-------------------------------------------------------------------
Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com

- Upgrade from 1.14 to 1.14.1:
  * Remove expired patches:
    0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
    0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
    0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
    krbdev.mit.edu-8301.patch
  * Replace source archives:
    krb5-1.14.tar.gz ->
    krb5-1.14.1.tar.gz
    krb5-1.14.tar.gz.asc ->
    krb5-1.14.1.tar.gz.asc
  * Adjust line numbers in:
    krb5-fix_interposer.patch

-------------------------------------------------------------------
Wed Mar 23 13:02:48 UTC 2016 - hguo@suse.com

- Introduce patch
  0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
  to fix CVE-2016-3119 (bsc#971942)

-------------------------------------------------------------------
Thu Feb 11 15:06:31 UTC 2016 - hguo@suse.com

- Remove krb5-mini pieces from spec file.
  Hence remove pre_checkin.sh
- Remove expired macros and other minor clean-ups in spec file.

-------------------------------------------------------------------
Tue Feb 2 08:41:13 UTC 2016 - hguo@suse.com

- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character
  with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
  (bsc#963968)
- Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request
  with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
  (bsc#963975)
- Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask
  with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
  (bsc#963964)

-------------------------------------------------------------------
Mon Jan 11 12:33:54 UTC 2016 - idonmez@suse.com

- Add two patches from Fedora, fixing two crashes:
  * krb5-fix_interposer.patch
  * krb5-mechglue_inqure_attrs.patch

-------------------------------------------------------------------
Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com

- Update to 1.14
- dropped krb5-kvno-230379.patch
- added krbdev.mit.edu-8301.patch fixing wrong function call

Major changes in 1.14 (2015-11-20)
==================================

Administrator experience:

* Add a new kdb5_util tabdump command to provide reporting-friendly
  tabular dump formats (tab-separated or CSV) for the KDC database.
  Unlike the normal dump format, each output table has a fixed number
  of fields. Some tables include human-readable forms of data that
  are opaque in ordinary dump files. This format is also suitable for
  importing into relational databases for complex queries.
* Add support to kadmin and kadmin.local for specifying a single
  command line following any global options, where the command
  arguments are split by the shell--for example, "kadmin getprinc
  principalname". Commands issued this way do not prompt for
  confirmation or display warning messages, and exit with non-zero
  status if the operation fails.
* Accept the same principal flag names in kadmin as we do for the
  default_principal_flags kdc.conf variable, and vice versa. Also
  accept flag specifiers in the form that kadmin prints, as well as
  hexadecimal numbers.
* Remove the triple-DES and RC4 encryption types from the default
  value of supported_enctypes, which determines the default key and
  salt types for new password-derived keys. By default, keys will
  only be created for AES128 and AES256. This mitigates some types
  of password guessing attacks.
* Add support for directory names in the KRB5_CONFIG and
  KRB5_KDC_PROFILE environment variables.
* Add support for authentication indicators, which are ticket
  annotations to indicate the strength of the initial authentication.
  Add support for the "require_auth" string attribute, which can be
  set on server principal entries to require an indicator when
  authenticating to the server.
* Add support for key version numbers larger than 255 in keytab files,
  and for version numbers up to 65535 in KDC databases.
* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
  during pre-authentication, corresponding to the client's most
  preferred encryption type.
* Add support for server name identification (SNI) when proxying KDC
  requests over HTTPS.
* Add support for the err_fmt profile parameter, which can be used to
  generate custom-formatted error messages.

Code quality:

* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
  could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
  [CVE-2015-2698]
* Fix build_principal memory bug that could cause a KDC
  crash. [CVE-2015-2697]

Developer experience:

* Change gss_acquire_cred_with_password() to acquire credentials into
  a private memory credential cache. Applications can use
  gss_store_cred() to make the resulting credentials visible to other
  processes.
* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
  IAKERB or for non-standard variants of the krb5 mechanism OID unless
  explicitly requested. (SPNEGO will still accept the Microsoft
  variant of the krb5 mechanism OID during negotiation.)
* Change gss_accept_sec_context() not to accept tokens for IAKERB or
  for non-standard variants of the krb5 mechanism OID unless an
  acceptor credential is acquired for those mechanisms.
* Change gss_acquire_cred() to immediately resolve credentials if the
  time_rec parameter is not NULL, so that a correct expiration time
  can be returned. Normally credential resolution is delayed until
  the target name is known.
* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
  which can be used by plugin modules or applications to add prefixes
  to existing detailed error messages.
* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
  implement the RFC 6113 PRF+ operation and key derivation using PRF+.
* Add support for pre-authentication mechanisms which use multiple
  round trips, using the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
  code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
  interface; these callbacks can be used to save marshalled state
  information in an encrypted cookie for the next request.
* Add a client_key() callback to the kdcpreauth interface to retrieve
  the chosen client key, corresponding to the ETYPE-INFO2 entry sent
  by the KDC.
* Add an add_auth_indicator() callback to the kdcpreauth interface,
  allowing pre-authentication modules to assert authentication
  indicators.
* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
  suppress sending the confidentiality and integrity flags in GSS
  initiator tokens unless they are requested by the caller. These
  flags control the negotiated SASL security layer for the Microsoft
  GSS-SPNEGO SASL mechanism.
* Make the FILE credential cache implementation less prone to
  corruption issues in multi-threaded programs, especially on
  platforms with support for open file description locks.

