identify the desired client principal by certificate.
|
|
|
|
* PKINIT certauth modules can now cause the hw-authent flag to be set
|
|
|
|
in issued tickets.
|
|
|
|
* The krb5_init_creds_step() API will now issue the same password
|
|
|
|
expiration warnings as krb5_get_init_creds_password().
|
|
|
|
Protocol evolution
|
|
|
|
* Added client and KDC support for Microsoft's Resource-Based Constrained
|
|
|
|
Delegation, which allows cross-realm S4U2Proxy requests. A third-party
|
|
|
|
database module is required for KDC support.
|
|
|
|
* kadmin/admin is now the preferred server principal name for kadmin
|
|
|
|
connections, and the host-based form is no longer created by default.
|
|
|
|
The client will still try the host-based form as a fallback.
|
|
|
|
* Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
|
|
|
|
extension, which causes channel bindings to be required for the
|
|
|
|
initiator if the acceptor provided them. The client will send this
|
|
|
|
option if the client_aware_gss_bindings profile option is set.
|
|
|
|
User experience
|
|
|
|
* kinit will now issue a warning if the des3-cbc-sha1 encryption type is
|
|
|
|
used in the reply. This encryption type will be deprecated and removed
|
|
|
|
in future releases.
|
|
|
|
* Added kvno flags --out-cache, --no-store, and --cached-only
|
|
|
|
(inspired by Heimdal's kgetcred).
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Nov 19 09:30:13 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Update to 1.18.3
|
|
|
|
* Fix a denial of service vulnerability when decoding Kerberos
|
|
|
|
protocol messages; (CVE-2020-28196); (bsc#1178512);
|
|
|
|
* Fix a locking issue with the LMDB KDB module which could cause
|
|
|
|
KDC and kadmind processes to lose access to the database.
|
|
|
|
* Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
|
|
|
|
and unloaded while libkrb5support remains loaded.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Jul 7 17:38:11 UTC 2020 - Andreas Schwab <schwab@suse.de>
|
|
|
|
|
|
|
|
- Don't fail if %{_lto_cflags} is empty
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Jun 12 08:38:23 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
|
|
|
|
|
|
|
|
- Do not mangle libexecdir, bindir, sbindir and datadir: there is
|
|
|
|
no reasonable justification to step out of the defaults.
|
|
|
|
+ No longer install csh/sh profiles into /etc/profiles.d: as we
|
|
|
|
not install to default paths, there is no need to further
|
|
|
|
inject paths into $PATH; also, now sbin binaries are only in
|
|
|
|
path for admin users.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri May 29 08:38:37 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Update to 1.18.2
|
|
|
|
* Fix a SPNEGO regression where an acceptor using the default credential
|
|
|
|
would improperly filter mechanisms, causing a negotiation failure.
|
|
|
|
* Fix a bug where the KDC would fail to issue tickets if the local krbtgt
|
|
|
|
principal's first key has a single-DES enctype.
|
|
|
|
* Add stub functions to allow old versions of OpenSSL libcrypto to link
|
|
|
|
against libkrb5.
|
|
|
|
* Fix a NegoEx bug where the client name and delegated credential might
|
|
|
|
not be reported.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu May 28 15:21:46 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Update logrotate script, call systemd to reload the services
|
|
|
|
instead of init-scripts. (boo#1169357)
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue May 26 15:36:25 UTC 2020 - Christophe Giboudeaux <christophe@krop.fr>
|
|
|
|
|
|
|
|
- Don't add the lto flags to the public link options. (boo#1172038)
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon May 4 09:24:21 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Upgrade to 1.18.1
|
|
|
|
* Fix a crash when qualifying short hostnames when the system has
|
|
|
|
no primary DNS domain.
|
|
|
|
* Fix a regression when an application imports "service@" as a GSS
|
|
|
|
host-based name for its acceptor credential handle.
|
|
|
|
* Fix KDC enforcement of auth indicators when they are modified by
|
|
|
|
the KDB module.
|
|
|
|
* Fix removal of require_auth string attributes when the LDAP KDB
|
|
|
|
module is used.
|
|
|
|
* Fix a compile error when building with musl libc on Linux.
|
|
|
|
* Fix a compile error when building with gcc 4.x.
|
|
|
|
* Change the KDC constrained delegation precedence order for consistency
|
2024-06-12 22:34:13 +02:00
|
|
|
with Windows KDCs.
|
2024-05-03 14:15:21 +02:00
|
|
|
- Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Apr 29 08:04:32 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
|
|
|
|
|
|
|
|
- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d
|
|
|
|
notation: libexecdir is likely changing away from /usr/lib to
|
|
|
|
/usr/libexec.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Mar 25 09:20:38 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Fix segfault in k5_primary_domain; (bsc#1167620);
|
|
|
|
- Added patches:
|
|
|
|
* 0009-Fix-null-dereference-qualifying-short-hostnames.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Feb 25 08:36:37 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
|
|
|
|
|
|
|
|
- Remove cruft to support distributions older than SLE 12
|
|
|
|
- Use macros where applicable
|
|
|
|
- Switch to pkgconfig style dependencies
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Feb 17 17:26:16 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Upgrade to 1.18
|
|
|
|
Administrator experience:
|
|
|
|
* Remove support for single-DES encryption types.
|
|
|
|
* Change the replay cache format to be more efficient and robust.
|
|
|
|
Replay cache filenames using the new format end with ".rcache2"
|
|
|
|
by default.
|
|
|
|
* setuid programs will automatically ignore environment variables
|
|
|
|
that normally affect krb5 API functions, even if the caller does
|
|
|
|
not use krb5_init_secure_context().
|
|
|
|
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
|
|
|
|
credential forwarding during GSSAPI authentication unless the KDC
|
|
|
|
sets the ok-as-delegate bit in the service ticket.
|
|
|
|
* Use the permitted_enctypes krb5.conf setting as the default value
|
|
|
|
for default_tkt_enctypes and default_tgs_enctypes.
|
|
|
|
Developer experience:
|
|
|
|
* Implement krb5_cc_remove_cred() for all credential cache types.
|
|
|
|
* Add the krb5_pac_get_client_info() API to get the client account
|
|
|
|
name from a PAC.
