commit 7ef60b02c28446d53c3cf768e0584549807ff23fb8abcf64d08de2cc8f395a97 Author: Adrian Schröter Date: Fri May 3 14:15:21 2024 +0200 Sync from SUSE:SLFO:Main krb5 revision 287230d9275888820e67bb25d4c53c40
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/0001-ksu-pam-integration.patch b/0001-ksu-pam-integration.patch
new file mode 100644
index 0000000..8f87d16
--- /dev/null
+++ b/0001-ksu-pam-integration.patch
@@ -0,0 +1,776 @@ +From cb49731c07ee57f64bd5a93a182446bc834b9057 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:29:58 -0400 +Subject: [PATCH 1/8] ksu pam integration + +Modify ksu so that it performs account and session management on behalf of +the target user account, mimicking the action of regular su. The default +service name is "ksu", because on Fedora at least the configuration used +is determined by whether or not a login shell is being opened, and so +this may need to vary, too. At run-time, ksu's behavior can be reset to +the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu] +section of /etc/krb5.conf. + +When enabled, ksu gains a dependency on libpam. + +Originally RT#5939, though it's changed since then to perform the account +and session management before dropping privileges, and to apply on top of +changes we're proposing for how it handles cache collections. + +Last-updated: krb5-1.18-beta1 +--- + src/aclocal.m4 | 68 +++++++ + src/clients/ksu/Makefile.in | 8 +- + src/clients/ksu/main.c | 88 +++++++- + src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++ + src/clients/ksu/pam.h | 57 ++++++ + src/configure.ac | 2 + + 6 files changed, 609 insertions(+), 3 deletions(-) + create mode 100644 src/clients/ksu/pam.c + create mode 100644 src/clients/ksu/pam.h + +diff --git a/src/aclocal.m4 b/src/aclocal.m4 +index 024d6370c..43eed3b87 100644 +--- a/src/aclocal.m4 ++++ b/src/aclocal.m4 +@@ -1677,3 +1677,71 @@ if test "$with_ldap" = yes; then + OPENLDAP_PLUGIN=yes + fi + ])dnl ++dnl ++dnl ++dnl Use PAM instead of local crypt() compare for checking local passwords, ++dnl and perform PAM account, session management, and password-changing where ++dnl appropriate. 
++dnl ++AC_DEFUN(KRB5_WITH_PAM,[ ++AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])], ++ withpam="$withval",withpam=auto) ++AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])], ++ withksupamservice="$withval",withksupamservice=ksu) ++old_LIBS="$LIBS" ++if test "$withpam" != no ; then ++ AC_MSG_RESULT([checking for PAM...]) ++ PAM_LIBS= ++ ++ AC_CHECK_HEADERS(security/pam_appl.h) ++ if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then ++ if test "$withpam" = auto ; then ++ AC_MSG_RESULT([Unable to locate security/pam_appl.h.]) ++ withpam=no ++ else ++ AC_MSG_ERROR([Unable to locate security/pam_appl.h.]) ++ fi ++ fi ++ ++ LIBS= ++ unset ac_cv_func_pam_start ++ AC_CHECK_FUNCS(putenv pam_start) ++ if test "x$ac_cv_func_pam_start" = xno ; then ++ unset ac_cv_func_pam_start ++ AC_CHECK_LIB(dl,dlopen) ++ AC_CHECK_FUNCS(pam_start) ++ if test "x$ac_cv_func_pam_start" = xno ; then ++ AC_CHECK_LIB(pam,pam_start) ++ unset ac_cv_func_pam_start ++ unset ac_cv_func_pam_getenvlist ++ AC_CHECK_FUNCS(pam_start pam_getenvlist) ++ if test "x$ac_cv_func_pam_start" = xyes ; then ++ PAM_LIBS="$LIBS" ++ else ++ if test "$withpam" = auto ; then ++ AC_MSG_RESULT([Unable to locate libpam.]) ++ withpam=no ++ else ++ AC_MSG_ERROR([Unable to locate libpam.]) ++ fi ++ fi ++ fi ++ fi ++ if test "$withpam" != no ; then ++ AC_MSG_NOTICE([building with PAM support]) ++ AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM]) ++ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice", ++ [Define to the name of the PAM service name to be used by ksu.]) ++ PAM_LIBS="$LIBS" ++ NON_PAM_MAN=".\\\" " ++ PAM_MAN= ++ else ++ PAM_MAN=".\\\" " ++ NON_PAM_MAN= ++ fi ++fi ++LIBS="$old_LIBS" ++AC_SUBST(PAM_LIBS) ++AC_SUBST(PAM_MAN) ++AC_SUBST(NON_PAM_MAN) ++])dnl +diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in +index 8b4edce4d..9d58f29b5 100644 +--- a/src/clients/ksu/Makefile.in ++++ 
b/src/clients/ksu/Makefile.in +@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S).. + DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' + + KSU_LIBS=@KSU_LIBS@ ++PAM_LIBS=@PAM_LIBS@ + + SRCS = \ + $(srcdir)/krb_auth_su.c \ + $(srcdir)/ccache.c \ + $(srcdir)/authorization.c \ + $(srcdir)/main.c \ ++ $(srcdir)/pam.c \ + $(srcdir)/heuristic.c \ + $(srcdir)/xmalloc.c \ + $(srcdir)/setenv.c +@@ -17,13 +19,17 @@ OBJS = \ + ccache.o \ + authorization.o \ + main.o \ ++ pam.o \ + heuristic.o \ + xmalloc.o @SETENVOBJ@ + + all: ksu + + ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) +- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) ++ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS) ++ ++pam.o: pam.c ++ $(CC) $(ALL_CFLAGS) -c $< + + clean: + $(RM) ksu +diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c +index af1286172..931f05404 100644 +--- a/src/clients/ksu/main.c ++++ b/src/clients/ksu/main.c +@@ -26,6 +26,7 @@ + * KSU was written by: Ari Medvinsky, ari@isi.edu + */ + ++#include "autoconf.h" + #include "ksu.h" + #include "adm_proto.h" + #include +@@ -33,6 +34,10 @@ + #include + #include + ++#ifdef USE_PAM ++#include "pam.h" ++#endif ++ + /* globals */ + char * prog_name; + int auth_debug =0; +@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN]; + char k5users_path[MAXPATHLEN]; + char * gb_err = NULL; + int quiet = 0; ++int force_fork = 0; + /***********/ + + #define KS_TEMPORARY_CACHE "MEMORY:_ksu" +@@ -536,6 +542,23 @@ main (argc, argv) + prog_name,target_user,client_name, + source_user,ontty()); + ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL, ++ NULL, source_user, ++ ttyname(STDERR_FILENO)) != 0) { ++ fprintf(stderr, "Access denied for %s.\n", target_user); ++ exit(1); ++ } ++ if (appl_pam_requires_chauthtok()) { ++ fprintf(stderr, "Password change required for %s.\n", ++ target_user); ++ exit(1); ++ } ++ 
force_fork++; ++ } ++#endif ++ + /* Run authorization as target.*/ + if (krb5_seteuid(target_uid)) { + com_err(prog_name, errno, _("while switching to target for " +@@ -596,6 +619,24 @@ main (argc, argv) + + exit(1); + } ++#ifdef USE_PAM ++ } else { ++ /* we always do PAM account management, even for root */ ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL, ++ NULL, source_user, ++ ttyname(STDERR_FILENO)) != 0) { ++ fprintf(stderr, "Access denied for %s.\n", target_user); ++ exit(1); ++ } ++ if (appl_pam_requires_chauthtok()) { ++ fprintf(stderr, "Password change required for %s.\n", ++ target_user); ++ exit(1); ++ } ++ force_fork++; ++ } ++#endif + } + + if( some_rest_copy){ +@@ -653,6 +694,30 @@ main (argc, argv) + exit(1); + } + ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_session_open() != 0) { ++ fprintf(stderr, "Error opening session for %s.\n", target_user); ++ exit(1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Opened PAM session.\n"); ++ } ++#endif ++ if (appl_pam_cred_init()) { ++ fprintf(stderr, "Error initializing credentials for %s.\n", ++ target_user); ++ exit(1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Initialized PAM credentials.\n"); ++ } ++#endif ++ } ++#endif ++ + /* set permissions */ + if (setgid(target_pwd->pw_gid) < 0) { + perror("ksu: setgid"); +@@ -750,7 +815,7 @@ main (argc, argv) + fprintf(stderr, "program to be execed %s\n",params[0]); + } + +- if( keep_target_cache ) { ++ if( keep_target_cache && !force_fork ) { + execv(params[0], params); + com_err(prog_name, errno, _("while trying to execv %s"), params[0]); + sweep_up(ksu_context, cc_target); +@@ -780,16 +845,35 @@ main (argc, argv) + if (ret_pid == -1) { + com_err(prog_name, errno, _("while calling waitpid")); + } +- sweep_up(ksu_context, cc_target); ++ if( !keep_target_cache ) { ++ sweep_up(ksu_context, cc_target); ++ } + exit (statusp); + case -1: + 
com_err(prog_name, errno, _("while trying to fork.")); + sweep_up(ksu_context, cc_target); + exit (1); + case 0: ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_setenv() != 0) { ++ fprintf(stderr, "Error setting up environment for %s.\n", ++ target_user); ++ exit (1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Set up PAM environment.\n"); ++ } ++#endif ++ } ++#endif + execv(params[0], params); + com_err(prog_name, errno, _("while trying to execv %s"), + params[0]); ++ if( keep_target_cache ) { ++ sweep_up(ksu_context, cc_target); ++ } + exit (1); + } + } +diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c +new file mode 100644 +index 000000000..eb5d03bbf +--- /dev/null ++++ b/src/clients/ksu/pam.c +@@ -0,0 +1,389 @@ ++/* ++ * src/clients/ksu/pam.c ++ * ++ * Copyright 2007,2009,2010 Red Hat, Inc. ++ * ++ * All Rights Reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * Convenience wrappers for using PAM. ++ */ ++ ++#include "autoconf.h" ++#ifdef USE_PAM ++#include ++#include ++#include ++#include ++#include ++#include "k5-int.h" ++#include "pam.h" ++ ++#ifndef MAXPWSIZE ++#define MAXPWSIZE 128 ++#endif ++ ++static int appl_pam_started; ++static pid_t appl_pam_starter = -1; ++static int appl_pam_session_opened; ++static int appl_pam_creds_initialized; ++static int appl_pam_pwchange_required; ++static pam_handle_t *appl_pamh; ++static struct pam_conv appl_pam_conv; ++static char *appl_pam_user; ++struct appl_pam_non_interactive_args { ++ const char *user; ++ const char *password; ++}; ++ ++int ++appl_pam_enabled(krb5_context context, const char *section) ++{ ++ int enabled = 1; ++ if ((context != NULL) && (context->profile != NULL)) { ++ if (profile_get_boolean(context->profile, ++ section, ++ USE_PAM_CONFIGURATION_KEYWORD, ++ NULL, ++ enabled, &enabled) != 0) { ++ enabled = 1; ++ } ++ } ++ return enabled; ++} ++ ++void ++appl_pam_cleanup(void) ++{ ++ if (getpid() != appl_pam_starter) { ++ return; ++ } ++#ifdef DEBUG ++ printf("Called to clean up PAM.\n"); ++#endif ++ if (appl_pam_creds_initialized) { ++#ifdef DEBUG ++ printf("Deleting PAM credentials.\n"); ++#endif ++ pam_setcred(appl_pamh, PAM_DELETE_CRED); ++ appl_pam_creds_initialized = 0; ++ } ++ if (appl_pam_session_opened) { ++#ifdef DEBUG ++ printf("Closing PAM session.\n"); ++#endif ++ pam_close_session(appl_pamh, 0); ++ 
appl_pam_session_opened = 0; ++ } ++ appl_pam_pwchange_required = 0; ++ if (appl_pam_started) { ++#ifdef DEBUG ++ printf("Shutting down PAM.\n"); ++#endif ++ pam_end(appl_pamh, 0); ++ appl_pam_started = 0; ++ appl_pam_starter = -1; ++ free(appl_pam_user); ++ appl_pam_user = NULL; ++ } ++} ++static int ++appl_pam_interactive_converse(int num_msg, const struct pam_message **msg, ++ struct pam_response **presp, void *appdata_ptr) ++{ ++ const struct pam_message *message; ++ struct pam_response *resp; ++ int i, code; ++ char *pwstring, pwbuf[MAXPWSIZE]; ++ unsigned int pwsize; ++ resp = malloc(sizeof(struct pam_response) * num_msg); ++ if (resp == NULL) { ++ return PAM_BUF_ERR; ++ } ++ memset(resp, 0, sizeof(struct pam_response) * num_msg); ++ code = PAM_SUCCESS; ++ for (i = 0; i < num_msg; i++) { ++ message = &(msg[0][i]); /* XXX */ ++ message = msg[i]; /* XXX */ ++ pwstring = NULL; ++ switch (message->msg_style) { ++ case PAM_TEXT_INFO: ++ case PAM_ERROR_MSG: ++ printf("[%s]\n", message->msg ? message->msg : ""); ++ fflush(stdout); ++ resp[i].resp = NULL; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ break; ++ case PAM_PROMPT_ECHO_ON: ++ case PAM_PROMPT_ECHO_OFF: ++ if (message->msg_style == PAM_PROMPT_ECHO_ON) { ++ if (fgets(pwbuf, sizeof(pwbuf), ++ stdin) != NULL) { ++ pwbuf[strcspn(pwbuf, "\r\n")] = '\0'; ++ pwstring = pwbuf; ++ } ++ } else { ++ pwstring = getpass(message->msg ? 
++ message->msg : ++ ""); ++ } ++ if ((pwstring != NULL) && (pwstring[0] != '\0')) { ++ pwsize = strlen(pwstring); ++ resp[i].resp = malloc(pwsize + 1); ++ if (resp[i].resp == NULL) { ++ resp[i].resp_retcode = PAM_BUF_ERR; ++ } else { ++ memcpy(resp[i].resp, pwstring, pwsize); ++ resp[i].resp[pwsize] = '\0'; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ } ++ } else { ++ resp[i].resp_retcode = PAM_CONV_ERR; ++ code = PAM_CONV_ERR; ++ } ++ break; ++ default: ++ break; ++ } ++ } ++ *presp = resp; ++ return code; ++} ++static int ++appl_pam_non_interactive_converse(int num_msg, ++ const struct pam_message **msg, ++ struct pam_response **presp, ++ void *appdata_ptr) ++{ ++ const struct pam_message *message; ++ struct pam_response *resp; ++ int i, code; ++ unsigned int pwsize; ++ struct appl_pam_non_interactive_args *args; ++ const char *pwstring; ++ resp = malloc(sizeof(struct pam_response) * num_msg); ++ if (resp == NULL) { ++ return PAM_BUF_ERR; ++ } ++ args = appdata_ptr; ++ memset(resp, 0, sizeof(struct pam_response) * num_msg); ++ code = PAM_SUCCESS; ++ for (i = 0; i < num_msg; i++) { ++ message = &((*msg)[i]); ++ message = msg[i]; ++ pwstring = NULL; ++ switch (message->msg_style) { ++ case PAM_TEXT_INFO: ++ case PAM_ERROR_MSG: ++ break; ++ case PAM_PROMPT_ECHO_ON: ++ case PAM_PROMPT_ECHO_OFF: ++ if (message->msg_style == PAM_PROMPT_ECHO_ON) { ++ /* assume "user" */ ++ pwstring = args->user; ++ } else { ++ /* assume "password" */ ++ pwstring = args->password; ++ } ++ if ((pwstring != NULL) && (pwstring[0] != '\0')) { ++ pwsize = strlen(pwstring); ++ resp[i].resp = malloc(pwsize + 1); ++ if (resp[i].resp == NULL) { ++ resp[i].resp_retcode = PAM_BUF_ERR; ++ } else { ++ memcpy(resp[i].resp, pwstring, pwsize); ++ resp[i].resp[pwsize] = '\0'; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ } ++ } else { ++ resp[i].resp_retcode = PAM_CONV_ERR; ++ code = PAM_CONV_ERR; ++ } ++ break; ++ default: ++ break; ++ } ++ } ++ *presp = resp; ++ return code; ++} ++static int 
++appl_pam_start(const char *service, int interactive, ++ const char *login_username, ++ const char *non_interactive_password, ++ const char *hostname, ++ const char *ruser, ++ const char *tty) ++{ ++ static int exit_handler_registered; ++ static struct appl_pam_non_interactive_args args; ++ int ret = 0; ++ if (appl_pam_started && ++ (strcmp(login_username, appl_pam_user) != 0)) { ++ appl_pam_cleanup(); ++ appl_pam_user = NULL; ++ } ++ if (!appl_pam_started) { ++#ifdef DEBUG ++ printf("Starting PAM up (service=\"%s\",user=\"%s\").\n", ++ service, login_username); ++#endif ++ memset(&appl_pam_conv, 0, sizeof(appl_pam_conv)); ++ appl_pam_conv.conv = interactive ? ++ &appl_pam_interactive_converse : ++ &appl_pam_non_interactive_converse; ++ memset(&args, 0, sizeof(args)); ++ args.user = strdup(login_username); ++ args.password = non_interactive_password ? ++ strdup(non_interactive_password) : ++ NULL; ++ appl_pam_conv.appdata_ptr = &args; ++ ret = pam_start(service, login_username, ++ &appl_pam_conv, &appl_pamh); ++ if (ret == 0) { ++ if (hostname != NULL) { ++#ifdef DEBUG ++ printf("Setting PAM_RHOST to \"%s\".\n", hostname); ++#endif ++ pam_set_item(appl_pamh, PAM_RHOST, hostname); ++ } ++ if (ruser != NULL) { ++#ifdef DEBUG ++ printf("Setting PAM_RUSER to \"%s\".\n", ruser); ++#endif ++ pam_set_item(appl_pamh, PAM_RUSER, ruser); ++ } ++ if (tty != NULL) { ++#ifdef DEBUG ++ printf("Setting PAM_TTY to \"%s\".\n", tty); ++#endif ++ pam_set_item(appl_pamh, PAM_TTY, tty); ++ } ++ if (!exit_handler_registered && ++ (atexit(appl_pam_cleanup) != 0)) { ++ pam_end(appl_pamh, 0); ++ appl_pamh = NULL; ++ ret = -1; ++ } else { ++ appl_pam_started = 1; ++ appl_pam_starter = getpid(); ++ appl_pam_user = strdup(login_username); ++ exit_handler_registered = 1; ++ } ++ } ++ } ++ return ret; ++} ++int ++appl_pam_acct_mgmt(const char *service, int interactive, ++ const char *login_username, ++ const char *non_interactive_password, ++ const char *hostname, ++ const char *ruser, ++ 
const char *tty) ++{ ++ int ret; ++ appl_pam_pwchange_required = 0; ++ ret = appl_pam_start(service, interactive, login_username, ++ non_interactive_password, hostname, ruser, tty); ++ if (ret == 0) { ++#ifdef DEBUG ++ printf("Calling pam_acct_mgmt().\n"); ++#endif ++ ret = pam_acct_mgmt(appl_pamh, 0); ++ switch (ret) { ++ case PAM_IGNORE: ++ ret = 0; ++ break; ++ case PAM_NEW_AUTHTOK_REQD: ++ appl_pam_pwchange_required = 1; ++ ret = 0; ++ break; ++ default: ++ break; ++ } ++ } ++ return ret; ++} ++int ++appl_pam_requires_chauthtok(void) ++{ ++ return appl_pam_pwchange_required; ++} ++int ++appl_pam_session_open(void) ++{ ++ int ret = 0; ++ if (appl_pam_started) { ++#ifdef DEBUG ++ printf("Opening PAM session.\n"); ++#endif ++ ret = pam_open_session(appl_pamh, 0); ++ if (ret == 0) { ++ appl_pam_session_opened = 1; ++ } ++ } ++ return ret; ++} ++int ++appl_pam_setenv(void) ++{ ++ int ret = 0; ++#ifdef HAVE_PAM_GETENVLIST ++#ifdef HAVE_PUTENV ++ int i; ++ char **list; ++ if (appl_pam_started) { ++ list = pam_getenvlist(appl_pamh); ++ for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) { ++#ifdef DEBUG ++ printf("Setting \"%s\" in environment.\n", list[i]); ++#endif ++ putenv(list[i]); ++ } ++ } ++#endif ++#endif ++ return ret; ++} ++int ++appl_pam_cred_init(void) ++{ ++ int ret = 0; ++ if (appl_pam_started) { ++#ifdef DEBUG ++ printf("Initializing PAM credentials.\n"); ++#endif ++ ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED); ++ if (ret == 0) { ++ appl_pam_creds_initialized = 1; ++ } ++ } ++ return ret; ++} ++#endif +diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h +new file mode 100644 +index 000000000..d45b9fd84 +--- /dev/null ++++ b/src/clients/ksu/pam.h +@@ -0,0 +1,57 @@ ++/* ++ * src/clients/ksu/pam.h ++ * ++ * Copyright 2007,2009,2010 Red Hat, Inc. ++ * ++ * All Rights Reserved. 
++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * Convenience wrappers for using PAM. 
++ */ ++ ++#include ++#ifdef HAVE_SECURITY_PAM_APPL_H ++#include ++#endif ++ ++#define USE_PAM_CONFIGURATION_KEYWORD "use_pam" ++ ++#ifdef USE_PAM ++int appl_pam_enabled(krb5_context context, const char *section); ++int appl_pam_acct_mgmt(const char *service, int interactive, ++ const char *local_username, ++ const char *non_interactive_password, ++ const char *hostname, ++ const char *ruser, ++ const char *tty); ++int appl_pam_requires_chauthtok(void); ++int appl_pam_session_open(void); ++int appl_pam_setenv(void); ++int appl_pam_cred_init(void); ++void appl_pam_cleanup(void); ++#endif +diff --git a/src/configure.ac b/src/configure.ac +index 4eb080784..693f76a81 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION]) + + AC_PATH_PROG(GROFF, groff) + ++KRB5_WITH_PAM ++ + # Make localedir work in autoconf 2.5x. + if test "${localedir+set}" != set; then + localedir='$(datadir)/locale' +-- +2.30.0 + diff --git a/0002-krb5-1.9-manpaths.patch b/0002-krb5-1.9-manpaths.patch new file mode 100644 index 0000000..add8196 --- /dev/null +++ b/0002-krb5-1.9-manpaths.patch 
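Review bot: In pam.c's appl_pam_start(), the conversation arguments `args.user` and `args.password` are strdup()'d into a function-static struct and never freed or wiped, so each restart after appl_pam_cleanup() leaks the previous copies, and a non-interactive password (ksu itself passes NULL here, but it is part of the API) would stay in the heap for the life of the process; the cleanup path should `free()` `args.user` and zero-then-free `args.password`, which means hoisting `args` to file scope next to `appl_pam_user`. The same function runs `strcmp(login_username, appl_pam_user)` before any NULL check on `login_username`, and the `appl_pam_user = NULL;` after the appl_pam_cleanup() call is redundant because cleanup already frees and clears it. Both converse callbacks assign `message` twice (`&(msg[0][i])` and then `msg[i]`, both marked XXX); the first assignment is dead and should be dropped, with a one-line comment noting that the code follows the `msg[i]` (array-of-pointers) convention. In main.c, `ttyname(STDERR_FILENO)` may return NULL; appl_pam_start() tolerates that by skipping PAM_TTY, which is worth a short comment at the call site since the PAM modules will then see no tty.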
@@ -0,0 +1,28 @@
+From 852d6a0d81b21673bdcb80ff13bf60dd5a416dd4 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero
+Date: Mon, 14 Jan 2019 13:06:55 +0100
+Subject: [PATCH 2/8] krb5-1.9-manpaths
+
+Import krb5-1.9-manpaths.dif
+
+Change the absolute paths included in the man pages so that the correct
+values can be dropped in by config.status. After applying this patch,
+these files should be renamed to their ".in" counterparts, and then the
+configure scripts should be rebuilt. Originally RT#6525
+---
+ src/man/kpropd.man | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: krb5-1.19.3/src/man/kpropd.man
+===================================================================
+--- krb5-1.19.3.orig/src/man/kpropd.man
++++ krb5-1.19.3/src/man/kpropd.man
+@@ -68,7 +68,7 @@ the \fB/etc/inetd.conf\fP file which loo
+ .sp
+ .nf
+ .ft C
+-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
++kprop stream tcp nowait root @SBINDIR@/kpropd kpropd
+ .ft P
+ .fi
+ .UNINDENT
diff --git a/0003-Adjust-build-configuration.patch b/0003-Adjust-build-configuration.patch
new file mode 100644
index 0000000..e78a59b
--- /dev/null
+++ b/0003-Adjust-build-configuration.patch
@@ -0,0 +1,72 @@
+From 48abdf7c7b28611c1135b35dfa23ac61899e80b2 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 23 Aug 2016 16:45:26 -0400
+Subject: [PATCH 3/8] Adjust build configuration
+
+Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
+and install shared libraries with the execute bit set on them. Prune out
+the -L/usr/lib* and PIE flags where they might leak out and affect
+apps which just want to link with the libraries. FIXME: needs to check and
+not just assume that the compiler supports using these flags.
+
+Last-updated: krb5-1.15-beta1
+---
+ src/build-tools/krb5-config.in | 7 +++++++
+ src/config/pre.in | 2 +-
+ src/config/shlib.conf | 5 +++--
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+Index: krb5-1.19.3/src/build-tools/krb5-config.in
+===================================================================
+--- krb5-1.19.3.orig/src/build-tools/krb5-config.in
++++ krb5-1.19.3/src/build-tools/krb5-config.in
+@@ -224,6 +224,13 @@ if test -n "$do_libs"; then
+ -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
+ -e 's#\$(CFLAGS)##'`
+
++ if test `dirname $libdir` = /usr ; then
++ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
++ fi
++ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
++
+ if test $library = 'kdb'; then
+ lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
+ library=krb5
+Index: krb5-1.19.3/src/config/pre.in
+===================================================================
+--- krb5-1.19.3.orig/src/config/pre.in
++++ krb5-1.19.3/src/config/pre.in
+@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
+ INSTALL_SCRIPT=@INSTALL_PROGRAM@
+ INSTALL_DATA=@INSTALL_DATA@
+ INSTALL_SHLIB=@INSTALL_SHLIB@
+-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
++INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
+ ## This is needed because autoconf will sometimes define @exec_prefix@ to be
+ ## ${prefix}.
+ prefix=@prefix@
+Index: krb5-1.19.3/src/config/shlib.conf
+===================================================================
+--- krb5-1.19.3.orig/src/config/shlib.conf
++++ krb5-1.19.3/src/config/shlib.conf
+@@ -424,7 +424,7 @@ mips-*-netbsd*)
+ # Linux ld doesn't default to stuffing the SONAME field...
+ # Use objdump -x to examine the fields of the library
+ # UNDEF_CHECK is suppressed by --enable-asan
+- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro -Wl,--warn-shared-textrel'
+ UNDEF_CHECK='-Wl,--no-undefined'
+ # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
+ LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
+@@ -436,7 +436,8 @@ mips-*-netbsd*)
+ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ PROFFLAGS=-pg
+ PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
++ INSTALL_SHLIB='${INSTALL} -m755'
+ CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
+ CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
+ CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
diff --git a/0004-krb5-1.6.3-gssapi_improve_errormessages.patch b/0004-krb5-1.6.3-gssapi_improve_errormessages.patch
new file mode 100644
index 0000000..7400647
--- /dev/null
+++ b/0004-krb5-1.6.3-gssapi_improve_errormessages.patch
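Review bot: Dropping `-o root` from INSTALL_SETUID in src/config/pre.in changes what a plain `make install` produces — a `-m 4755` binary owned by whoever runs install — without recording why; the change only makes sense when a packaging tool assigns ownership afterwards, so that intent belongs next to the assignment, e.g. `## -o root omitted: file ownership is assigned by the packaging tool at install time`. In the krb5-config.in hunk the `sed -e "s#-fPIE##g" -e "s#-pie##g"` and `s#-L$libdir##` substitutions match substrings, not whole words, so any flag or path that merely contains `-pie` or `$libdir` is mangled too; anchoring the patterns on the surrounding spaces would make the pruning safer. The commit's own FIXME about not probing compiler support for `-pie`/`-Wl,-z,now` still stands; a configure-time check would be preferable to the unconditional flags added to CC_LINK_SHARED and LDCOMBINE in shlib.conf.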
@@ -0,0 +1,26 @@
+From c1b8aa3d8546453544fd659ef18b96709eb88e54 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero
+Date: Mon, 14 Jan 2019 13:09:05 +0100
+Subject: [PATCH 4/8] krb5-1.6.3-gssapi_improve_errormessages
+
+Import krb5-1.6.3-gssapi_improve_errormessages.dif
+---
+ src/lib/gssapi/generic/disp_com_err_status.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/gssapi/generic/disp_com_err_status.c b/src/lib/gssapi/generic/disp_com_err_status.c
+index bc416107e..22612f970 100644
+--- a/src/lib/gssapi/generic/disp_com_err_status.c
++++ b/src/lib/gssapi/generic/disp_com_err_status.c
+@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *minor_status, OM_uint32 status_value,
+ status_string->value = NULL;
+
+ if (! g_make_string_buffer(((status_value == 0)?no_error:
+- error_message(status_value)),
++ error_message((long)status_value)),
+ status_string)) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+--
+2.25.0
+
diff --git a/0005-krb5-1.6.3-ktutil-manpage.patch b/0005-krb5-1.6.3-ktutil-manpage.patch
new file mode 100644
index 0000000..bfca999
--- /dev/null
+++ b/0005-krb5-1.6.3-ktutil-manpage.patch
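Review bot: The `(long)status_value` cast in disp_com_err_status.c zero-extends an OM_uint32, so a com_err code that was a negative 32-bit value when it was stored (krb5's own codes such as KRB5KDC_ERR_NONE are negative) reaches error_message() as a large positive long on LP64 targets; assuming error_message() is prototyped as taking a long, this is the same conversion the compiler already performed implicitly, so the cast silences a warning but does not change lookup behaviour. If the intent is a faithful round-trip of the original errcode, convert through a signed 32-bit type first, `error_message((errcode_t)(int32_t)status_value)`, unless error_message()'s table lookup (not visible here) already masks the value to 32 bits, in which case a one-line comment saying so would save the next reader the same question.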
@@ -0,0 +1,33 @@
+From 2a5b2877495384bbe5db8f3b66ac342f83cd45dc Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero
+Date: Mon, 14 Jan 2019 13:14:47 +0100
+Subject: [PATCH 5/8] krb5-1.6.3-ktutil-manpage
+
+Import krb5-1.6.3-ktutil-manpage.dif
+---
+ src/man/ktutil.man | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+Index: krb5-1.19.3/src/man/ktutil.man
+===================================================================
+--- krb5-1.19.3.orig/src/man/ktutil.man
++++ krb5-1.19.3/src/man/ktutil.man
+@@ -153,6 +153,18 @@ ktutil:
+ .sp
+ See kerberos(7) for a description of Kerberos environment
+ variables.
++.SH REMARKS
++Changes to the keytab are appended to the keytab file (i.e., the keytab file
++is never overwritten). To directly modify a keytab, save the changes to a
++temporary file and then overwrite the keytab file of interest.
++.TP
++.nf
++Example:
++ktutil> rkt /etc/krb5.keytab
++(modifications to keytab)
++ktutil> wkt /tmp/krb5.newtab
++ktutil> q
++# mv /tmp/krb5.newtab /etc/krb5.keytab
+ .SH SEE ALSO
+ .sp
+ kadmin(1), kdb5_util(8), kerberos(7)
diff --git a/0006-krb5-1.12-api.patch b/0006-krb5-1.12-api.patch
new file mode 100644
index 0000000..d639f74
--- /dev/null
+++ b/0006-krb5-1.12-api.patch
@@ -0,0 +1,42 @@
+From b8544a75b273008042fadf51f0b49c00617ff275 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero
+Date: Mon, 14 Jan 2019 13:15:50 +0100
+Subject: [PATCH 6/8] krb5-1.12-api
+
+Import krb5-1.12-api.patch
+
+Reference docs don't define what happens if you call krb5_realm_compare() with
+malformed krb5_principal structures. Define a behavior which keeps it from
+crashing if applications don't check ahead of time.
+---
+ src/lib/krb5/krb/princ_comp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
+index a6936107d..0ed78833b 100644
+--- a/src/lib/krb5/krb/princ_comp.c
++++ b/src/lib/krb5/krb/princ_comp.c
+@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context,
+ const krb5_data *realm1 = &princ1->realm;
+ const krb5_data *realm2 = &princ2->realm;
+
++ if (princ1 == NULL || princ2 == NULL)
++ return FALSE;
++ if (realm1 == NULL || realm2 == NULL)
++ return FALSE;
+ if (realm1->length != realm2->length)
+ return FALSE;
+ if (realm1->length == 0)
+@@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context,
+ krb5_principal upn2 = NULL;
+ krb5_boolean ret = FALSE;
+
++ if (princ1 == NULL || princ2 == NULL)
++ return FALSE;
++
+ if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
+ /* Treat UPNs as if they were real principals */
+ if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+--
+2.25.0
+
diff --git a/0007-SELinux-integration.patch b/0007-SELinux-integration.patch
new file mode 100644
index 0000000..23136c9
--- /dev/null
+++ b/0007-SELinux-integration.patch
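Review bot: In realm_compare_flags() the new NULL guard sits below the context lines `const krb5_data *realm1 = &princ1->realm;` and `realm2 = &princ2->realm;`, so a NULL principal already produces member-address arithmetic on a null pointer before the guard runs, and the second guard `if (realm1 == NULL || realm2 == NULL)` can never fire because both are addresses of members of structs that have just been checked. Move `if (princ1 == NULL || princ2 == NULL) return FALSE;` ahead of the two initialisations (declare `realm1`/`realm2` without initialisers and assign them after the check) and drop the realm NULL test. The krb5_principal_compare_flags() hunk is fine as written; both functions extend past their hunks.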
@@ -0,0 +1,1038 @@ +From cc329567eec2ab99f2dd883b2d48b069054d85b5 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:30:53 -0400 +Subject: [PATCH] SELinux integration + +SELinux bases access to files on the domain of the requesting process, +the operation being performed, and the context applied to the file. + +In many cases, applications needn't be SELinux aware to work properly, +because SELinux can apply a default label to a file based on the label +of the directory in which it's created. + +In the case of files such as /etc/krb5.keytab, however, this isn't +sufficient, as /etc/krb5.keytab will almost always need to be given a +label which differs from that of /etc/issue or /etc/resolv.conf. The +the kdb stash file needs a different label than the database for which +it's holding a master key, even though both typically live in the same +directory. + +To give the file the correct label, we can either force a "restorecon" +call to fix a file's label after it's created, or create the file with +the right label, as we attempt to do here. We lean on THREEPARAMOPEN +and define a similar macro named WRITABLEFOPEN with which we replace +several uses of fopen(). + +The file creation context that we're manipulating here is a process-wide +attribute. While for the most part, applications which need to label +files when they're created have tended to be single-threaded, there's +not much we can do to avoid interfering with an application that +manipulates the creation context directly. Right now we're mediating +access using a library-local mutex, but that can only work for consumers +that are part of this package -- an unsuspecting application will still +stomp all over us. + +The selabel APIs for looking up the context should be thread-safe (per +Red Hat #273081), so switching to using them instead of matchpathcon(), +which we used earlier, is some improvement. 
+ +Last-updated: krb5-1.20.1 +[jrische@redhat.com: Replace deprecated security_context_t by char *: + - src/util/support/selinux.c] +--- + src/aclocal.m4 | 49 +++ + src/build-tools/krb5-config.in | 3 +- + src/config/pre.in | 3 +- + src/configure.ac | 2 + + src/include/k5-int.h | 1 + + src/include/k5-label.h | 32 ++ + src/include/krb5/krb5.hin | 6 + + src/kadmin/dbutil/dump.c | 11 +- + src/kdc/main.c | 2 +- + src/kprop/kpropd.c | 9 + + src/lib/kadm5/logger.c | 4 +- + src/lib/kdb/kdb_log.c | 2 +- + src/lib/krb5/ccache/cc_dir.c | 26 +- + src/lib/krb5/keytab/kt_file.c | 4 +- + src/lib/krb5/os/trace.c | 2 +- + src/plugins/kdb/db2/adb_openclose.c | 2 +- + src/plugins/kdb/db2/kdb_db2.c | 4 +- + src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +- + src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +- + src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +- + .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +- + src/util/profile/prof_file.c | 3 +- + src/util/support/Makefile.in | 3 +- + src/util/support/selinux.c | 405 ++++++++++++++++++ + 24 files changed, 573 insertions(+), 21 deletions(-) + create mode 100644 src/include/k5-label.h + create mode 100644 src/util/support/selinux.c + +diff --git a/src/aclocal.m4 b/src/aclocal.m4 +index baec309ae..b09c74b1b 100644 +--- a/src/aclocal.m4 ++++ b/src/aclocal.m4 +@@ -85,6 +85,7 @@ AC_SUBST_FILE(libnodeps_frag) + dnl + KRB5_AC_PRAGMA_WEAK_REF + WITH_LDAP ++KRB5_WITH_SELINUX + KRB5_LIB_PARAMS + KRB5_AC_INITFINI + KRB5_AC_ENABLE_THREADS +@@ -1526,3 +1527,51 @@ AC_SUBST(PAM_LIBS) + AC_SUBST(PAM_MAN) + AC_SUBST(NON_PAM_MAN) + ])dnl ++dnl ++dnl Use libselinux to set file contexts on newly-created files. 
++dnl ++AC_DEFUN(KRB5_WITH_SELINUX,[ ++AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])], ++ withselinux="$withval",withselinux=auto) ++old_LIBS="$LIBS" ++if test "$withselinux" != no ; then ++ AC_MSG_RESULT([checking for libselinux...]) ++ SELINUX_LIBS= ++ AC_CHECK_HEADERS(selinux/selinux.h selinux/label.h) ++ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then ++ if test "$withselinux" = auto ; then ++ AC_MSG_RESULT([Unable to locate selinux/selinux.h.]) ++ withselinux=no ++ else ++ AC_MSG_ERROR([Unable to locate selinux/selinux.h.]) ++ fi ++ fi ++ ++ LIBS= ++ unset ac_cv_func_setfscreatecon ++ AC_CHECK_FUNCS(setfscreatecon selabel_open) ++ if test "x$ac_cv_func_setfscreatecon" = xno ; then ++ AC_CHECK_LIB(selinux,setfscreatecon) ++ unset ac_cv_func_setfscreatecon ++ AC_CHECK_FUNCS(setfscreatecon selabel_open) ++ if test "x$ac_cv_func_setfscreatecon" = xyes ; then ++ SELINUX_LIBS="$LIBS" ++ else ++ if test "$withselinux" = auto ; then ++ AC_MSG_RESULT([Unable to locate libselinux.]) ++ withselinux=no ++ else ++ AC_MSG_ERROR([Unable to locate libselinux.]) ++ fi ++ fi ++ fi ++ if test "$withselinux" != no ; then ++ AC_MSG_NOTICE([building with SELinux labeling support]) ++ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.]) ++ SELINUX_LIBS="$LIBS" ++ EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen krb5int_push_fscreatecon_for krb5int_pop_fscreatecon" ++ fi ++fi ++LIBS="$old_LIBS" ++AC_SUBST(SELINUX_LIBS) ++])dnl +diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in +index f153aeb1c..c2f13f38c 100755 +--- a/src/build-tools/krb5-config.in ++++ b/src/build-tools/krb5-config.in +@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' + DEFCCNAME='@DEFCCNAME@' + DEFKTNAME='@DEFKTNAME@' + DEFCKTNAME='@DEFCKTNAME@' ++SELINUX_LIBS='@SELINUX_LIBS@' + + LIBS='@LIBS@' + GEN_LIB=@GEN_LIB@ +@@ -261,7 +262,7 @@ if test -n 
"$do_libs"; then + fi + + # If we ever support a flag to generate output suitable for static +- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" ++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + # here. + + echo $lib_flags +diff --git a/src/config/pre.in b/src/config/pre.in +index c96d7c1f4..290f06cc2 100644 +--- a/src/config/pre.in ++++ b/src/config/pre.in +@@ -177,6 +177,7 @@ LD = $(PURE) @LD@ + KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include + LDFLAGS = @LDFLAGS@ + LIBS = @LIBS@ ++SELINUX_LIBS=@SELINUX_LIBS@ + + INSTALL=@INSTALL@ + INSTALL_STRIP= +@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) + # HESIOD_LIBS is -lhesiod... + HESIOD_LIBS = @HESIOD_LIBS@ + +-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) ++KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB) + KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) + GSS_LIBS = $(GSS_KRB5_LIB) + # needs fixing if ever used on macOS! +diff --git a/src/configure.ac b/src/configure.ac +index aa970b044..40545f2bf 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1402,6 +1402,8 @@ AC_PATH_PROG(GROFF, groff) + + KRB5_WITH_PAM + ++KRB5_WITH_SELINUX ++ + # Make localedir work in autoconf 2.5x. 
+ if test "${localedir+set}" != set; then + localedir='$(datadir)/locale' +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 44dc1eeb3..c3aecba7d 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -128,6 +128,7 @@ typedef unsigned char u_char; + + + #include "k5-platform.h" ++#include "k5-label.h" + + #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ + #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */ +diff --git a/src/include/k5-label.h b/src/include/k5-label.h +new file mode 100644 +index 000000000..dfaaa847c +--- /dev/null ++++ b/src/include/k5-label.h +@@ -0,0 +1,32 @@ ++#ifndef _KRB5_LABEL_H ++#define _KRB5_LABEL_H ++ ++#ifdef THREEPARAMOPEN ++#undef THREEPARAMOPEN ++#endif ++#ifdef WRITABLEFOPEN ++#undef WRITABLEFOPEN ++#endif ++ ++/* Wrapper functions which help us create files and directories with the right ++ * context labels. */ ++#ifdef USE_SELINUX ++#include ++#include ++#include ++#include ++#include ++FILE *krb5int_labeled_fopen(const char *path, const char *mode); ++int krb5int_labeled_creat(const char *path, mode_t mode); ++int krb5int_labeled_open(const char *path, int flags, ...); ++int krb5int_labeled_mkdir(const char *path, mode_t mode); ++int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device); ++#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z) ++#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y) ++void *krb5int_push_fscreatecon_for(const char *pathname); ++void krb5int_pop_fscreatecon(void *previous); ++#else ++#define WRITABLEFOPEN(x,y) fopen(x,y) ++#define THREEPARAMOPEN(x,y,z) open(x,y,z) ++#endif ++#endif +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index c0194c3c9..7e1dea2cb 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin +@@ -87,6 +87,12 @@ + #define THREEPARAMOPEN(x,y,z) open(x,y,z) + #endif + ++#if KRB5_PRIVATE ++#ifndef WRITABLEFOPEN ++#define WRITABLEFOPEN(x,y) fopen(x,y) ++#endif ++#endif ++ + #define KRB5_OLD_CRYPTO + + 
#include +diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c +index a89b5144f..4d6cc0bdf 100644 +--- a/src/kadmin/dbutil/dump.c ++++ b/src/kadmin/dbutil/dump.c +@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) + { + int fd = -1; + FILE *f; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + *tmpname = NULL; + if (asprintf(tmpname, "%s-XXXXXX", ofile) < 0) + goto error; + ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(ofile); ++#endif + fd = mkstemp(*tmpname); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (fd == -1) + goto error; + +@@ -197,7 +206,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd_out) + goto cleanup; + } + +- fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); ++ fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd == -1) { + com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); + goto cleanup; +diff --git a/src/kdc/main.c b/src/kdc/main.c +index 38b929906..085afc922 100644 +--- a/src/kdc/main.c ++++ b/src/kdc/main.c +@@ -848,7 +848,7 @@ write_pid_file(const char *path) + FILE *file; + unsigned long pid; + +- file = fopen(path, "w"); ++ file = WRITABLEFOPEN(path, "w"); + if (file == NULL) + return errno; + pid = (unsigned long) getpid(); +diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c +index f2341d720..ffdac9f39 100644 +--- a/src/kprop/kpropd.c ++++ b/src/kprop/kpropd.c +@@ -488,6 +488,9 @@ doit(int fd) + krb5_enctype etype; + int database_fd; + char host[INET6_ADDRSTRLEN + 1]; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + signal_wrapper(SIGALRM, alarm_handler); + alarm(params.iprop_resync_timeout); +@@ -543,9 +546,15 @@ doit(int fd) + free(name); + exit(1); + } ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(file); ++#endif + omask = umask(077); + lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600); + (void)umask(omask); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + 
retval = krb5_lock_file(kpropd_context, lock_fd, + KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); + if (retval) { +diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c +index c6885edf2..9aec3c05e 100644 +--- a/src/lib/kadm5/logger.c ++++ b/src/lib/kadm5/logger.c +@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do + */ + append = (cp[4] == ':') ? O_APPEND : 0; + if (append || cp[4] == '=') { +- fd = open(&cp[5], O_CREAT | O_WRONLY | append, ++ fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append, + S_IRUSR | S_IWUSR | S_IRGRP); + if (fd != -1) + f = fdopen(fd, append ? "a" : "w"); +@@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext) + * In case the old logfile did not get moved out of the + * way, open for append to prevent squashing the old logs. + */ +- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+"); ++ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+"); + if (f) { + set_cloexec_file(f); + log_control.log_entries[lindex].lfu_filep = f; +diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c +index 2659a2501..e9b95fce5 100644 +--- a/src/lib/kdb/kdb_log.c ++++ b/src/lib/kdb/kdb_log.c +@@ -480,7 +480,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) + return ENOMEM; + + if (stat(logname, &st) == -1) { +- log_ctx->ulogfd = open(logname, O_RDWR | O_CREAT, 0600); ++ log_ctx->ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); + if (log_ctx->ulogfd == -1) { + retval = errno; + goto cleanup; +diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c +index 1da40b51d..f3ab7340a 100644 +--- a/src/lib/krb5/ccache/cc_dir.c ++++ b/src/lib/krb5/ccache/cc_dir.c +@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents) + char *newpath = NULL; + FILE *fp = NULL; + int fd = -1, status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0) + 
return ENOMEM; ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(primary_path); ++#endif + fd = mkstemp(newpath); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (fd < 0) + goto cleanup; + #ifdef HAVE_CHMOD +@@ -221,10 +230,23 @@ static krb5_error_code + verify_dir(krb5_context context, const char *dirname) + { + struct stat st; ++ int status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (stat(dirname, &st) < 0) { +- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0) +- return 0; ++ if (errno == ENOENT) { ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(dirname); ++#endif ++ status = mkdir(dirname, S_IRWXU); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif ++ if (status == 0) ++ return 0; ++ } + k5_setmsg(context, KRB5_FCC_NOFILE, + _("Credential cache directory %s does not exist"), + dirname); +diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c +index e510211fc..f3ea28c8e 100644 +--- a/src/lib/krb5/keytab/kt_file.c ++++ b/src/lib/krb5/keytab/kt_file.c +@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) + + KTCHECKLOCK(id); + errno = 0; +- KTFILEP(id) = fopen(KTFILENAME(id), ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), + (mode == KRB5_LOCKMODE_EXCLUSIVE) ? 
"rb+" : "rb"); + if (!KTFILEP(id)) { + if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) { + /* try making it first time around */ + k5_create_secure_file(context, KTFILENAME(id)); + errno = 0; +- KTFILEP(id) = fopen(KTFILENAME(id), "rb+"); ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), "rb+"); + if (!KTFILEP(id)) + goto report_errno; + writevno = 1; +diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c +index 3369fc4ba..95f82cda0 100644 +--- a/src/lib/krb5/os/trace.c ++++ b/src/lib/krb5/os/trace.c +@@ -459,7 +459,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) + fd = malloc(sizeof(*fd)); + if (fd == NULL) + return ENOMEM; +- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); ++ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); + if (*fd == -1) { + free(fd); + return errno; +diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c +index 7db30a33b..2b9d01921 100644 +--- a/src/plugins/kdb/db2/adb_openclose.c ++++ b/src/plugins/kdb/db2/adb_openclose.c +@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, + * needs be open read/write so that write locking can work with + * POSIX systems + */ +- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { ++ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) { + /* + * maybe someone took away write permission so we could only + * get shared locks? 
+diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c +index 2c163d91c..9a344a603 100644 +--- a/src/plugins/kdb/db2/kdb_db2.c ++++ b/src/plugins/kdb/db2/kdb_db2.c +@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc) + if (retval) + return retval; + +- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, +- 0600); ++ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, ++ O_CREAT | O_RDWR | O_TRUNC, 0600); + if (dbc->db_lf_file < 0) { + retval = errno; + goto cleanup; +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +index 2977b17f3..d5809a5a9 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95"; + #include + #include + ++#include "k5-int.h" + #include "db-int.h" + #include "btree.h" + +@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags) + goto einval; + } + +- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0) ++ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + goto err; + + } else { +diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c +index 862dbb164..686a960c9 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ b/src/plugins/kdb/db2/libdb2/hash/hash.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95"; + #include + #endif + ++#include "k5-int.h" + #include "db-int.h" + #include "hash.h" + #include "page.h" +@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags) + new_table = 1; + } + if (file) { +- if ((hashp->fp = open(file, flags|O_BINARY, mode)) == -1) ++ if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1) + RETURN_ERROR(errno, error0); + (void)fcntl(hashp->fp, F_SETFD, 1); + } +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c 
b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +index d8b26e701..b0daa7c02 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94"; + #include + #include + ++#include "k5-int.h" + #include "db-int.h" + #include "recno.h" + +@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags) + int rfd = -1, sverrno; + + /* Open the user's file -- if this fails, we're done. */ +- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) ++ if (fname != NULL && ++ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + return (NULL); + + if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { +diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +index e87688d66..30f7c00ab 100644 +--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +@@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) + + /* set password in the file */ + old_mode = umask(0177); +- pfile = fopen(file_name, "a+"); ++ pfile = WRITABLEFOPEN(file_name, "a+"); + if (pfile == NULL) { + com_err(me, errno, _("Failed to open file %s: %s"), file_name, + strerror (errno)); +@@ -231,6 +231,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv) + * Delete the existing entry and add the new entry + */ + FILE *newfile; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + mode_t omask; + +@@ -242,7 +245,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv) + } + + omask = umask(077); ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(file_name); ++#endif + newfile = fopen(tmp_file, "w"); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + umask (omask); + if (newfile == NULL) { + com_err(me, errno, _("Error creating file %s"), tmp_file); +diff --git a/src/util/profile/prof_file.c 
b/src/util/profile/prof_file.c +index aa951df05..79f9500f6 100644 +--- a/src/util/profile/prof_file.c ++++ b/src/util/profile/prof_file.c +@@ -33,6 +33,7 @@ + #endif + + #include "k5-platform.h" ++#include "k5-label.h" + + struct global_shared_profile_data { + /* This is the head of the global list of shared trees */ +@@ -391,7 +392,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile, + + errno = 0; + +- f = fopen(new_file, "w"); ++ f = WRITABLEFOPEN(new_file, "w"); + if (!f) { + retval = errno; + if (retval == 0) +diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in +index 86d5a950a..1052d53a1 100644 +--- a/src/util/support/Makefile.in ++++ b/src/util/support/Makefile.in +@@ -74,6 +74,7 @@ IPC_SYMS= \ + + STLIBOBJS= \ + threads.o \ ++ selinux.o \ + init-addrinfo.o \ + plugins.o \ + errors.o \ +@@ -168,7 +169,7 @@ SRCS=\ + + SHLIB_EXPDEPS = + # Add -lm if dumping thread stats, for sqrt. +-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB) ++SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB) + + DEPLIBS= + +diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c +new file mode 100644 +index 000000000..807d039da +--- /dev/null ++++ b/src/util/support/selinux.c +@@ -0,0 +1,405 @@ ++/* ++ * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc. All Rights Reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. 
nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * File-opening wrappers for creating correctly-labeled files. So far, we can ++ * assume that this is Linux-specific, so we make many simplifying assumptions. ++ */ ++ ++#include "../../include/autoconf.h" ++ ++#ifdef USE_SELINUX ++ ++#include ++#include ++ ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* #define DEBUG 1 */ ++static void ++debug_log(const char *fmt, ...) ++{ ++#ifdef DEBUG ++ va_list ap; ++ va_start(ap, fmt); ++ if (isatty(fileno(stderr))) { ++ vfprintf(stderr, fmt, ap); ++ } ++ va_end(ap); ++#endif ++ ++ return; ++} ++ ++/* Mutex used to serialize use of the process-global file creation context. */ ++k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER; ++ ++/* Make sure we finish initializing that mutex before attempting to use it. 
*/ ++k5_once_t labeled_once = K5_ONCE_INIT; ++static void ++label_mutex_init(void) ++{ ++ k5_mutex_finish_init(&labeled_mutex); ++} ++ ++static struct selabel_handle *selabel_ctx; ++static time_t selabel_last_changed; ++ ++MAKE_FINI_FUNCTION(cleanup_fscreatecon); ++ ++static void ++cleanup_fscreatecon(void) ++{ ++ if (selabel_ctx != NULL) { ++ selabel_close(selabel_ctx); ++ selabel_ctx = NULL; ++ } ++} ++ ++static char * ++push_fscreatecon(const char *pathname, mode_t mode) ++{ ++ char *previous, *configuredsc, *currentsc, *genpath; ++ const char *derivedsc, *fullpath, *currentuser; ++ context_t current, derived; ++ ++ previous = configuredsc = currentsc = genpath = NULL; ++ derivedsc = NULL; ++ current = derived = NULL; ++ ++ fullpath = pathname; ++ ++ if (!is_selinux_enabled()) { ++ goto fail; ++ } ++ ++ if (getfscreatecon(&previous) != 0) { ++ goto fail; ++ } ++ ++ /* Canonicalize pathname */ ++ if (pathname[0] != '/') { ++ char *wd; ++ size_t len; ++ len = 0; ++ ++ wd = getcwd(NULL, len); ++ if (wd == NULL) { ++ goto fail; ++ } ++ ++ len = strlen(wd) + 1 + strlen(pathname) + 1; ++ genpath = malloc(len); ++ if (genpath == NULL) { ++ free(wd); ++ goto fail; ++ } ++ ++ sprintf(genpath, "%s/%s", wd, pathname); ++ free(wd); ++ fullpath = genpath; ++ } ++ ++ debug_log("Looking up context for \"%s\"(%05o).\n", fullpath, mode); ++ ++ /* Check whether context file has changed under us */ ++ if (selabel_ctx != NULL || selabel_last_changed == 0) { ++ const char *cpath; ++ struct stat st; ++ int i = -1; ++ ++ cpath = selinux_file_context_path(); ++ if (cpath == NULL || (i = stat(cpath, &st)) != 0 || ++ st.st_mtime != selabel_last_changed) { ++ cleanup_fscreatecon(); ++ ++ selabel_last_changed = i ? 
time(NULL) : st.st_mtime; ++ } ++ } ++ ++ if (selabel_ctx == NULL) { ++ selabel_ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0); ++ } ++ ++ if (selabel_ctx != NULL && ++ selabel_lookup(selabel_ctx, &configuredsc, fullpath, mode) != 0) { ++ goto fail; ++ } ++ ++ if (genpath != NULL) { ++ free(genpath); ++ genpath = NULL; ++ } ++ ++ if (configuredsc == NULL) { ++ goto fail; ++ } ++ ++ getcon(¤tsc); ++ ++ /* AAAAAAAA */ ++ if (currentsc != NULL) { ++ derived = context_new(configuredsc); ++ ++ if (derived != NULL) { ++ current = context_new(currentsc); ++ ++ if (current != NULL) { ++ currentuser = context_user_get(current); ++ ++ if (currentuser != NULL) { ++ if (context_user_set(derived, ++ currentuser) == 0) { ++ derivedsc = context_str(derived); ++ ++ if (derivedsc != NULL) { ++ freecon(configuredsc); ++ configuredsc = strdup(derivedsc); ++ } ++ } ++ } ++ ++ context_free(current); ++ } ++ ++ context_free(derived); ++ } ++ ++ freecon(currentsc); ++ } ++ ++ debug_log("Setting file creation context to \"%s\".\n", configuredsc); ++ if (setfscreatecon(configuredsc) != 0) { ++ debug_log("Unable to determine current context.\n"); ++ goto fail; ++ } ++ ++ freecon(configuredsc); ++ return previous; ++ ++fail: ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ if (genpath != NULL) { ++ free(genpath); ++ } ++ if (configuredsc != NULL) { ++ freecon(configuredsc); ++ } ++ ++ cleanup_fscreatecon(); ++ return NULL; ++} ++ ++static void ++pop_fscreatecon(char *previous) ++{ ++ if (!is_selinux_enabled()) { ++ return; ++ } ++ ++ if (previous != NULL) { ++ debug_log("Resetting file creation context to \"%s\".\n", previous); ++ } else { ++ debug_log("Resetting file creation context to default.\n"); ++ } ++ ++ /* NULL resets to default */ ++ setfscreatecon(previous); ++ ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ ++ /* Need to clean this up here otherwise it leaks */ ++ cleanup_fscreatecon(); ++} ++ ++void * ++krb5int_push_fscreatecon_for(const char *pathname) ++{ ++ 
struct stat st; ++ void *retval; ++ ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ++ if (stat(pathname, &st) != 0) { ++ st.st_mode = S_IRUSR | S_IWUSR; ++ } ++ ++ retval = push_fscreatecon(pathname, st.st_mode); ++ return retval ? retval : (void *) -1; ++} ++ ++void ++krb5int_pop_fscreatecon(void *con) ++{ ++ if (con != NULL) { ++ pop_fscreatecon((con == (void *) -1) ? NULL : con); ++ k5_mutex_unlock(&labeled_mutex); ++ } ++} ++ ++FILE * ++krb5int_labeled_fopen(const char *path, const char *mode) ++{ ++ FILE *fp; ++ int errno_save; ++ char *ctx; ++ ++ if ((strcmp(mode, "r") == 0) || ++ (strcmp(mode, "rb") == 0)) { ++ return fopen(path, mode); ++ } ++ ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, 0); ++ ++ fp = fopen(path, mode); ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return fp; ++} ++ ++int ++krb5int_labeled_creat(const char *path, mode_t mode) ++{ ++ int fd; ++ int errno_save; ++ char *ctx; ++ ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, 0); ++ ++ fd = creat(path, mode); ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return fd; ++} ++ ++int ++krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev) ++{ ++ int ret; ++ int errno_save; ++ char *ctx; ++ ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, mode); ++ ++ ret = mknod(path, mode, dev); ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return ret; ++} ++ ++int ++krb5int_labeled_mkdir(const char *path, mode_t mode) ++{ ++ int ret; ++ int errno_save; ++ char *ctx; ++ ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = 
push_fscreatecon(path, S_IFDIR); ++ ++ ret = mkdir(path, mode); ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return ret; ++} ++ ++int ++krb5int_labeled_open(const char *path, int flags, ...) ++{ ++ int fd; ++ int errno_save; ++ char *ctx; ++ mode_t mode; ++ va_list ap; ++ ++ if ((flags & O_CREAT) == 0) { ++ return open(path, flags); ++ } ++ ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, 0); ++ ++ va_start(ap, flags); ++ mode = va_arg(ap, mode_t); ++ fd = open(path, flags, mode); ++ va_end(ap); ++ ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return fd; ++} ++ ++#endif /* USE_SELINUX */ +-- +2.39.2 + diff --git a/0008-krb5-1.9-debuginfo.patch b/0008-krb5-1.9-debuginfo.patch new file mode 100644 index 0000000..8d44daa --- /dev/null +++ b/0008-krb5-1.9-debuginfo.patch 
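Review bot: push_fscreatecon's `fail:` path frees the context saved by `getfscreatecon(&previous)` and returns NULL even when it bails out before `setfscreatecon(configuredsc)` ever ran (selabel_open or selabel_lookup failing, no policy match for the path, or that setfscreatecon call itself failing), and every wrapper then calls `pop_fscreatecon(NULL)`, which does `setfscreatecon(NULL)`; a process that had deliberately set its own file-creation context loses it even though this code never changed it. Returning the saved value instead, `return previous;` in place of the `freecon(previous)`/`return NULL;` pair, makes the pop a no-op in that case and still yields NULL when there was no explicit context to restore. Relatedly, pop_fscreatecon ignores the result of `setfscreatecon(previous)`; if that restore fails, the krb5-derived label silently remains the process-wide creation context for every file the process creates afterwards, which is at least worth a `debug_log`. The debug text on the setfscreatecon failure branch, "Unable to determine current context.", also describes the wrong call.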
@@ -0,0 +1,44 @@ +From f079a7f765dc76eb01ba80fb7214ee0d25116e59 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:18:16 +0100 +Subject: [PATCH 8/8] krb5-1.9-debuginfo + +Import krb5-1.9-debuginfo.patch + +We want to keep these y.tab.c files around because the debuginfo points to +them. It would be more elegant at the end to use symbolic links, but that +could mess up people working in the tree on other things. +--- + src/kadmin/cli/Makefile.in | 5 +++++ + src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in +index adfea6e2b..8e89cf03b 100644 +--- a/src/kadmin/cli/Makefile.in ++++ b/src/kadmin/cli/Makefile.in +@@ -37,3 +37,8 @@ clean-unix:: + # CC_LINK is not meant for compilation and this use may break in the future. + datetest: getdate.c + $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c ++ ++%.c: %.y ++ $(RM) y.tab.c $@ ++ $(YACC.y) $< ++ $(CP) y.tab.c $@ +diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in +index 8669c2436..a22f23c02 100644 +--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in ++++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in +@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE) + getdate.c: $(GETDATE) + $(RM) getdate.c y.tab.c + $(YACC) $(GETDATE) +- $(MV) y.tab.c getdate.c ++ $(CP) y.tab.c getdate.c + + install: + $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) +-- +2.25.0 + diff --git a/0009-Ensure-array-count-consistency-in-kadm5-RPC.patch b/0009-Ensure-array-count-consistency-in-kadm5-RPC.patch new file mode 100644 index 0000000..b4dd7d6 --- /dev/null +++ b/0009-Ensure-array-count-consistency-in-kadm5-RPC.patch 
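Review bot: The `%.c: %.y` recipe added to kadmin/cli/Makefile.in produces `y.tab.c` in addition to `$@`, and nothing in the hunk accounts for that second output; since keeping it is the point of the change, `clean-unix::`, which the hunk header shows just above, should remove it explicitly with `$(RM) y.tab.c` unless the generic clean rule already does. Because the by-product has a fixed name per directory, two `.y` sources built under `make -j` in the same directory would race on it, which only matters if a second `.y` ever lands in kadmin/cli or ldap_util. The ldap_util switch from `$(MV)` to `$(CP)` now leaves the same `y.tab.c` behind, so the same clean consideration applies there. Both recipes also rely on `$(CP)` being defined in config/pre.in, which is not visible here.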
@@ -0,0 +1,67 @@
+From c93242bd934a1e4b6f21aae08fbbbd1984d1c653 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Wed, 21 Jun 2023 10:57:39 -0400
+Subject: [PATCH] Ensure array count consistency in kadm5 RPC
+
+In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
+key_data array count when decoding. Otherwise when the structure is
+later freed, xdr_array() could iterate over the wrong number of
+elements, either leaking some memory or freeing uninitialized
+pointers. Reported by Robert Morris.
+
+CVE-2023-36054:
+
+An authenticated attacker can cause a kadmind process to crash by
+freeing uninitialized pointers. Remote code execution is unlikely.
+An attacker with control of a kadmin server can cause a kadmin client
+to crash by freeing uninitialized pointers.
+
+(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)
+
+ticket: 9099
+version_fixed: 1.20.2
+
+(cherry picked from commit c81ffb6c8578a9b55c9d0a10342b5bc1bc6ec4df)
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 0411c3fd3..287cae750 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ int v)
+ {
+ unsigned int n;
++ bool_t r;
+ 
+ if (!xdr_krb5_principal(xdrs, &objp->principal)) {
+ return (FALSE);
+@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
+ return (FALSE);
+ }
++ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
++ return (FALSE);
++ }
+ if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
+ return (FALSE);
+ }
+@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ return FALSE;
+ }
+ n = objp->n_key_data;
+- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+- &n, ~0, 
sizeof(krb5_key_data), +- xdr_krb5_key_data_nocontents)) { ++ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data, ++ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents); ++ objp->n_key_data = n; ++ if (!r) { + return (FALSE); + } + +-- +2.41.0 + diff --git a/_multibuild b/_multibuild new file mode 100644 index 0000000..a6cd6f5 --- /dev/null +++ b/_multibuild @@ -0,0 +1,4 @@ + + krb5-mini + + diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..30cb51a --- /dev/null +++ b/baselibs.conf @@ -0,0 +1,4 @@ +krb5 + obsoletes "heimdal-lib-" + provides "heimdal-lib-" +krb5-devel diff --git a/krb5-1.20.1.tar.gz b/krb5-1.20.1.tar.gz new file mode 100644 index 0000000..aad5861 --- /dev/null +++ b/krb5-1.20.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851 +size 8661660 diff --git a/krb5-1.20.1.tar.gz.asc b/krb5-1.20.1.tar.gz.asc new file mode 100644 index 0000000..8f477a9 --- /dev/null +++ b/krb5-1.20.1.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmNvED8ACgkQDLoIV1+D +ct9uKw/8C5GS8mdh335lB+bkfjYYCZLD+oQToDAAbdCddrIcuLftvnTfXJ8cMtMc +UT2hsp8u7ZupjJRevdhaH7fFwomc0V8iSES5J2cQHTNd9aK93j/W6NaMoqWLrQWg +jx99oqLn7orvp8N5RufEQcNMNWhFIX4XSfrA3vPfHbbffA2vkjJzOGno4UHi8zUn +6nye7jbrBpiQIeFIJSS3VPsvGrKdRgb9BqGTUsqPIuFvr3Qvo42lKr5X8CWYSXjK +0aKlOpfbWdkteEe2o84/wyMpuGvmYkmOgaMB5xQ3jfEuvPNAWX2CWHNDamiqwBT/ +YxwhZimNa1B9r3P1yDHvpUu8cJaRzw2UDRi2f3Kztrmn2jlqzmoZ31WBALJA7lmL +SrVFdXi7AcWwppMp1kbe9SvurCXID8/Q4n+qAdzSvqrXbeWerVUkdYFvtxQ1bMJR +jnqN11iZFYaoCaaR2lFEhjoMdR80jUa2m6vdF7a7xhH1UvuPHDnzLT9X/TiPvx0R +Itrp5MMIrUQHcZUL9hM5hrg3nxEsGsSCnjB0zWDmgXdLGwd4CvcOF4HPQR3BBlEH +CLtAa27bBXMJTYVvmmKt06hw+U3ALDfUlFrV6ZNLr9ug69l29n7JoChAbZ97Hx1m +twPwJpKd8AiUz+j3KCfgGU21qMbHNP3jEn3q9tkq0qcs/z7RCmU= +=1WIq +-----END PGP SIGNATURE----- 
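Review bot: The unconditional `objp->n_key_data = n;` placed before the `if (!r)` test is the load-bearing line of this fix and should carry a comment, because the obvious "cleanup" of moving it under the success path would reintroduce the count/array mismatch the CVE is about. Its correctness rests on gssrpc's xdr_array() having already written the wire count into `n` before it fails (which the commit message implies but the hunk does not show), so that a later XDR_FREE pass walks exactly the elements that were allocated; I would add `/* Keep n_key_data in sync with what xdr_array() allocated, even on failure, so a later XDR_FREE neither overruns nor leaks the array. */`. The `n_key_data < 0` guard is applied only for XDR_DECODE, so a negative count supplied by a caller on the encode side still reaches xdr_array() as a very large unsigned maxsize; that is local caller data rather than wire input, but a short comment saying so would keep the next reader from filing it as a gap. The enclosing _xdr_kadm5_principal_ent_rec() starts and ends outside these hunks, and the tl_data count decoded just below is not covered by the same consistency treatment here, which may be handled elsewhere.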
diff --git a/krb5-mini.changes b/krb5-mini.changes new file mode 100644 index 0000000..9649b28 --- /dev/null +++ b/krb5-mini.changes 
@@ -0,0 +1,2199 @@ +------------------------------------------------------------------- +Tue Aug 8 11:17:33 UTC 2023 - Samuel Cabrero + +- Ensure array count consistency in kadm5 RPC; (bsc#1214054); + (CVE-2023-36054); +- Added patches: + * 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch + +------------------------------------------------------------------- +Thu May 4 13:42:23 UTC 2023 - Frederic Crozat + +- Add _multibuild to define additional spec files as additional + flavors. + Eliminates the need for source package links in OBS. + +------------------------------------------------------------------- +Thu Mar 23 10:12:48 UTC 2023 - Dominique Leuenberger + +- Build mini flavor without keyutils support: breaks cycle between + krb5-mini and keyutils. + +------------------------------------------------------------------- +Fri Mar 3 10:20:22 UTC 2023 - Samuel Cabrero + +- Update 0007-SELinux-integration.patch for SELinux 3.5; + (bsc#1208887); + +------------------------------------------------------------------- +Tue Dec 13 10:49:47 UTC 2022 - Samuel Cabrero + +- Drop 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch, + already fixed in release 1.20.0 + +------------------------------------------------------------------- +Wed Nov 16 07:49:09 UTC 2022 - Samuel Cabrero + +- Update to 1.20.1; (bsc#1205126); (CVE-2022-42898); + * Fix integer overflows in PAC parsing [CVE-2022-42898]. + * Fix null deref in KDC when decoding invalid NDR. + * Fix memory leak in OTP kdcpreauth module. + * Fix PKCS11 module path search. + +------------------------------------------------------------------- +Sun May 29 19:14:02 UTC 2022 - Dirk Müller + +- update to 1.20.0: + * Added a "disable_pac" realm relation to suppress adding PAC authdata + to tickets, for realms which do not need to support S4U requests. + * Most credential cache types will use atomic replacement when a cache + is reinitialized using kinit or refreshed from the client keytab. 
+ * kprop can now propagate databases with a dump size larger than 4GB, + if both the client and server are upgraded. + * kprop can now work over NATs that change the destination IP address, + if the client is upgraded. + * Updated the KDB interface. The sign_authdata() method is replaced + with the issue_pac() method, allowing KDB modules to add logon info + and other buffers to the PAC issued by the KDC. + * Host-based initiator names are better supported in the GSS krb5 + mechanism. + * Replaced AD-SIGNEDPATH authdata with minimal PACs. + * To avoid spurious replay errors, password change requests will not + be attempted over UDP until the attempt over TCP fails. + * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1. + * Updated all code using OpenSSL to be compatible with OpenSSL 3. + * Reorganized the libk5crypto build system to allow the OpenSSL + back-end to pull in material from the builtin back-end depending on + the OpenSSL version. + * Simplified the PRNG logic to always use the platform PRNG. + * Converted the remaining Tcl tests to Python. + +------------------------------------------------------------------- +Sat Apr 9 11:31:42 UTC 2022 - Dirk Müller + +- update to 1.19.3 (bsc#1189929, CVE-2021-37750): + * Fix a denial of service attack against the KDC [CVE-2021-37750]. 
+ * Fix KDC null deref on TGS inner body null server + * Fix conformance issue in GSSAPI tests + +------------------------------------------------------------------- +Thu Jan 27 22:21:52 UTC 2022 - David Mulder + +- Resolve "Credential cache directory /run/user/0/krb5cc does not + exist while opening default credentials cache" by using a kernel + keyring instead of a dir cache; (bsc#1109830); + +------------------------------------------------------------------- +Thu Sep 30 14:14:23 UTC 2021 - Johannes Segitz + +- Added hardening to systemd services; (bsc#1181400); + +------------------------------------------------------------------- +Mon Aug 30 12:45:25 UTC 2021 - Samuel Cabrero + +- Fix KDC null pointer dereference via a FAST inner body that + lacks a server field; (CVE-2021-37750); (bsc#1189929); +- Added patches: + * 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch + +------------------------------------------------------------------- +Mon Aug 2 08:39:31 UTC 2021 - Samuel Cabrero + +- Update to 1.19.2 + * Fix a denial of service attack against the KDC encrypted challenge + code; (CVE-2021-36222); + * Fix a memory leak when gss_inquire_cred() is called without a + credential handle. + +------------------------------------------------------------------- +Thu Apr 22 15:10:12 UTC 2021 - Samuel Cabrero + +- Use /run instead of /var/run for daemon PID files; (bsc#1185163); + +------------------------------------------------------------------- +Fri Feb 19 12:10:25 UTC 2021 - Samuel Cabrero + +- Update to 1.19.1 + * Fix a linking issue with Samba. + * Better support multiple pkinit_identities values by checking whether + certificates can be loaded for each value. 
+ +------------------------------------------------------------------- +Fri Feb 5 10:36:51 UTC 2021 - Samuel Cabrero + +- Update to 1.19 + Administrator experience + * When a client keytab is present, the GSSAPI krb5 mech will refresh + credentials even if the current credentials were acquired manually. + * It is now harder to accidentally delete the K/M entry from a KDB. + Developer experience + * gss_acquire_cred_from() now supports the "password" and "verify" + options, allowing credentials to be acquired via password and + verified using a keytab key. + * When an application accepts a GSS security context, the new + GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor + both provided matching channel bindings. + * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests + to identify the desired client principal by certificate. + * PKINIT certauth modules can now cause the hw-authent flag to be set + in issued tickets. + * The krb5_init_creds_step() API will now issue the same password + expiration warnings as krb5_get_init_creds_password(). + Protocol evolution + * Added client and KDC support for Microsoft's Resource-Based Constrained + Delegation, which allows cross-realm S4U2Proxy requests. A third-party + database module is required for KDC support. + * kadmin/admin is now the preferred server principal name for kadmin + connections, and the host-based form is no longer created by default. + The client will still try the host-based form as a fallback. + * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT + extension, which causes channel bindings to be required for the + initiator if the acceptor provided them. The client will send this + option if the client_aware_gss_bindings profile option is set. + User experience + * kinit will now issue a warning if the des3-cbc-sha1 encryption type is + used in the reply. This encryption type will be deprecated and removed + in future releases. 
+ * Added kvno flags --out-cache, --no-store, and --cached-only + (inspired by Heimdal's kgetcred). + +------------------------------------------------------------------- +Thu Nov 19 09:30:13 UTC 2020 - Samuel Cabrero + +- Update to 1.18.3 + * Fix a denial of service vulnerability when decoding Kerberos + protocol messages; (CVE-2020-28196); (bsc#1178512); + * Fix a locking issue with the LMDB KDB module which could cause + KDC and kadmind processes to lose access to the database. + * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded + and unloaded while libkrb5support remains loaded. + +------------------------------------------------------------------- +Tue Jul 7 17:38:11 UTC 2020 - Andreas Schwab + +- Don't fail if %{_lto_cflags} is empty + +------------------------------------------------------------------- +Fri Jun 12 08:38:23 UTC 2020 - Dominique Leuenberger + +- Do not mangle libexecdir, bindir, sbindir and datadir: there is + no reasonable justification to step out of the defaults. + +------------------------------------------------------------------- +Fri May 29 08:38:37 UTC 2020 - Samuel Cabrero + +- Update to 1.18.2 + * Fix a SPNEGO regression where an acceptor using the default credential + would improperly filter mechanisms, causing a negotiation failure. + * Fix a bug where the KDC would fail to issue tickets if the local krbtgt + principal's first key has a single-DES enctype. + * Add stub functions to allow old versions of OpenSSL libcrypto to link + against libkrb5. + * Fix a NegoEx bug where the client name and delegated credential might + not be reported. + +------------------------------------------------------------------- +Thu May 28 15:21:46 UTC 2020 - Samuel Cabrero + +- Update logrotate script, call systemd to reload the services + instead of init-scripts. 
(boo#1169357) + +------------------------------------------------------------------- +Tue May 26 15:36:25 UTC 2020 - Christophe Giboudeaux + +- Don't add the lto flags to the public link options. (boo#1172038) + +------------------------------------------------------------------- +Mon May 4 09:24:21 UTC 2020 - Samuel Cabrero + +- Upgrade to 1.18.1 + * Fix a crash when qualifying short hostnames when the system has + no primary DNS domain. + * Fix a regression when an application imports "service@" as a GSS + host-based name for its acceptor credential handle. + * Fix KDC enforcement of auth indicators when they are modified by + the KDB module. + * Fix removal of require_auth string attributes when the LDAP KDB + module is used. + * Fix a compile error when building with musl libc on Linux. + * Fix a compile error when building with gcc 4.x. + * Change the KDC constrained delegation precedence order for consistency + with Windows KDCs. +- Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch + +------------------------------------------------------------------- +Wed Apr 29 08:06:31 UTC 2020 - Dominique Leuenberger + +- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d + notation: libexecdir is likely changing away from /usr/lib to + /usr/libexec. 
+ +------------------------------------------------------------------- +Wed Mar 25 09:20:38 UTC 2020 - Samuel Cabrero + +- Fix segfault in k5_primary_domain; (bsc#1167620); +- Added patches: + * 0009-Fix-null-dereference-qualifying-short-hostnames.patch + +------------------------------------------------------------------- +Tue Feb 25 08:36:37 UTC 2020 - Tomáš Chvátal + +- Remove cruft to support distributions older than SLE 12 +- Use macros where applicable +- Switch to pkgconfig style dependencies + +------------------------------------------------------------------- +Mon Feb 17 17:26:16 UTC 2020 - Samuel Cabrero + +- Upgrade to 1.18 + Administrator experience: + * Remove support for single-DES encryption types. + * Change the replay cache format to be more efficient and robust. + Replay cache filenames using the new format end with ".rcache2" + by default. + * setuid programs will automatically ignore environment variables + that normally affect krb5 API functions, even if the caller does + not use krb5_init_secure_context(). + * Add an "enforce_ok_as_delegate" krb5.conf relation to disable + credential forwarding during GSSAPI authentication unless the KDC + sets the ok-as-delegate bit in the service ticket. + * Use the permitted_enctypes krb5.conf setting as the default value + for default_tkt_enctypes and default_tgs_enctypes. + Developer experience: + * Implement krb5_cc_remove_cred() for all credential cache types. + * Add the krb5_pac_get_client_info() API to get the client account + name from a PAC. + Protocol evolution: + * Add KDC support for S4U2Self requests where the user is identified + by X.509 certificate. (Requires support for certificate lookup from + a third-party KDB module.) + * Remove support for an old ("draft 9") variant of PKINIT. + * Add support for Microsoft NegoEx. (Requires one or more third-party + GSS modules implementing NegoEx mechanisms.) 
+ User experience: + * Add support for "dns_canonicalize_hostname=fallback", causing + host-based principal names to be tried first without DNS + canonicalization, and again with DNS canonicalization if the + un-canonicalized server is not found. + * Expand single-component hostnames in host-based principal names + when DNS canonicalization is not used, adding the system's first DNS + search path as a suffix. Add a "qualify_shortname" krb5.conf relation + to override this suffix or disable expansion. + * Honor the transited-policy-checked ticket flag on application servers, + eliminating the requirement to configure capaths on servers in some + scenarios. + Code quality: + * The libkrb5 serialization code (used to export and import krb5 GSS + security contexts) has been simplified and made type-safe. + * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED + messages has been revised to conform to current coding practices. + * The test suite has been modified to work with macOS System Integrity + Protection enabled. + * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support + can always be tested. +- Updated patches: + * 0002-krb5-1.9-manpaths.patch + * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * 0005-krb5-1.6.3-ktutil-manpage.patch + * 0006-krb5-1.12-api.patch +- Renamed patches: + * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch + * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch + * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch + * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch +- Deleted patches: + * 0007-krb5-1.12-ksu-path.patch + +------------------------------------------------------------------- +Thu Dec 12 08:56:09 UTC 2019 - Samuel Cabrero + +- Upgrade to 1.17.1 + * Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin. + * Fix a bug preventing time skew correction from working when a KCM + credential cache is used. 
+ +------------------------------------------------------------------- +Mon Aug 5 15:26:39 UTC 2019 - Samuel Cabrero + +- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947); + (bsc#1144047); + +------------------------------------------------------------------- +Wed Jul 24 09:57:59 UTC 2019 - matthias.gerstner@suse.com + +- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by + firewalld, see [1]. + + [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html + +------------------------------------------------------------------- +Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt + +- Replace old $RPM_* shell vars + +------------------------------------------------------------------- +Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero + +- Upgrade to 1.17. Major changes: + Administrator experience: + * A new Kerberos database module using the Lightning Memory-Mapped + Database library (LMDB) has been added. The LMDB KDB module should + be more performant and more robust than the DB2 module, and may + become the default module for new databases in a future release. + * "kdb5_util dump" will no longer dump policy entries when specific + principal names are requested. + Developer experience: + * The new krb5_get_etype_info() API can be used to retrieve enctype, + salt, and string-to-key parameters from the KDC for a client + principal. + * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise + principal names to be used with GSS-API functions. + * KDC and kadmind modules which call com_err() will now write to the + log file in a format more consistent with other log messages. + * Programs which use large numbers of memory credential caches should + perform better. + Protocol evolution: + * The SPAKE pre-authentication mechanism is now supported. This + mechanism protects against password dictionary attacks without + requiring any additional infrastructure such as certificates. 
SPAKE + is enabled by default on clients, but must be manually enabled on + the KDC for this release. + * PKINIT freshness tokens are now supported. Freshness tokens can + protect against scenarios where an attacker uses temporary access to + a smart card to generate authentication requests for the future. + * Password change operations now prefer TCP over UDP, to avoid + spurious error messages about replays when a response packet is + dropped. + * The KDC now supports cross-realm S4U2Self requests when used with a + third-party KDB module such as Samba's. The client code for + cross-realm S4U2Self requests is also now more robust + (CVE-2018-20217). + User experience: + * The new ktutil addent -f flag can be used to fetch salt information + from the KDC for password-based keys. + * The new kdestroy -p option can be used to destroy a credential cache + within a collection by client principal name. + * The Kerberos man page has been restored, and documents the + environment variables that affect programs using the Kerberos + library. + Code quality: + * Python test scripts now use Python 3. + * Python test scripts now display markers in verbose output, making it + easier to find where a failure occurred within the scripts. + * The Windows build system has been simplified and updated to work + with more recent versions of Visual Studio. A large volume of + unused Windows-specific code has been removed. Visual Studio 2013 + or later is now required. 
+- Use systemd-tmpfiles to create files under /var/lib/kerberos, required + by transactional updates; (bsc#1100126); +- Rename patches: + * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch + * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch + * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch + * krb5-1.6.3-gssapi_improve_errormessages.dif to + 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch + * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch + * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch + * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch + * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch + +------------------------------------------------------------------- +Tue Oct 9 20:13:24 UTC 2018 - James McDonough + +- Upgrade to 1.16.1 + * kdc client cert matching on client principal entry + * Allow ktutil addent command to ignore key version and use + non-default salt string. + * add kpropd pidfile support + * enable "encrypted_challenge_indicator" realm option on tickets + obtained using FAST encrypted challenge pre-authentication. + * dates through 2106 accepted + * KDC support for trivially renewable tickets + * stop caching referral and alternate cross-realm TGTs to prevent + duplicate credential cache entries + +------------------------------------------------------------------- +Fri May 4 09:48:36 UTC 2018 - michael@stroeder.com + +- Upgrade to 1.15.3 + * Fix flaws in LDAP DN checking, including a null dereference KDC + crash which could be triggered by kadmin clients with administrative + privileges [CVE-2018-5729, CVE-2018-5730]. + * Fix a KDC PKINIT memory leak. + * Fix a small KDC memory leak on transited or authdata errors when + processing TGS requests. + * Fix a null dereference when the KDC sends a large TGS reply. + * Fix "kdestroy -A" with the KCM credential cache type. + * Fix the handling of capaths "." values. 
+ * Fix handling of repeated subsection specifications in profile files + (such as when multiple included files specify relations in the same + subsection). + +------------------------------------------------------------------- +Wed Apr 25 21:56:35 UTC 2018 - luizluca@gmail.com + +- Added support for /etc/krb5.conf.d/ for configuration snippets + +------------------------------------------------------------------- +Thu Nov 23 13:38:33 UTC 2017 - rbrown@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +------------------------------------------------------------------- +Mon Oct 2 22:53:28 UTC 2017 - jengelh@inai.de + +- Update package descriptions. + +------------------------------------------------------------------- +Mon Sep 25 19:45:05 UTC 2017 - michael@stroeder.com + +- Upgrade to 1.15.2 + * Fix a KDC denial of service vulnerability caused by unset status + strings [CVE-2017-11368] + * Preserve GSS contexts on init/accept failure [CVE-2017-11462] + * Fix kadm5 setkey operation with LDAP KDB module + * Use a ten-second timeout after successful connection for HTTPS KDC + requests, as we do for TCP requests + * Fix client null dereference when KDC offers encrypted challenge + without FAST + * Ignore dotfiles when processing profile includedir directive + * Improve documentation + +------------------------------------------------------------------- +Fri Aug 18 08:27:26 UTC 2017 - hguo@suse.com + +- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf + in order to improve client security in handling service principle + names. 
(bsc#1054028) + +------------------------------------------------------------------- +Tue Jun 6 13:36:34 UTC 2017 - hguo@suse.com + +- There is no change made about the package itself, this is only + copying over some changelog texts from SLE package: +- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355 + krb5: denial of service in krb5_read_message +- bug#912002 owned by varkoly@suse.com: VUL-0 + CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423: + krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token +- bug#910458 owned by varkoly@suse.com: VUL-1 + CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries +- bug#928978 owned by varkoly@suse.com: VUL-0 + CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading + to requires_preauth bypass +- bug#910457 owned by varkoly@suse.com: VUL-1 + CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy + name as a password policy name +- bug#991088 owned by hguo@suse.com: VUL-1 + CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted +- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires +- [fate#320326](https://fate.suse.com/320326) +- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference + from \cite + +------------------------------------------------------------------- +Thu Apr 6 13:00:26 CEST 2017 - kukuk@suse.de + +- Remove wrong PreRequires + +------------------------------------------------------------------- +Thu Mar 9 20:58:42 UTC 2017 - michael@stroeder.com + +- use HTTPS project and source URLs + +------------------------------------------------------------------- +Thu Mar 9 16:31:41 UTC 2017 - meissner@suse.com + +- use source urls. 
+- krb5.keyring: Added Greg Hudson + +------------------------------------------------------------------- +Sat Mar 4 21:29:34 UTC 2017 - michael@stroeder.com + +- removed obsolete krb5-1.15-fix_kdb_free_principal_e_data.patch +- Upgrade to 1.15.1 + * Allow KDB modules to determine how the e_data field of principal + fields is freed + * Fix udp_preference_limit when the KDC location is configured with + SRV records + * Fix KDC and kadmind startup on some IPv4-only systems + * Fix the processing of PKINIT certificate matching rules which have + two components and no explicit relation + * Improve documentation + +------------------------------------------------------------------- +Thu Jan 19 16:01:27 UTC 2017 - asn@cryptomilk.org + +- Introduce patch + krb5-1.15-fix_kdb_free_principal_e_data.patch + to fix freeing of e_data in the kdb principal + +------------------------------------------------------------------- +Sat Dec 3 13:04:11 UTC 2016 - michael@stroeder.com + +- Upgrade to 1.15 +- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2 +- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since + file is not available in upstream source anymore +- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15 +- doc/CHANGES not available in 1.15 source anymore + +- Upgrade from 1.14.4 to 1.15 - major changes: + Administrator experience: + * Add support to kadmin for remote extraction of current keys without + changing them (requires a special kadmin permission that is excluded + from the wildcard permission), with the exception of highly + protected keys. + * Add a lockdown_keys principal attribute to prevent retrieval of the + principal's keys (old or new) via the kadmin protocol. In newly + created databases, this attribute is set on the krbtgt and kadmin + principals. + * Restore recursive dump capability for DB2 back end, so sites can + more easily recover from database corruption resulting from power + failure events. 
+ * Add DNS auto-discovery of KDC and kpasswd servers from URI records, + in addition to SRV records. URI records can convey TCP and UDP + servers and master KDC status in a single DNS lookup, and can also + point to HTTPS proxy servers. + * Add support for password history to the LDAP back end. + * Add support for principal renaming to the LDAP back end. + * Use the getrandom system call on supported Linux kernels to avoid + blocking problems when getting entropy from the operating system. + * In the PKINIT client, use the correct DigestInfo encoding for PKCS + #1 signatures, so that some especially strict smart cards will work. + Code quality: + * Clean up numerous compilation warnings. + * Remove various infrequently built modules, including some preauth + modules that were not built by default. + Developer experience: + * Add support for building with OpenSSL 1.1. + * Use SHA-256 instead of MD5 for (non-cryptographic) hashing of + authenticators in the replay cache. This helps sites that must + build with FIPS 140 conformant libraries that lack MD5. + Protocol evolution: + * Add support for the AES-SHA2 enctypes, which allows sites to conform + to Suite B crypto requirements. 
+
+- Upgrade from 1.14.3 to 1.14.4 - major changes:
+ * Fix some rare btree data corruption bugs
+ * Fix numerous minor memory leaks
+ * Improve portability (Linux-ppc64el, FreeBSD)
+ * Improve some error messages
+ * Improve documentation
+
+-------------------------------------------------------------------
+Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com
+
+- Upgrade from 1.14.2 to 1.14.3:
+ * Improve some error messages
+ * Improve documentation
+ * Allow a principal with nonexistent policy to bypass the minimum
+ password lifetime check, consistent with other aspects of
+ nonexistent policies
+ * Fix a rare KDC denial of service vulnerability when anonymous client
+ principals are restricted to obtaining TGTs only [CVE-2016-3120]
+
+------------------------------------------------------------------
+Tue May 10 12:41:14 UTC 2016 - hguo@suse.com
+
+- Remove source file ccapi/common/win/OldCC/autolock.hxx
+ that is not needed and does not carry an acceptable license.
+ (bsc#968111)
+
+-------------------------------------------------------------------
+Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com
+
+- removed obsolete patches:
+ * 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+ * krb5-mechglue_inqure_attrs.patch
+- Upgrade from 1.14.1 to 1.14.2:
+ * Fix a moderate-severity vulnerability in the LDAP KDC back end that
+ could be exploited by a privileged kadmin user [CVE-2016-3119]
+ * Improve documentation
+ * Fix some interactions with GSSAPI interposer mechanisms
+
+-------------------------------------------------------------------
+Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com
+
+- Upgrade from 1.14 to 1.14.1:
+ * Remove expired patches:
+ 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
+ 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
+ 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+ krbdev.mit.edu-8301.patch
+ * Replace source archives:
+ krb5-1.14.tar.gz ->
+ krb5-1.14.1.tar.gz
+ krb5-1.14.tar.gz.asc ->
+ krb5-1.14.1.tar.gz.asc
+ * Adjust line numbers in:
+ krb5-fix_interposer.patch
+
+-------------------------------------------------------------------
+Thu Feb 11 15:07:26 UTC 2016 - hguo@suse.com
+
+- Remove krb5 pieces from spec file.
+ Hence remove pre_checkin.sh
+- Remove expired macros and other minor clena-ups in spec file.
+- Change package description to explain what "mini" means.
+
+-------------------------------------------------------------------
+Mon Jan 11 12:33:54 UTC 2016 - idonmez@suse.com
+
+- Add two patches from Fedora, fixing two crashes:
+ * krb5-fix_interposer.patch
+ * krb5-mechglue_inqure_attrs.patch
+
+-------------------------------------------------------------------
+Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com
+
+- Update to 1.14
+- dropped krb5-kvno-230379.patch
+- added krbdev.mit.edu-8301.patch fixing wrong function call
+
+Major changes in 1.14 (2015-11-20)
+==================================
+
+Administrator experience:
+
+* Add a new kdb5_util tabdump command to provide reporting-friendly
+ tabular dump formats (tab-separated or CSV) for the KDC database.
+ Unlike the normal dump format, each output table has a fixed number
+ of fields. Some tables include human-readable forms of data that
+ are opaque in ordinary dump files. This format is also suitable for
+ importing into relational databases for complex queries.
+* Add support to kadmin and kadmin.local for specifying a single
+ command line following any global options, where the command
+ arguments are split by the shell--for example, "kadmin getprinc
+ principalname". Commands issued this way do not prompt for
+ confirmation or display warning messages, and exit with non-zero
+ status if the operation fails.
+* Accept the same principal flag names in kadmin as we do for the
+ default_principal_flags kdc.conf variable, and vice versa. Also
+ accept flag specifiers in the form that kadmin prints, as well as
+ hexadecimal numbers.
+* Remove the triple-DES and RC4 encryption types from the default
+ value of supported_enctypes, which determines the default key and
+ salt types for new password-derived keys. By default, keys will
+ only created only for AES128 and AES256. This mitigates some types
+ of password guessing attacks.
+* Add support for directory names in the KRB5_CONFIG and
+ KRB5_KDC_PROFILE environment variables.
+* Add support for authentication indicators, which are ticket
+ annotations to indicate the strength of the initial authentication.
+ Add support for the "require_auth" string attribute, which can be
+ set on server principal entries to require an indicator when
+ authenticating to the server.
+* Add support for key version numbers larger than 255 in keytab files,
+ and for version numbers up to 65535 in KDC databases.
+* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
+ during pre-authentication, corresponding to the client's most
+ preferred encryption type.
+* Add support for server name identification (SNI) when proxying KDC
+ requests over HTTPS.
+* Add support for the err_fmt profile parameter, which can be used to
+ generate custom-formatted error messages.
+
+Code quality:
+
+* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+ could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+ [CVE-2015-2698]
+* Fix build_principal memory bug that could cause a KDC
+ crash. [CVE-2015-2697]
+
+Developer experience:
+
+* Change gss_acquire_cred_with_password() to acquire credentials into
+ a private memory credential cache. Applications can use
+ gss_store_cred() to make the resulting credentials visible to other
+ processes.
+* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
+ IAKERB or for non-standard variants of the krb5 mechanism OID unless
+ explicitly requested. (SPNEGO will still accept the Microsoft
+ variant of the krb5 mechanism OID during negotiation.)
+* Change gss_accept_sec_context() not to accept tokens for IAKERB or
+ for non-standard variants of the krb5 mechanism OID unless an
+ acceptor credential is acquired for those mechanisms.
+* Change gss_acquire_cred() to immediately resolve credentials if the
+ time_rec parameter is not NULL, so that a correct expiration time
+ can be returned. Normally credential resolution is delayed until
+ the target name is known.
+* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
+ which can be used by plugin modules or applications to add prefixes
+ to existing detailed error messages.
+* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
+ implement the RFC 6113 PRF+ operation and key derivation using PRF+.
+* Add support for pre-authentication mechanisms which use multiple
+ round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
+ code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
+ interface; these callbacks can be used to save marshalled state
+ information in an encrypted cookie for the next request.
+* Add a client_key() callback to the kdcpreauth interface to retrieve
+ the chosen client key, corresponding to the ETYPE-INFO2 entry sent
+ by the KDC.
+* Add an add_auth_indicator() callback to the kdcpreauth interface,
+ allowing pre-authentication modules to assert authentication
+ indicators.
+* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
+ suppress sending the confidentiality and integrity flags in GSS
+ initiator tokens unless they are requested by the caller. These
+ flags control the negotiated SASL security layer for the Microsoft
+ GSS-SPNEGO SASL mechanism.
+* Make the FILE credential cache implementation less prone to
+ corruption issues in multi-threaded programs, especially on
+ platforms with support for open file description locks.
+
+Performance:
+
+* On slave KDCs, poll the master KDC immediately after processing a
+ full resync, and do not require two full resyncs after the master
+ KDC's log file is reset.
+
+User experience:
+
+* Make gss_accept_sec_context() accept tickets near their expiration
+ but within clock skew tolerances, rather than rejecting them
+ immediately after the server's view of the ticket expiration time.
+
+-------------------------------------------------------------------
+Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com
+
+- Update to 1.13.3
+- removed patches for security fixes now in upstream source:
+ 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+ 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+ 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+ 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+
+Major changes in 1.13.3 (2015-12-04)
+====================================
+
+This is a bug fix release. The krb5-1.13 release series is in
+maintenance, and for new deployments, installers should prefer the
+krb5-1.14 release series or later.
+
+* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+ could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+ [CVE-2015-2698]
+* Fix build_principal memory bug that could cause a KDC
+ crash. [CVE-2015-2697]
+* Allow an iprop slave to receive full resyncs from KDCs running
+ krb5-1.10 or earlier.
+
+-------------------------------------------------------------------
+Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com
+
+- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+ to fix a memory corruption regression introduced by resolution of
+ CVE-2015-2698. bsc#954204
+
+-------------------------------------------------------------------
+Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com
+
+- Make kadmin.local man page available without having to install krb5-client. bsc#948011
+- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+ to fix build_principal memory bug [CVE-2015-2697] bsc#952190
+- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+ to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
+- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+ to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
+
+-------------------------------------------------------------------
+Mon Jun 1 07:31:52 UTC 2015 - hguo@suse.com
+
+- Let server depend on libev (module of libverto). This was the
+ preferred implementation before the seperation of libverto from krb.
+
+-------------------------------------------------------------------
+Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org
+
+- Drop libverto and libverto-libev Requires from the -server
+ package: those package names don't exist and the shared libs
+ are pulled in automatically.
+
+-------------------------------------------------------------------
+Wed May 27 10:59:13 UTC 2015 - dimstar@opensuse.org
+
+- Unconditionally buildrequire libverto-devel: krb5-mini also
+ depends on it.
+
+-------------------------------------------------------------------
+Fri May 22 09:27:11 UTC 2015 - meissner@suse.com
+
+- pre_checkin.sh aligned changes between krb5/krb5-mini
+- added krb5.keyring
+
+-------------------------------------------------------------------
+Tue May 12 07:48:18 UTC 2015 - michael@stroeder.com
+
+- update to krb5 1.13.2
+
+- DES transition
+==============
+
+The Data Encryption Standard (DES) is widely recognized as weak. The
+krb5-1.7 release contains measures to encourage sites to migrate away
+- From using single-DES cryptosystems. Among these is a configuration
+variable that enables "weak" enctypes, which defaults to "false"
+beginning with krb5-1.8.
+
+
+Major changes in 1.13.2 (2015-05-08)
+====================================
+
+This is a bug fix release.
+
+* Fix a minor vulnerability in krb5_read_message, which is primarily
+ used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]
+
+* Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
+ [CVE-2015-2694]
+
+* Fix some issues with the LDAP KDC database back end.
+
+* Fix an iteration-related memory leak in the DB2 KDC database back
+ end.
+
+* Fix issues with some less-used kadm5.acl functionality.
+
+* Improve documentation.
+
+-------------------------------------------------------------------
+Thu Apr 23 14:13:03 UTC 2015 - hguo@suse.com
+
+- Use externally built libverto
+
+-------------------------------------------------------------------
+Wed Feb 18 11:48:46 UTC 2015 - michael@stroeder.com
+
+- update to krb5 1.13.1
+
+Major changes in 1.13.1 (2015-02-11)
+====================================
+
+This is a bug fix release.
+
+* Fix multiple vulnerabilities in the LDAP KDC back end.
+ [CVE-2014-5354] [CVE-2014-5353]
+
+* Fix multiple kadmind vulnerabilities, some of which are based in the
+ gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
+ CVE-2014-9422 CVE-2014-9423]
+
+-------------------------------------------------------------------
+Tue Jan 6 07:12:29 UTC 2015 - mlin@suse.com
+
+- Update to krb5 1.13
+ * Add support for accessing KDCs via an HTTPS proxy server using the
+ MS-KKDCP protocol.
+ * Add support for hierarchical incremental propagation, where slaves
+ can act as intermediates between an upstream master and other downstream
+ slaves.
+ * Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf
+ files in addition to /etc/gss/mech.
+ * Add support to the LDAP KDB module for binding to the LDAP server using
+ SASL.
+ * The KDC listens for TCP connections by default.
+ * Fix a minor key disclosure vulnerability where using the "keepold" option
+ to the kadmin randkey operation could return the old keys. [CVE-2014-5351]
+ * Add client support for the Kerberos Cache Manager protocol. If the host
+ is running a Heimdal kcm daemon, caches served by the daemon can be
+ accessed with the KCM: cache type.
+ * When built on OS X 10.7 and higher, use "KCM:" as the default cache type,
+ unless overridden by command-line options or krb5-config values.
+ * Add support for doing unlocked database dumps for the DB2 KDC back end,
+ which would allow the KDC and kadmind to continue accessing the database
+ during lengthy database dumps.
+- Removed patches, useless or upstreamed
+ * krb5-1.9-kprop-mktemp.patch
+ * krb5-1.10-ksu-access.patch
+ * krb5-1.12-doxygen.patch
+ * bnc#897874-CVE-2014-5351.diff
+ * krb5-1.13-work-around-replay-cache-creation-race.patch
+ * krb5-1.10-kpasswd_tcp.patch
+- Refreshed patches
+ * krb5-1.12-pam.patch
+ * krb5-1.12-selinux-label.patch
+ * krb5-1.7-doublelog.patch
+
+-------------------------------------------------------------------
+Thu Sep 25 12:48:32 UTC 2014 - ddiss@suse.com
+
+- Work around replay cache creation race; (bnc#898439).
+ krb5-1.13-work-around-replay-cache-creation-race.patch
+
+-------------------------------------------------------------------
+Tue Sep 23 13:25:33 UTC 2014 - varkoly@suse.com
+
+- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal
+- added patches:
+ * bnc#897874-CVE-2014-5351.diff
+-------------------------------------------------------------------
+Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de
+
+- krb5 5.12.2:
+ * Work around a gcc optimizer bug that could cause DB2 KDC
+ database operations to spin in an infinite loop
+ * Fix a backward compatibility problem with the LDAP KDB schema
+ that could prevent krb5-1.11 and later from decoding entries
+ created by krb5-1.6.
+ * Avoid an infinite loop under some circumstances when the GSS
+ mechglue loads a dynamic mechanism.
+ * Fix krb5kdc argument parsing so "-w" and "-r" options work
+ togetherreliably.
+- Vulnerability fixes previously fixed in package via patches:
+ * Handle certain invalid RFC 1964 GSS tokens correctly to avoid
+ invalid memory reference vulnerabilities. [CVE-2014-4341
+ CVE-2014-4342]
+ * Fix memory management vulnerabilities in GSSAPI SPNEGO.
+ [CVE-2014-4343 CVE-2014-4344]
+ * Fix buffer overflow vulnerability in LDAP KDB back end.
+ [CVE-2014-4345]
+- updated patches:
+ * krb5-1.7-doublelog.patch for context change
+ * krb5-1.6.3-ktutil-manpage.dif, same
+- removed patches, in upstream:
+ * krb5-master-keyring-kdcsync.patch
+ * krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+ * krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+ * krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+ * krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
+- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch
+ from upstream
+
+-------------------------------------------------------------------
+Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com
+
+- buffer overrun in kadmind with LDAP backend
+ CVE-2014-4345 (bnc#891082)
+ krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
+
+-------------------------------------------------------------------
+Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com
+
+- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)
+ krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+ Fix null deref in SPNEGO acceptor [CVE-2014-4344]
+ krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+
+-------------------------------------------------------------------
+Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com
+
+- Do not depend of insserv if systemd is used
+
+-------------------------------------------------------------------
+Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com
+
+- denial of service flaws when handling RFC 1964 tokens (bnc#886016)
+ krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+- start krb5kdc after slapd (bnc#886102)
+
+-------------------------------------------------------------------
+Fri Jun 6 11:08:08 UTC 2014 - ckornacker@suse.com
+
+- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
+ similar functionality is provided by krb5-plugin-preauth-pkinit
+
+-------------------------------------------------------------------
+Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com
+
+- don't deliver SysV init files to systemd distributions
+
+-------------------------------------------------------------------
+Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com
+
+- update to version 1.12.1
+ * Make KDC log service principal names more consistently during
+ some error conditions, instead of ""
+ * Fix several bugs related to building AES-NI support on less
+ common configurations
+ * Fix several bugs related to keyring credential caches
+- upstream obsoletes:
+ krb5-1.12-copy_context.patch
+ krb5-1.12-enable-NX.patch
+ krb5-1.12-pic-aes-ni.patch
+ krb5-master-no-malloc0.patch
+ krb5-master-ignore-empty-unnecessary-final-token.patch
+ krb5-master-gss_oid_leak.patch
+ krb5-master-keytab_close.patch
+ krb5-master-spnego_error_messages.patch
+- Fix Get time offsets for all keyring ccaches
+ krb5-master-keyring-kdcsync.patch (RT#7820)
+
+-------------------------------------------------------------------
+Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com
+
+- update to version 1.12
+ * Add GSSAPI extensions for constructing MIC tokens using IOV lists
+ * Add a FAST OTP preauthentication module for the KDC which uses
+ RADIUS to validate OTP token values.
+ * The AES-based encryption types will use AES-NI instructions
+ when possible for improved performance.
+- revert dependency on libcom_err-mini-devel since it's not yet
+ available
+- update and rebase patches
+ * krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch
+ * krb5-1.11-pam.patch -> krb5-1.12-pam.patch
+ * krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch
+ * krb5-1.8-api.patch -> krb5-1.12-api.patch
+ * krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch
+ * krb5-1.9-debuginfo.patch
+ * krb5-1.9-kprop-mktemp.patch
+ * krb5-kvno-230379.patch
+- added upstream patches
+ - Fix krb5_copy_context
+ * krb5-1.12-copy_context.patch
+ - Mark AESNI files as not needing executable stacks
+ * krb5-1.12-enable-NX.patch
+ * krb5-1.12-pic-aes-ni.patch
+ - Fix memory leak in SPNEGO initiator
+ * krb5-master-gss_oid_leak.patch
+ - Fix SPNEGO one-hop interop against old IIS
+ * krb5-master-ignore-empty-unnecessary-final-token.patch
+ - Fix GSS krb5 acceptor acquire_cred error handling
+ * krb5-master-keytab_close.patch
+ - Avoid malloc(0) in SPNEGO get_input_token
+ * krb5-master-no-malloc0.patch
+ - Test SPNEGO error message in t_s4u.py
+ * krb5-master-spnego_error_messages.patch
+
+-------------------------------------------------------------------
+Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com
+
+- Reduce build dependencies for krb5-mini by removing
+ doxygen and changing libcom_err-devel to
+ libcom_err-mini-devel
+- Small fix to pre_checkin.sh so krb5-mini.spec is correct.
+
+-------------------------------------------------------------------
+Fri Nov 15 13:33:53 UTC 2013 - ckornacker@suse.com
+
+- update to version 1.11.4
+ - Fix a KDC null pointer dereference [CVE-2013-1417] that could
+ affect realms with an uncommon configuration.
+ - Fix a KDC null pointer dereference [CVE-2013-1418] that could
+ affect KDCs that serve multiple realms.
+ - Fix a number of bugs related to KDC master key rollover.
+
+-------------------------------------------------------------------
+Mon Jun 24 16:21:07 UTC 2013 - mc@suse.com
+
+- install and enable systemd service files also in -mini package
+
+-------------------------------------------------------------------
+Fri Jun 21 02:12:03 UTC 2013 - crrodriguez@opensuse.org
+
+- remove fstack-protector-all from CFLAGS, just use the
+ lighter/fast version already present in %optflags
+
+- Use LFS_CFLAGS to build in 32 bit archs.
+
+-------------------------------------------------------------------
+Sun Jun 9 14:14:48 UTC 2013 - mc@suse.com
+
+- update to version 1.11.3
+ - Fix a UDP ping-pong vulnerability in the kpasswd
+ (password changing) service. [CVE-2002-2443]
+ - Improve interoperability with some Windows native PKINIT clients.
+- install translation files
+- remove outdated configure options
+
+-------------------------------------------------------------------
+Tue May 28 17:08:01 UTC 2013 - mc@suse.com
+
+- cleanup systemd files (remove syslog.target)
+
+-------------------------------------------------------------------
+Fri May 3 09:43:47 CEST 2013 - mc@suse.de
+
+- let krb5-mini conflict with all main packages
+
+-------------------------------------------------------------------
+Thu May 2 16:43:16 CEST 2013 - mc@suse.de
+
+- add conflicts between krb5-mini and krb5-server
+
+-------------------------------------------------------------------
+Sun Apr 28 17:14:36 CEST 2013 - mc@suse.de
+
+- update to version 1.11.2
+ * Incremental propagation could erroneously act as if a slave's
+ database were current after the slave received a full dump
+ that failed to load.
+ * gss_import_sec_context incorrectly set internal state that
+ identifies whether an imported context is from an interposer
+ mechanism or from the underlying mechanism.
+- upstream fix obsolete krb5-lookup_etypes-leak.patch
+
+-------------------------------------------------------------------
+Thu Apr 4 15:10:19 CEST 2013 - mc@suse.de
+
+- add conflicts between krb5-mini-devel and krb5-devel
+
+-------------------------------------------------------------------
+Tue Apr 2 17:32:08 CEST 2013 - mc@suse.de
+
+- add conflicts between krb5-mini and krb5 and krb5-client
+
+-------------------------------------------------------------------
+Wed Mar 27 11:36:00 CET 2013 - mc@suse.de
+
+- enable selinux and set openssl as crypto implementation
+
+-------------------------------------------------------------------
+Fri Mar 22 10:34:55 CET 2013 - mc@suse.de
+
+- fix path to executables in service files
+ (bnc#810926)
+
+-------------------------------------------------------------------
+Fri Mar 15 11:14:21 CET 2013 - mc@suse.de
+
+- update to version 1.11.1
+ * Improve ASN.1 support code, making it table-driven for
+ decoding as well as encoding
+ * Refactor parts of KDC
+ * Documentation consolidation
+ * build docs in the main package
+ * bugfixing
+- changes of patches:
+ * bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif:
+ upstream
+ * bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif:
+ upstream
+ * krb5-1.10-gcc47.patch: upstream
+ * krb5-1.10-selinux-label.patch replaced by
+ krb5-1.11-selinux-label.patch
+ * krb5-1.10-spin-loop.patch: upstream
+ * krb5-1.3.5-perlfix.dif: the tool was removed from upstream
+ * krb5-1.8-pam.patch replaced by
+ krb5-1.11-pam.patch
+
+-------------------------------------------------------------------
+Wed Mar 6 12:01:32 CET 2013 - mc@suse.de
+
+- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
+ CVE-2012-1016 (bnc#807556)
+ bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
+
+-------------------------------------------------------------------
+Mon Mar 4 11:23:10 CET 2013 - mc@suse.de
+
+- fix PKINIT null pointer deref
+ CVE-2013-1415 (bnc#806715)
+ bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
+
+-------------------------------------------------------------------
+Fri Jan 25 15:29:37 CET 2013 - mc@suse.de
+
+- package missing file (bnc#794784)
+
+-------------------------------------------------------------------
+Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com
+
+- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc
+ (bnc#793336)
+
+-------------------------------------------------------------------
+Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com
+
+- revert the -p usage in %postun to fix SLE build
+
+-------------------------------------------------------------------
+Tue Oct 16 12:05:00 UTC 2012 - coolo@suse.com
+
+- buildrequire systemd by pkgconfig provide to get systemd-mini
+
+-------------------------------------------------------------------
+Sat Oct 13 16:50:59 UTC 2012 - coolo@suse.com
+
+- do not require systemd in krb5-mini
+
+-------------------------------------------------------------------
+Fri Oct 5 15:50:38 CEST 2012 - mc@suse.de
+
+- add systemd service files for kadmind, krb5kdc and kpropd
+- add sysconfig templates for kadmind and krb5kdc
+
+-------------------------------------------------------------------
+Wed Jun 13 08:40:56 UTC 2012 - coolo@suse.com
+
+- fix %files section for krb5-mini
+
+-------------------------------------------------------------------
+Thu Jun 7 11:39:18 UTC 2012 - mc@suse.de
+
+- fix gcc47 issues
+
+-------------------------------------------------------------------
+Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de
+
+- update to version 1.10.2
+ obsolte patches:
+ * krb5-1.7-nodeplibs.patch
+ * krb5-1.9.1-ai_addrconfig.patch
+ * krb5-1.9.1-ai_addrconfig2.patch
+ * krb5-1.9.1-sendto_poll.patch
+ * krb5-1.9-canonicalize-fallback.patch
+ * krb5-1.9-paren.patch
+ * krb5-klist_s.patch
+ * krb5-pkinit-cms2.patch
+ * krb5-trunk-chpw-err.patch
+ * krb5-trunk-gss_delete_sec.patch
+ * krb5-trunk-kadmin-oldproto.patch
+ * krb5-1.9-MITKRB5-SA-2011-006.dif
+ * krb5-1.9-gss_display_status-iakerb.patch
+ * krb5-1.9.1-sendto_poll2.patch
+ * krb5-1.9.1-sendto_poll3.patch
+ * krb5-1.9-MITKRB5-SA-2011-007.dif
+- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
+ Controllers.
+- Update a workaround for a glibc bug that would cause DNS PTR queries
+ to occur even when rdns = false.
+- Fix a kadmind denial of service issue (null pointer dereference),
+ which could only be triggered by an administrator with the "create"
+ privilege. [CVE-2012-1013]
+- Fix access controls for KDB string attributes [CVE-2012-1012]
+- Make the ASN.1 encoding of key version numbers interoperate with
+ Windows Read-Only Domain Controllers
+- Avoid generating spurious password expiry warnings in cases where
+ the KDC sends an account expiry time without a password expiry time
+- Make PKINIT work with FAST in the client library.
+- Add the DIR credential cache type, which can hold a collection of
+ credential caches.
+- Enhance kinit, klist, and kdestroy to support credential cache
+ collections if the cache type supports it.
+- Add the kswitch command, which changes the selected default cache
+ within a collection.
+- Add heuristic support for choosing client credentials based on
+ the service realm.
+- Add support for $HOME/.k5identity, which allows credential
+ choice based on configured rules.
+
+-------------------------------------------------------------------
+Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de
+
+- add autoconf macro to devel subpackage
+
+-------------------------------------------------------------------
+Tue Jan 31 15:33:05 CET 2012 - meissner@suse.de
+
+- fix license in krb5-mini
+
+-------------------------------------------------------------------
+Tue Dec 20 20:57:26 UTC 2011 - coolo@suse.com
+
+- add autoconf as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Tue Dec 20 11:01:39 UTC 2011 - coolo@suse.com
+
+- remove call to suse_update_config, very old work around
+
+-------------------------------------------------------------------
+Mon Nov 21 11:24:12 CET 2011 - mc@suse.de
+
+- fix KDC null pointer dereference in TGS handling
+ (MITKRB5-SA-2011-007, bnc#730393)
+ CVE-2011-1530
+
+-------------------------------------------------------------------
+Mon Nov 21 11:11:54 CET 2011 - mc@suse.de
+
+- fix KDC HA feature introduced with implementing KDC poll
+ (RT#6951, bnc#731648)
+
+-------------------------------------------------------------------
+Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de
+
+- fix minor error messages for the IAKERB GSSAPI mechanism
+ (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)
+
+-------------------------------------------------------------------
+Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de
+
+- fix kdc remote denial of service
+ (MITKRB5-SA-2011-006, bnc#719393)
+ CVE-2011-1527, CVE-2011-1528, CVE-2011-1529
+
+-------------------------------------------------------------------
+Tue Aug 23 13:52:03 CEST 2011 - mc@suse.de
+
+- use --without-pam to build krb5-mini
+
+-------------------------------------------------------------------
+Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com
+
+- add patches from Fedora and upstream
+- fix init scripts (bnc#689006)
+
+-------------------------------------------------------------------
+Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com
+
+- update to version 1.9.1
+ * obsolete patches:
+ MITKRB5-SA-2010-007-1.8.dif
+ krb5-1.8-MITKRB5-SA-2010-006.dif
+ krb5-1.8-MITKRB5-SA-2011-001.dif
+ krb5-1.8-MITKRB5-SA-2011-002.dif
+ krb5-1.8-MITKRB5-SA-2011-003.dif
+ krb5-1.8-MITKRB5-SA-2011-004.dif
+ krb5-1.4.3-enospc.dif
+ * replace krb5-1.6.1-compile_pie.dif
+-------------------------------------------------------------------
+Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de
+
+- fix kadmind invalid pointer free()
+ (MITKRB5-SA-2011-004, bnc#687469)
+ CVE-2011-0285
+
+-------------------------------------------------------------------
+Tue Mar 1 12:43:22 CET 2011 - mc@suse.de
+
+- Fix vulnerability to a double-free condition in KDC daemon
+ (MITKRB5-SA-2011-003, bnc#671717)
+ CVE-2011-0284
+
+-------------------------------------------------------------------
+Wed Jan 19 14:42:27 CET 2011 - mc@suse.de
+
+- Fix kpropd denial of service
+ (MITKRB5-SA-2011-001, bnc#662665)
+ CVE-2010-4022
+- Fix KDC denial of service attacks with LDAP back end
+ (MITKRB5-SA-2011-002, bnc#663619)
+ CVE-2011-0281, CVE-2011-0282
+
+-------------------------------------------------------------------
+Wed Dec 1 11:44:15 CET 2010 - mc@suse.de
+
+- Fix multiple checksum handling vulnerabilities
+ (MITKRB5-SA-2010-007, bnc#650650)
+ CVE-2010-1324
+ * krb5 GSS-API applications may accept unkeyed checksums
+ * krb5 application services may accept unkeyed PAC checksums
+ * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums
+ CVE-2010-1323
+ * krb5 clients may accept unkeyed SAM-2 challenge checksums
+ * krb5 may accept KRB-SAFE checksums with low-entropy derived keys
+ CVE-2010-4020
+ * krb5 may accept authdata checksums with low-entropy derived keys
+ CVE-2010-4021
+ * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery
+
+-------------------------------------------------------------------
+Thu Oct 28 12:53:13 CEST 2010 - mc@suse.de
+
+- fix csh profile (bnc#649856)
+
+-------------------------------------------------------------------
+Fri Oct 22 11:15:43 CEST 2010 - mc@suse.de
+
+- update to krb5-1.8.3
+ * remove patches which are now upstrem
+ - krb5-1.7-MITKRB5-SA-2010-004.dif
+ - krb5-1.8.1-gssapi-error-table.dif
+ - krb5-MITKRB5-SA-2010-005.dif
+
+-------------------------------------------------------------------
+Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de
+
+- change environment variable PATH directly for csh
+ (bnc#642080)
+
+-------------------------------------------------------------------
+Mon Sep 27 11:42:43 CEST 2010 - mc@suse.de
+
+- fix a dereference of an uninitialized pointer while processing
+ authorization data.
+ CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)
+
+-------------------------------------------------------------------
+Mon Jun 21 21:31:53 UTC 2010 - lchiquitto@novell.com
+
+- add correct error table when initializing gss-krb5 (bnc#606584,
+ bnc#608295)
+
+-------------------------------------------------------------------
+Wed May 19 14:27:19 CEST 2010 - mc@suse.de
+
+- fix GSS-API library null pointer dereference
+ CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)
+
+-------------------------------------------------------------------
+Wed Apr 14 11:36:32 CEST 2010 - mc@suse.de
+
+- fix a double free vulnerability in the KDC
+ CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)
+
+-------------------------------------------------------------------
+Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de
+
+- update to version 1.8.1
+ * include krb5-1.8-POST.dif
+ * include MITKRB5-SA-2010-002
+
+-------------------------------------------------------------------
+Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de
+
+- update krb5-1.8-POST.dif
+
+-------------------------------------------------------------------
+Tue Mar 23 14:32:41 CET 2010 - mc@suse.de
+
+- fix a bug where an unauthenticated remote attacker could cause
+ a GSS-API application including the Kerberos administration
+ daemon (kadmind) to crash.
+ CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)
+
+-------------------------------------------------------------------
+Tue Mar 23 12:33:26 CET 2010 - mc@suse.de
+
+- add post 1.8 fixes
+ * Add IPv6 support to changepw.c
+ * fix two problems in kadm5_get_principal mask handling
+ * Ignore improperly encoded signedpath AD elements
+ * handle NT_SRV_INST in service principal referrals
+ * dereference options while checking
+ KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
+ * Fix the kpasswd fallback from the ccache principal name
+ * Document the ticket_lifetime libdefaults setting
+ * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
+
+-------------------------------------------------------------------
+Thu Mar 4 10:42:29 CET 2010 - mc@suse.de
+
+- update to version 1.8
+ * Increase code quality
+ * Move toward improved KDB interface
+ * Investigate and remedy repeatedly-reported performance
+ bottlenecks.
+ * Reduce DNS dependence by implementing an interface that allows
+ client library to track whether a KDC supports service
+ principal referrals.
+ * Disable DES by default
+ * Account lockout for repeated login failures
+ * Bridge layer to allow Heimdal HDB modules to act as KDB
+ backend modules
+ * FAST enhancements
+ * Microsoft Services for User (S4U) compatibility
+ * Anonymous PKINIT
+- fix KDC denial of service
+ CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)
+- fix KDC denial of service in cross-realm referral processing
+ CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
+- fix integer underflow in AES and RC4 decryption
+ CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
+- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl
+
+-------------------------------------------------------------------
+Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de
+
+- add baselibs.conf as a source
+
+-------------------------------------------------------------------
+Fri Nov 13 16:51:37 CET 2009 - mc@suse.de
+
+- enhance '$PATH' only if the directories are available
+ and not empty (bnc#544949)
+
+-------------------------------------------------------------------
+Sun Jul 12 21:36:17 CEST 2009 - coolo@novell.com
+
+- readd lost baselibs.conf
+
+-------------------------------------------------------------------
+Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de
+
+- update to final 1.7 release
+
+-------------------------------------------------------------------
+Wed May 13 11:30:42 CEST 2009 - mc@suse.de
+
+- update to version 1.7 Beta2
+ * Incremental propagation support for the KDC database.
+ * Flexible Authentication Secure Tunneling (FAST), a preauthentiation
+ framework that can protect the AS exchange from dictionary attack.
+ * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
+ allows a GSS application to request credential delegation only if
+ permitted by KDC policy.
+ * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
+ various vulnerabilities in SPNEGO and ASN.1 code.
+
+-------------------------------------------------------------------
+Mon Feb 16 13:04:26 CET 2009 - mc@suse.de
+
+- update to pre 1.7 version
+ * Remove support for version 4 of the Kerberos protocol (krb4).
+ * New libdefaults configuration variable "allow_weak_crypto".
+ * Client library now follows client principal referrals, for
+ compatibility with Windows.
+ * KDC can issue realm referrals for service principals based on domain
+ names.
+ * Encryption algorithm negotiation (RFC 4537).
+ * In the replay cache, use a hash over the complete ciphertext to
+ avoid false-positive replay indications.
+ * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
+ similar to the equivalent SSPI functionality.
+ * DCE RPC, including three-leg GSS context setup and unencapsulated
+ GSS tokens.
+ * NTLM recognition support in GSS-API, to facilitate dropping in an
+ NTLM implementation.
+ * KDC support for principal aliases, if the back end supports them.
+ * Microsoft set/change password (RFC 3244) protocol in kadmind.
+ * Master key rollover support.
+
+-------------------------------------------------------------------
+Wed Jan 14 09:21:36 CET 2009 - olh@suse.de
+
+- obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit
+
+-------------------------------------------------------------------
+Thu Dec 11 14:12:57 CET 2008 - mc@suse.de
+
+- do not query IPv6 addresses if no IPv6 address exists on this host
+ [bnc#449143]
+
+-------------------------------------------------------------------
+Wed Dec 10 12:34:56 CET 2008 - olh@suse.de
+
+- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
+ (bnc#437293)
+
+-------------------------------------------------------------------
+Thu Oct 30 12:34:56 CET 2008 - olh@suse.de
+
+- obsolete old -XXbit packages (bnc#437293)
+
+-------------------------------------------------------------------
+Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de
+
+- in case we use ldap as database backend, ldap should be
+ started before krb5kdc
+
+-------------------------------------------------------------------
+Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de
+
+- add new fixes to post 1.6.3 patch
+ * fix mem leak in krb5_gss_accept_sec_context()
+ * keep minor_status
+ * kadm5_decrypt_key: A ktype of -1 is documented as meaning
+ "to be ignored"
+ * Reject socket fds > FD_SETSIZE
+
+-------------------------------------------------------------------
+Fri Jul 25 12:13:24 CEST 2008 - mc@suse.de
+
+- add patches from SVN post 1.6.3
+ * krb5_string_to_keysalts: Fix an infinite loop
+ * fix some mutex issues
+ * better recovery from corrupt rcache files
+ * some more small fixes
+
+-------------------------------------------------------------------
+Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de
+
+- add case-insensitive.dif (FATE#300771)
+- minor fixes for ktutil man page
+- reduce rpmlint warnings
+
+-------------------------------------------------------------------
+Wed May 14 17:44:59 CEST 2008 - mc@suse.de
+
+- Fall back to TCP on kdc-unresolvable/unreachable errors.
+- restore valid sequence number before generating requests
+ (fix changing passwords in mixed ipv4/ipv6 enviroments)
+
+-------------------------------------------------------------------
+Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
+
+- added baselibs.conf file to build xxbit packages
+ for multilib support
+
+-------------------------------------------------------------------
+Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de
+
+- modify krb5-config to not output rpath and cflags in --libs
+ (bnc#378270)
+
+-------------------------------------------------------------------
+Fri Mar 14 11:27:55 CET 2008 - mc@suse.de
+
+- fix two security bugs:
+ * MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063)
+ fix double free [bnc#361373]
+ * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)
+ Memory corruption while too many open file descriptors
+ [bnc#363151]
+- change default config file. Comment out the examples.
+ +------------------------------------------------------------------- +Fri Dec 14 10:48:52 CET 2007 - mc@suse.de + +- fix several security bugs: + * CVE-2007-5894 apparent uninit length + * CVE-2007-5902 integer overflow + * CVE-2007-5971 free of non-heap pointer and double-free + * CVE-2007-5972 double fclose() + [#346745, #346748, #346746, #346749, #346747] + +------------------------------------------------------------------- +Tue Dec 4 16:36:07 CET 2007 - mc@suse.de + +- improve GSSAPI error messages + +------------------------------------------------------------------- +Tue Nov 6 13:53:17 CET 2007 - mc@suse.de + +- add coreutils to PreReq + +------------------------------------------------------------------- +Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de + +- update to krb5 version 1.6.3 + * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow + * fix CVE-2007-4000 modify_policy vulnerability + * Add PKINIT support +- remove patches which are upstream now +- enhance init scripts and xinetd profiles + +------------------------------------------------------------------- +Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de + +- update krb5-1.6.2-post.dif + * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that + that the client library will not failover to the next KDC. + [#310540] + +------------------------------------------------------------------- +Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de + +- update krb5-1.6.2-post.dif + * new -S sname option for kvno + * read_entropy_from_device on partial read will not fill buffer + * Bail out if encoded "ticket" doesn't decode correctly. 
+ * patch for referrals loop + +------------------------------------------------------------------- +Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de + +- fix a problem with the originally published patch + for MITKRB5-SA-2007-006 - CVE-2007-3999 + [#302377] + +------------------------------------------------------------------- +Wed Sep 5 12:18:21 CEST 2007 - mc@suse.de + +- fix execute arbitrary code + (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000) + [#302377] + +------------------------------------------------------------------- +Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de + +- add krb5-1.6.2-post.dif + * during the referrals loop, check to see if the + session key enctype of a returned credential for the final + service is among the enctypes explicitly selected by the + application, and retry with old_use_conf_ktypes if it is not. + * If mkstemp() is available, the new ccache file gets created but + the subsequent open(O_CREAT|O_EXCL) call fails because the file + was already created by mkstemp(). Apply patch from Apple to keep + the file descriptor open. 
+ +------------------------------------------------------------------- +Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de + +- update to version 1.6.2 +- remove krb5-1.6.1-post.dif all fixes are included in this release + +------------------------------------------------------------------- +Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de + +- change requires to libcom_err-devel + +------------------------------------------------------------------- +Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de + +- update krb5-1.6.1-post.dif + * fix leak in krb5_walk_realm_tree + * rd_req_decoded needs to deal with referral realms + * fix buffer overflow in kadmind + (MITKRB5-SA-2007-005 - CVE-2007-2798) + [#278689] + * fix kadmind code execution bug + (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443) + [#271191] + +------------------------------------------------------------------- +Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de + +- fix unstripped-binary-or-object rpmlint warning + +------------------------------------------------------------------- +Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de + +- fixing rpmlint warnings and errors: + * merged logrotate scripts kadmin and krb5kdc into a single file + krb5-server. + * moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl + from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper. + adapted krb5.spec and README.ConvertHeimdalMIT accordingly. + * added surpression filter for + "devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so" + (see [#147912]). 
+ * set default runlevel of init scripts in chkconfig line to 3 and + 5 + +------------------------------------------------------------------- +Wed May 9 15:30:53 CEST 2007 - mc@suse.de + +- fix uninitialized salt length +- add extra check for keytab file + +------------------------------------------------------------------- +Thu May 3 12:11:29 CEST 2007 - mc@suse.de + +- adding krb5-1.6.1-post.dif + * fix segfault in krb5_get_init_creds_password + * remove debug output in ftp client + * profile stores empty string values without double quotes + +------------------------------------------------------------------- +Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de + +- update to final 1.6.1 version + +------------------------------------------------------------------- +Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de + +- add plugin directories to main package + +------------------------------------------------------------------- +Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de + +- update to version 1.6.1 Beta1 +- remove obsolete patches + (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif) +- rework compile_pie patch + +------------------------------------------------------------------- +Wed Apr 11 10:58:09 CEST 2007 - mc@suse.de + +- update krb5-1.6-post.dif + * fix kadmind stack overflow in krb5_klog_syslog + (MITKRB5-SA-2007-002 - CVE-2007-0957) + [#253548] + * fix double free attack in the RPC library + (MITKRB5-SA-2007-003 - CVE-2007-1216) + [#252487] + * fix krb5 telnetd login injection + (MIT-SA-2007-001 - CVE-2007-0956) + #247765 + +------------------------------------------------------------------- +Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de + +- add ncurses-devel and bison to BuildRequires +- rework some patches + +------------------------------------------------------------------- +Mon Mar 5 11:01:20 CET 2007 - mc@suse.de + +- move SuSEFirewall service definitions to + /etc/sysconfig/SuSEfirewall2.d/services + +------------------------------------------------------------------- 
+Thu Feb 22 11:13:48 CET 2007 - mc@suse.de + +- add firewall definition to krb5-server, FATE #300687 + +------------------------------------------------------------------- +Mon Feb 19 13:59:43 CET 2007 - mc@suse.de + +- update krb5-1.6-post.dif +- move some applications into the right package + +------------------------------------------------------------------- +Fri Feb 9 13:31:22 CET 2007 - mc@suse.de + +- update krb5-1.6-post.dif + +------------------------------------------------------------------- +Mon Jan 29 11:27:23 CET 2007 - mc@suse.de + +- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif + are now upstream. Remove patches. +- fix leak in krb5_kt_resolve and krb5_kt_wresolve + +------------------------------------------------------------------- +Tue Jan 23 17:21:12 CET 2007 - mc@suse.de + +- fix "local variable used before set" in ftp.c + [#237684] + +------------------------------------------------------------------- +Mon Jan 22 16:39:27 CET 2007 - mc@suse.de + +- krb5-devel should require keyutils-devel + +------------------------------------------------------------------- +Mon Jan 22 12:19:49 CET 2007 - mc@suse.de + +- update to version 1.6 + * Major changes in 1.6 include + * Partial client implementation to handle server name referrals. + * Pre-authentication plug-in framework, donated by Red Hat. + * LDAP KDB plug-in, donated by Novell. 
+- remove obsolete patches + +------------------------------------------------------------------- +Wed Jan 10 11:16:30 CET 2007 - mc@suse.de + +- fix for + kadmind (via RPC library) calls uninitialized function pointer + (CVE-2006-6143)(Bug #225990) + krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif +- fix for + kadmind (via GSS-API mechglue) frees uninitialized pointers + (CVE-2006-6144)(Bug #225992) + krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif + +------------------------------------------------------------------- +Tue Jan 2 14:53:33 CET 2007 - mc@suse.de + +- Fix Requires in krb5-devel + [Bug #231008] + +------------------------------------------------------------------- +Mon Nov 6 11:49:39 CET 2006 - mc@suse.de + +- fix "local variable used before set" [#217692] +- fix strncat warning + +------------------------------------------------------------------- +Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de + +- add a default kadm5.dict file +- require $network on daemon start + +------------------------------------------------------------------- +Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de + +- fix function call with too few arguments [#203837] + +------------------------------------------------------------------- +Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de + +- update to version 1.5.1 +- remove obsolete patches which are now included upstream + * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif + * trunk-fix-uninitialized-vars.dif + +------------------------------------------------------------------- +Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de + +- krb5 setuid return check fixes + krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif + [#182351] + +------------------------------------------------------------------- +Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de + +- remove update-messages + +------------------------------------------------------------------- +Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de + +- add check for krb5_prop in services to 
kpropd init script. + [#192446] + +------------------------------------------------------------------- +Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de + +- update to version 1.5 + * KDB abstraction layer, donated by Novell. + * plug-in architecture, allowing for extension modules to be + loaded at run-time. + * multi-mechanism GSS-API implementation ("mechglue"), + donated by Sun Microsystems + * Simple and Protected GSS-API negotiation mechanism ("SPNEGO") + implementation, donated by Sun Microsystems +- remove obsolete patches and add some new + +------------------------------------------------------------------- +Fri May 26 14:50:00 CEST 2006 - ro@suse.de + +- libcom is not in e2fsck-devel but in its own package now, change + Requires accordingly. + +------------------------------------------------------------------- +Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de + +- add all daemons to %stop_on_removal and %restart_on_update +- add reload to kpropd init script +- add force-reload to all init scripts + +------------------------------------------------------------------- +Mon Mar 13 18:20:36 CET 2006 - mc@suse.de + +- add libgssapi_krb5.so link to main package [#147912] + +------------------------------------------------------------------- +Fri Feb 3 18:17:01 CET 2006 - mc@suse.de + +- fix logging section for kadmind in convert script + +------------------------------------------------------------------- +Wed Jan 25 21:30:24 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Fri Jan 13 14:44:24 CET 2006 - mc@suse.de + +- change the logging defaults + +------------------------------------------------------------------- +Wed Jan 11 12:59:08 CET 2006 - mc@suse.de + +- add tools and README for heimdal => MIT update + +------------------------------------------------------------------- +Mon Jan 9 14:41:07 CET 2006 - mc@suse.de + +- fix build problems, define _GNU_SOURCE + 
(krb5-1.4.3-set_gnu_source.dif ) + +------------------------------------------------------------------- +Tue Jan 3 16:00:13 CET 2006 - mc@suse.de + +- added "make %{?jobs:-j%jobs}" + +------------------------------------------------------------------- +Fri Nov 18 12:12:01 CET 2005 - mc@suse.de + +- update to version 1.4.3 + * some memmory leaks fixed + * fix for "AS_REP padata has wrong enctype" + * fix for "AS_REP padata missing PA-ETYPE-INFO" + * ... and more + +------------------------------------------------------------------- +Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de + +- don't build as root + +------------------------------------------------------------------- +Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de + +- update to version 1.4.2 +- remove some obsolet patches + +------------------------------------------------------------------- +Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de + +- build with --disable-static + +------------------------------------------------------------------- +Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de + +- remove devel-static subpackage + +------------------------------------------------------------------- +Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de + +- better patch for princ_comp problem + +------------------------------------------------------------------- +Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de + +- update to version 1.4.1 +- remove obsolet patches + - krb5-1.4-gcc4.dif + - krb5-1.4-reduce-namespace-polution.dif + - krb5-1.4-VUL-0-telnet.dif + +------------------------------------------------------------------- +Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de + +- fixed krb5 KDC heap corruption by random free + [#80574, CAN-2005-1174, MITKRB5-SA-2005-002] +- fixed krb5 double free() + [#86768, CAN-2005-1689, MITKRB5-SA-2005-003] +- fix krb5 NULL pointer reference while comparing principals + [#91600] + +------------------------------------------------------------------- +Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de + +- fix 
uninitialized variables +- compile with -fPIE/ link with -pie + +------------------------------------------------------------------- +Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de + +- fixed wrong xinetd files [#77149] + +------------------------------------------------------------------- +Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de + +- removed krb5-1.4-fix-error_tables.dif patch obsoleted + by libcom_err locking patches + +------------------------------------------------------------------- +Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de + +- fixed missing descriptions in init files + [#76164, #76165, #76166, #76169] + +------------------------------------------------------------------- +Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de + +- enhance $PATH via /etc/profile.d/ [#74018] +- remove the "links to important programs" + +------------------------------------------------------------------- +Fri Mar 18 11:09:43 CET 2005 - mc@suse.de + +- fixed not running converter script [#72854] + +------------------------------------------------------------------- +Thu Mar 17 14:15:17 CET 2005 - mc@suse.de + +- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer + Overflow +- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer + Overflow + [#73618] + +------------------------------------------------------------------- +Wed Mar 16 13:10:18 CET 2005 - mc@suse.de + +- fixed wrong PreReqs [#73020] + +------------------------------------------------------------------- +Tue Mar 15 19:54:58 CET 2005 - mc@suse.de + +- add a simple krb5.conf converter [#72854] + +------------------------------------------------------------------- +Mon Mar 14 17:08:59 CET 2005 - mc@suse.de + +- fixed: rckrb5kdc restart gives wrong status with non-running service + [#72446] + +------------------------------------------------------------------- +Thu Mar 10 10:48:07 CET 2005 - mc@suse.de + +- add requires: e2fsprogs-devel to krb5-devel package [#71732] + 
+------------------------------------------------------------------- +Fri Feb 25 17:35:37 CET 2005 - mc@suse.de + +- fix double free [#66534] + krb5-1.4-fix-error_tables.dif + +------------------------------------------------------------------- +Fri Feb 11 14:01:32 CET 2005 - mc@suse.de + +- change mode for shared libraries to 755 + +------------------------------------------------------------------- +Fri Feb 4 16:48:16 CET 2005 - mc@suse.de + +- remove spx.c from tarball because of legal risk +- add README.Source which tell the user about this + action. +- add a check for spx.c in the spec-file +- use rich-text for update-messages [#50250] + +------------------------------------------------------------------- +Tue Feb 1 12:13:45 CET 2005 - mc@suse.de + +- add krb5-1.4-reduce-namespace-polution.dif + reduce namespace polution in gssapi.h [#50356] + +------------------------------------------------------------------- +Fri Jan 28 13:25:42 CET 2005 - mc@suse.de + +- update to version 1.4 +- Add implementation of the RPCSEC_GSS authentication flavor to the + RPC library. +- Thread safety for krb5 libraries. +- Merged Athena telnetd changes for creating a new option for + requiring encryption. +- The kadmind4 backwards-compatibility admin server and the v5passwdd + backwards-compatibility password-changing server have been removed. +- Yarrow code now uses AES. +- Merged Athena changes to allow ftpd to require encrypted passwords. +- Incorporate gss_krb5_set_allowable_enctypes() and + gss_krb5_export_lucid_sec_context(), which are needed for NFSv4. 
+- remove obsolet patches + +------------------------------------------------------------------- +Mon Jan 17 11:34:52 CET 2005 - mc@suse.de + +- add proofreaded update-messages + +------------------------------------------------------------------- +Fri Jan 14 14:38:25 CET 2005 - mc@suse.de + +- remove Conflicts: and add Provides: +- add some insserv stuff + +------------------------------------------------------------------- +Thu Jan 13 11:54:01 CET 2005 - mc@suse.de + +- move vendor files to vendor-files.tar.bz2 +- add obsoletes: heimdal +- add %pre and %post sections to detect update + from heimdal and backup invalid configuration files +- add update-messages for heimdal update + +------------------------------------------------------------------- +Mon Jan 10 12:18:02 CET 2005 - mc@suse.de + +- update to version 1.3.6 +- fix for: heap buffer overflow in libkadm5srv + [CAN-2004-1189 / MITKRB5-SA-2004-004] + +------------------------------------------------------------------- +Tue Dec 14 15:30:23 CET 2004 - mc@suse.de + +- build doc subpackage in an own specfile +- removed unnecessary neededforbuild requirements + +------------------------------------------------------------------- +Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de + +- fix build with gcc 4 + +------------------------------------------------------------------- +Mon Nov 15 17:25:56 CET 2004 - mc@suse.de + +- added Conflicts with heimdal* +- rename some manpages to avoid conflicts + +------------------------------------------------------------------- +Thu Nov 4 18:03:11 CET 2004 - mc@suse.de + +- new init scripts +- fix logrotate scripts +- add some 64Bit fixes +- add default krb5.conf, kdc.conf and kadm5.acl + +------------------------------------------------------------------- +Wed Nov 3 18:52:07 CET 2004 - mc@suse.de + +- add e2fsprogs to NFB +- use system-et and system-ss +- fix includes of com_err.h + +------------------------------------------------------------------- +Thu Oct 28 17:58:41 CEST 2004 
- mc@suse.de
+
+- Initital checkin
diff --git a/krb5-mini.spec b/krb5-mini.spec
new file mode 100644
index 0000000..85f4c5a
--- /dev/null
+++ b/krb5-mini.spec
@@ -0,0 +1,347 @@
+#
+# spec file for package krb5-mini
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define srcRoot krb5-%{version}
+%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
+%define krb5docdir %{_defaultdocdir}/krb5
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name: krb5-mini
+Version: 1.20.1
+Release: 0
+Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
+License: MIT
+URL: https://kerberos.org/dist/
+Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz
+Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc
+Source2: krb5.keyring
+Source3: vendor-files.tar.bz2
+Source4: baselibs.conf
+Source5: krb5-rpmlintrc
+Source6: krb5.tmpfiles
+Patch1: 0001-ksu-pam-integration.patch
+Patch2: 0002-krb5-1.9-manpaths.patch
+Patch3: 0003-Adjust-build-configuration.patch
+Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
+Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
+Patch6: 0006-krb5-1.12-api.patch
+Patch7: 0007-SELinux-integration.patch
+Patch8: 0008-krb5-1.9-debuginfo.patch
+Patch9: 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
+BuildRequires: autoconf
+BuildRequires: bison
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(com_err)
+BuildRequires: pkgconfig(libselinux)
+BuildRequires: pkgconfig(libverto)
+BuildRequires: pkgconfig(ncurses)
+Requires(post): %fillup_prereq
+Conflicts: krb5
+Conflicts: krb5-client
+Conflicts: krb5-mini
+Conflicts: krb5-plugin-kdb-ldap
+Conflicts: krb5-plugin-preauth-otp
+Conflicts: krb5-plugin-preauth-pkinit
+Conflicts: krb5-server
+Obsoletes: krb5-plugin-preauth-pkinit-nss
+
+%description
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of clear text passwords.
+The package delivers MIT Kerberos with reduced features and minimal
+dependencies
+
+%package devel
+Summary: Development files for MIT Kerberos5 (openSUSE mini variant)
+Requires: %{name} = %{version}
+Requires: pkgconfig(com_err)
+Requires: pkgconfig(libverto)
+Requires: pkgconfig(ss)
+Conflicts: krb5-devel
+Provides: krb5-devel = %{version}
+
+%description devel
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes Libraries and
+Include Files for Development
+
+%prep
+%setup -q -n %{srcRoot}
+%setup -q -a 3 -T -D -n %{srcRoot}
+%autopatch -p1
+
+%build
+# needs to be re-generated
+rm -f src/lib/krb5/krb/deltat.c
+cd src
+autoreconf -fi
+DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
+# FIXME: you should use the %%configure macro
+%configure \
+ CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
+ CPPFLAGS="-I%{_includedir}/et " \
+ SS_LIB="-lss" \
+ --sysconfdir=%{_sysconfdir} \
+ --mandir=%{_mandir} \
+ --infodir=%{_infodir} \
+ --libdir=%{_libdir} \
+ --includedir=%{_includedir} \
+ --localstatedir=%{_localstatedir}/lib/kerberos \
+ --localedir=%{_datadir}/locale \
+ --enable-shared \
+ --disable-static \
+ --enable-dns-for-realm \
+ --disable-rpath \
+ --disable-pkinit \
+ --without-pam \
+ --with-selinux \
+ --with-system-et \
+ --with-system-ss \
+ --with-system-verto
+
+%make_build
+
+# Copy kadmin manual page into kadmin.local's due to the split between client and server package
+cp man/kadmin.man man/kadmin.local.8
+
+%install
+mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
+%make_install -C src
+# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
+# of the buildconf patch already conspire to strip out /usr/ from the
+# list of link flags, and it helps prevent file conflicts on multilib systems.
+sed -r -i -e 's|^libdir=%{_prefix}/lib(64)?$|libdir=%{_prefix}/lib|g' %{buildroot}%{_bindir}/krb5-config
+
+# install autoconf macro
+mkdir -p %{buildroot}/%{_datadir}/aclocal
+install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
+# install sample config files
+# I'll probably do something about this later on
+mkdir -p %{buildroot}%{_sysconfdir}
+mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
+mkdir -p %{buildroot}%{_localstatedir}/log/krb5
+# create plugin directories
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
+install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
+
+# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
+# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -m 644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/krb5.conf
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
+# Where per-user keytabs live by default.
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
+install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
+
+# all libs must have permissions 0755
+for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
+do
+ chmod 0755 ${lib}
+done
+# and binaries too
+chmod 0755 %{buildroot}%{_bindir}/ksu
+# install systemd files
+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kadmind.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/krb5kdc.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kpropd.service %{buildroot}%{_unitdir}
+# install sysconfig templates
+mkdir -p %{buildroot}/%{_fillupdir}
+install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
+install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
+# install logrotate files
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
+find . -type f -name '*.ps' -exec gzip -9 {} \;
+# create rc* links
+mkdir -p %{buildroot}%{_bindir}/
+mkdir -p %{buildroot}%{_sbindir}/
+ln -s service %{buildroot}%{_sbindir}/rckadmind
+ln -s service %{buildroot}%{_sbindir}/rckrb5kdc
+ln -s service %{buildroot}%{_sbindir}/rckpropd
+# install doc
+install -d -m 755 %{buildroot}/%{krb5docdir}
+install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
+# cleanup
+rm -f %{buildroot}%{_mandir}/man1/tmac.doc*
+rm -f %{_mandir}/man1/tmac.doc*
+rm -rf %{buildroot}%{_datadir}/examples
+# manually remove otp, spake and test plugin for krb5-mini since configure
+# doesn't support disabling it at build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/spake.so
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
+
+%if "%{_lto_cflags}" != ""
+# Don't add the lto flags to the public link flags.
+sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
+%endif
+
+%find_lang mit-krb5
+
+#####################################################
+# krb5-mini pre/post/postun
+#####################################################
+
+%preun
+%service_del_preun krb5kdc.service kadmind.service kpropd.service
+
+%postun
+/sbin/ldconfig
+%service_del_postun krb5kdc.service kadmind.service kpropd.service
+
+%post
+/sbin/ldconfig
+%service_add_post krb5kdc.service kadmind.service kpropd.service
+%tmpfiles_create krb5.conf
+%{fillup_only -n kadmind}
+%{fillup_only -n krb5kdc}
+%{fillup_only -n kpropd}
+
+%pre
+%service_add_pre krb5kdc.service kadmind.service kpropd.service
+
+########################################################
+# files sections
+########################################################
+
+%files devel
+%dir %{_datadir}/aclocal
+%{_libdir}/libgssrpc.so
+%{_libdir}/libk5crypto.so
+%{_libdir}/libkadm5clnt_mit.so
+%{_libdir}/libkadm5clnt.so
+%{_libdir}/libkadm5srv_mit.so
+%{_libdir}/libkadm5srv.so
+%{_libdir}/libkdb5.so
+%{_libdir}/libkrb5.so
+%{_libdir}/libkrb5support.so
+%{_libdir}/libkrad.so
+%{_libdir}/pkgconfig/gssrpc.pc
+%{_libdir}/pkgconfig/kadm-client.pc
+%{_libdir}/pkgconfig/kadm-server.pc
+%{_libdir}/pkgconfig/kdb.pc
+%{_libdir}/pkgconfig/krb5-gssapi.pc
+%{_libdir}/pkgconfig/krb5.pc
+%{_libdir}/pkgconfig/mit-krb5-gssapi.pc
+%{_libdir}/pkgconfig/mit-krb5.pc
+%{_includedir}/*
+%{_bindir}/krb5-config
+%{_sbindir}/krb5-send-pr
+%{_mandir}/man1/krb5-config.1%{?ext_man}
+%{_datadir}/aclocal/ac_check_krb5.m4
+
+%files -f mit-krb5.lang
+%dir %{krb5docdir}
+# add directories
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%dir %{_libdir}/krb5/plugins/preauth
+%dir %{_libdir}/krb5/plugins/libkrb5
+%dir %{_libdir}/krb5/plugins/tls
+%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
+%doc %{krb5docdir}/README
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
+%dir %{_sysconfdir}/krb5.conf.d
+%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
+%{_fillupdir}/sysconfig.*
+%{_unitdir}/kadmind.service
+%{_unitdir}/krb5kdc.service
+%{_unitdir}/kpropd.service
+%{_libdir}/libgssapi_krb5.*
+%{_libdir}/libgssrpc.so.*
+%{_libdir}/libk5crypto.so.*
+%{_libdir}/libkadm5clnt_mit.so.*
+%{_libdir}/libkadm5srv_mit.so.*
+%{_libdir}/libkdb5.so.*
+%{_libdir}/libkrb5.so.*
+%{_libdir}/libkrb5support.so.*
+%{_libdir}/libkrad.so.*
+%{_libdir}/krb5/plugins/kdb/*
+%{_libdir}/krb5/plugins/tls/*
+%{_tmpfilesdir}/krb5.conf
+%dir %{_datadir}/kerberos/
+%dir %{_datadir}/kerberos/krb5kdc
+%dir %{_datadir}/kerberos/krb5
+%dir %{_datadir}/kerberos/krb5/user
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
+%ghost %dir %{_sharedstatedir}/kerberos/
+%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
+%ghost %dir %{_sharedstatedir}/kerberos/krb5
+%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
+%{_sbindir}/kadmin.local
+%{_sbindir}/kadmind
+%{_sbindir}/kpropd
+%{_sbindir}/kproplog
+%{_sbindir}/kprop
+%{_sbindir}/kdb5_util
+%{_sbindir}/krb5kdc
+%{_sbindir}/uuserver
+%{_sbindir}/sserver
+%{_sbindir}/gss-server
+%{_sbindir}/sim_server
+%{_bindir}/k5srvutil
+%{_bindir}/kvno
+%{_bindir}/kinit
+%{_bindir}/kdestroy
+%{_bindir}/kpasswd
+%{_bindir}/klist
+%{_bindir}/kadmin
+%{_bindir}/ktutil
+%{_bindir}/kswitch
+%attr(0755,root,root) %{_bindir}/ksu
+%{_bindir}/uuclient
+%{_bindir}/sclient
+%{_bindir}/gss-client
+%{_bindir}/sim_client
+%{_bindir}/kinit
+%{_bindir}/klist
+%{_sbindir}/rc*
+%{_mandir}/man1/kvno.1%{?ext_man}
+%{_mandir}/man1/kinit.1%{?ext_man}
+%{_mandir}/man1/kdestroy.1%{?ext_man}
+%{_mandir}/man1/kpasswd.1%{?ext_man}
+%{_mandir}/man1/klist.1%{?ext_man}
+%{_mandir}/man1/ksu.1%{?ext_man}
+%{_mandir}/man1/sclient.1%{?ext_man}
+%{_mandir}/man1/kadmin.1%{?ext_man}
+%{_mandir}/man1/ktutil.1%{?ext_man}
+%{_mandir}/man1/k5srvutil.1%{?ext_man}
+%{_mandir}/man1/kswitch.1%{?ext_man}
+%{_mandir}/man5/*
+%{_mandir}/man5/.k5login.5%{?ext_man}
+%{_mandir}/man5/.k5identity.5%{?ext_man}
+%{_mandir}/man7/kerberos.7%{?ext_man}
+%{_mandir}/man8/*
+
+%changelog
diff --git a/krb5-rpmlintrc b/krb5-rpmlintrc
new file mode 100644
index 0000000..a50983e
--- /dev/null
+++ b/krb5-rpmlintrc
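Review bot: The second cleanup line in `%install`, `rm -f %{_mandir}/man1/tmac.doc*`, is missing the `%{buildroot}` prefix and therefore deletes files from the build host's man directory rather than from the package staging tree; the line directly above it already covers the buildroot, so the host-path line should simply be dropped. The same section also creates `%{_localstatedir}/log/krb5` twice (before and after `%make_install`), and the main `%files` list names `%{_bindir}/kinit` and `%{_bindir}/klist` twice, which rpmbuild tolerates but reports as "File listed twice". The hardening intent behind `chmod 0755 %{buildroot}%{_bindir}/ksu` together with `%attr(0755,root,root) %{_bindir}/ksu` is undocumented: as far as I recall upstream's install step installs ksu setuid root, and with `--without-pam` a non-setuid ksu cannot switch users for unprivileged callers, so the `# and binaries too` comment should state this, e.g. `# ksu is deliberately shipped without the setuid bit; this build does not offer it as a privileged su replacement`. Lastly, `--enable-dns-for-realm` makes realm discovery via unauthenticated DNS TXT records the default, something MIT's own documentation cautions against; the vendor `krb5.conf` that is installed here lives outside this hunk, so confirm it pins `dns_lookup_realm = false` or that the DNS default is acceptable for this package.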
@@ -0,0 +1,8 @@
+addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so")
+addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz")
+addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5identity.5.gz")
+addFilter("files-duplicate .*css")
+addFilter("files-duplicate .*img.*png")
+addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so")
+addFilter("shlib-policy-missing-suffix")
+addFilter("non-etc-or-var-file-marked-as-conffile")
diff --git a/krb5.changes b/krb5.changes
new file mode 100644
index 0000000..2f561fc
--- /dev/null
+++ b/krb5.changes
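Review bot: The last two filters, `addFilter("shlib-policy-missing-suffix")` and `addFilter("non-etc-or-var-file-marked-as-conffile")`, carry no path pattern, so they silence those checks for every file in every subpackage rather than for the specific files that prompted them; every other filter in this file is scoped with a regex and these two should be as well. The conffile warning is evidently triggered by the `%config(noreplace)` templates under %{_datadir}/kerberos/krb5kdc in the spec's %files list, so a scoped form such as `addFilter("non-etc-or-var-file-marked-as-conffile .*/usr/share/kerberos/krb5kdc/.*")` keeps the check alive for any other file that is later mis-marked as a conffile outside /etc or /var. The shlib-policy filter can likewise be restricted to the library subpackages it is meant for; which packages those are is not visible from this hunk.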
@@ -0,0 +1,2284 @@ +------------------------------------------------------------------- +Tue Aug 8 11:17:33 UTC 2023 - Samuel Cabrero + +- Ensure array count consistency in kadm5 RPC; (bsc#1214054); + (CVE-2023-36054); +- Added patches: + * 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch + +------------------------------------------------------------------- +Thu May 4 13:42:23 UTC 2023 - Frederic Crozat + +- Add _multibuild to define additional spec files as additional + flavors. + Eliminates the need for source package links in OBS. + +------------------------------------------------------------------- +Fri Mar 3 10:20:22 UTC 2023 - Samuel Cabrero + +- Update 0007-SELinux-integration.patch for SELinux 3.5; + (bsc#1208887); + +------------------------------------------------------------------- +Tue Dec 27 14:46:54 UTC 2022 - Stefan Schubert + +- Migration of PAM settings to /usr/lib/pam.d + +------------------------------------------------------------------- +Tue Dec 13 10:49:47 UTC 2022 - Samuel Cabrero + +- Drop 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch, + already fixed in release 1.20.0 + +------------------------------------------------------------------- +Wed Nov 16 07:49:09 UTC 2022 - Samuel Cabrero + +- Update to 1.20.1; (bsc#1205126); (CVE-2022-42898); + * Fix integer overflows in PAC parsing [CVE-2022-42898]. + * Fix null deref in KDC when decoding invalid NDR. + * Fix memory leak in OTP kdcpreauth module. + * Fix PKCS11 module path search. + +------------------------------------------------------------------- +Sun May 29 19:14:02 UTC 2022 - Dirk Müller + +- update to 1.20.0: + * Added a "disable_pac" realm relation to suppress adding PAC authdata + to tickets, for realms which do not need to support S4U requests. + * Most credential cache types will use atomic replacement when a cache + is reinitialized using kinit or refreshed from the client keytab. 
+ * kprop can now propagate databases with a dump size larger than 4GB, + if both the client and server are upgraded. + * kprop can now work over NATs that change the destination IP address, + if the client is upgraded. + * Updated the KDB interface. The sign_authdata() method is replaced + with the issue_pac() method, allowing KDB modules to add logon info + and other buffers to the PAC issued by the KDC. + * Host-based initiator names are better supported in the GSS krb5 + mechanism. + * Replaced AD-SIGNEDPATH authdata with minimal PACs. + * To avoid spurious replay errors, password change requests will not + be attempted over UDP until the attempt over TCP fails. + * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1. + * Updated all code using OpenSSL to be compatible with OpenSSL 3. + * Reorganized the libk5crypto build system to allow the OpenSSL + back-end to pull in material from the builtin back-end depending on + the OpenSSL version. + * Simplified the PRNG logic to always use the platform PRNG. + * Converted the remaining Tcl tests to Python. + +------------------------------------------------------------------- +Sat Apr 9 11:31:42 UTC 2022 - Dirk Müller + +- update to 1.19.3 (bsc#1189929, CVE-2021-37750): + * Fix a denial of service attack against the KDC [CVE-2021-37750]. 
+ * Fix KDC null deref on TGS inner body null server + * Fix conformance issue in GSSAPI tests + +------------------------------------------------------------------- +Thu Jan 27 22:21:52 UTC 2022 - David Mulder + +- Resolve "Credential cache directory /run/user/0/krb5cc does not + exist while opening default credentials cache" by using a kernel + keyring instead of a dir cache; (bsc#1109830); + +------------------------------------------------------------------- +Thu Sep 30 14:14:23 UTC 2021 - Johannes Segitz + +- Added hardening to systemd services; (bsc#1181400); + +------------------------------------------------------------------- +Mon Aug 30 12:45:25 UTC 2021 - Samuel Cabrero + +- Fix KDC null pointer dereference via a FAST inner body that + lacks a server field; (CVE-2021-37750); (bsc#1189929); +- Added patches: + * 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch + +------------------------------------------------------------------- +Mon Aug 2 08:39:31 UTC 2021 - Samuel Cabrero + +- Update to 1.19.2 + * Fix a denial of service attack against the KDC encrypted challenge + code; (CVE-2021-36222); + * Fix a memory leak when gss_inquire_cred() is called without a + credential handle. + +------------------------------------------------------------------- +Mon May 3 09:40:17 UTC 2021 - Rodrigo Lourenço + +- Build with full Cyrus SASL support + * Negotiating SASL credentials with an EXTERNAL bind mechanism requires + interaction. Kerberos provides its own interaction function that skips + all interaction, thus preventing the mechanism from working. 
+ +------------------------------------------------------------------- +Thu Apr 22 15:10:12 UTC 2021 - Samuel Cabrero + +- Use /run instead of /var/run for daemon PID files; (bsc#1185163); + +------------------------------------------------------------------- +Wed Apr 7 16:10:21 UTC 2021 - Dirk Müller + +- do not own %sbindir, it comes from filesystem package + +------------------------------------------------------------------- +Fri Feb 19 12:10:25 UTC 2021 - Samuel Cabrero + +- Update to 1.19.1 + * Fix a linking issue with Samba. + * Better support multiple pkinit_identities values by checking whether + certificates can be loaded for each value. + +------------------------------------------------------------------- +Fri Feb 5 10:36:51 UTC 2021 - Samuel Cabrero + +- Update to 1.19 + Administrator experience + * When a client keytab is present, the GSSAPI krb5 mech will refresh + credentials even if the current credentials were acquired manually. + * It is now harder to accidentally delete the K/M entry from a KDB. + Developer experience + * gss_acquire_cred_from() now supports the "password" and "verify" + options, allowing credentials to be acquired via password and + verified using a keytab key. + * When an application accepts a GSS security context, the new + GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor + both provided matching channel bindings. + * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests + to identify the desired client principal by certificate. + * PKINIT certauth modules can now cause the hw-authent flag to be set + in issued tickets. + * The krb5_init_creds_step() API will now issue the same password + expiration warnings as krb5_get_init_creds_password(). + Protocol evolution + * Added client and KDC support for Microsoft's Resource-Based Constrained + Delegation, which allows cross-realm S4U2Proxy requests. A third-party + database module is required for KDC support. 
+ * kadmin/admin is now the preferred server principal name for kadmin + connections, and the host-based form is no longer created by default. + The client will still try the host-based form as a fallback. + * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT + extension, which causes channel bindings to be required for the + initiator if the acceptor provided them. The client will send this + option if the client_aware_gss_bindings profile option is set. + User experience + * kinit will now issue a warning if the des3-cbc-sha1 encryption type is + used in the reply. This encryption type will be deprecated and removed + in future releases. + * Added kvno flags --out-cache, --no-store, and --cached-only + (inspired by Heimdal's kgetcred). + +------------------------------------------------------------------- +Thu Nov 19 09:30:13 UTC 2020 - Samuel Cabrero + +- Update to 1.18.3 + * Fix a denial of service vulnerability when decoding Kerberos + protocol messages; (CVE-2020-28196); (bsc#1178512); + * Fix a locking issue with the LMDB KDB module which could cause + KDC and kadmind processes to lose access to the database. + * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded + and unloaded while libkrb5support remains loaded. + +------------------------------------------------------------------- +Tue Jul 7 17:38:11 UTC 2020 - Andreas Schwab + +- Don't fail if %{_lto_cflags} is empty + +------------------------------------------------------------------- +Fri Jun 12 08:38:23 UTC 2020 - Dominique Leuenberger + +- Do not mangle libexecdir, bindir, sbindir and datadir: there is + no reasonable justification to step out of the defaults. + + No longer install csh/sh profiles into /etc/profiles.d: as we + not install to default paths, there is no need to further + inject paths into $PATH; also, now sbin binaries are only in + path for admin users. 
+ +------------------------------------------------------------------- +Fri May 29 08:38:37 UTC 2020 - Samuel Cabrero + +- Update to 1.18.2 + * Fix a SPNEGO regression where an acceptor using the default credential + would improperly filter mechanisms, causing a negotiation failure. + * Fix a bug where the KDC would fail to issue tickets if the local krbtgt + principal's first key has a single-DES enctype. + * Add stub functions to allow old versions of OpenSSL libcrypto to link + against libkrb5. + * Fix a NegoEx bug where the client name and delegated credential might + not be reported. + +------------------------------------------------------------------- +Thu May 28 15:21:46 UTC 2020 - Samuel Cabrero + +- Update logrotate script, call systemd to reload the services + instead of init-scripts. (boo#1169357) + +------------------------------------------------------------------- +Tue May 26 15:36:25 UTC 2020 - Christophe Giboudeaux + +- Don't add the lto flags to the public link options. (boo#1172038) + +------------------------------------------------------------------- +Mon May 4 09:24:21 UTC 2020 - Samuel Cabrero + +- Upgrade to 1.18.1 + * Fix a crash when qualifying short hostnames when the system has + no primary DNS domain. + * Fix a regression when an application imports "service@" as a GSS + host-based name for its acceptor credential handle. + * Fix KDC enforcement of auth indicators when they are modified by + the KDB module. + * Fix removal of require_auth string attributes when the LDAP KDB + module is used. + * Fix a compile error when building with musl libc on Linux. + * Fix a compile error when building with gcc 4.x. + * Change the KDC constrained delegation precedence order for consistency + with Windows KDCs. 
+- Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch + +------------------------------------------------------------------- +Wed Apr 29 08:04:32 UTC 2020 - Dominique Leuenberger + +- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d + notation: libexecdir is likely changing away from /usr/lib to + /usr/libexec. + +------------------------------------------------------------------- +Wed Mar 25 09:20:38 UTC 2020 - Samuel Cabrero + +- Fix segfault in k5_primary_domain; (bsc#1167620); +- Added patches: + * 0009-Fix-null-dereference-qualifying-short-hostnames.patch + +------------------------------------------------------------------- +Tue Feb 25 08:36:37 UTC 2020 - Tomáš Chvátal + +- Remove cruft to support distributions older than SLE 12 +- Use macros where applicable +- Switch to pkgconfig style dependencies + +------------------------------------------------------------------- +Mon Feb 17 17:26:16 UTC 2020 - Samuel Cabrero + +- Upgrade to 1.18 + Administrator experience: + * Remove support for single-DES encryption types. + * Change the replay cache format to be more efficient and robust. + Replay cache filenames using the new format end with ".rcache2" + by default. + * setuid programs will automatically ignore environment variables + that normally affect krb5 API functions, even if the caller does + not use krb5_init_secure_context(). + * Add an "enforce_ok_as_delegate" krb5.conf relation to disable + credential forwarding during GSSAPI authentication unless the KDC + sets the ok-as-delegate bit in the service ticket. + * Use the permitted_enctypes krb5.conf setting as the default value + for default_tkt_enctypes and default_tgs_enctypes. + Developer experience: + * Implement krb5_cc_remove_cred() for all credential cache types. + * Add the krb5_pac_get_client_info() API to get the client account + name from a PAC. + Protocol evolution: + * Add KDC support for S4U2Self requests where the user is identified + by X.509 certificate. 
(Requires support for certificate lookup from + a third-party KDB module.) + * Remove support for an old ("draft 9") variant of PKINIT. + * Add support for Microsoft NegoEx. (Requires one or more third-party + GSS modules implementing NegoEx mechanisms.) + User experience: + * Add support for "dns_canonicalize_hostname=fallback", causing + host-based principal names to be tried first without DNS + canonicalization, and again with DNS canonicalization if the + un-canonicalized server is not found. + * Expand single-component hostnames in host-based principal names + when DNS canonicalization is not used, adding the system's first DNS + search path as a suffix. Add a "qualify_shortname" krb5.conf relation + to override this suffix or disable expansion. + * Honor the transited-policy-checked ticket flag on application servers, + eliminating the requirement to configure capaths on servers in some + scenarios. + Code quality: + * The libkrb5 serialization code (used to export and import krb5 GSS + security contexts) has been simplified and made type-safe. + * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED + messages has been revised to conform to current coding practices. + * The test suite has been modified to work with macOS System Integrity + Protection enabled. + * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support + can always be tested. 
+- Updated patches: + * 0002-krb5-1.9-manpaths.patch + * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * 0005-krb5-1.6.3-ktutil-manpage.patch + * 0006-krb5-1.12-api.patch +- Renamed patches: + * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch + * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch + * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch + * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch +- Deleted patches: + * 0007-krb5-1.12-ksu-path.patch + +------------------------------------------------------------------- +Thu Dec 12 08:56:09 UTC 2019 - Samuel Cabrero + +- Upgrade to 1.17.1 + * Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin. + * Fix a bug preventing time skew correction from working when a KCM + credential cache is used. + +------------------------------------------------------------------- +Mon Aug 5 15:26:39 UTC 2019 - Samuel Cabrero + +- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947); + (bsc#1144047); + +------------------------------------------------------------------- +Wed Jul 24 09:57:44 UTC 2019 - matthias.gerstner@suse.com + +- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by + firewalld, see [1]. + + [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html + +------------------------------------------------------------------- +Tue May 7 10:08:00 UTC 2019 - Samuel Cabrero + +- Move LDAP schema files from /usr/share/doc/packages/krb5 to + /usr/share/kerberos/ldap; (bsc#1134217); + +------------------------------------------------------------------- +Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt + +- Replace old $RPM_* shell vars + +------------------------------------------------------------------- +Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero + +- Upgrade to 1.17. 
Major changes: + Administrator experience: + * A new Kerberos database module using the Lightning Memory-Mapped + Database library (LMDB) has been added. The LMDB KDB module should + be more performant and more robust than the DB2 module, and may + become the default module for new databases in a future release. + * "kdb5_util dump" will no longer dump policy entries when specific + principal names are requested. + Developer experience: + * The new krb5_get_etype_info() API can be used to retrieve enctype, + salt, and string-to-key parameters from the KDC for a client + principal. + * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise + principal names to be used with GSS-API functions. + * KDC and kadmind modules which call com_err() will now write to the + log file in a format more consistent with other log messages. + * Programs which use large numbers of memory credential caches should + perform better. + Protocol evolution: + * The SPAKE pre-authentication mechanism is now supported. This + mechanism protects against password dictionary attacks without + requiring any additional infrastructure such as certificates. SPAKE + is enabled by default on clients, but must be manually enabled on + the KDC for this release. + * PKINIT freshness tokens are now supported. Freshness tokens can + protect against scenarios where an attacker uses temporary access to + a smart card to generate authentication requests for the future. + * Password change operations now prefer TCP over UDP, to avoid + spurious error messages about replays when a response packet is + dropped. + * The KDC now supports cross-realm S4U2Self requests when used with a + third-party KDB module such as Samba's. The client code for + cross-realm S4U2Self requests is also now more robust + (CVE-2018-20217). + User experience: + * The new ktutil addent -f flag can be used to fetch salt information + from the KDC for password-based keys. 
+ * The new kdestroy -p option can be used to destroy a credential cache + within a collection by client principal name. + * The Kerberos man page has been restored, and documents the + environment variables that affect programs using the Kerberos + library. + Code quality: + * Python test scripts now use Python 3. + * Python test scripts now display markers in verbose output, making it + easier to find where a failure occurred within the scripts. + * The Windows build system has been simplified and updated to work + with more recent versions of Visual Studio. A large volume of + unused Windows-specific code has been removed. Visual Studio 2013 + or later is now required. +- Use systemd-tmpfiles to create files under /var/lib/kerberos, required + by transactional updates; (bsc#1100126); +- Rename patches: + * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch + * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch + * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch + * krb5-1.6.3-gssapi_improve_errormessages.dif to + 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch + * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch + * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch + * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch + * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch + +------------------------------------------------------------------- +Tue Oct 9 20:00:21 UTC 2018 - James McDonough + +- Upgrade to 1.16.1 + * kdc client cert matching on client principal entry + * Allow ktutil addent command to ignore key version and use + non-default salt string. + * add kpropd pidfile support + * enable "encrypted_challenge_indicator" realm option on tickets + obtained using FAST encrypted challenge pre-authentication. 
+ * dates through 2106 accepted + * KDC support for trivially renewable tickets + * stop caching referral and alternate cross-realm TGTs to prevent + duplicate credential cache entries + +------------------------------------------------------------------- +Mon Jun 18 11:02:57 UTC 2018 - mcepl@suse.com + +- BSC#1021402 move %{_libdir}/krb5/plugins/tls/k5tls.so to krb5 package + so it is avaiable for krb5-client as well. + +------------------------------------------------------------------- +Fri May 4 09:48:36 UTC 2018 - michael@stroeder.com + +- Upgrade to 1.15.3 + * Fix flaws in LDAP DN checking, including a null dereference KDC + crash which could be triggered by kadmin clients with administrative + privileges [CVE-2018-5729, CVE-2018-5730]. + * Fix a KDC PKINIT memory leak. + * Fix a small KDC memory leak on transited or authdata errors when + processing TGS requests. + * Fix a null dereference when the KDC sends a large TGS reply. + * Fix "kdestroy -A" with the KCM credential cache type. + * Fix the handling of capaths "." values. + * Fix handling of repeated subsection specifications in profile files + (such as when multiple included files specify relations in the same + subsection). + +------------------------------------------------------------------- +Wed Apr 25 21:54:39 UTC 2018 - luizluca@gmail.com + +- Added support for /etc/krb5.conf.d/ for configuration snippets + +------------------------------------------------------------------- +Thu Nov 23 13:38:38 UTC 2017 - rbrown@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +------------------------------------------------------------------- +Mon Nov 6 10:23:00 UTC 2017 - hguo@suse.com + +- Remove build dependency doxygen, python-Cheetah, python-Sphinx, + python-libxml2, python-lxml, most of which are python 2 programs. + Consequently remove -doc subpackage. Users are encouraged to use + online documentation. 
(bsc#1066461) + +------------------------------------------------------------------- +Mon Oct 2 22:53:28 UTC 2017 - jengelh@inai.de + +- Update package descriptions. + +------------------------------------------------------------------- +Mon Sep 25 19:45:05 UTC 2017 - michael@stroeder.com + +- Upgrade to 1.15.2 + * Fix a KDC denial of service vulnerability caused by unset status + strings [CVE-2017-11368] + * Preserve GSS contexts on init/accept failure [CVE-2017-11462] + * Fix kadm5 setkey operation with LDAP KDB module + * Use a ten-second timeout after successful connection for HTTPS KDC + requests, as we do for TCP requests + * Fix client null dereference when KDC offers encrypted challenge + without FAST + * Ignore dotfiles when processing profile includedir directive + * Improve documentation + +------------------------------------------------------------------- +Fri Aug 18 08:27:26 UTC 2017 - hguo@suse.com + +- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf + in order to improve client security in handling service principle + names. (bsc#1054028) + +------------------------------------------------------------------- +Fri Aug 11 09:08:58 UTC 2017 - hguo@suse.com + +- Prevent kadmind.service startup failure caused by absence of + LDAP service. 
(bsc#903543) + +------------------------------------------------------------------- +Tue Jun 6 13:36:34 UTC 2017 - hguo@suse.com + +- There is no change made about the package itself, this is only + copying over some changelog texts from SLE package: +- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355 + krb5: denial of service in krb5_read_message +- bug#912002 owned by varkoly@suse.com: VUL-0 + CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423: + krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token +- bug#910458 owned by varkoly@suse.com: VUL-1 + CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries +- bug#928978 owned by varkoly@suse.com: VUL-0 + CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading + to requires_preauth bypass +- bug#910457 owned by varkoly@suse.com: VUL-1 + CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy + name as a password policy name +- bug#991088 owned by hguo@suse.com: VUL-1 + CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted +- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires +- [fate#320326](https://fate.suse.com/320326) +- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference + from \cite + +------------------------------------------------------------------- +Thu Apr 6 12:58:53 CEST 2017 - kukuk@suse.de + +- Remove wrong PreRequires from krb5 + +------------------------------------------------------------------- +Thu Mar 9 20:58:42 UTC 2017 - michael@stroeder.com + +- use HTTPS project and source URLs + +------------------------------------------------------------------- +Thu Mar 9 16:31:41 UTC 2017 - meissner@suse.com + +- use source urls. 
+- krb5.keyring: Added Greg Hudson + +------------------------------------------------------------------- +Sat Mar 4 21:29:34 UTC 2017 - michael@stroeder.com + +- removed obsolete krb5-1.15-fix_kdb_free_principal_e_data.patch +- Upgrade to 1.15.1 + * Allow KDB modules to determine how the e_data field of principal + fields is freed + * Fix udp_preference_limit when the KDC location is configured with + SRV records + * Fix KDC and kadmind startup on some IPv4-only systems + * Fix the processing of PKINIT certificate matching rules which have + two components and no explicit relation + * Improve documentation + +------------------------------------------------------------------- +Fri Jan 27 14:50:39 UTC 2017 - bwiedemann@suse.com + +- remove useless environment.pickle to make build-compare happy + +------------------------------------------------------------------- +Thu Jan 19 15:59:38 UTC 2017 - asn@cryptomilk.org + +- Introduce patch + krb5-1.15-fix_kdb_free_principal_e_data.patch + to fix freeing of e_data in the kdb principal + +------------------------------------------------------------------- +Sat Dec 3 13:04:11 UTC 2016 - michael@stroeder.com + +- Upgrade to 1.15 +- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2 +- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since + file is not available in upstream source anymore +- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15 + +- Upgrade from 1.14.4 to 1.15 - major changes: + Administrator experience: + * Add support to kadmin for remote extraction of current keys without + changing them (requires a special kadmin permission that is excluded + from the wildcard permission), with the exception of highly + protected keys. + * Add a lockdown_keys principal attribute to prevent retrieval of the + principal's keys (old or new) via the kadmin protocol. In newly + created databases, this attribute is set on the krbtgt and kadmin + principals. 
+ * Restore recursive dump capability for DB2 back end, so sites can + more easily recover from database corruption resulting from power + failure events. + * Add DNS auto-discovery of KDC and kpasswd servers from URI records, + in addition to SRV records. URI records can convey TCP and UDP + servers and master KDC status in a single DNS lookup, and can also + point to HTTPS proxy servers. + * Add support for password history to the LDAP back end. + * Add support for principal renaming to the LDAP back end. + * Use the getrandom system call on supported Linux kernels to avoid + blocking problems when getting entropy from the operating system. + * In the PKINIT client, use the correct DigestInfo encoding for PKCS + #1 signatures, so that some especially strict smart cards will work. + Code quality: + * Clean up numerous compilation warnings. + * Remove various infrequently built modules, including some preauth + modules that were not built by default. + Developer experience: + * Add support for building with OpenSSL 1.1. + * Use SHA-256 instead of MD5 for (non-cryptographic) hashing of + authenticators in the replay cache. This helps sites that must + build with FIPS 140 conformant libraries that lack MD5. + Protocol evolution: + * Add support for the AES-SHA2 enctypes, which allows sites to conform + to Suite B crypto requirements. 
+ +- Upgrade from 1.14.3 to 1.14.4 - major changes: + * Fix some rare btree data corruption bugs + * Fix numerous minor memory leaks + * Improve portability (Linux-ppc64el, FreeBSD) + * Improve some error messages + * Improve documentation + +------------------------------------------------------------------- +Mon Nov 14 08:36:06 UTC 2016 - christof.hanke@rzg.mpg.de + +- add pam configuration file required for ksu + just use a copy of "su" one from Tumbleweed + +------------------------------------------------------------------- +Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com + +- Upgrade from 1.14.2 to 1.14.3: + * Improve some error messages + * Improve documentation + * Allow a principal with nonexistent policy to bypass the minimum + password lifetime check, consistent with other aspects of + nonexistent policies + * Fix a rare KDC denial of service vulnerability when anonymous client + principals are restricted to obtaining TGTs only [CVE-2016-3120] + +------------------------------------------------------------------- +Sat Jul 2 11:38:54 UTC 2016 - idonmez@suse.com + +- Remove comments breaking post scripts. + +------------------------------------------------------------------- +Thu Jun 30 13:34:29 UTC 2016 - fcrozat@suse.com + +- Do no use systemd_requires macros in main package, it adds + unneeded dependencies which pulls systemd into minimal chroot. +- Only call %insserv_prereq when building for pre-systemd + distributions. +- Optimise some %post/%postun when only /sbin/ldconfig is called. + +------------------------------------------------------------------ +Tue May 10 12:41:14 UTC 2016 - hguo@suse.com + +- Remove source file ccapi/common/win/OldCC/autolock.hxx + that is not needed and does not carry an acceptable license. 
+ (bsc#968111)
+
+-------------------------------------------------------------------
+Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com
+
+- removed obsolete patches:
+ * 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+ * krb5-mechglue_inqure_attrs.patch
+- Upgrade from 1.14.1 to 1.14.2:
+ * Fix a moderate-severity vulnerability in the LDAP KDC back end that
+ could be exploited by a privileged kadmin user [CVE-2016-3119]
+ * Improve documentation
+ * Fix some interactions with GSSAPI interposer mechanisms
+
+-------------------------------------------------------------------
+Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com
+
+- Upgrade from 1.14 to 1.14.1:
+ * Remove expired patches:
+ 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
+ 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
+ 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+ krbdev.mit.edu-8301.patch
+ * Replace source archives:
+ krb5-1.14.tar.gz ->
+ krb5-1.14.1.tar.gz
+ krb5-1.14.tar.gz.asc ->
+ krb5-1.14.1.tar.gz.asc
+ * Adjust line numbers in:
+ krb5-fix_interposer.patch
+
+-------------------------------------------------------------------
+Wed Mar 23 13:02:48 UTC 2016 - hguo@suse.com
+
+- Introduce patch
+ 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+ to fix CVE-2016-3119 (bsc#971942)
+
+-------------------------------------------------------------------
+Thu Feb 11 15:06:31 UTC 2016 - hguo@suse.com
+
+- Remove krb5-mini pieces from spec file.
+ Hence remove pre_checkin.sh
+- Remove expired macros and other minor clean-ups in spec file.
+
+-------------------------------------------------------------------
+Tue Feb 2 08:41:13 UTC 2016 - hguo@suse.com
+
+- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character
+ with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
+ (bsc#963968)
+- Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request
+ with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
+ (bsc#963975)
+- Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask
+ with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+ (bsc#963964)
+
+-------------------------------------------------------------------
+Mon Jan 11 12:33:54 UTC 2016 - idonmez@suse.com
+
+- Add two patches from Fedora, fixing two crashes:
+ * krb5-fix_interposer.patch
+ * krb5-mechglue_inqure_attrs.patch
+
+-------------------------------------------------------------------
+Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com
+
+- Update to 1.14
+- dropped krb5-kvno-230379.patch
+- added krbdev.mit.edu-8301.patch fixing wrong function call
+
+Major changes in 1.14 (2015-11-20)
+==================================
+
+Administrator experience:
+
+* Add a new kdb5_util tabdump command to provide reporting-friendly
+ tabular dump formats (tab-separated or CSV) for the KDC database.
+ Unlike the normal dump format, each output table has a fixed number
+ of fields. Some tables include human-readable forms of data that
+ are opaque in ordinary dump files. This format is also suitable for
+ importing into relational databases for complex queries.
+* Add support to kadmin and kadmin.local for specifying a single
+ command line following any global options, where the command
+ arguments are split by the shell--for example, "kadmin getprinc
+ principalname". Commands issued this way do not prompt for
+ confirmation or display warning messages, and exit with non-zero
+ status if the operation fails.
+* Accept the same principal flag names in kadmin as we do for the
+ default_principal_flags kdc.conf variable, and vice versa. Also
+ accept flag specifiers in the form that kadmin prints, as well as
+ hexadecimal numbers.
+* Remove the triple-DES and RC4 encryption types from the default
+ value of supported_enctypes, which determines the default key and
+ salt types for new password-derived keys. By default, keys will
+ only created only for AES128 and AES256. This mitigates some types
+ of password guessing attacks.
+* Add support for directory names in the KRB5_CONFIG and
+ KRB5_KDC_PROFILE environment variables.
+* Add support for authentication indicators, which are ticket
+ annotations to indicate the strength of the initial authentication.
+ Add support for the "require_auth" string attribute, which can be
+ set on server principal entries to require an indicator when
+ authenticating to the server.
+* Add support for key version numbers larger than 255 in keytab files,
+ and for version numbers up to 65535 in KDC databases.
+* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
+ during pre-authentication, corresponding to the client's most
+ preferred encryption type.
+* Add support for server name identification (SNI) when proxying KDC
+ requests over HTTPS.
+* Add support for the err_fmt profile parameter, which can be used to
+ generate custom-formatted error messages.
+
+Code quality:
+
+* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+ could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+ [CVE-2015-2698]
+* Fix build_principal memory bug that could cause a KDC
+ crash. [CVE-2015-2697]
+
+Developer experience:
+
+* Change gss_acquire_cred_with_password() to acquire credentials into
+ a private memory credential cache. Applications can use
+ gss_store_cred() to make the resulting credentials visible to other
+ processes.
+* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
+ IAKERB or for non-standard variants of the krb5 mechanism OID unless
+ explicitly requested. (SPNEGO will still accept the Microsoft
+ variant of the krb5 mechanism OID during negotiation.)
+* Change gss_accept_sec_context() not to accept tokens for IAKERB or
+ for non-standard variants of the krb5 mechanism OID unless an
+ acceptor credential is acquired for those mechanisms.
+* Change gss_acquire_cred() to immediately resolve credentials if the
+ time_rec parameter is not NULL, so that a correct expiration time
+ can be returned. Normally credential resolution is delayed until
+ the target name is known.
+* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
+ which can be used by plugin modules or applications to add prefixes
+ to existing detailed error messages.
+* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
+ implement the RFC 6113 PRF+ operation and key derivation using PRF+.
+* Add support for pre-authentication mechanisms which use multiple
+ round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
+ code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
+ interface; these callbacks can be used to save marshalled state
+ information in an encrypted cookie for the next request.
+* Add a client_key() callback to the kdcpreauth interface to retrieve
+ the chosen client key, corresponding to the ETYPE-INFO2 entry sent
+ by the KDC.
+* Add an add_auth_indicator() callback to the kdcpreauth interface,
+ allowing pre-authentication modules to assert authentication
+ indicators.
+* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
+ suppress sending the confidentiality and integrity flags in GSS
+ initiator tokens unless they are requested by the caller. These
+ flags control the negotiated SASL security layer for the Microsoft
+ GSS-SPNEGO SASL mechanism.
+* Make the FILE credential cache implementation less prone to
+ corruption issues in multi-threaded programs, especially on
+ platforms with support for open file description locks.
+
+Performance:
+
+* On slave KDCs, poll the master KDC immediately after processing a
+ full resync, and do not require two full resyncs after the master
+ KDC's log file is reset.
+
+User experience:
+
+* Make gss_accept_sec_context() accept tickets near their expiration
+ but within clock skew tolerances, rather than rejecting them
+ immediately after the server's view of the ticket expiration time.
+
+-------------------------------------------------------------------
+Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com
+
+- Update to 1.13.3
+- removed patches for security fixes now in upstream source:
+ 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+ 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+ 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+ 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+
+Major changes in 1.13.3 (2015-12-04)
+====================================
+
+This is a bug fix release. The krb5-1.13 release series is in
+maintenance, and for new deployments, installers should prefer the
+krb5-1.14 release series or later.
+
+* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+ could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+ [CVE-2015-2698]
+* Fix build_principal memory bug that could cause a KDC
+ crash. [CVE-2015-2697]
+* Allow an iprop slave to receive full resyncs from KDCs running
+ krb5-1.10 or earlier.
+
+-------------------------------------------------------------------
+Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com
+
+- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+ to fix a memory corruption regression introduced by resolution of
+ CVE-2015-2698. bsc#954204
+
+-------------------------------------------------------------------
+Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com
+
+- Make kadmin.local man page available without having to install krb5-client. bsc#948011
+- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+ to fix build_principal memory bug [CVE-2015-2697] bsc#952190
+- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+ to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
+- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+ to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
+
+-------------------------------------------------------------------
+Mon Jun 1 07:31:52 UTC 2015 - hguo@suse.com
+
+- Let server depend on libev (module of libverto). This was the
+ preferred implementation before the seperation of libverto from krb.
+
+-------------------------------------------------------------------
+Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org
+
+- Drop libverto and libverto-libev Requires from the -server
+ package: those package names don't exist and the shared libs
+ are pulled in automatically.
+
+-------------------------------------------------------------------
+Wed May 27 10:59:13 UTC 2015 - dimstar@opensuse.org
+
+- Unconditionally buildrequire libverto-devel: krb5-mini also
+ depends on it.
+
+-------------------------------------------------------------------
+Fri May 22 09:27:11 UTC 2015 - meissner@suse.com
+
+- pre_checkin.sh aligned changes between krb5/krb5-mini
+- added krb5.keyring
+
+-------------------------------------------------------------------
+Tue May 12 07:48:18 UTC 2015 - michael@stroeder.com
+
+- update to krb5 1.13.2
+
+- DES transition
+==============
+
+The Data Encryption Standard (DES) is widely recognized as weak. The
+krb5-1.7 release contains measures to encourage sites to migrate away
+- From using single-DES cryptosystems. Among these is a configuration
+variable that enables "weak" enctypes, which defaults to "false"
+beginning with krb5-1.8.
+
+
+Major changes in 1.13.2 (2015-05-08)
+====================================
+
+This is a bug fix release.
+
+* Fix a minor vulnerability in krb5_read_message, which is primarily
+ used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]
+
+* Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
+ [CVE-2015-2694]
+
+* Fix some issues with the LDAP KDC database back end.
+
+* Fix an iteration-related memory leak in the DB2 KDC database back
+ end.
+
+* Fix issues with some less-used kadm5.acl functionality.
+
+* Improve documentation.
+
+-------------------------------------------------------------------
+Thu Apr 23 14:13:03 UTC 2015 - hguo@suse.com
+
+- Use externally built libverto
+
+-------------------------------------------------------------------
+Wed Feb 18 11:48:46 UTC 2015 - michael@stroeder.com
+
+- update to krb5 1.13.1
+
+Major changes in 1.13.1 (2015-02-11)
+====================================
+
+This is a bug fix release.
+
+* Fix multiple vulnerabilities in the LDAP KDC back end.
+ [CVE-2014-5354] [CVE-2014-5353]
+
+* Fix multiple kadmind vulnerabilities, some of which are based in the
+ gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
+ CVE-2014-9422 CVE-2014-9423]
+
+-------------------------------------------------------------------
+Tue Jan 6 07:12:29 UTC 2015 - mlin@suse.com
+
+- Update to krb5 1.13
+ * Add support for accessing KDCs via an HTTPS proxy server using the
+ MS-KKDCP protocol.
+ * Add support for hierarchical incremental propagation, where slaves
+ can act as intermediates between an upstream master and other downstream
+ slaves.
+ * Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf
+ files in addition to /etc/gss/mech.
+ * Add support to the LDAP KDB module for binding to the LDAP server using
+ SASL.
+ * The KDC listens for TCP connections by default.
+ * Fix a minor key disclosure vulnerability where using the "keepold" option
+ to the kadmin randkey operation could return the old keys. [CVE-2014-5351]
+ * Add client support for the Kerberos Cache Manager protocol. If the host
+ is running a Heimdal kcm daemon, caches served by the daemon can be
+ accessed with the KCM: cache type.
+ * When built on OS X 10.7 and higher, use "KCM:" as the default cache type,
+ unless overridden by command-line options or krb5-config values.
+ * Add support for doing unlocked database dumps for the DB2 KDC back end,
+ which would allow the KDC and kadmind to continue accessing the database
+ during lengthy database dumps.
+- Removed patches, useless or upstreamed
+ * krb5-1.9-kprop-mktemp.patch
+ * krb5-1.10-ksu-access.patch
+ * krb5-1.12-doxygen.patch
+ * bnc#897874-CVE-2014-5351.diff
+ * krb5-1.13-work-around-replay-cache-creation-race.patch
+ * krb5-1.10-kpasswd_tcp.patch
+- Refreshed patches
+ * krb5-1.12-pam.patch
+ * krb5-1.12-selinux-label.patch
+ * krb5-1.7-doublelog.patch
+
+-------------------------------------------------------------------
+Thu Sep 25 12:48:32 UTC 2014 - ddiss@suse.com
+
+- Work around replay cache creation race; (bnc#898439).
+ krb5-1.13-work-around-replay-cache-creation-race.patch
+
+-------------------------------------------------------------------
+Tue Sep 23 13:25:33 UTC 2014 - varkoly@suse.com
+
+- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal
+- added patches:
+ * bnc#897874-CVE-2014-5351.diff
+-------------------------------------------------------------------
+Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de
+
+- krb5 5.12.2:
+ * Work around a gcc optimizer bug that could cause DB2 KDC
+ database operations to spin in an infinite loop
+ * Fix a backward compatibility problem with the LDAP KDB schema
+ that could prevent krb5-1.11 and later from decoding entries
+ created by krb5-1.6.
+ * Avoid an infinite loop under some circumstances when the GSS
+ mechglue loads a dynamic mechanism.
+ * Fix krb5kdc argument parsing so "-w" and "-r" options work
+ togetherreliably.
+- Vulnerability fixes previously fixed in package via patches:
+ * Handle certain invalid RFC 1964 GSS tokens correctly to avoid
+ invalid memory reference vulnerabilities. [CVE-2014-4341
+ CVE-2014-4342]
+ * Fix memory management vulnerabilities in GSSAPI SPNEGO.
+ [CVE-2014-4343 CVE-2014-4344]
+ * Fix buffer overflow vulnerability in LDAP KDB back end.
+ [CVE-2014-4345]
+- updated patches:
+ * krb5-1.7-doublelog.patch for context change
+ * krb5-1.6.3-ktutil-manpage.dif, same
+- removed patches, in upstream:
+ * krb5-master-keyring-kdcsync.patch
+ * krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+ * krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+ * krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+ * krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
+- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch
+ from upstream
+
+-------------------------------------------------------------------
+Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com
+
+- buffer overrun in kadmind with LDAP backend
+ CVE-2014-4345 (bnc#891082)
+ krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
+
+-------------------------------------------------------------------
+Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com
+
+- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)
+ krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+ Fix null deref in SPNEGO acceptor [CVE-2014-4344]
+ krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+
+-------------------------------------------------------------------
+Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com
+
+- Do not depend of insserv if systemd is used
+
+-------------------------------------------------------------------
+Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com
+
+- denial of service flaws when handling RFC 1964 tokens (bnc#886016)
+ krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+- start krb5kdc after slapd (bnc#886102)
+
+-------------------------------------------------------------------
+Fri Jun 6 11:08:08 UTC 2014 - ckornacker@suse.com
+
+- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
+ similar functionality is provided by krb5-plugin-preauth-pkinit
+
+-------------------------------------------------------------------
+Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com
+
+- don't deliver SysV init files to systemd distributions
+
+-------------------------------------------------------------------
+Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com
+
+- update to version 1.12.1
+ * Make KDC log service principal names more consistently during
+ some error conditions, instead of ""
+ * Fix several bugs related to building AES-NI support on less
+ common configurations
+ * Fix several bugs related to keyring credential caches
+- upstream obsoletes:
+ krb5-1.12-copy_context.patch
+ krb5-1.12-enable-NX.patch
+ krb5-1.12-pic-aes-ni.patch
+ krb5-master-no-malloc0.patch
+ krb5-master-ignore-empty-unnecessary-final-token.patch
+ krb5-master-gss_oid_leak.patch
+ krb5-master-keytab_close.patch
+ krb5-master-spnego_error_messages.patch
+- Fix Get time offsets for all keyring ccaches
+ krb5-master-keyring-kdcsync.patch (RT#7820)
+
+-------------------------------------------------------------------
+Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com
+
+- update to version 1.12
+ * Add GSSAPI extensions for constructing MIC tokens using IOV lists
+ * Add a FAST OTP preauthentication module for the KDC which uses
+ RADIUS to validate OTP token values.
+ * The AES-based encryption types will use AES-NI instructions
+ when possible for improved performance.
+- revert dependency on libcom_err-mini-devel since it's not yet
+ available
+- update and rebase patches
+ * krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch
+ * krb5-1.11-pam.patch -> krb5-1.12-pam.patch
+ * krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch
+ * krb5-1.8-api.patch -> krb5-1.12-api.patch
+ * krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch
+ * krb5-1.9-debuginfo.patch
+ * krb5-1.9-kprop-mktemp.patch
+ * krb5-kvno-230379.patch
+- added upstream patches
+ - Fix krb5_copy_context
+ * krb5-1.12-copy_context.patch
+ - Mark AESNI files as not needing executable stacks
+ * krb5-1.12-enable-NX.patch
+ * krb5-1.12-pic-aes-ni.patch
+ - Fix memory leak in SPNEGO initiator
+ * krb5-master-gss_oid_leak.patch
+ - Fix SPNEGO one-hop interop against old IIS
+ * krb5-master-ignore-empty-unnecessary-final-token.patch
+ - Fix GSS krb5 acceptor acquire_cred error handling
+ * krb5-master-keytab_close.patch
+ - Avoid malloc(0) in SPNEGO get_input_token
+ * krb5-master-no-malloc0.patch
+ - Test SPNEGO error message in t_s4u.py
+ * krb5-master-spnego_error_messages.patch
+
+-------------------------------------------------------------------
+Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com
+
+- Reduce build dependencies for krb5-mini by removing
+ doxygen and changing libcom_err-devel to
+ libcom_err-mini-devel
+- Small fix to pre_checkin.sh so krb5-mini.spec is correct.
+
+-------------------------------------------------------------------
+Fri Nov 15 13:33:53 UTC 2013 - ckornacker@suse.com
+
+- update to version 1.11.4
+ - Fix a KDC null pointer dereference [CVE-2013-1417] that could
+ affect realms with an uncommon configuration.
+ - Fix a KDC null pointer dereference [CVE-2013-1418] that could
+ affect KDCs that serve multiple realms.
+ - Fix a number of bugs related to KDC master key rollover.
+
+-------------------------------------------------------------------
+Mon Jun 24 16:21:07 UTC 2013 - mc@suse.com
+
+- install and enable systemd service files also in -mini package
+
+-------------------------------------------------------------------
+Fri Jun 21 02:12:03 UTC 2013 - crrodriguez@opensuse.org
+
+- remove fstack-protector-all from CFLAGS, just use the
+ lighter/fast version already present in %optflags
+
+- Use LFS_CFLAGS to build in 32 bit archs.
+
+-------------------------------------------------------------------
+Sun Jun 9 14:14:48 UTC 2013 - mc@suse.com
+
+- update to version 1.11.3
+ - Fix a UDP ping-pong vulnerability in the kpasswd
+ (password changing) service. [CVE-2002-2443]
+ - Improve interoperability with some Windows native PKINIT clients.
+- install translation files
+- remove outdated configure options
+
+-------------------------------------------------------------------
+Tue May 28 17:08:01 UTC 2013 - mc@suse.com
+
+- cleanup systemd files (remove syslog.target)
+
+-------------------------------------------------------------------
+Fri May 3 09:43:47 CEST 2013 - mc@suse.de
+
+- let krb5-mini conflict with all main packages
+
+-------------------------------------------------------------------
+Thu May 2 16:43:16 CEST 2013 - mc@suse.de
+
+- add conflicts between krb5-mini and krb5-server
+
+-------------------------------------------------------------------
+Sun Apr 28 17:14:36 CEST 2013 - mc@suse.de
+
+- update to version 1.11.2
+ * Incremental propagation could erroneously act as if a slave's
+ database were current after the slave received a full dump
+ that failed to load.
+ * gss_import_sec_context incorrectly set internal state that
+ identifies whether an imported context is from an interposer
+ mechanism or from the underlying mechanism.
+- upstream fix obsolete krb5-lookup_etypes-leak.patch
+
+-------------------------------------------------------------------
+Thu Apr 4 15:10:19 CEST 2013 - mc@suse.de
+
+- add conflicts between krb5-mini-devel and krb5-devel
+
+-------------------------------------------------------------------
+Tue Apr 2 17:32:08 CEST 2013 - mc@suse.de
+
+- add conflicts between krb5-mini and krb5 and krb5-client
+
+-------------------------------------------------------------------
+Wed Mar 27 11:36:00 CET 2013 - mc@suse.de
+
+- enable selinux and set openssl as crypto implementation
+
+-------------------------------------------------------------------
+Fri Mar 22 10:34:55 CET 2013 - mc@suse.de
+
+- fix path to executables in service files
+ (bnc#810926)
+
+-------------------------------------------------------------------
+Fri Mar 15 11:14:21 CET 2013 - mc@suse.de
+
+- update to version 1.11.1
+ * Improve ASN.1 support code, making it table-driven for
+ decoding as well as encoding
+ * Refactor parts of KDC
+ * Documentation consolidation
+ * build docs in the main package
+ * bugfixing
+- changes of patches:
+ * bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif:
+ upstream
+ * bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif:
+ upstream
+ * krb5-1.10-gcc47.patch: upstream
+ * krb5-1.10-selinux-label.patch replaced by
+ krb5-1.11-selinux-label.patch
+ * krb5-1.10-spin-loop.patch: upstream
+ * krb5-1.3.5-perlfix.dif: the tool was removed from upstream
+ * krb5-1.8-pam.patch replaced by
+ krb5-1.11-pam.patch
+
+-------------------------------------------------------------------
+Wed Mar 6 12:01:32 CET 2013 - mc@suse.de
+
+- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
+ CVE-2012-1016 (bnc#807556)
+ bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
+
+-------------------------------------------------------------------
+Mon Mar 4 11:23:10 CET 2013 - mc@suse.de
+
+- fix PKINIT null pointer deref
+ CVE-2013-1415 (bnc#806715)
+ bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
+
+-------------------------------------------------------------------
+Fri Jan 25 15:29:37 CET 2013 - mc@suse.de
+
+- package missing file (bnc#794784)
+
+-------------------------------------------------------------------
+Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com
+
+- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc
+ (bnc#793336)
+
+-------------------------------------------------------------------
+Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com
+
+- revert the -p usage in %postun to fix SLE build
+
+-------------------------------------------------------------------
+Tue Oct 16 12:05:00 UTC 2012 - coolo@suse.com
+
+- buildrequire systemd by pkgconfig provide to get systemd-mini
+
+-------------------------------------------------------------------
+Sat Oct 13 16:50:59 UTC 2012 - coolo@suse.com
+
+- do not require systemd in krb5-mini
+
+-------------------------------------------------------------------
+Fri Oct 5 15:50:38 CEST 2012 - mc@suse.de
+
+- add systemd service files for kadmind, krb5kdc and kpropd
+- add sysconfig templates for kadmind and krb5kdc
+
+-------------------------------------------------------------------
+Wed Jun 13 08:40:56 UTC 2012 - coolo@suse.com
+
+- fix %files section for krb5-mini
+
+-------------------------------------------------------------------
+Thu Jun 7 11:39:18 UTC 2012 - mc@suse.de
+
+- fix gcc47 issues
+
+-------------------------------------------------------------------
+Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de
+
+- update to version 1.10.2
+ obsolte patches:
+ * krb5-1.7-nodeplibs.patch
+ * krb5-1.9.1-ai_addrconfig.patch
+ * krb5-1.9.1-ai_addrconfig2.patch
+ * krb5-1.9.1-sendto_poll.patch
+ * krb5-1.9-canonicalize-fallback.patch
+ * krb5-1.9-paren.patch
+ * krb5-klist_s.patch
+ * krb5-pkinit-cms2.patch
+ * krb5-trunk-chpw-err.patch
+ * krb5-trunk-gss_delete_sec.patch
+ * krb5-trunk-kadmin-oldproto.patch
+ * krb5-1.9-MITKRB5-SA-2011-006.dif
+ * krb5-1.9-gss_display_status-iakerb.patch
+ * krb5-1.9.1-sendto_poll2.patch
+ * krb5-1.9.1-sendto_poll3.patch
+ * krb5-1.9-MITKRB5-SA-2011-007.dif
+- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
+ Controllers.
+- Update a workaround for a glibc bug that would cause DNS PTR queries
+ to occur even when rdns = false.
+- Fix a kadmind denial of service issue (null pointer dereference),
+ which could only be triggered by an administrator with the "create"
+ privilege. [CVE-2012-1013]
+- Fix access controls for KDB string attributes [CVE-2012-1012]
+- Make the ASN.1 encoding of key version numbers interoperate with
+ Windows Read-Only Domain Controllers
+- Avoid generating spurious password expiry warnings in cases where
+ the KDC sends an account expiry time without a password expiry time
+- Make PKINIT work with FAST in the client library.
+- Add the DIR credential cache type, which can hold a collection of
+ credential caches.
+- Enhance kinit, klist, and kdestroy to support credential cache
+ collections if the cache type supports it.
+- Add the kswitch command, which changes the selected default cache
+ within a collection.
+- Add heuristic support for choosing client credentials based on
+ the service realm.
+- Add support for $HOME/.k5identity, which allows credential
+ choice based on configured rules.
+
+-------------------------------------------------------------------
+Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de
+
+- add autoconf macro to devel subpackage
+
+-------------------------------------------------------------------
+Tue Jan 31 15:33:05 CET 2012 - meissner@suse.de
+
+- fix license in krb5-mini
+
+-------------------------------------------------------------------
+Tue Dec 20 20:57:26 UTC 2011 - coolo@suse.com
+
+- add autoconf as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Tue Dec 20 11:01:39 UTC 2011 - coolo@suse.com
+
+- remove call to suse_update_config, very old work around
+
+-------------------------------------------------------------------
+Mon Nov 21 11:24:12 CET 2011 - mc@suse.de
+
+- fix KDC null pointer dereference in TGS handling
+ (MITKRB5-SA-2011-007, bnc#730393)
+ CVE-2011-1530
+
+-------------------------------------------------------------------
+Mon Nov 21 11:11:54 CET 2011 - mc@suse.de
+
+- fix KDC HA feature introduced with implementing KDC poll
+ (RT#6951, bnc#731648)
+
+-------------------------------------------------------------------
+Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de
+
+- fix minor error messages for the IAKERB GSSAPI mechanism
+ (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)
+
+-------------------------------------------------------------------
+Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de
+
+- fix kdc remote denial of service
+ (MITKRB5-SA-2011-006, bnc#719393)
+ CVE-2011-1527, CVE-2011-1528, CVE-2011-1529
+
+-------------------------------------------------------------------
+Tue Aug 23 13:52:03 CEST 2011 - mc@suse.de
+
+- use --without-pam to build krb5-mini
+
+-------------------------------------------------------------------
+Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com
+
+- add patches from Fedora and upstream
+- fix init scripts (bnc#689006)
+
+-------------------------------------------------------------------
+Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com
+
+- update to version 1.9.1
+ * obsolete patches:
+ MITKRB5-SA-2010-007-1.8.dif
+ krb5-1.8-MITKRB5-SA-2010-006.dif
+ krb5-1.8-MITKRB5-SA-2011-001.dif
+ krb5-1.8-MITKRB5-SA-2011-002.dif
+ krb5-1.8-MITKRB5-SA-2011-003.dif
+ krb5-1.8-MITKRB5-SA-2011-004.dif
+ krb5-1.4.3-enospc.dif
+ * replace krb5-1.6.1-compile_pie.dif
+-------------------------------------------------------------------
+Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de
+
+- fix kadmind invalid pointer free()
+ (MITKRB5-SA-2011-004, bnc#687469)
+ CVE-2011-0285
+
+-------------------------------------------------------------------
+Tue Mar 1 12:43:22 CET 2011 - mc@suse.de
+
+- Fix vulnerability to a double-free condition in KDC daemon
+ (MITKRB5-SA-2011-003, bnc#671717)
+ CVE-2011-0284
+
+-------------------------------------------------------------------
+Wed Jan 19 14:42:27 CET 2011 - mc@suse.de
+
+- Fix kpropd denial of service
+ (MITKRB5-SA-2011-001, bnc#662665)
+ CVE-2010-4022
+- Fix KDC denial of service attacks with LDAP back end
+ (MITKRB5-SA-2011-002, bnc#663619)
+ CVE-2011-0281, CVE-2011-0282
+
+-------------------------------------------------------------------
+Wed Dec 1 11:44:15 CET 2010 - mc@suse.de
+
+- Fix multiple checksum handling vulnerabilities
+ (MITKRB5-SA-2010-007, bnc#650650)
+ CVE-2010-1324
+ * krb5 GSS-API applications may accept unkeyed checksums
+ * krb5 application services may accept unkeyed PAC checksums
+ * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums
+ CVE-2010-1323
+ * krb5 clients may accept unkeyed SAM-2 challenge checksums
+ * krb5 may accept KRB-SAFE checksums with low-entropy derived keys
+ CVE-2010-4020
+ * krb5 may accept authdata checksums with low-entropy derived keys
+ CVE-2010-4021
+ * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery
+
+-------------------------------------------------------------------
+Thu Oct 28 12:53:13 CEST 2010 - mc@suse.de
+
+- fix csh profile (bnc#649856)
+
+-------------------------------------------------------------------
+Fri Oct 22 11:15:43 CEST 2010 - mc@suse.de
+
+- update to krb5-1.8.3
+ * remove patches which are now upstrem
+ - krb5-1.7-MITKRB5-SA-2010-004.dif
+ - krb5-1.8.1-gssapi-error-table.dif
+ - krb5-MITKRB5-SA-2010-005.dif
+
+-------------------------------------------------------------------
+Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de
+
+- change environment variable PATH directly for csh
+ (bnc#642080)
+
+-------------------------------------------------------------------
+Mon Sep 27 11:42:43 CEST 2010 - mc@suse.de
+
+- fix a dereference of an uninitialized pointer while processing
+ authorization data.
+ CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)
+
+-------------------------------------------------------------------
+Mon Jun 21 21:31:53 UTC 2010 - lchiquitto@novell.com
+
+- add correct error table when initializing gss-krb5 (bnc#606584,
+ bnc#608295)
+
+-------------------------------------------------------------------
+Wed May 19 14:27:19 CEST 2010 - mc@suse.de
+
+- fix GSS-API library null pointer dereference
+ CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)
+
+-------------------------------------------------------------------
+Wed Apr 14 11:36:32 CEST 2010 - mc@suse.de
+
+- fix a double free vulnerability in the KDC
+ CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)
+
+-------------------------------------------------------------------
+Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de
+
+- update to version 1.8.1
+ * include krb5-1.8-POST.dif
+ * include MITKRB5-SA-2010-002
+
+-------------------------------------------------------------------
+Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de
+
+- update krb5-1.8-POST.dif
+
+-------------------------------------------------------------------
+Tue Mar 23 14:32:41 CET 2010 - mc@suse.de
+
+- fix a bug where an unauthenticated remote attacker could cause
+ a GSS-API application including the Kerberos administration
+ daemon (kadmind) to crash.
+ CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)
+
+-------------------------------------------------------------------
+Tue Mar 23 12:33:26 CET 2010 - mc@suse.de
+
+- add post 1.8 fixes
+ * Add IPv6 support to changepw.c
+ * fix two problems in kadm5_get_principal mask handling
+ * Ignore improperly encoded signedpath AD elements
+ * handle NT_SRV_INST in service principal referrals
+ * dereference options while checking
+ KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
+ * Fix the kpasswd fallback from the ccache principal name
+ * Document the ticket_lifetime libdefaults setting
+ * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
+
+-------------------------------------------------------------------
+Thu Mar 4 10:42:29 CET 2010 - mc@suse.de
+
+- update to version 1.8
+ * Increase code quality
+ * Move toward improved KDB interface
+ * Investigate and remedy repeatedly-reported performance
+ bottlenecks.
+ * Reduce DNS dependence by implementing an interface that allows
+ client library to track whether a KDC supports service
+ principal referrals.
+ * Disable DES by default
+ * Account lockout for repeated login failures
+ * Bridge layer to allow Heimdal HDB modules to act as KDB
+ backend modules
+ * FAST enhancements
+ * Microsoft Services for User (S4U) compatibility
+ * Anonymous PKINIT
+- fix KDC denial of service
+ CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)
+- fix KDC denial of service in cross-realm referral processing
+ CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
+- fix integer underflow in AES and RC4 decryption
+ CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
+- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl
+
+-------------------------------------------------------------------
+Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de
+
+- add baselibs.conf as a source
+
+-------------------------------------------------------------------
+Fri Nov 13 16:51:37 CET 2009 - mc@suse.de
+
+- enhance '$PATH' only if the directories are available
+ and not empty (bnc#544949)
+
+-------------------------------------------------------------------
+Sun Jul 12 21:36:17 CEST 2009 - coolo@novell.com
+
+- readd lost baselibs.conf
+
+-------------------------------------------------------------------
+Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de
+
+- update to final 1.7 release
+
+-------------------------------------------------------------------
+Wed May 13 11:30:42 CEST 2009 - mc@suse.de
+
+- update to version 1.7 Beta2
+ * Incremental propagation support for the KDC database.
+ * Flexible Authentication Secure Tunneling (FAST), a preauthentiation
+ framework that can protect the AS exchange from dictionary attack.
+ * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
+ allows a GSS application to request credential delegation only if
+ permitted by KDC policy.
+ * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
+ various vulnerabilities in SPNEGO and ASN.1 code.
+
+-------------------------------------------------------------------
+Mon Feb 16 13:04:26 CET 2009 - mc@suse.de
+
+- update to pre 1.7 version
+ * Remove support for version 4 of the Kerberos protocol (krb4).
+ * New libdefaults configuration variable "allow_weak_crypto".
+ * Client library now follows client principal referrals, for
+ compatibility with Windows.
+ * KDC can issue realm referrals for service principals based on domain
+ names.
+ * Encryption algorithm negotiation (RFC 4537).
+ * In the replay cache, use a hash over the complete ciphertext to
+ avoid false-positive replay indications.
+ * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
+ similar to the equivalent SSPI functionality.
+ * DCE RPC, including three-leg GSS context setup and unencapsulated
+ GSS tokens.
+ * NTLM recognition support in GSS-API, to facilitate dropping in an
+ NTLM implementation.
+ * KDC support for principal aliases, if the back end supports them.
+ * Microsoft set/change password (RFC 3244) protocol in kadmind.
+ * Master key rollover support.
+
+-------------------------------------------------------------------
+Wed Jan 14 09:21:36 CET 2009 - olh@suse.de
+
+- obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit
+
+-------------------------------------------------------------------
+Thu Dec 11 14:12:57 CET 2008 - mc@suse.de
+
+- do not query IPv6 addresses if no IPv6 address exists on this host
+ [bnc#449143]
+
+-------------------------------------------------------------------
+Wed Dec 10 12:34:56 CET 2008 - olh@suse.de
+
+- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
+ (bnc#437293)
+
+-------------------------------------------------------------------
+Thu Oct 30 12:34:56 CET 2008 - olh@suse.de
+
+- obsolete old -XXbit packages (bnc#437293)
+
+-------------------------------------------------------------------
+Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de
+
+- in case we use ldap as database backend, ldap should be
+ started before krb5kdc
+
+-------------------------------------------------------------------
+Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de
+
+- add new fixes to post 1.6.3 patch
+ * fix mem leak in krb5_gss_accept_sec_context()
+ * keep minor_status
+ * kadm5_decrypt_key: A ktype of -1 is documented as meaning
+ "to be ignored"
+ * Reject socket fds > FD_SETSIZE
+
+-------------------------------------------------------------------
+Fri Jul 25 12:13:24 CEST 2008 - mc@suse.de
+
+- add patches from SVN post 1.6.3
+ * krb5_string_to_keysalts: Fix an infinite loop
+ * fix some mutex issues
+ * better 
recovery from corrupt rcache files + * some more small fixes + +------------------------------------------------------------------- +Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de + +- add case-insensitive.dif (FATE#300771) +- minor fixes for ktutil man page +- reduce rpmlint warnings + +------------------------------------------------------------------- +Wed May 14 17:44:59 CEST 2008 - mc@suse.de + +- Fall back to TCP on kdc-unresolvable/unreachable errors. +- restore valid sequence number before generating requests + (fix changing passwords in mixed ipv4/ipv6 enviroments) + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de + +- modify krb5-config to not output rpath and cflags in --libs + (bnc#378270) + +------------------------------------------------------------------- +Fri Mar 14 11:27:55 CET 2008 - mc@suse.de + +- fix two security bugs: + * MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063) + fix double free [bnc#361373] + * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948) + Memory corruption while too many open file descriptors + [bnc#363151] +- change default config file. Comment out the examples. 
+ +------------------------------------------------------------------- +Fri Dec 14 10:48:52 CET 2007 - mc@suse.de + +- fix several security bugs: + * CVE-2007-5894 apparent uninit length + * CVE-2007-5902 integer overflow + * CVE-2007-5971 free of non-heap pointer and double-free + * CVE-2007-5972 double fclose() + [#346745, #346748, #346746, #346749, #346747] + +------------------------------------------------------------------- +Tue Dec 4 16:36:07 CET 2007 - mc@suse.de + +- improve GSSAPI error messages + +------------------------------------------------------------------- +Tue Nov 6 13:53:17 CET 2007 - mc@suse.de + +- add coreutils to PreReq + +------------------------------------------------------------------- +Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de + +- update to krb5 version 1.6.3 + * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow + * fix CVE-2007-4000 modify_policy vulnerability + * Add PKINIT support +- remove patches which are upstream now +- enhance init scripts and xinetd profiles + +------------------------------------------------------------------- +Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de + +- update krb5-1.6.2-post.dif + * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that + that the client library will not failover to the next KDC. + [#310540] + +------------------------------------------------------------------- +Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de + +- update krb5-1.6.2-post.dif + * new -S sname option for kvno + * read_entropy_from_device on partial read will not fill buffer + * Bail out if encoded "ticket" doesn't decode correctly. 
+ * patch for referrals loop + +------------------------------------------------------------------- +Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de + +- fix a problem with the originally published patch + for MITKRB5-SA-2007-006 - CVE-2007-3999 + [#302377] + +------------------------------------------------------------------- +Wed Sep 5 12:18:21 CEST 2007 - mc@suse.de + +- fix execute arbitrary code + (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000) + [#302377] + +------------------------------------------------------------------- +Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de + +- add krb5-1.6.2-post.dif + * during the referrals loop, check to see if the + session key enctype of a returned credential for the final + service is among the enctypes explicitly selected by the + application, and retry with old_use_conf_ktypes if it is not. + * If mkstemp() is available, the new ccache file gets created but + the subsequent open(O_CREAT|O_EXCL) call fails because the file + was already created by mkstemp(). Apply patch from Apple to keep + the file descriptor open. 
+ +------------------------------------------------------------------- +Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de + +- update to version 1.6.2 +- remove krb5-1.6.1-post.dif all fixes are included in this release + +------------------------------------------------------------------- +Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de + +- change requires to libcom_err-devel + +------------------------------------------------------------------- +Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de + +- update krb5-1.6.1-post.dif + * fix leak in krb5_walk_realm_tree + * rd_req_decoded needs to deal with referral realms + * fix buffer overflow in kadmind + (MITKRB5-SA-2007-005 - CVE-2007-2798) + [#278689] + * fix kadmind code execution bug + (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443) + [#271191] + +------------------------------------------------------------------- +Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de + +- fix unstripped-binary-or-object rpmlint warning + +------------------------------------------------------------------- +Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de + +- fixing rpmlint warnings and errors: + * merged logrotate scripts kadmin and krb5kdc into a single file + krb5-server. + * moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl + from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper. + adapted krb5.spec and README.ConvertHeimdalMIT accordingly. + * added surpression filter for + "devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so" + (see [#147912]). 
+ * set default runlevel of init scripts in chkconfig line to 3 and + 5 + +------------------------------------------------------------------- +Wed May 9 15:30:53 CEST 2007 - mc@suse.de + +- fix uninitialized salt length +- add extra check for keytab file + +------------------------------------------------------------------- +Thu May 3 12:11:29 CEST 2007 - mc@suse.de + +- adding krb5-1.6.1-post.dif + * fix segfault in krb5_get_init_creds_password + * remove debug output in ftp client + * profile stores empty string values without double quotes + +------------------------------------------------------------------- +Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de + +- update to final 1.6.1 version + +------------------------------------------------------------------- +Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de + +- add plugin directories to main package + +------------------------------------------------------------------- +Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de + +- update to version 1.6.1 Beta1 +- remove obsolete patches + (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif) +- rework compile_pie patch + +------------------------------------------------------------------- +Wed Apr 11 10:58:09 CEST 2007 - mc@suse.de + +- update krb5-1.6-post.dif + * fix kadmind stack overflow in krb5_klog_syslog + (MITKRB5-SA-2007-002 - CVE-2007-0957) + [#253548] + * fix double free attack in the RPC library + (MITKRB5-SA-2007-003 - CVE-2007-1216) + [#252487] + * fix krb5 telnetd login injection + (MIT-SA-2007-001 - CVE-2007-0956) + #247765 + +------------------------------------------------------------------- +Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de + +- add ncurses-devel and bison to BuildRequires +- rework some patches + +------------------------------------------------------------------- +Mon Mar 5 11:01:20 CET 2007 - mc@suse.de + +- move SuSEFirewall service definitions to + /etc/sysconfig/SuSEfirewall2.d/services + +------------------------------------------------------------------- 
+Thu Feb 22 11:13:48 CET 2007 - mc@suse.de + +- add firewall definition to krb5-server, FATE #300687 + +------------------------------------------------------------------- +Mon Feb 19 13:59:43 CET 2007 - mc@suse.de + +- update krb5-1.6-post.dif +- move some applications into the right package + +------------------------------------------------------------------- +Fri Feb 9 13:31:22 CET 2007 - mc@suse.de + +- update krb5-1.6-post.dif + +------------------------------------------------------------------- +Mon Jan 29 11:27:23 CET 2007 - mc@suse.de + +- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif + are now upstream. Remove patches. +- fix leak in krb5_kt_resolve and krb5_kt_wresolve + +------------------------------------------------------------------- +Tue Jan 23 17:21:12 CET 2007 - mc@suse.de + +- fix "local variable used before set" in ftp.c + [#237684] + +------------------------------------------------------------------- +Mon Jan 22 16:39:27 CET 2007 - mc@suse.de + +- krb5-devel should require keyutils-devel + +------------------------------------------------------------------- +Mon Jan 22 12:19:49 CET 2007 - mc@suse.de + +- update to version 1.6 + * Major changes in 1.6 include + * Partial client implementation to handle server name referrals. + * Pre-authentication plug-in framework, donated by Red Hat. + * LDAP KDB plug-in, donated by Novell. 
+- remove obsolete patches + +------------------------------------------------------------------- +Wed Jan 10 11:16:30 CET 2007 - mc@suse.de + +- fix for + kadmind (via RPC library) calls uninitialized function pointer + (CVE-2006-6143)(Bug #225990) + krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif +- fix for + kadmind (via GSS-API mechglue) frees uninitialized pointers + (CVE-2006-6144)(Bug #225992) + krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif + +------------------------------------------------------------------- +Tue Jan 2 14:53:33 CET 2007 - mc@suse.de + +- Fix Requires in krb5-devel + [Bug #231008] + +------------------------------------------------------------------- +Mon Nov 6 11:49:39 CET 2006 - mc@suse.de + +- fix "local variable used before set" [#217692] +- fix strncat warning + +------------------------------------------------------------------- +Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de + +- add a default kadm5.dict file +- require $network on daemon start + +------------------------------------------------------------------- +Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de + +- fix function call with too few arguments [#203837] + +------------------------------------------------------------------- +Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de + +- update to version 1.5.1 +- remove obsolete patches which are now included upstream + * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif + * trunk-fix-uninitialized-vars.dif + +------------------------------------------------------------------- +Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de + +- krb5 setuid return check fixes + krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif + [#182351] + +------------------------------------------------------------------- +Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de + +- remove update-messages + +------------------------------------------------------------------- +Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de + +- add check for krb5_prop in services to 
kpropd init script. + [#192446] + +------------------------------------------------------------------- +Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de + +- update to version 1.5 + * KDB abstraction layer, donated by Novell. + * plug-in architecture, allowing for extension modules to be + loaded at run-time. + * multi-mechanism GSS-API implementation ("mechglue"), + donated by Sun Microsystems + * Simple and Protected GSS-API negotiation mechanism ("SPNEGO") + implementation, donated by Sun Microsystems +- remove obsolete patches and add some new + +------------------------------------------------------------------- +Fri May 26 14:50:00 CEST 2006 - ro@suse.de + +- libcom is not in e2fsck-devel but in its own package now, change + Requires accordingly. + +------------------------------------------------------------------- +Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de + +- add all daemons to %stop_on_removal and %restart_on_update +- add reload to kpropd init script +- add force-reload to all init scripts + +------------------------------------------------------------------- +Mon Mar 13 18:20:36 CET 2006 - mc@suse.de + +- add libgssapi_krb5.so link to main package [#147912] + +------------------------------------------------------------------- +Fri Feb 3 18:17:01 CET 2006 - mc@suse.de + +- fix logging section for kadmind in convert script + +------------------------------------------------------------------- +Wed Jan 25 21:30:24 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Fri Jan 13 14:44:24 CET 2006 - mc@suse.de + +- change the logging defaults + +------------------------------------------------------------------- +Wed Jan 11 12:59:08 CET 2006 - mc@suse.de + +- add tools and README for heimdal => MIT update + +------------------------------------------------------------------- +Mon Jan 9 14:41:07 CET 2006 - mc@suse.de + +- fix build problems, define _GNU_SOURCE + 
(krb5-1.4.3-set_gnu_source.dif ) + +------------------------------------------------------------------- +Tue Jan 3 16:00:13 CET 2006 - mc@suse.de + +- added "make %{?jobs:-j%jobs}" + +------------------------------------------------------------------- +Fri Nov 18 12:12:01 CET 2005 - mc@suse.de + +- update to version 1.4.3 + * some memmory leaks fixed + * fix for "AS_REP padata has wrong enctype" + * fix for "AS_REP padata missing PA-ETYPE-INFO" + * ... and more + +------------------------------------------------------------------- +Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de + +- don't build as root + +------------------------------------------------------------------- +Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de + +- update to version 1.4.2 +- remove some obsolet patches + +------------------------------------------------------------------- +Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de + +- build with --disable-static + +------------------------------------------------------------------- +Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de + +- remove devel-static subpackage + +------------------------------------------------------------------- +Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de + +- better patch for princ_comp problem + +------------------------------------------------------------------- +Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de + +- update to version 1.4.1 +- remove obsolet patches + - krb5-1.4-gcc4.dif + - krb5-1.4-reduce-namespace-polution.dif + - krb5-1.4-VUL-0-telnet.dif + +------------------------------------------------------------------- +Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de + +- fixed krb5 KDC heap corruption by random free + [#80574, CAN-2005-1174, MITKRB5-SA-2005-002] +- fixed krb5 double free() + [#86768, CAN-2005-1689, MITKRB5-SA-2005-003] +- fix krb5 NULL pointer reference while comparing principals + [#91600] + +------------------------------------------------------------------- +Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de + +- fix 
uninitialized variables +- compile with -fPIE/ link with -pie + +------------------------------------------------------------------- +Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de + +- fixed wrong xinetd files [#77149] + +------------------------------------------------------------------- +Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de + +- removed krb5-1.4-fix-error_tables.dif patch obsoleted + by libcom_err locking patches + +------------------------------------------------------------------- +Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de + +- fixed missing descriptions in init files + [#76164, #76165, #76166, #76169] + +------------------------------------------------------------------- +Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de + +- enhance $PATH via /etc/profile.d/ [#74018] +- remove the "links to important programs" + +------------------------------------------------------------------- +Fri Mar 18 11:09:43 CET 2005 - mc@suse.de + +- fixed not running converter script [#72854] + +------------------------------------------------------------------- +Thu Mar 17 14:15:17 CET 2005 - mc@suse.de + +- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer + Overflow +- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer + Overflow + [#73618] + +------------------------------------------------------------------- +Wed Mar 16 13:10:18 CET 2005 - mc@suse.de + +- fixed wrong PreReqs [#73020] + +------------------------------------------------------------------- +Tue Mar 15 19:54:58 CET 2005 - mc@suse.de + +- add a simple krb5.conf converter [#72854] + +------------------------------------------------------------------- +Mon Mar 14 17:08:59 CET 2005 - mc@suse.de + +- fixed: rckrb5kdc restart gives wrong status with non-running service + [#72446] + +------------------------------------------------------------------- +Thu Mar 10 10:48:07 CET 2005 - mc@suse.de + +- add requires: e2fsprogs-devel to krb5-devel package [#71732] + 
+------------------------------------------------------------------- +Fri Feb 25 17:35:37 CET 2005 - mc@suse.de + +- fix double free [#66534] + krb5-1.4-fix-error_tables.dif + +------------------------------------------------------------------- +Fri Feb 11 14:01:32 CET 2005 - mc@suse.de + +- change mode for shared libraries to 755 + +------------------------------------------------------------------- +Fri Feb 4 16:48:16 CET 2005 - mc@suse.de + +- remove spx.c from tarball because of legal risk +- add README.Source which tell the user about this + action. +- add a check for spx.c in the spec-file +- use rich-text for update-messages [#50250] + +------------------------------------------------------------------- +Tue Feb 1 12:13:45 CET 2005 - mc@suse.de + +- add krb5-1.4-reduce-namespace-polution.dif + reduce namespace polution in gssapi.h [#50356] + +------------------------------------------------------------------- +Fri Jan 28 13:25:42 CET 2005 - mc@suse.de + +- update to version 1.4 +- Add implementation of the RPCSEC_GSS authentication flavor to the + RPC library. +- Thread safety for krb5 libraries. +- Merged Athena telnetd changes for creating a new option for + requiring encryption. +- The kadmind4 backwards-compatibility admin server and the v5passwdd + backwards-compatibility password-changing server have been removed. +- Yarrow code now uses AES. +- Merged Athena changes to allow ftpd to require encrypted passwords. +- Incorporate gss_krb5_set_allowable_enctypes() and + gss_krb5_export_lucid_sec_context(), which are needed for NFSv4. 
+- remove obsolet patches + +------------------------------------------------------------------- +Mon Jan 17 11:34:52 CET 2005 - mc@suse.de + +- add proofreaded update-messages + +------------------------------------------------------------------- +Fri Jan 14 14:38:25 CET 2005 - mc@suse.de + +- remove Conflicts: and add Provides: +- add some insserv stuff + +------------------------------------------------------------------- +Thu Jan 13 11:54:01 CET 2005 - mc@suse.de + +- move vendor files to vendor-files.tar.bz2 +- add obsoletes: heimdal +- add %pre and %post sections to detect update + from heimdal and backup invalid configuration files +- add update-messages for heimdal update + +------------------------------------------------------------------- +Mon Jan 10 12:18:02 CET 2005 - mc@suse.de + +- update to version 1.3.6 +- fix for: heap buffer overflow in libkadm5srv + [CAN-2004-1189 / MITKRB5-SA-2004-004] + +------------------------------------------------------------------- +Tue Dec 14 15:30:23 CET 2004 - mc@suse.de + +- build doc subpackage in an own specfile +- removed unnecessary neededforbuild requirements + +------------------------------------------------------------------- +Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de + +- fix build with gcc 4 + +------------------------------------------------------------------- +Mon Nov 15 17:25:56 CET 2004 - mc@suse.de + +- added Conflicts with heimdal* +- rename some manpages to avoid conflicts + +------------------------------------------------------------------- +Thu Nov 4 18:03:11 CET 2004 - mc@suse.de + +- new init scripts +- fix logrotate scripts +- add some 64Bit fixes +- add default krb5.conf, kdc.conf and kadm5.acl + +------------------------------------------------------------------- +Wed Nov 3 18:52:07 CET 2004 - mc@suse.de + +- add e2fsprogs to NFB +- use system-et and system-ss +- fix includes of com_err.h + +------------------------------------------------------------------- +Thu Oct 28 17:58:41 CEST 2004 
- mc@suse.de + +- Initital checkin diff --git a/krb5.keyring b/krb5.keyring new file mode 100644 index 0000000..bfb9bd6 Binary files /dev/null and b/krb5.keyring differ diff --git a/krb5.spec b/krb5.spec new file mode 100644 index 0000000..a431bfa --- /dev/null +++ b/krb5.spec 
@@ -0,0 +1,502 @@ +# +# spec file for package krb5 +# +# Copyright (c) 2023 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +#Compat macro for new _fillupdir macro introduced in Nov 2017 +%if ! %{defined _fillupdir} + %define _fillupdir %{_localstatedir}/adm/fillup-templates +%endif +Name: krb5 +Version: 1.20.1 +Release: 0 +Summary: MIT Kerberos5 implementation +License: MIT +URL: https://kerberos.org/dist/ +Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz +Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc +Source2: krb5.keyring +Source3: vendor-files.tar.bz2 +Source4: baselibs.conf +Source5: krb5-rpmlintrc +Source6: ksu-pam.d +Source7: krb5.tmpfiles +Patch1: 0001-ksu-pam-integration.patch +Patch2: 0002-krb5-1.9-manpaths.patch +Patch3: 0003-Adjust-build-configuration.patch +Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch +Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch +Patch6: 0006-krb5-1.12-api.patch +Patch7: 0007-SELinux-integration.patch +Patch8: 0008-krb5-1.9-debuginfo.patch +Patch9: 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch +BuildRequires: autoconf +BuildRequires: bison +BuildRequires: cyrus-sasl-devel +BuildRequires: keyutils +BuildRequires: keyutils-devel +BuildRequires: openldap2-devel +BuildRequires: pam-devel +BuildRequires: pkgconfig +BuildRequires: pkgconfig(com_err) +BuildRequires: 
pkgconfig(libselinux) +BuildRequires: pkgconfig(libssl) +BuildRequires: pkgconfig(libverto) +BuildRequires: pkgconfig(ncurses) +BuildRequires: pkgconfig(ss) +BuildRequires: pkgconfig(systemd) +Conflicts: krb5-mini +Obsoletes: krb5-plugin-preauth-pkinit-nss + +%description +Kerberos V5 is a trusted-third-party network authentication system, +which can improve network security by eliminating the insecure +practice of clear text passwords. + +%package client +Summary: Client programs of the MIT Kerberos5 implementation +Conflicts: krb5-mini + +%description client +Kerberos V5 is a trusted-third-party network authentication system, +which can improve network security by eliminating the insecure +practice of cleartext passwords. This package includes some required +client programs, like kinit, kadmin, ... + +%package server +Summary: Server program of the MIT Kerberos5 implementation +Requires: cron +Requires: libverto-libev1 +Requires: logrotate +Requires: perl-Date-Calc +Requires(post): %fillup_prereq +%{?systemd_requires} + +%description server +Kerberos V5 is a trusted-third-party network authentication system, +which can improve network security by eliminating the insecure +practice of cleartext passwords. This package includes the kdc, kadmind +and more. + +%package plugin-kdb-ldap +Summary: LDAP database plugin for MIT Kerberos5 +Requires: krb5-server = %{version} + +%description plugin-kdb-ldap +Kerberos V5 is a trusted-third-party network authentication system, +which can improve network security by eliminating the insecure +practice of clear text passwords. This package contains the LDAP +database plugin. + +%package plugin-preauth-pkinit +Summary: PKINIT preauthentication plugin for MIT Kerberos5 + +%description plugin-preauth-pkinit +Kerberos V5 is a trusted-third-party network authentication system, +which can improve network security by eliminating the insecure +practice of cleartext passwords. This package includes a PKINIT plugin. 
+ +%package plugin-preauth-otp +Summary: OTP preauthentication plugin for MIT Kerberos5 + +%description plugin-preauth-otp +Kerberos V5 is a trusted-third-party network authentication system, +which can improve network security by eliminating the insecure +practice of cleartext passwords. This package includes a OTP plugin. + +%package plugin-preauth-spake +Summary: SPAKE preauthentication plugin for MIT Kerberos5 + +%description plugin-preauth-spake +Kerberos V5 is a trusted-third-party network authentication system, +which can improve network security by eliminating the insecure +practice of cleartext passwords. This package includes a SPAKE plugin. + +%package doc +Summary: Documentation for the MIT Kerberos5 implementation + +%description doc +Kerberos V5 is a trusted-third-party network authentication +system,which can improve network security by eliminating the +insecurepractice of clear text passwords. This package includes +extended documentation for MIT Kerberos. + +%package devel +Summary: Development files for MIT Kerberos5 +Requires: %{name} = %{version} +Requires: keyutils-devel +Requires: pkgconfig(com_err) +Requires: pkgconfig(libverto) +Requires: pkgconfig(ss) +Conflicts: krb5-mini-devel + +%description devel +Kerberos V5 is a trusted-third-party network authentication system, +which can improve network security by eliminating the insecure +practice of cleartext passwords. 
This package includes Libraries and +Include Files for Development + +%define srcRoot krb5-%{version} +%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ +%define krb5docdir %{_defaultdocdir}/krb5 + +%prep +%setup -q -n %{srcRoot} +%setup -q -a 3 -T -D -n %{srcRoot} +%autopatch -p1 + +%build +# needs to be re-generated +rm -f src/lib/krb5/krb/deltat.c +cd src +autoreconf -fi +DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME +%configure \ + CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \ + CPPFLAGS="-I%{_includedir}/et " \ + SS_LIB="-lss" \ + --sysconfdir=%{_sysconfdir} \ + --mandir=%{_mandir} \ + --infodir=%{_infodir} \ + --libdir=%{_libdir} \ + --includedir=%{_includedir} \ + --localstatedir=%{_localstatedir}/lib/kerberos \ + --localedir=%{_datadir}/locale \ + --enable-shared \ + --disable-static \ + --enable-dns-for-realm \ + --disable-rpath \ + --with-ldap \ + --with-pam \ + --enable-pkinit \ + --with-crypto-impl=openssl \ + --with-selinux \ + --with-system-et \ + --with-system-ss \ + --with-system-verto + +%make_build + +# Copy kadmin manual page into kadmin.local's due to the split between client and server package +cp man/kadmin.man man/kadmin.local.8 + +%install +mkdir -p %{buildroot}/%{_localstatedir}/log/krb5 +%make_install -C src +# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks +# of the buildconf patch already conspire to strip out /usr/ from the +# list of link flags, and it helps prevent file conflicts on multilib systems. 
+sed -r -i -e 's|^libdir=%{_prefix}/lib(64)?$|libdir=%{_prefix}/lib|g' %{buildroot}%{_bindir}/krb5-config + +# install autoconf macro +mkdir -p %{buildroot}/%{_datadir}/aclocal +install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/ +# install sample config files +# I'll probably do something about this later on +mkdir -p %{buildroot}%{_sysconfdir} +mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d +mkdir -p %{buildroot}%{_localstatedir}/log/krb5 +# create plugin directories +mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb +mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth +mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5 +mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls +install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir} + +# Do not write directly to /var/lib/kerberos anymore as it breaks transactional +# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist +install -d -m 0755 %{buildroot}%{_tmpfilesdir} +install -m 644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/krb5.conf +mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc +# Where per-user keytabs live by default. 
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
+install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
+
+# all libs must have permissions 0755
+for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
+do
+ chmod 0755 ${lib}
+done
+# and binaries too
+chmod 0755 %{buildroot}%{_bindir}/ksu
+# install systemd files
+%if 0%{?suse_version} >= 1210
+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kadmind.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/krb5kdc.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kpropd.service %{buildroot}%{_unitdir}
+%else
+# install init scripts
+mkdir -p %{buildroot}%{_sysconfdir}/init.d
+install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind
+install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc
+install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
+%endif
+# install sysconfig templates
+mkdir -p %{buildroot}/%{_fillupdir}
+install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
+install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
+# install logrotate files
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
+find . -type f -name '*.ps' -exec gzip -9 {} +
+# create rc* links
+mkdir -p %{buildroot}%{_bindir}/
+mkdir -p %{buildroot}%{_sbindir}/
+ln -s service %{buildroot}%{_sbindir}/rckadmind
+ln -s service %{buildroot}%{_sbindir}/rckrb5kdc
+ln -s service %{buildroot}%{_sbindir}/rckpropd
+# install doc
+install -d -m 755 %{buildroot}/%{krb5docdir}
+install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
+install -d -m 755 %{buildroot}/%{_datadir}/kerberos/ldap
+install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{_datadir}/kerberos/ldap/kerberos.schema
+install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{_datadir}/kerberos/ldap/kerberos.ldif
+# link pam-config for su to ksu
+%if 0%{?suse_version} > 1500
+mkdir -p %{buildroot}%{_pam_vendordir}
+install -m 644 %{SOURCE6} %{buildroot}%{_pam_vendordir}/ksu
+%else
+mkdir -p %{buildroot}%{_sysconfdir}/pam.d/
+install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/ksu
+%endif
+
+# cleanup
+rm -f %{buildroot}%{_mandir}/man1/tmac.doc*
+rm -f %{_mandir}/man1/tmac.doc* html/.doctrees/environment.pickle
+rm -rf %{buildroot}%{_datadir}/examples
+# manually remove test plugin since configure doesn't support disabling it at build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
+
+%if "%{_lto_cflags}" != ""
+# Don't add the lto flags to the public link flags.
+sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
+%endif
+
+%find_lang mit-krb5
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%preun server
+%service_del_preun krb5kdc.service kadmind.service kpropd.service
+
+%postun server
+%service_del_postun krb5kdc.service kadmind.service kpropd.service
+
+%post server
+%service_add_post krb5kdc.service kadmind.service kpropd.service
+%tmpfiles_create krb5.conf
+%{fillup_only -n kadmind}
+%{fillup_only -n krb5kdc}
+%{fillup_only -n kpropd}
+
+%pre server
+%service_add_pre krb5kdc.service kadmind.service kpropd.service
+
+%post plugin-kdb-ldap -p /sbin/ldconfig
+%postun plugin-kdb-ldap -p /sbin/ldconfig
+
+%if 0%{?suse_version} > 1500
+%pre client
+# Prepare for migration to /usr/etc; save any old .rpmsave
+for i in pam.d/ksu ; do
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
+done
+
+%posttrans client
+# Migration to /usr/etc, restore just created .rpmsave
+for i in pam.d/ksu ; do
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
+done
+%endif
+
+%files devel
+%dir %{_datadir}/aclocal
+%{_libdir}/libgssrpc.so
+%{_libdir}/libk5crypto.so
+%{_libdir}/libkadm5clnt_mit.so
+%{_libdir}/libkadm5clnt.so
+%{_libdir}/libkadm5srv_mit.so
+%{_libdir}/libkadm5srv.so
+%{_libdir}/libkdb5.so
+%{_libdir}/libkrb5.so
+%{_libdir}/libkrb5support.so
+%{_libdir}/libkrad.so
+%{_libdir}/pkgconfig/gssrpc.pc
+%{_libdir}/pkgconfig/kadm-client.pc
+%{_libdir}/pkgconfig/kadm-server.pc
+%{_libdir}/pkgconfig/kdb.pc
+%{_libdir}/pkgconfig/krb5-gssapi.pc
+%{_libdir}/pkgconfig/krb5.pc
+%{_libdir}/pkgconfig/mit-krb5-gssapi.pc
+%{_libdir}/pkgconfig/mit-krb5.pc
+%{_includedir}/*
+%{_bindir}/krb5-config
+%{_sbindir}/krb5-send-pr
+%{_mandir}/man1/krb5-config.1%{?ext_man}
+%{_datadir}/aclocal/ac_check_krb5.m4
+
+%files -f mit-krb5.lang
+%dir %{krb5docdir}
+# add plugin directories
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%dir %{_libdir}/krb5/plugins/preauth
+%dir %{_libdir}/krb5/plugins/libkrb5
+%dir %{_libdir}/krb5/plugins/tls
+# add log directory
+%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
+%doc %{krb5docdir}/README
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
+%dir %{_sysconfdir}/krb5.conf.d
+%{_libdir}/libgssapi_krb5.*
+%{_libdir}/libgssrpc.so.*
+%{_libdir}/libk5crypto.so.*
+%{_libdir}/libkadm5clnt_mit.so.*
+%{_libdir}/libkadm5srv_mit.so.*
+%{_libdir}/libkdb5.so.*
+%{_libdir}/libkrb5.so.*
+%{_libdir}/libkrb5support.so.*
+%{_libdir}/libkrad.so.*
+%{_libdir}/krb5/plugins/tls/*.so
+
+%files server
+%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
+%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
+%{_unitdir}/kadmind.service
+%{_unitdir}/krb5kdc.service
+%{_unitdir}/kpropd.service
+%{_tmpfilesdir}/krb5.conf
+%dir %{krb5docdir}
+%dir %{_datadir}/kerberos/
+%dir %{_datadir}/kerberos/krb5kdc
+%dir %{_datadir}/kerberos/krb5
+%dir %{_datadir}/kerberos/krb5/user
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%dir %{_libdir}/krb5/plugins/tls
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
+%ghost %dir %{_sharedstatedir}/kerberos/
+%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
+%ghost %dir %{_sharedstatedir}/kerberos/krb5
+%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
+%{_fillupdir}/sysconfig.*
+%{_sbindir}/rc*
+%{_sbindir}/kadmin.local
+%{_sbindir}/kadmind
+%{_sbindir}/kpropd
+%{_sbindir}/kproplog
+%{_sbindir}/kprop
+%{_sbindir}/kdb5_util
+%{_sbindir}/krb5kdc
+%{_sbindir}/gss-server
+%{_sbindir}/sim_server
+%{_sbindir}/sserver
+%{_sbindir}/uuserver
+%{_libdir}/krb5/plugins/kdb/db2.so
+%{_mandir}/man5/kdc.conf.5%{?ext_man}
+%{_mandir}/man5/kadm5.acl.5%{?ext_man}
+%{_mandir}/man8/kadmind.8%{?ext_man}
+%{_mandir}/man8/kadmin.local.8%{?ext_man}
+%{_mandir}/man8/kpropd.8%{?ext_man}
+%{_mandir}/man8/kprop.8%{?ext_man}
+%{_mandir}/man8/kproplog.8%{?ext_man}
+%{_mandir}/man8/kdb5_util.8%{?ext_man}
+%{_mandir}/man8/krb5kdc.8%{?ext_man}
+%{_mandir}/man8/sserver.8%{?ext_man}
+
+%files client
+%if 0%{?suse_version} > 1500
+%attr(0644,root,root) %{_pam_vendordir}/ksu
+%else
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/ksu
+%endif
+%{_bindir}/kvno
+%{_bindir}/kinit
+%{_bindir}/kdestroy
+%{_bindir}/kpasswd
+%{_bindir}/klist
+%{_bindir}/kadmin
+%{_bindir}/ktutil
+%{_bindir}/k5srvutil
+%{_bindir}/gss-client
+%{_bindir}/ksu
+%{_bindir}/sclient
+%{_bindir}/sim_client
+%{_bindir}/uuclient
+%{_bindir}/kswitch
+%{_bindir}/kinit
+%{_bindir}/klist
+%{_mandir}/man1/kvno.1%{?ext_man}
+%{_mandir}/man1/kinit.1%{?ext_man}
+%{_mandir}/man1/kdestroy.1%{?ext_man}
+%{_mandir}/man1/kpasswd.1%{?ext_man}
+%{_mandir}/man1/klist.1%{?ext_man}
+%{_mandir}/man1/kadmin.1%{?ext_man}
+%{_mandir}/man1/ktutil.1%{?ext_man}
+%{_mandir}/man1/k5srvutil.1%{?ext_man}
+%{_mandir}/man1/kswitch.1%{?ext_man}
+%{_mandir}/man5/krb5.conf.5%{?ext_man}
+%{_mandir}/man5/.k5login.5%{?ext_man}
+%{_mandir}/man5/.k5identity.5%{?ext_man}
+%{_mandir}/man5/k5identity.5%{?ext_man}
+%{_mandir}/man5/k5login.5%{?ext_man}
+%{_mandir}/man1/ksu.1%{?ext_man}
+%{_mandir}/man1/sclient.1%{?ext_man}
+%{_mandir}/man7/kerberos.7%{?ext_man}
+
+%files plugin-kdb-ldap
+%{_sbindir}/kdb5_ldap_util
+%dir %{_datadir}/kerberos
+%dir %{_datadir}/kerberos/ldap
+%config %{_datadir}/kerberos/ldap/kerberos.schema
+%config %{_datadir}/kerberos/ldap/kerberos.ldif
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%{_libdir}/krb5/plugins/kdb/kldap.so
+%{_libdir}/libkdb_ldap*
+%{_mandir}/man8/kdb5_ldap_util.8%{?ext_man}
+
+%files plugin-preauth-pkinit
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/pkinit.so
+
+%files plugin-preauth-otp
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/otp.so
+
+%files plugin-preauth-spake
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/spake.so
+
+%changelog
diff --git a/krb5.tmpfiles b/krb5.tmpfiles
new file mode 100644
index 0000000..e5777ec
--- /dev/null
+++ b/krb5.tmpfiles
@@ -0,0 +1,7 @@
+d /var/lib/kerberos 0755 root root -
+d /var/lib/kerberos/krb5 0755 root root -
+d /var/lib/kerberos/krb5/user 0755 root root -
+d /var/lib/kerberos/krb5kdc 0755 root root -
+C /var/lib/kerberos/krb5kdc/kdc.conf 0600 root root - /usr/share/kerberos/krb5kdc/kdc.conf
+C /var/lib/kerberos/krb5kdc/kadm5.acl 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.acl
+C /var/lib/kerberos/krb5kdc/kadm5.dict 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.dict
diff --git a/ksu-pam.d b/ksu-pam.d
new file mode 100644
index 0000000..d4e4241
--- /dev/null
+++ b/ksu-pam.d
@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+auth include common-auth
+account sufficient pam_rootok.so
+account include common-account
+password include common-password
+session optional pam_keyinit.so force revoke
+session include common-session
+session optional pam_xauth.so
diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2
new file mode 100644
index 0000000..c9dcba2
--- /dev/null
+++ b/vendor-files.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3353e03f3789a78e8fcc3f9e6b85c5f343330c385516eb2e32736fa8e7a51013
+size 182614
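Review bot: The line `d /var/lib/kerberos/krb5kdc 0755 root root -` leaves the KDC state directory world-traversable while every file the same stanza copies into it is `0600 root root`, and the spec builds with `--localstatedir=%{_localstatedir}/lib/kerberos`, so this is presumably also where the KDC keeps its principal database and stash once kdb5_util creates them. Tightening the directory to match the file modes and the `%attr(0700,root,root)` the spec already uses for the log directory costs nothing for the daemons, which run as root: `d /var/lib/kerberos/krb5kdc 0700 root root -`. The `krb5/user` directory is a different case, since the spec comment says per-user keytabs live there and it needs to stay traversable, so 0755 is right for it.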
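Review bot: The stack has no comment saying which program consumes it or why `pam_rootok.so` is `sufficient` in both the auth and account phases, and the only hint is the spec's "link pam-config for su to ksu" remark in another file. A header after `#%PAM-1.0` such as `# PAM stack for ksu; mirrors the su configuration: root (pam_rootok) skips auth/account, all other callers go through the common-* includes` would let a maintainer verify the intent against the su stack instead of guessing whether the root bypass was deliberate.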