Performance:

* On slave KDCs, poll the master KDC immediately after processing a
  full resync, and do not require two full resyncs after the master
  KDC's log file is reset.

User experience:

* Make gss_accept_sec_context() accept tickets near their expiration
  but within clock skew tolerances, rather than rejecting them
  immediately after the server's view of the ticket expiration time.

-------------------------------------------------------------------
Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com

- Update to 1.13.3
- removed patches for security fixes now in upstream source:
  0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
  0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
  0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
  0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch

Major changes in 1.13.3 (2015-12-04)
====================================

This is a bug fix release. The krb5-1.13 release series is in
maintenance, and for new deployments, installers should prefer the
krb5-1.14 release series or later.

* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
  could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
  [CVE-2015-2698]
* Fix build_principal memory bug that could cause a KDC
  crash. [CVE-2015-2697]
* Allow an iprop slave to receive full resyncs from KDCs running
  krb5-1.10 or earlier.

-------------------------------------------------------------------
Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com

- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
  to fix a memory corruption regression introduced by resolution of
  CVE-2015-2698. bsc#954204

-------------------------------------------------------------------
Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com

- Make kadmin.local man page available without having to install krb5-client. bsc#948011
- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
  to fix build_principal memory bug [CVE-2015-2697] bsc#952190
- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
  to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
  to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188

-------------------------------------------------------------------
Mon Jun 1 07:31:52 UTC 2015 - hguo@suse.com

- Let server depend on libev (module of libverto). This was the
  preferred implementation before the separation of libverto from krb.

-------------------------------------------------------------------
Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org

- Drop libverto and libverto-libev Requires from the -server
  package: those package names don't exist and the shared libs
  are pulled in automatically.

-------------------------------------------------------------------
Wed May 27 10:59:13 UTC 2015 - dimstar@opensuse.org

- Unconditionally buildrequire libverto-devel: krb5-mini also
  depends on it.

-------------------------------------------------------------------
Fri May 22 09:27:11 UTC 2015 - meissner@suse.com

- pre_checkin.sh aligned changes between krb5/krb5-mini
- added krb5.keyring

-------------------------------------------------------------------
Tue May 12 07:48:18 UTC 2015 - michael@stroeder.com

- update to krb5 1.13.2

- DES transition
  ==============

  The Data Encryption Standard (DES) is widely recognized as weak. The
  krb5-1.7 release contains measures to encourage sites to migrate away
  from using single-DES cryptosystems. Among these is a configuration
  variable that enables "weak" enctypes, which defaults to "false"
  beginning with krb5-1.8.


Major changes in 1.13.2 (2015-05-08)
====================================

This is a bug fix release.

* Fix a minor vulnerability in krb5_read_message, which is primarily
  used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]

* Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
  [CVE-2015-2694]

* Fix some issues with the LDAP KDC database back end.

* Fix an iteration-related memory leak in the DB2 KDC database back
  end.

* Fix issues with some less-used kadm5.acl functionality.

* Improve documentation.

-------------------------------------------------------------------
Thu Apr 23 14:13:03 UTC 2015 - hguo@suse.com

- Use externally built libverto

-------------------------------------------------------------------
Wed Feb 18 11:48:46 UTC 2015 - michael@stroeder.com

- update to krb5 1.13.1

Major changes in 1.13.1 (2015-02-11)
====================================

This is a bug fix release.

* Fix multiple vulnerabilities in the LDAP KDC back end.
  [CVE-2014-5354] [CVE-2014-5353]

* Fix multiple kadmind vulnerabilities, some of which are based in the
  gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
  CVE-2014-9422 CVE-2014-9423]

-------------------------------------------------------------------
Tue Jan 6 07:12:29 UTC 2015 - mlin@suse.com

- Update to krb5 1.13
  * Add support for accessing KDCs via an HTTPS proxy server using the
    MS-KKDCP protocol.
  * Add support for hierarchical incremental propagation, where slaves
    can act as intermediates between an upstream master and other downstream
    slaves.
  * Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf
    files in addition to /etc/gss/mech.
  * Add support to the LDAP KDB module for binding to the LDAP server using
    SASL.
  * The KDC listens for TCP connections by default.
  * Fix a minor key disclosure vulnerability where using the "keepold" option
    to the kadmin randkey operation could return the old keys. [CVE-2014-5351]
  * Add client support for the Kerberos Cache Manager protocol. If the host
    is running a Heimdal kcm daemon, caches served by the daemon can be
    accessed with the KCM: cache type.
  * When built on OS X 10.7 and higher, use "KCM:" as the default cache type,
    unless overridden by command-line options or krb5-config values.
  * Add support for doing unlocked database dumps for the DB2 KDC back end,
    which would allow the KDC and kadmind to continue accessing the database
    during lengthy database dumps.
- Removed patches, useless or upstreamed
  * krb5-1.9-kprop-mktemp.patch
  * krb5-1.10-ksu-access.patch
  * krb5-1.12-doxygen.patch
  * bnc#897874-CVE-2014-5351.diff
  * krb5-1.13-work-around-replay-cache-creation-race.patch
  * krb5-1.10-kpasswd_tcp.patch
- Refreshed patches
  * krb5-1.12-pam.patch
  * krb5-1.12-selinux-label.patch
  * krb5-1.7-doublelog.patch