|
|
|
|
Protocol evolution:
|
|
|
|
* Add KDC support for S4U2Self requests where the user is identified
|
|
|
|
by X.509 certificate. (Requires support for certificate lookup from
|
|
|
|
a third-party KDB module.)
|
|
|
|
* Remove support for an old ("draft 9") variant of PKINIT.
|
|
|
|
* Add support for Microsoft NegoEx. (Requires one or more third-party
|
|
|
|
GSS modules implementing NegoEx mechanisms.)
|
|
|
|
User experience:
|
|
|
|
* Add support for "dns_canonicalize_hostname=fallback", causing
|
|
|
|
host-based principal names to be tried first without DNS
|
|
|
|
canonicalization, and again with DNS canonicalization if the
|
|
|
|
un-canonicalized server is not found.
|
|
|
|
* Expand single-component hostnames in host-based principal names
|
|
|
|
when DNS canonicalization is not used, adding the system's first DNS
|
|
|
|
search path as a suffix. Add a "qualify_shortname" krb5.conf relation
|
|
|
|
to override this suffix or disable expansion.
|
|
|
|
* Honor the transited-policy-checked ticket flag on application servers,
|
|
|
|
eliminating the requirement to configure capaths on servers in some
|
|
|
|
scenarios.
|
|
|
|
Code quality:
|
|
|
|
* The libkrb5 serialization code (used to export and import krb5 GSS
|
|
|
|
security contexts) has been simplified and made type-safe.
|
|
|
|
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
|
|
|
|
messages has been revised to conform to current coding practices.
|
|
|
|
* The test suite has been modified to work with macOS System Integrity
|
|
|
|
Protection enabled.
|
|
|
|
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
|
|
|
|
can always be tested.
|
|
|
|
- Updated patches:
|
|
|
|
* 0002-krb5-1.9-manpaths.patch
|
|
|
|
* 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
|
|
|
|
* 0005-krb5-1.6.3-ktutil-manpage.patch
|
|
|
|
* 0006-krb5-1.12-api.patch
|
|
|
|
- Renamed patches:
|
|
|
|
* 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
|
|
|
|
* 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
|
|
|
|
* 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
|
|
|
|
* 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
|
|
|
|
- Deleted patches:
|
|
|
|
* 0007-krb5-1.12-ksu-path.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Dec 12 08:56:09 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Upgrade to 1.17.1
|
|
|
|
* Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin.
|
|
|
|
* Fix a bug preventing time skew correction from working when a KCM
|
|
|
|
credential cache is used.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Aug 5 15:26:39 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947);
|
|
|
|
(bsc#1144047);
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Jul 24 09:57:44 UTC 2019 - matthias.gerstner@suse.com
|
|
|
|
|
|
|
|
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
|
|
|
|
firewalld, see [1].
|
|
|
|
|
|
|
|
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue May 7 10:08:00 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Move LDAP schema files from /usr/share/doc/packages/krb5 to
|
|
|
|
/usr/share/kerberos/ldap; (bsc#1134217);
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
|
|
|
|
- Replace old $RPM_* shell vars
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
|
|
|
|
|
|
|
|
- Upgrade to 1.17. Major changes:
|
|
|
|
Administrator experience:
|
|
|
|
* A new Kerberos database module using the Lightning Memory-Mapped
|
|
|
|
Database library (LMDB) has been added. The LMDB KDB module should
|
|
|
|
be more performant and more robust than the DB2 module, and may
|
|
|
|
become the default module for new databases in a future release.
|
|
|
|
* "kdb5_util dump" will no longer dump policy entries when specific
|
|
|
|
principal names are requested.
|
|
|
|
Developer experience:
|
|
|
|
* The new krb5_get_etype_info() API can be used to retrieve enctype,
|
|
|
|
salt, and string-to-key parameters from the KDC for a client
|
|
|
|
principal.
|
|
|
|
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
|
|
|
|
principal names to be used with GSS-API functions.
|
|
|
|
* KDC and kadmind modules which call com_err() will now write to the
|
|
|
|
log file in a format more consistent with other log messages.
|
|
|
|
* Programs which use large numbers of memory credential caches should
|
|
|
|
perform better.
|
|
|
|
Protocol evolution:
|
|
|
|
* The SPAKE pre-authentication mechanism is now supported. This
|
|
|
|
mechanism protects against password dictionary attacks without
|
|
|
|
requiring any additional infrastructure such as certificates. SPAKE
|
|
|
|
is enabled by default on clients, but must be manually enabled on
|
|
|
|
the KDC for this release.
|
|
|
|
* PKINIT freshness tokens are now supported. Freshness tokens can
|
|
|
|
protect against scenarios where an attacker uses temporary access to
|
|
|
|
a smart card to generate authentication requests for the future.
|
|
|
|
* Password change operations now prefer TCP over UDP, to avoid
|
|
|
|
spurious error messages about replays when a response packet is
|
|
|
|
dropped.
|
|
|
|
* The KDC now supports cross-realm S4U2Self requests when used with a
|
|
|
|
third-party KDB module such as Samba's. The client code for
|
|
|
|
cross-realm S4U2Self requests is also now more robust
|
|
|
|
(CVE-2018-20217).
|
|
|
|
User experience:
|
|
|
|
* The new ktutil addent -f flag can be used to fetch salt information
|
|
|
|
from the KDC for password-based keys.
|
|
|
|
* The new kdestroy -p option can be used to destroy a credential cache
|
|
|
|
within a collection by client principal name.
|
|
|
|
* The Kerberos man page has been restored, and documents the
|
|
|
|
environment variables that affect programs using the Kerberos
|
|
|
|
library.
|
|
|
|
Code quality:
|
|
|
|
* Python test scripts now use Python 3.
|
|
|
|
* Python test scripts now display markers in verbose output, making it
|
|
|
|
easier to find where a failure occurred within the scripts.
|
|
|
|
* The Windows build system has been simplified and updated to work
|
|
|
|
with more recent versions of Visual Studio. A large volume of
|
|
|
|
unused Windows-specific code has been removed. Visual Studio 2013
|
|
|
|
or later is now required.