-------------------------------------------------------------------
Thu Sep 25 12:48:32 UTC 2014 - ddiss@suse.com

- Work around replay cache creation race; (bnc#898439).
  krb5-1.13-work-around-replay-cache-creation-race.patch

-------------------------------------------------------------------
Tue Sep 23 13:25:33 UTC 2014 - varkoly@suse.com

- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal
- added patches:
  * bnc#897874-CVE-2014-5351.diff

-------------------------------------------------------------------
Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de

- krb5 5.12.2:
  * Work around a gcc optimizer bug that could cause DB2 KDC
    database operations to spin in an infinite loop
  * Fix a backward compatibility problem with the LDAP KDB schema
    that could prevent krb5-1.11 and later from decoding entries
    created by krb5-1.6.
  * Avoid an infinite loop under some circumstances when the GSS
    mechglue loads a dynamic mechanism.
  * Fix krb5kdc argument parsing so "-w" and "-r" options work
    together reliably.
- Vulnerability fixes previously fixed in package via patches:
  * Handle certain invalid RFC 1964 GSS tokens correctly to avoid
    invalid memory reference vulnerabilities. [CVE-2014-4341
    CVE-2014-4342]
  * Fix memory management vulnerabilities in GSSAPI SPNEGO.
    [CVE-2014-4343 CVE-2014-4344]
  * Fix buffer overflow vulnerability in LDAP KDB back end.
    [CVE-2014-4345]
- updated patches:
  * krb5-1.7-doublelog.patch for context change
  * krb5-1.6.3-ktutil-manpage.dif, same
- removed patches, in upstream:
  * krb5-master-keyring-kdcsync.patch
  * krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
  * krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
  * krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
  * krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch
  from upstream

-------------------------------------------------------------------
Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com

- buffer overrun in kadmind with LDAP backend
  CVE-2014-4345 (bnc#891082)
  krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch

-------------------------------------------------------------------
Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com

- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)
  krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
  Fix null deref in SPNEGO acceptor [CVE-2014-4344]
  krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch

-------------------------------------------------------------------
Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com

- Do not depend on insserv if systemd is used

-------------------------------------------------------------------
Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com

- denial of service flaws when handling RFC 1964 tokens (bnc#886016)
  krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
- start krb5kdc after slapd (bnc#886102)

-------------------------------------------------------------------
Fri Jun 6 11:08:08 UTC 2014 - ckornacker@suse.com

- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
  similar functionality is provided by krb5-plugin-preauth-pkinit

-------------------------------------------------------------------
Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com

- don't deliver SysV init files to systemd distributions

-------------------------------------------------------------------
Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com

- update to version 1.12.1
  * Make KDC log service principal names more consistently during
    some error conditions, instead of "<unknown server>"
  * Fix several bugs related to building AES-NI support on less
    common configurations
  * Fix several bugs related to keyring credential caches
- upstream obsoletes:
  krb5-1.12-copy_context.patch
  krb5-1.12-enable-NX.patch
  krb5-1.12-pic-aes-ni.patch
  krb5-master-no-malloc0.patch
  krb5-master-ignore-empty-unnecessary-final-token.patch
  krb5-master-gss_oid_leak.patch
  krb5-master-keytab_close.patch
  krb5-master-spnego_error_messages.patch
- Fix Get time offsets for all keyring ccaches
  krb5-master-keyring-kdcsync.patch (RT#7820)

-------------------------------------------------------------------
Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com

- update to version 1.12
  * Add GSSAPI extensions for constructing MIC tokens using IOV lists
  * Add a FAST OTP preauthentication module for the KDC which uses
    RADIUS to validate OTP token values.
  * The AES-based encryption types will use AES-NI instructions
    when possible for improved performance.
- revert dependency on libcom_err-mini-devel since it's not yet
  available
- update and rebase patches
  * krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch
  * krb5-1.11-pam.patch -> krb5-1.12-pam.patch
  * krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch
  * krb5-1.8-api.patch -> krb5-1.12-api.patch
  * krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch
  * krb5-1.9-debuginfo.patch
  * krb5-1.9-kprop-mktemp.patch
  * krb5-kvno-230379.patch
- added upstream patches
- Fix krb5_copy_context
  * krb5-1.12-copy_context.patch
- Mark AESNI files as not needing executable stacks
  * krb5-1.12-enable-NX.patch
  * krb5-1.12-pic-aes-ni.patch
- Fix memory leak in SPNEGO initiator
  * krb5-master-gss_oid_leak.patch
- Fix SPNEGO one-hop interop against old IIS
  * krb5-master-ignore-empty-unnecessary-final-token.patch
- Fix GSS krb5 acceptor acquire_cred error handling
  * krb5-master-keytab_close.patch
- Avoid malloc(0) in SPNEGO get_input_token
  * krb5-master-no-malloc0.patch
- Test SPNEGO error message in t_s4u.py
  * krb5-master-spnego_error_messages.patch

-------------------------------------------------------------------
Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com

- Reduce build dependencies for krb5-mini by removing
  doxygen and changing libcom_err-devel to
  libcom_err-mini-devel
- Small fix to pre_checkin.sh so krb5-mini.spec is correct.

-------------------------------------------------------------------
Fri Nov 15 13:33:53 UTC 2013 - ckornacker@suse.com

- update to version 1.11.4
- Fix a KDC null pointer dereference [CVE-2013-1417] that could
  affect realms with an uncommon configuration.
- Fix a KDC null pointer dereference [CVE-2013-1418] that could
  affect KDCs that serve multiple realms.
- Fix a number of bugs related to KDC master key rollover.

-------------------------------------------------------------------
Mon Jun 24 16:21:07 UTC 2013 - mc@suse.com

- install and enable systemd service files also in -mini package

-------------------------------------------------------------------
Fri Jun 21 02:12:03 UTC 2013 - crrodriguez@opensuse.org

- remove fstack-protector-all from CFLAGS, just use the
  lighter/fast version already present in %optflags

- Use LFS_CFLAGS to build in 32 bit archs.

-------------------------------------------------------------------
Sun Jun 9 14:14:48 UTC 2013 - mc@suse.com

- update to version 1.11.3
- Fix a UDP ping-pong vulnerability in the kpasswd
  (password changing) service. [CVE-2002-2443]
- Improve interoperability with some Windows native PKINIT clients.
- install translation files
- remove outdated configure options

-------------------------------------------------------------------
Tue May 28 17:08:01 UTC 2013 - mc@suse.com

- cleanup systemd files (remove syslog.target)

-------------------------------------------------------------------
Fri May 3 09:43:47 CEST 2013 - mc@suse.de

- let krb5-mini conflict with all main packages

-------------------------------------------------------------------
Thu May 2 16:43:16 CEST 2013 - mc@suse.de

- add conflicts between krb5-mini and krb5-server

-------------------------------------------------------------------
Sun Apr 28 17:14:36 CEST 2013 - mc@suse.de

- update to version 1.11.2
  * Incremental propagation could erroneously act as if a slave's
    database were current after the slave received a full dump
    that failed to load.
  * gss_import_sec_context incorrectly set internal state that
    identifies whether an imported context is from an interposer
    mechanism or from the underlying mechanism.
- upstream fix obsolete krb5-lookup_etypes-leak.patch

-------------------------------------------------------------------
Thu Apr 4 15:10:19 CEST 2013 - mc@suse.de

- add conflicts between krb5-mini-devel and krb5-devel

-------------------------------------------------------------------
Tue Apr 2 17:32:08 CEST 2013 - mc@suse.de

- add conflicts between krb5-mini and krb5 and krb5-client

-------------------------------------------------------------------
Wed Mar 27 11:36:00 CET 2013 - mc@suse.de

- enable selinux and set openssl as crypto implementation

-------------------------------------------------------------------
Fri Mar 22 10:34:55 CET 2013 - mc@suse.de

- fix path to executables in service files
  (bnc#810926)

-------------------------------------------------------------------
Fri Mar 15 11:14:21 CET 2013 - mc@suse.de

- update to version 1.11.1
  * Improve ASN.1 support code, making it table-driven for
    decoding as well as encoding
  * Refactor parts of KDC
  * Documentation consolidation
  * build docs in the main package
  * bugfixing
- changes of patches:
  * bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif:
    upstream
  * bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif:
    upstream
  * krb5-1.10-gcc47.patch: upstream
  * krb5-1.10-selinux-label.patch replaced by
    krb5-1.11-selinux-label.patch
  * krb5-1.10-spin-loop.patch: upstream
  * krb5-1.3.5-perlfix.dif: the tool was removed from upstream
  * krb5-1.8-pam.patch replaced by
    krb5-1.11-pam.patch

-------------------------------------------------------------------
Wed Mar 6 12:01:32 CET 2013 - mc@suse.de

- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
  CVE-2012-1016 (bnc#807556)
  bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif

-------------------------------------------------------------------
Mon Mar 4 11:23:10 CET 2013 - mc@suse.de

- fix PKINIT null pointer deref
  CVE-2013-1415 (bnc#806715)
  bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif

-------------------------------------------------------------------
Fri Jan 25 15:29:37 CET 2013 - mc@suse.de