|
|
|
|
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
|
|
|
|
by transactional updates; (bsc#1100126);
|
|
|
|
- Rename patches:
|
|
|
|
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
|
|
|
|
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
|
|
|
|
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
|
|
|
|
* krb5-1.6.3-gssapi_improve_errormessages.dif to
|
|
|
|
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
|
|
|
|
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
|
|
|
|
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
|
|
|
|
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
|
|
|
|
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
|
|
|
|
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Oct 9 20:00:21 UTC 2018 - James McDonough <jmcdonough@suse.com>
|
|
|
|
|
|
|
|
- Upgrade to 1.16.1
|
|
|
|
* kdc client cert matching on client principal entry
|
|
|
|
* Allow ktutil addent command to ignore key version and use
|
|
|
|
non-default salt string.
|
|
|
|
* add kpropd pidfile support
|
|
|
|
* enable "encrypted_challenge_indicator" realm option on tickets
|
|
|
|
obtained using FAST encrypted challenge pre-authentication.
|
|
|
|
* dates through 2106 accepted
|
|
|
|
* KDC support for trivially renewable tickets
|
|
|
|
* stop caching referral and alternate cross-realm TGTs to prevent
|
|
|
|
duplicate credential cache entries
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Jun 18 11:02:57 UTC 2018 - mcepl@suse.com
|
|
|
|
|
|
|
|
- BSC#1021402 move %{_libdir}/krb5/plugins/tls/k5tls.so to krb5 package
|
|
|
|
so it is avaiable for krb5-client as well.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri May 4 09:48:36 UTC 2018 - michael@stroeder.com
|
|
|
|
|
|
|
|
- Upgrade to 1.15.3
|
|
|
|
* Fix flaws in LDAP DN checking, including a null dereference KDC
|
|
|
|
crash which could be triggered by kadmin clients with administrative
|
|
|
|
privileges [CVE-2018-5729, CVE-2018-5730].
|
|
|
|
* Fix a KDC PKINIT memory leak.
|
|
|
|
* Fix a small KDC memory leak on transited or authdata errors when
|
|
|
|
processing TGS requests.
|
|
|
|
* Fix a null dereference when the KDC sends a large TGS reply.
|
|
|
|
* Fix "kdestroy -A" with the KCM credential cache type.
|
|
|
|
* Fix the handling of capaths "." values.
|
|
|
|
* Fix handling of repeated subsection specifications in profile files
|
|
|
|
(such as when multiple included files specify relations in the same
|
|
|
|
subsection).
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Apr 25 21:54:39 UTC 2018 - luizluca@gmail.com
|
|
|
|
|
|
|
|
- Added support for /etc/krb5.conf.d/ for configuration snippets
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Nov 23 13:38:38 UTC 2017 - rbrown@suse.com
|
|
|
|
|
|
|
|
- Replace references to /var/adm/fillup-templates with new
|
|
|
|
%_fillupdir macro (boo#1069468)
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Nov 6 10:23:00 UTC 2017 - hguo@suse.com
|
|
|
|
|
|
|
|
- Remove build dependency doxygen, python-Cheetah, python-Sphinx,
|
|
|
|
python-libxml2, python-lxml, most of which are python 2 programs.
|
|
|
|
Consequently remove -doc subpackage. Users are encouraged to use
|
|
|
|
online documentation. (bsc#1066461)
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Oct 2 22:53:28 UTC 2017 - jengelh@inai.de
|
|
|
|
|
|
|
|
- Update package descriptions.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Sep 25 19:45:05 UTC 2017 - michael@stroeder.com
|
|
|
|
|
|
|
|
- Upgrade to 1.15.2
|
|
|
|
* Fix a KDC denial of service vulnerability caused by unset status
|
|
|
|
strings [CVE-2017-11368]
|
|
|
|
* Preserve GSS contexts on init/accept failure [CVE-2017-11462]
|
|
|
|
* Fix kadm5 setkey operation with LDAP KDB module
|
|
|
|
* Use a ten-second timeout after successful connection for HTTPS KDC
|
|
|
|
requests, as we do for TCP requests
|
|
|
|
* Fix client null dereference when KDC offers encrypted challenge
|
|
|
|
without FAST
|
|
|
|
* Ignore dotfiles when processing profile includedir directive
|
|
|
|
* Improve documentation
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Aug 18 08:27:26 UTC 2017 - hguo@suse.com
|
|
|
|
|
|
|
|
- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf
|
|
|
|
in order to improve client security in handling service principle
|
|
|
|
names. (bsc#1054028)
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Aug 11 09:08:58 UTC 2017 - hguo@suse.com
|
|
|
|
|
|
|
|
- Prevent kadmind.service startup failure caused by absence of
|
|
|
|
LDAP service. (bsc#903543)
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Jun 6 13:36:34 UTC 2017 - hguo@suse.com
|
|
|
|
|
|
|
|
- There is no change made about the package itself, this is only
|
|
|
|
copying over some changelog texts from SLE package:
|
|
|
|
- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355
|
|
|
|
krb5: denial of service in krb5_read_message
|
|
|
|
- bug#912002 owned by varkoly@suse.com: VUL-0
|
|
|
|
CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423:
|
|
|
|
krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
|
|
|
|
- bug#910458 owned by varkoly@suse.com: VUL-1
|
|
|
|
CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries
|
|
|
|
- bug#928978 owned by varkoly@suse.com: VUL-0
|
|
|
|
CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading
|
|
|
|
to requires_preauth bypass
|
|
|
|
- bug#910457 owned by varkoly@suse.com: VUL-1
|
|
|
|
CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy
|
|
|
|
name as a password policy name
|
|
|
|
- bug#991088 owned by hguo@suse.com: VUL-1
|
|
|
|
CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted
|
|
|
|
- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires
|
|
|
|
- [fate#320326](https://fate.suse.com/320326)
|
|
|
|
- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference
|
|
|
|
from \cite
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Apr 6 12:58:53 CEST 2017 - kukuk@suse.de
|
|
|
|
|
|
|
|
- Remove wrong PreRequires from krb5
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Mar 9 20:58:42 UTC 2017 - michael@stroeder.com
|
|
|
|
|
|
|
|
- use HTTPS project and source URLs
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Mar 9 16:31:41 UTC 2017 - meissner@suse.com
|
|
|
|
|
|
|
|
- use source urls.
|
|
|
|
- krb5.keyring: Added Greg Hudson
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sat Mar 4 21:29:34 UTC 2017 - michael@stroeder.com
|
|
|
|
|
|
|
|
- removed obsolete krb5-1.15-fix_kdb_free_principal_e_data.patch
|
|
|
|
- Upgrade to 1.15.1
|
|
|
|
* Allow KDB modules to determine how the e_data field of principal
|
|
|
|
fields is freed
|
|
|
|
* Fix udp_preference_limit when the KDC location is configured with
|
|
|
|
SRV records
|
|
|
|
* Fix KDC and kadmind startup on some IPv4-only systems
|
|
|
|
* Fix the processing of PKINIT certificate matching rules which have
|
|
|
|
two components and no explicit relation
|
|
|
|
* Improve documentation
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Jan 27 14:50:39 UTC 2017 - bwiedemann@suse.com
|
|
|
|
|
|
|
|
- remove useless environment.pickle to make build-compare happy
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Jan 19 15:59:38 UTC 2017 - asn@cryptomilk.org
|
|
|
|
|
|
|
|
- Introduce patch
|
|
|
|
krb5-1.15-fix_kdb_free_principal_e_data.patch
|
|
|
|
to fix freeing of e_data in the kdb principal
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sat Dec 3 13:04:11 UTC 2016 - michael@stroeder.com
|
|
|
|
|
|
|
|
- Upgrade to 1.15
|
|
|
|
- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2
|
|
|
|
- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since
|
|
|
|
file is not available in upstream source anymore
|
|
|
|
- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15
|
|
|
|
|
|
|
|
- Upgrade from 1.14.4 to 1.15 - major changes:
|
|
|
|
Administrator experience:
|
|
|
|
* Add support to kadmin for remote extraction of current keys without
|
|
|
|
changing them (requires a special kadmin permission that is excluded
|
|
|
|
from the wildcard permission), with the exception of highly
|
|
|
|
protected keys.
|
|
|
|
* Add a lockdown_keys principal attribute to prevent retrieval of the
|
|
|
|
principal's keys (old or new) via the kadmin protocol. In newly
|
|
|
|
created databases, this attribute is set on the krbtgt and kadmin
|
|
|
|
principals.
|
|
|
|
* Restore recursive dump capability for DB2 back end, so sites can
|
|
|
|
more easily recover from database corruption resulting from power
|
|
|
|
failure events.
|
|
|
|
* Add DNS auto-discovery of KDC and kpasswd servers from URI records,
|
|
|
|
in addition to SRV records. URI records can convey TCP and UDP
|
|
|
|
servers and master KDC status in a single DNS lookup, and can also
|
|
|
|
point to HTTPS proxy servers.
|
|
|
|
* Add support for password history to the LDAP back end.
|
|
|
|
* Add support for principal renaming to the LDAP back end.
|
|
|
|
* Use the getrandom system call on supported Linux kernels to avoid
|
|
|
|
blocking problems when getting entropy from the operating system.
|
|
|
|
* In the PKINIT client, use the correct DigestInfo encoding for PKCS
|
|
|
|
#1 signatures, so that some especially strict smart cards will work.
|
|
|
|
Code quality:
|
|
|
|
* Clean up numerous compilation warnings.
|
|
|
|
* Remove various infrequently built modules, including some preauth
|
|
|
|
modules that were not built by default.
|
|
|
|
Developer experience:
|
|
|
|
* Add support for building with OpenSSL 1.1.
|
|
|
|
* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
|
|
|
|
authenticators in the replay cache. This helps sites that must
|
|
|
|
build with FIPS 140 conformant libraries that lack MD5.
|
|
|
|
Protocol evolution:
|
|
|
|
* Add support for the AES-SHA2 enctypes, which allows sites to conform
|
|
|
|
to Suite B crypto requirements.
|
|
|
|
|
|
|
|
- Upgrade from 1.14.3 to 1.14.4 - major changes:
|
|
|
|
* Fix some rare btree data corruption bugs
|
|
|
|
* Fix numerous minor memory leaks
|
|
|
|
* Improve portability (Linux-ppc64el, FreeBSD)
|
|
|
|
* Improve some error messages
|
|
|
|
* Improve documentation
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Nov 14 08:36:06 UTC 2016 - christof.hanke@rzg.mpg.de
|
|
|
|
|
|
|
|
- add pam configuration file required for ksu
|
|
|
|
just use a copy of "su" one from Tumbleweed
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com
|
|
|
|
|
|
|
|
- Upgrade from 1.14.2 to 1.14.3:
|
|
|
|
* Improve some error messages
|
|
|
|
* Improve documentation
|
|
|
|
* Allow a principal with nonexistent policy to bypass the minimum
|
|
|
|
password lifetime check, consistent with other aspects of
|
|
|
|
nonexistent policies
|
|
|
|
* Fix a rare KDC denial of service vulnerability when anonymous client
|
|
|
|
principals are restricted to obtaining TGTs only [CVE-2016-3120]
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sat Jul 2 11:38:54 UTC 2016 - idonmez@suse.com
|
|
|
|
|
|
|
|
- Remove comments breaking post scripts.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Jun 30 13:34:29 UTC 2016 - fcrozat@suse.com
|
|
|
|
|
|
|
|
- Do no use systemd_requires macros in main package, it adds
|
|
|
|
unneeded dependencies which pulls systemd into minimal chroot.
|
|
|
|
- Only call %insserv_prereq when building for pre-systemd
|
|
|
|
distributions.
|
|
|
|
- Optimise some %post/%postun when only /sbin/ldconfig is called.
|
|
|
|
|
|
|
|
------------------------------------------------------------------
|
|
|
|
Tue May 10 12:41:14 UTC 2016 - hguo@suse.com
|
|
|
|
|
|
|
|
- Remove source file ccapi/common/win/OldCC/autolock.hxx
|
|
|
|
that is not needed and does not carry an acceptable license.