- package missing file (bnc#794784)

-------------------------------------------------------------------
Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com

- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc
  (bnc#793336)

-------------------------------------------------------------------
Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com

- revert the -p usage in %postun to fix SLE build

-------------------------------------------------------------------
Tue Oct 16 12:05:00 UTC 2012 - coolo@suse.com

- buildrequire systemd by pkgconfig provide to get systemd-mini

-------------------------------------------------------------------
Sat Oct 13 16:50:59 UTC 2012 - coolo@suse.com

- do not require systemd in krb5-mini

-------------------------------------------------------------------
Fri Oct 5 15:50:38 CEST 2012 - mc@suse.de

- add systemd service files for kadmind, krb5kdc and kpropd
- add sysconfig templates for kadmind and krb5kdc

-------------------------------------------------------------------
Wed Jun 13 08:40:56 UTC 2012 - coolo@suse.com

- fix %files section for krb5-mini

-------------------------------------------------------------------
Thu Jun 7 11:39:18 UTC 2012 - mc@suse.de

- fix gcc47 issues

-------------------------------------------------------------------
Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de

- update to version 1.10.2
  obsolete patches:
  * krb5-1.7-nodeplibs.patch
  * krb5-1.9.1-ai_addrconfig.patch
  * krb5-1.9.1-ai_addrconfig2.patch
  * krb5-1.9.1-sendto_poll.patch
  * krb5-1.9-canonicalize-fallback.patch
  * krb5-1.9-paren.patch
  * krb5-klist_s.patch
  * krb5-pkinit-cms2.patch
  * krb5-trunk-chpw-err.patch
  * krb5-trunk-gss_delete_sec.patch
  * krb5-trunk-kadmin-oldproto.patch
  * krb5-1.9-MITKRB5-SA-2011-006.dif
  * krb5-1.9-gss_display_status-iakerb.patch
  * krb5-1.9.1-sendto_poll2.patch
  * krb5-1.9.1-sendto_poll3.patch
  * krb5-1.9-MITKRB5-SA-2011-007.dif
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
  Controllers.
- Update a workaround for a glibc bug that would cause DNS PTR queries
  to occur even when rdns = false.
- Fix a kadmind denial of service issue (null pointer dereference),
  which could only be triggered by an administrator with the "create"
  privilege. [CVE-2012-1013]
- Fix access controls for KDB string attributes [CVE-2012-1012]
- Make the ASN.1 encoding of key version numbers interoperate with
  Windows Read-Only Domain Controllers
- Avoid generating spurious password expiry warnings in cases where
  the KDC sends an account expiry time without a password expiry time
- Make PKINIT work with FAST in the client library.
- Add the DIR credential cache type, which can hold a collection of
  credential caches.
- Enhance kinit, klist, and kdestroy to support credential cache
  collections if the cache type supports it.
- Add the kswitch command, which changes the selected default cache
  within a collection.
- Add heuristic support for choosing client credentials based on
  the service realm.
- Add support for $HOME/.k5identity, which allows credential
  choice based on configured rules.

2012-02-28 10:04:15 +01:00
-------------------------------------------------------------------
Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de

- add autoconf macro to devel subpackage

2012-02-08 09:11:14 +01:00
-------------------------------------------------------------------
Tue Jan 31 15:33:05 CET 2012 - meissner@suse.de

- fix license in krb5-mini

2011-12-25 22:43:39 +01:00
-------------------------------------------------------------------
Tue Dec 20 20:57:26 UTC 2011 - coolo@suse.com

- add autoconf as buildrequire to avoid implicit dependency

-------------------------------------------------------------------
Tue Dec 20 11:01:39 UTC 2011 - coolo@suse.com

- remove call to suse_update_config, very old work around

2011-12-07 09:41:31 +01:00
-------------------------------------------------------------------
Mon Nov 21 11:24:12 CET 2011 - mc@suse.de

- fix KDC null pointer dereference in TGS handling
  (MITKRB5-SA-2011-007, bnc#730393)
  CVE-2011-1530

2011-11-21 11:17:08 +01:00
-------------------------------------------------------------------
Mon Nov 21 11:11:54 CET 2011 - mc@suse.de

- fix KDC HA feature introduced with implementing KDC poll
2011-12-07 09:41:31 +01:00
  (RT#6951, bnc#731648)
2011-11-21 11:17:08 +01:00

2011-11-21 10:54:25 +01:00
-------------------------------------------------------------------
Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de

- fix minor error messages for the IAKERB GSSAPI mechanism
  (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)

2011-10-19 09:48:04 +02:00
-------------------------------------------------------------------
Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de

- fix kdc remote denial of service
  (MITKRB5-SA-2011-006, bnc#719393)
  CVE-2011-1527, CVE-2011-1528, CVE-2011-1529

2011-08-23 13:52:42 +02:00
-------------------------------------------------------------------
Tue Aug 23 13:52:03 CEST 2011 - mc@suse.de

- use --without-pam to build krb5-mini

2011-04-14 11:34:57 +02:00
-------------------------------------------------------------------
2011-08-21 11:43:02 +02:00
Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com

- add patches from Fedora and upstream
2011-08-22 10:19:13 +02:00
- fix init scripts (bnc#689006)
2011-08-21 11:43:02 +02:00

-------------------------------------------------------------------
Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com

- update to version 1.9.1
  * obsolete patches:
    MITKRB5-SA-2010-007-1.8.dif
    krb5-1.8-MITKRB5-SA-2010-006.dif
    krb5-1.8-MITKRB5-SA-2011-001.dif
    krb5-1.8-MITKRB5-SA-2011-002.dif
    krb5-1.8-MITKRB5-SA-2011-003.dif
    krb5-1.8-MITKRB5-SA-2011-004.dif
    krb5-1.4.3-enospc.dif
  * replace krb5-1.6.1-compile_pie.dif
-------------------------------------------------------------------
2011-04-14 11:34:57 +02:00
Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de

- fix kadmind invalid pointer free()
  (MITKRB5-SA-2011-004, bnc#687469)
  CVE-2011-0285

2011-03-16 08:59:53 +01:00
-------------------------------------------------------------------
Tue Mar 1 12:43:22 CET 2011 - mc@suse.de

- Fix vulnerability to a double-free condition in KDC daemon
  (MITKRB5-SA-2011-003, bnc#671717)
  CVE-2011-0284

2011-02-09 10:12:27 +01:00
-------------------------------------------------------------------
Wed Jan 19 14:42:27 CET 2011 - mc@suse.de

- Fix kpropd denial of service
  (MITKRB5-SA-2011-001, bnc#662665)
  CVE-2010-4022
- Fix KDC denial of service attacks with LDAP back end
  (MITKRB5-SA-2011-002, bnc#663619)
  CVE-2011-0281, CVE-2011-0282

2010-12-01 11:45:18 +01:00
-------------------------------------------------------------------
Wed Dec 1 11:44:15 CET 2010 - mc@suse.de

- Fix multiple checksum handling vulnerabilities
  (MITKRB5-SA-2010-007, bnc#650650)
  CVE-2010-1324
  * krb5 GSS-API applications may accept unkeyed checksums
  * krb5 application services may accept unkeyed PAC checksums
  * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums
  CVE-2010-1323
  * krb5 clients may accept unkeyed SAM-2 challenge checksums
  * krb5 may accept KRB-SAFE checksums with low-entropy derived keys
  CVE-2010-4020
  * krb5 may accept authdata checksums with low-entropy derived keys
  CVE-2010-4021
  * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery

2010-10-28 12:53:57 +02:00
-------------------------------------------------------------------
Thu Oct 28 12:53:13 CEST 2010 - mc@suse.de

- fix csh profile (bnc#649856)

2010-10-22 11:17:36 +02:00
-------------------------------------------------------------------
Fri Oct 22 11:15:43 CEST 2010 - mc@suse.de

- update to krb5-1.8.3
  * remove patches which are now upstream
    - krb5-1.7-MITKRB5-SA-2010-004.dif
    - krb5-1.8.1-gssapi-error-table.dif
    - krb5-MITKRB5-SA-2010-005.dif

2010-10-22 10:51:14 +02:00
-------------------------------------------------------------------
Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de

- change environment variable PATH directly for csh
  (bnc#642080)

2010-10-11 11:50:03 +02:00
-------------------------------------------------------------------
Mon Sep 27 11:42:43 CEST 2010 - mc@suse.de

- fix a dereference of an uninitialized pointer while processing
  authorization data.
  CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)

2010-06-22 09:49:38 +02:00
-------------------------------------------------------------------
Mon Jun 21 21:31:53 UTC 2010 - lchiquitto@novell.com

- add correct error table when initializing gss-krb5 (bnc#606584,
  bnc#608295)

2010-05-25 10:35:36 +02:00
-------------------------------------------------------------------
Wed May 19 14:27:19 CEST 2010 - mc@suse.de

- fix GSS-API library null pointer dereference
  CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)

2010-04-23 19:17:38 +02:00
-------------------------------------------------------------------
Wed Apr 14 11:36:32 CEST 2010 - mc@suse.de

- fix a double free vulnerability in the KDC
  CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)

2010-04-14 15:16:17 +02:00
-------------------------------------------------------------------
Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de

- update to version 1.8.1
  * include krb5-1.8-POST.dif
  * include MITKRB5-SA-2010-002

-------------------------------------------------------------------
Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de

- update krb5-1.8-POST.dif

2010-03-26 00:13:31 +01:00
-------------------------------------------------------------------
Tue Mar 23 14:32:41 CET 2010 - mc@suse.de

- fix a bug where an unauthenticated remote attacker could cause
  a GSS-API application including the Kerberos administration
  daemon (kadmind) to crash.
  CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)

-------------------------------------------------------------------
Tue Mar 23 12:33:26 CET 2010 - mc@suse.de