|
|
|
|
(bsc#968111)
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com
|
|
|
|
|
|
|
|
- removed obsolete patches:
|
|
|
|
* 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
|
|
|
|
* krb5-mechglue_inqure_attrs.patch
|
|
|
|
- Upgrade from 1.14.1 to 1.14.2:
|
|
|
|
* Fix a moderate-severity vulnerability in the LDAP KDC back end that
|
|
|
|
could be exploited by a privileged kadmin user [CVE-2016-3119]
|
|
|
|
* Improve documentation
|
|
|
|
* Fix some interactions with GSSAPI interposer mechanisms
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com
|
|
|
|
|
|
|
|
- Upgrade from 1.14 to 1.14.1:
|
|
|
|
* Remove expired patches:
|
|
|
|
0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
|
|
|
|
0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
|
|
|
|
0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
|
|
|
|
krbdev.mit.edu-8301.patch
|
|
|
|
* Replace source archives:
|
|
|
|
krb5-1.14.tar.gz ->
|
|
|
|
krb5-1.14.1.tar.gz
|
|
|
|
krb5-1.14.tar.gz.asc ->
|
|
|
|
krb5-1.14.1.tar.gz.asc
|
|
|
|
* Adjust line numbers in:
|
|
|
|
krb5-fix_interposer.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Mar 23 13:02:48 UTC 2016 - hguo@suse.com
|
|
|
|
|
|
|
|
- Introduce patch
|
|
|
|
0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
|
|
|
|
to fix CVE-2016-3119 (bsc#971942)
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Feb 11 15:06:31 UTC 2016 - hguo@suse.com
|
|
|
|
|
|
|
|
- Remove krb5-mini pieces from spec file.
|
|
|
|
Hence remove pre_checkin.sh
|
|
|
|
- Remove expired macros and other minor clean-ups in spec file.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Feb 2 08:41:13 UTC 2016 - hguo@suse.com
|
|
|
|
|
|
|
|
- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character
|
|
|
|
with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
|
|
|
|
(bsc#963968)
|
|
|
|
- Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request
|
|
|
|
with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
|
|
|
|
(bsc#963975)
|
|
|
|
- Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask
|
|
|
|
with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
|
|
|
|
(bsc#963964)
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Jan 11 12:33:54 UTC 2016 - idonmez@suse.com
|
|
|
|
|
|
|
|
- Add two patches from Fedora, fixing two crashes:
|
|
|
|
* krb5-fix_interposer.patch
|
|
|
|
* krb5-mechglue_inqure_attrs.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com
|
|
|
|
|
|
|
|
- Update to 1.14
|
|
|
|
- dropped krb5-kvno-230379.patch
|
|
|
|
- added krbdev.mit.edu-8301.patch fixing wrong function call
|
|
|
|
|
|
|
|
Major changes in 1.14 (2015-11-20)
|
|
|
|
==================================
|
|
|
|
|
|
|
|
Administrator experience:
|
|
|
|
|
|
|
|
* Add a new kdb5_util tabdump command to provide reporting-friendly
|
|
|
|
tabular dump formats (tab-separated or CSV) for the KDC database.
|
|
|
|
Unlike the normal dump format, each output table has a fixed number
|
|
|
|
of fields. Some tables include human-readable forms of data that
|
|
|
|
are opaque in ordinary dump files. This format is also suitable for
|
|
|
|
importing into relational databases for complex queries.
|
|
|
|
* Add support to kadmin and kadmin.local for specifying a single
|
|
|
|
command line following any global options, where the command
|
|
|
|
arguments are split by the shell--for example, "kadmin getprinc
|
|
|
|
principalname". Commands issued this way do not prompt for
|
|
|
|
confirmation or display warning messages, and exit with non-zero
|
|
|
|
status if the operation fails.
|
|
|
|
* Accept the same principal flag names in kadmin as we do for the
|
|
|
|
default_principal_flags kdc.conf variable, and vice versa. Also
|
|
|
|
accept flag specifiers in the form that kadmin prints, as well as
|
|
|
|
hexadecimal numbers.
|
|
|
|
* Remove the triple-DES and RC4 encryption types from the default
|
|
|
|
value of supported_enctypes, which determines the default key and
|
|
|
|
salt types for new password-derived keys. By default, keys will
|
|
|
|
only created only for AES128 and AES256. This mitigates some types
|
|
|
|
of password guessing attacks.
|
|
|
|
* Add support for directory names in the KRB5_CONFIG and
|
|
|
|
KRB5_KDC_PROFILE environment variables.
|
|
|
|
* Add support for authentication indicators, which are ticket
|
|
|
|
annotations to indicate the strength of the initial authentication.
|
|
|
|
Add support for the "require_auth" string attribute, which can be
|
|
|
|
set on server principal entries to require an indicator when
|
|
|
|
authenticating to the server.
|
|
|
|
* Add support for key version numbers larger than 255 in keytab files,
|
|
|
|
and for version numbers up to 65535 in KDC databases.
|
|
|
|
* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
|
|
|
|
during pre-authentication, corresponding to the client's most
|
|
|
|
preferred encryption type.
|
|
|
|
* Add support for server name identification (SNI) when proxying KDC
|
|
|
|
requests over HTTPS.
|
|
|
|
* Add support for the err_fmt profile parameter, which can be used to
|
|
|
|
generate custom-formatted error messages.
|
|
|
|
|
|
|
|
Code quality:
|
|
|
|
|
|
|
|
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
|
|
|
|
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
|
|
|
|
[CVE-2015-2698]
|
|
|
|
* Fix build_principal memory bug that could cause a KDC
|
|
|
|
crash. [CVE-2015-2697]
|
|
|
|
|
|
|
|
Developer experience:
|
|
|
|
|
|
|
|
* Change gss_acquire_cred_with_password() to acquire credentials into
|
|
|
|
a private memory credential cache. Applications can use
|
|
|
|
gss_store_cred() to make the resulting credentials visible to other
|
|
|
|
processes.
|
|
|
|
* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
|
|
|
|
IAKERB or for non-standard variants of the krb5 mechanism OID unless
|
|
|
|
explicitly requested. (SPNEGO will still accept the Microsoft
|
|
|
|
variant of the krb5 mechanism OID during negotiation.)