- add post 1.8 fixes
  * Add IPv6 support to changepw.c
  * fix two problems in kadm5_get_principal mask handling
  * Ignore improperly encoded signedpath AD elements
  * handle NT_SRV_INST in service principal referrals
  * dereference options while checking
    KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
  * Fix the kpasswd fallback from the ccache principal name
  * Document the ticket_lifetime libdefaults setting
  * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512

2010-03-23 12:40:55 +01:00
-------------------------------------------------------------------
Thu Mar 4 10:42:29 CET 2010 - mc@suse.de

- update to version 1.8
  * Increase code quality
  * Move toward improved KDB interface
  * Investigate and remedy repeatedly-reported performance
    bottlenecks.
  * Reduce DNS dependence by implementing an interface that allows
    client library to track whether a KDC supports service
    principal referrals.
  * Disable DES by default
  * Account lockout for repeated login failures
  * Bridge layer to allow Heimdal HDB modules to act as KDB
    backend modules
  * FAST enhancements
  * Microsoft Services for User (S4U) compatibility
  * Anonymous PKINIT
- fix KDC denial of service
  CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)
2010-01-14 15:34:47 +01:00
- fix KDC denial of service in cross-realm referral processing
  CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
- fix integer underflow in AES and RC4 decryption
2010-03-23 12:40:55 +01:00
  CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl

2010-03-05 02:10:03 +01:00
-------------------------------------------------------------------
Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de

- add baselibs.conf as a source

2009-11-16 16:21:45 +01:00
-------------------------------------------------------------------
Fri Nov 13 16:51:37 CET 2009 - mc@suse.de

- enhance '$PATH' only if the directories are available
  and not empty (bnc#544949)

2009-07-08 19:41:43 +02:00
-------------------------------------------------------------------
2009-07-17 16:31:27 +02:00
Sun Jul 12 21:36:17 CEST 2009 - coolo@novell.com

- readd lost baselibs.conf

-------------------------------------------------------------------
2009-07-08 19:41:43 +02:00
Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de

- update to final 1.7 release

-------------------------------------------------------------------
Wed May 13 11:30:42 CEST 2009 - mc@suse.de

- update to version 1.7 Beta2
  * Incremental propagation support for the KDC database.
  * Flexible Authentication Secure Tunneling (FAST), a preauthentication
    framework that can protect the AS exchange from dictionary attack.
  * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
    allows a GSS application to request credential delegation only if
    permitted by KDC policy.
  * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
    various vulnerabilities in SPNEGO and ASN.1 code.

-------------------------------------------------------------------
Mon Feb 16 13:04:26 CET 2009 - mc@suse.de

- update to pre 1.7 version
  * Remove support for version 4 of the Kerberos protocol (krb4).
  * New libdefaults configuration variable "allow_weak_crypto".
  * Client library now follows client principal referrals, for
    compatibility with Windows.
  * KDC can issue realm referrals for service principals based on domain
    names.
  * Encryption algorithm negotiation (RFC 4537).
  * In the replay cache, use a hash over the complete ciphertext to
    avoid false-positive replay indications.
  * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
    similar to the equivalent SSPI functionality.
  * DCE RPC, including three-leg GSS context setup and unencapsulated
    GSS tokens.
  * NTLM recognition support in GSS-API, to facilitate dropping in an
    NTLM implementation.
  * KDC support for principal aliases, if the back end supports them.
  * Microsoft set/change password (RFC 3244) protocol in kadmind.
  * Master key rollover support.

2008-12-15 14:48:05 +01:00
-------------------------------------------------------------------
2009-01-14 17:54:24 +01:00
Wed Jan 14 09:21:36 CET 2009 - olh@suse.de

- obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit

-------------------------------------------------------------------
2008-12-15 14:48:05 +01:00
Thu Dec 11 14:12:57 CET 2008 - mc@suse.de

- do not query IPv6 addresses if no IPv6 address exists on this host
  [bnc#449143]

-------------------------------------------------------------------
Wed Dec 10 12:34:56 CET 2008 - olh@suse.de

- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
  (bnc#437293)

2008-11-02 15:42:40 +01:00
-------------------------------------------------------------------
Thu Oct 30 12:34:56 CET 2008 - olh@suse.de

- obsolete old -XXbit packages (bnc#437293)

2008-10-06 19:00:36 +02:00
-------------------------------------------------------------------
Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de

- in case we use ldap as database backend, ldap should be
  started before krb5kdc

2008-08-02 01:11:46 +02:00
-------------------------------------------------------------------
Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de

- add new fixes to post 1.6.3 patch
  * fix mem leak in krb5_gss_accept_sec_context()
  * keep minor_status
  * kadm5_decrypt_key: A ktype of -1 is documented as meaning
    "to be ignored"
  * Reject socket fds > FD_SETSIZE

2008-07-25 16:52:35 +02:00
-------------------------------------------------------------------
Fri Jul 25 12:13:24 CEST 2008 - mc@suse.de

- add patches from SVN post 1.6.3
  * krb5_string_to_keysalts: Fix an infinite loop
  * fix some mutex issues
  * better recovery from corrupt rcache files
  * some more small fixes