|
|
|
|
* Change gss_accept_sec_context() not to accept tokens for IAKERB or
|
|
|
|
for non-standard variants of the krb5 mechanism OID unless an
|
|
|
|
acceptor credential is acquired for those mechanisms.
|
|
|
|
* Change gss_acquire_cred() to immediately resolve credentials if the
|
|
|
|
time_rec parameter is not NULL, so that a correct expiration time
|
|
|
|
can be returned. Normally credential resolution is delayed until
|
|
|
|
the target name is known.
|
|
|
|
* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
|
|
|
|
which can be used by plugin modules or applications to add prefixes
|
|
|
|
to existing detailed error messages.
|
|
|
|
* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
|
|
|
|
implement the RFC 6113 PRF+ operation and key derivation using PRF+.
|
|
|
|
* Add support for pre-authentication mechanisms which use multiple
|
|
|
|
round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
|
|
|
|
code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
|
|
|
|
interface; these callbacks can be used to save marshalled state
|
|
|
|
information in an encrypted cookie for the next request.
|
|
|
|
* Add a client_key() callback to the kdcpreauth interface to retrieve
|
|
|
|
the chosen client key, corresponding to the ETYPE-INFO2 entry sent
|
|
|
|
by the KDC.
|
|
|
|
* Add an add_auth_indicator() callback to the kdcpreauth interface,
|
|
|
|
allowing pre-authentication modules to assert authentication
|
|
|
|
indicators.
|
|
|
|
* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
|
|
|
|
suppress sending the confidentiality and integrity flags in GSS
|
|
|
|
initiator tokens unless they are requested by the caller. These
|
|
|
|
flags control the negotiated SASL security layer for the Microsoft
|
|
|
|
GSS-SPNEGO SASL mechanism.
|
|
|
|
* Make the FILE credential cache implementation less prone to
|
|
|
|
corruption issues in multi-threaded programs, especially on
|
|
|
|
platforms with support for open file description locks.
|
|
|
|
|
|
|
|
Performance:
|
|
|
|
|
|
|
|
* On slave KDCs, poll the master KDC immediately after processing a
|
|
|
|
full resync, and do not require two full resyncs after the master
|
|
|
|
KDC's log file is reset.
|
|
|
|
|
|
|
|
User experience:
|
|
|
|
|
|
|
|
* Make gss_accept_sec_context() accept tickets near their expiration
|
|
|
|
but within clock skew tolerances, rather than rejecting them
|
|
|
|
immediately after the server's view of the ticket expiration time.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com
|
|
|
|
|
|
|
|
- Update to 1.13.3
|
|
|
|
- removed patches for security fixes now in upstream source:
|
|
|
|
0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
|
|
|
|
0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
|
|
|
|
0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
|
|
|
|
0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
|
|
|
|
|
|
|
|
Major changes in 1.13.3 (2015-12-04)
|
|
|
|
====================================
|
|
|
|
|
|
|
|
This is a bug fix release. The krb5-1.13 release series is in
|
|
|
|
maintenance, and for new deployments, installers should prefer the
|
|
|
|
krb5-1.14 release series or later.
|
|
|
|
|
|
|
|
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
|
|
|
|
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
|
|
|
|
[CVE-2015-2698]
|
|
|
|
* Fix build_principal memory bug that could cause a KDC
|
|
|
|
crash. [CVE-2015-2697]
|
|
|
|
* Allow an iprop slave to receive full resyncs from KDCs running
|
|
|
|
krb5-1.10 or earlier.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com
|
|
|
|
|
|
|
|
- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
|
|
|
|
to fix a memory corruption regression introduced by resolution of
|
|
|
|
CVE-2015-2698. bsc#954204
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com
|
|
|
|
|
|
|
|
- Make kadmin.local man page available without having to install krb5-client. bsc#948011
|
|
|
|
- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
|
|
|
|
to fix build_principal memory bug [CVE-2015-2697] bsc#952190
|
|
|
|
- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
|
|
|
|
to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
|
|
|
|
- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
|
|
|
|
to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Jun 1 07:31:52 UTC 2015 - hguo@suse.com
|
|
|
|
|
|
|
|
- Let server depend on libev (module of libverto). This was the
|
|
|
|
preferred implementation before the seperation of libverto from krb.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org
|
|
|
|
|
|
|
|
- Drop libverto and libverto-libev Requires from the -server
|
|
|
|
package: those package names don't exist and the shared libs
|
|
|
|
are pulled in automatically.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed May 27 10:59:13 UTC 2015 - dimstar@opensuse.org
|
|
|
|
|
|
|
|
- Unconditionally buildrequire libverto-devel: krb5-mini also
|
|
|
|
depends on it.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri May 22 09:27:11 UTC 2015 - meissner@suse.com
|
|
|
|
|
|
|
|
- pre_checkin.sh aligned changes between krb5/krb5-mini
|
|
|
|
- added krb5.keyring
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue May 12 07:48:18 UTC 2015 - michael@stroeder.com
|
|
|
|
|
|
|
|
- update to krb5 1.13.2
|
|
|
|
|
|
|
|
- DES transition
|
|
|
|
==============
|
|
|
|
|
|
|
|
The Data Encryption Standard (DES) is widely recognized as weak. The
|
|
|
|
krb5-1.7 release contains measures to encourage sites to migrate away
|
|
|
|
- From using single-DES cryptosystems. Among these is a configuration
|
|
|
|
variable that enables "weak" enctypes, which defaults to "false"
|
|
|
|
beginning with krb5-1.8.
|
|
|
|
|
|
|
|
|
|
|
|
Major changes in 1.13.2 (2015-05-08)
|
|
|
|
====================================
|
|
|
|
|
|
|
|
This is a bug fix release.
|
|
|
|
|
|
|
|
* Fix a minor vulnerability in krb5_read_message, which is primarily
|
|
|
|
used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]
|
|
|
|
|
|
|
|
* Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
|
|
|
|
[CVE-2015-2694]
|
|
|
|
|
|
|
|
* Fix some issues with the LDAP KDC database back end.
|
|
|
|
|
|
|
|
* Fix an iteration-related memory leak in the DB2 KDC database back
|
|
|
|
end.
|
|
|
|
|
|
|
|
* Fix issues with some less-used kadm5.acl functionality.
|
|
|
|
|
|
|
|
* Improve documentation.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Apr 23 14:13:03 UTC 2015 - hguo@suse.com
|
|
|
|
|
|
|
|
- Use externally built libverto
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Feb 18 11:48:46 UTC 2015 - michael@stroeder.com
|
|
|
|
|
|
|
|
- update to krb5 1.13.1
|
|
|
|
|
|
|
|
Major changes in 1.13.1 (2015-02-11)
|
|
|
|
====================================
|
|
|
|
|
|
|
|
This is a bug fix release.
|
|
|
|
|
|
|
|
* Fix multiple vulnerabilities in the LDAP KDC back end.
|
|
|
|
[CVE-2014-5354] [CVE-2014-5353]
|
|
|
|
|
|
|
|
* Fix multiple kadmind vulnerabilities, some of which are based in the
|
|
|
|
gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
|
|
|
|
CVE-2014-9422 CVE-2014-9423]
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Jan 6 07:12:29 UTC 2015 - mlin@suse.com
|
|
|
|
|
|
|
|
- Update to krb5 1.13
|
|
|
|
* Add support for accessing KDCs via an HTTPS proxy server using the
|
|
|
|
MS-KKDCP protocol.
|
|
|
|
* Add support for hierarchical incremental propagation, where slaves
|
|
|
|
can act as intermediates between an upstream master and other downstream
|
|
|
|
slaves.
|
|
|
|
* Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf
|
|
|
|
files in addition to /etc/gss/mech.
|
|
|
|
* Add support to the LDAP KDB module for binding to the LDAP server using
|
|
|
|
SASL.
|
|
|
|
* The KDC listens for TCP connections by default.
|
|
|
|
* Fix a minor key disclosure vulnerability where using the "keepold" option
|
|
|
|
to the kadmin randkey operation could return the old keys. [CVE-2014-5351]
|
|
|
|
* Add client support for the Kerberos Cache Manager protocol. If the host
|
|
|
|
is running a Heimdal kcm daemon, caches served by the daemon can be
|
|
|
|
accessed with the KCM: cache type.
|
|
|
|
* When built on OS X 10.7 and higher, use "KCM:" as the default cache type,
|
|
|
|
unless overridden by command-line options or krb5-config values.
|
|
|
|
* Add support for doing unlocked database dumps for the DB2 KDC back end,
|
|
|
|
which would allow the KDC and kadmind to continue accessing the database
|
|
|
|
during lengthy database dumps.
|
|
|
|
- Removed patches, useless or upstreamed
|
|
|
|
* krb5-1.9-kprop-mktemp.patch
|
|
|
|
* krb5-1.10-ksu-access.patch
|
|
|
|
* krb5-1.12-doxygen.patch
|
|
|
|
* bnc#897874-CVE-2014-5351.diff
|
|
|
|
* krb5-1.13-work-around-replay-cache-creation-race.patch
|
|
|
|
* krb5-1.10-kpasswd_tcp.patch
|
|
|
|
- Refreshed patches
|
|
|
|
* krb5-1.12-pam.patch
|
|
|
|
* krb5-1.12-selinux-label.patch
|
|
|
|
* krb5-1.7-doublelog.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Sep 25 12:48:32 UTC 2014 - ddiss@suse.com
|
|
|
|
|
|
|
|
- Work around replay cache creation race; (bnc#898439).
|
|
|
|
krb5-1.13-work-around-replay-cache-creation-race.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Sep 23 13:25:33 UTC 2014 - varkoly@suse.com
|
|
|
|
|
|
|
|
- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal
|
|
|
|
- added patches:
|
|
|
|
* bnc#897874-CVE-2014-5351.diff
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de
|
|
|
|
|
|
|
|
- krb5 5.12.2:
|
|
|
|
* Work around a gcc optimizer bug that could cause DB2 KDC
|
|
|
|
database operations to spin in an infinite loop
|
|
|
|
* Fix a backward compatibility problem with the LDAP KDB schema
|
|
|
|
that could prevent krb5-1.11 and later from decoding entries
|
|
|
|
created by krb5-1.6.
|
|
|
|
* Avoid an infinite loop under some circumstances when the GSS
|
|
|
|
mechglue loads a dynamic mechanism.
|
|
|
|
* Fix krb5kdc argument parsing so "-w" and "-r" options work
|
|
|
|
togetherreliably.
|
|
|
|
- Vulnerability fixes previously fixed in package via patches:
|
|
|
|
* Handle certain invalid RFC 1964 GSS tokens correctly to avoid
|
|
|
|
invalid memory reference vulnerabilities. [CVE-2014-4341
|
|
|
|
CVE-2014-4342]
|
|
|
|
* Fix memory management vulnerabilities in GSSAPI SPNEGO.
|
|
|
|
[CVE-2014-4343 CVE-2014-4344]
|
|
|
|
* Fix buffer overflow vulnerability in LDAP KDB back end.
|
|
|
|
[CVE-2014-4345]
|
|
|
|
- updated patches:
|
|
|
|
* krb5-1.7-doublelog.patch for context change
|
|
|
|
* krb5-1.6.3-ktutil-manpage.dif, same
|
|
|
|
- removed patches, in upstream:
|
|
|
|
* krb5-master-keyring-kdcsync.patch
|
|
|
|
* krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
|
|
|
|
* krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
|
|
|
|
* krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
|
|
|
|
* krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
|
|
|
|
- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch
|
|
|
|
from upstream
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com
|
|
|
|
|
|
|
|
- buffer overrun in kadmind with LDAP backend
|
|
|
|
CVE-2014-4345 (bnc#891082)
|
|
|
|
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com
|
|
|
|
|
|
|
|
- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)
|
|
|
|
krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
|
|
|
|
Fix null deref in SPNEGO acceptor [CVE-2014-4344]
|
|
|
|
krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com
|
|
|
|
|
|
|
|
- Do not depend of insserv if systemd is used
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com
|
|
|
|
|
|
|
|
- denial of service flaws when handling RFC 1964 tokens (bnc#886016)
|
|
|
|
krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
|
|
|
|
- start krb5kdc after slapd (bnc#886102)
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Jun 6 11:08:08 UTC 2014 - ckornacker@suse.com
|
|
|
|
|
|
|
|
- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
|
|
|
|
similar functionality is provided by krb5-plugin-preauth-pkinit
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com
|
|
|
|
|
|
|
|
- don't deliver SysV init files to systemd distributions
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com
|
|
|
|
|
|
|
|
- update to version 1.12.1
|
|
|
|
* Make KDC log service principal names more consistently during
|
|
|
|
some error conditions, instead of "<unknown server>"
|
|
|
|
* Fix several bugs related to building AES-NI support on less
|
|
|
|
common configurations
|
|
|
|
* Fix several bugs related to keyring credential caches
|
|
|
|
- upstream obsoletes:
|
|
|
|
krb5-1.12-copy_context.patch
|
|
|
|
krb5-1.12-enable-NX.patch
|
|
|
|
krb5-1.12-pic-aes-ni.patch
|
|
|
|
krb5-master-no-malloc0.patch
|
|
|
|
krb5-master-ignore-empty-unnecessary-final-token.patch
|
|
|
|
krb5-master-gss_oid_leak.patch
|
|
|
|
krb5-master-keytab_close.patch
|
|
|
|
krb5-master-spnego_error_messages.patch
|
|
|
|
- Fix Get time offsets for all keyring ccaches
|
|
|
|
krb5-master-keyring-kdcsync.patch (RT#7820)
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com
|
|
|
|
|
|
|
|
- update to version 1.12
|
|
|
|
* Add GSSAPI extensions for constructing MIC tokens using IOV lists
|
|
|
|
* Add a FAST OTP preauthentication module for the KDC which uses
|
|
|
|
RADIUS to validate OTP token values.
|
|
|
|
* The AES-based encryption types will use AES-NI instructions
|
|
|
|
when possible for improved performance.
|
|
|
|
- revert dependency on libcom_err-mini-devel since it's not yet
|
|
|
|
available
|
|
|
|
- update and rebase patches
|
|
|
|
* krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch
|
|
|
|
* krb5-1.11-pam.patch -> krb5-1.12-pam.patch
|
|
|
|
* krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch
|
|
|
|
* krb5-1.8-api.patch -> krb5-1.12-api.patch
|
|
|
|
* krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch
|
|
|
|
* krb5-1.9-debuginfo.patch
|
|
|
|
* krb5-1.9-kprop-mktemp.patch
|
|
|
|
* krb5-kvno-230379.patch
|
|
|
|
- added upstream patches
|
|
|
|
- Fix krb5_copy_context
|
|
|
|
* krb5-1.12-copy_context.patch
|
|
|
|
- Mark AESNI files as not needing executable stacks
|
|
|
|
* krb5-1.12-enable-NX.patch
|
|
|
|
* krb5-1.12-pic-aes-ni.patch
|
|
|
|
- Fix memory leak in SPNEGO initiator
|
|
|
|
* krb5-master-gss_oid_leak.patch
|
|
|
|
- Fix SPNEGO one-hop interop against old IIS
|
|
|
|
* krb5-master-ignore-empty-unnecessary-final-token.patch
|
|
|
|
- Fix GSS krb5 acceptor acquire_cred error handling
|
|
|
|
* krb5-master-keytab_close.patch
|
|
|
|
- Avoid malloc(0) in SPNEGO get_input_token
|
|
|
|
* krb5-master-no-malloc0.patch
|
|
|
|
- Test SPNEGO error message in t_s4u.py
|
|
|
|
* krb5-master-spnego_error_messages.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com
|
|
|
|
|
|
|
|
- Reduce build dependencies for krb5-mini by removing
|
|
|
|
doxygen and changing libcom_err-devel to
|
|
|
|
libcom_err-mini-devel
|
|
|
|
- Small fix to pre_checkin.sh so krb5-mini.spec is correct.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Nov 15 13:33:53 UTC 2013 - ckornacker@suse.com
|
|
|
|
|
|
|
|
- update to version 1.11.4
|
|
|
|
- Fix a KDC null pointer dereference [CVE-2013-1417] that could
|
|
|
|
affect realms with an uncommon configuration.
|
|
|
|
- Fix a KDC null pointer dereference [CVE-2013-1418] that could
|
|
|
|
affect KDCs that serve multiple realms.
|
|
|
|
- Fix a number of bugs related to KDC master key rollover.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Jun 24 16:21:07 UTC 2013 - mc@suse.com
|
|
|
|
|
|
|
|
- install and enable systemd service files also in -mini package
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Jun 21 02:12:03 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
- remove fstack-protector-all from CFLAGS, just use the
|
|
|
|
lighter/fast version already present in %optflags
|
|
|
|
|
|
|
|
- Use LFS_CFLAGS to build in 32 bit archs.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sun Jun 9 14:14:48 UTC 2013 - mc@suse.com
|
|
|
|
|
|
|
|
- update to version 1.11.3
|
|
|
|
- Fix a UDP ping-pong vulnerability in the kpasswd
|
|
|
|
(password changing) service. [CVE-2002-2443]
|
|
|
|
- Improve interoperability with some Windows native PKINIT clients.
|
|
|
|
- install translation files
|
|
|
|
- remove outdated configure options
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue May 28 17:08:01 UTC 2013 - mc@suse.com
|
|
|
|
|
|
|
|
- cleanup systemd files (remove syslog.target)
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri May 3 09:43:47 CEST 2013 - mc@suse.de
|
|
|
|
|
|
|
|
- let krb5-mini conflict with all main packages
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu May 2 16:43:16 CEST 2013 - mc@suse.de
|
|
|
|
|
|
|
|
- add conflicts between krb5-mini and krb5-server
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sun Apr 28 17:14:36 CEST 2013 - mc@suse.de
|
|
|
|
|
|
|
|
- update to version 1.11.2
|
|
|
|
* Incremental propagation could erroneously act as if a slave's
|
|
|
|
database were current after the slave received a full dump
|
|
|
|
that failed to load.
|
|
|
|
* gss_import_ |