2008-06-23 04:16:38 +02:00
-------------------------------------------------------------------
Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de

- add case-insensitive.dif (FATE#300771)
- minor fixes for ktutil man page
- reduce rpmlint warnings

2008-05-17 02:39:26 +02:00
-------------------------------------------------------------------
Wed May 14 17:44:59 CEST 2008 - mc@suse.de

- Fall back to TCP on kdc-unresolvable/unreachable errors.
- restore valid sequence number before generating requests
  (fix changing passwords in mixed ipv4/ipv6 environments)

2008-04-09 21:26:24 +02:00
-------------------------------------------------------------------
2008-04-10 14:21:08 +02:00
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de

- added baselibs.conf file to build xxbit packages
  for multilib support

-------------------------------------------------------------------
2008-04-09 21:26:24 +02:00
Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de

- modify krb5-config to not output rpath and cflags in --libs
  (bnc#378270)

2008-03-21 01:47:13 +01:00
-------------------------------------------------------------------
Fri Mar 14 11:27:55 CET 2008 - mc@suse.de

- fix two security bugs:
  * MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063)
    fix double free [bnc#361373]
  * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)
    Memory corruption while too many open file descriptors
    [bnc#363151]
- change default config file. Comment out the examples.

2008-01-23 22:04:40 +01:00
-------------------------------------------------------------------
Fri Dec 14 10:48:52 CET 2007 - mc@suse.de

- fix several security bugs:
  * CVE-2007-5894 apparent uninit length
  * CVE-2007-5902 integer overflow
  * CVE-2007-5971 free of non-heap pointer and double-free
  * CVE-2007-5972 double fclose()
  [#346745, #346748, #346746, #346749, #346747]

2007-12-06 01:01:44 +01:00
-------------------------------------------------------------------
Tue Dec 4 16:36:07 CET 2007 - mc@suse.de

- improve GSSAPI error messages

2007-11-06 22:31:09 +01:00
-------------------------------------------------------------------
Tue Nov 6 13:53:17 CET 2007 - mc@suse.de

- add coreutils to PreReq

2007-10-25 02:08:58 +02:00
-------------------------------------------------------------------
Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de

- update to krb5 version 1.6.3
  * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
  * fix CVE-2007-4000 modify_policy vulnerability
  * Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles

2007-09-14 16:20:57 +02:00
-------------------------------------------------------------------
Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de

- update krb5-1.6.2-post.dif
  * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
    the client library will not failover to the next KDC.
    [#310540]

2007-09-13 18:47:35 +02:00
-------------------------------------------------------------------
Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de

- update krb5-1.6.2-post.dif
  * new -S sname option for kvno
  * read_entropy_from_device on partial read will not fill buffer
  * Bail out if encoded "ticket" doesn't decode correctly.
  * patch for referrals loop

-------------------------------------------------------------------
Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de

- fix a problem with the originally published patch
  for MITKRB5-SA-2007-006 - CVE-2007-3999
  [#302377]

-------------------------------------------------------------------
Wed Sep 5 12:18:21 CEST 2007 - mc@suse.de

- fix execute arbitrary code
  (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
  [#302377]

2007-08-09 20:01:33 +02:00
-------------------------------------------------------------------
Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de

- add krb5-1.6.2-post.dif
  * during the referrals loop, check to see if the
    session key enctype of a returned credential for the final
    service is among the enctypes explicitly selected by the
    application, and retry with old_use_conf_ktypes if it is not.
  * If mkstemp() is available, the new ccache file gets created but
    the subsequent open(O_CREAT|O_EXCL) call fails because the file
    was already created by mkstemp(). Apply patch from Apple to keep
    the file descriptor open.

2007-07-13 17:58:15 +02:00
-------------------------------------------------------------------
Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de

- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release

2007-07-05 18:29:09 +02:00
-------------------------------------------------------------------
Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de

- change requires to libcom_err-devel

2007-07-05 01:08:36 +02:00
-------------------------------------------------------------------
Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de

- update krb5-1.6.1-post.dif
  * fix leak in krb5_walk_realm_tree
  * rd_req_decoded needs to deal with referral realms
  * fix buffer overflow in kadmind
    (MITKRB5-SA-2007-005 - CVE-2007-2798)
    [#278689]
  * fix kadmind code execution bug
    (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
    [#271191]

2007-06-15 00:30:00 +02:00
-------------------------------------------------------------------
Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de

- fix unstripped-binary-or-object rpmlint warning

2007-06-15 00:26:00 +02:00
-------------------------------------------------------------------
Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de

- fixing rpmlint warnings and errors:
  * merged logrotate scripts kadmin and krb5kdc into a single file
    krb5-server.
  * moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl
    from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper.
    adapted krb5.spec and README.ConvertHeimdalMIT accordingly.
  * added suppression filter for
    "devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so"
    (see [#147912]).
  * set default runlevel of init scripts in chkconfig line to 3 and
    5

2007-05-11 10:36:44 +02:00
-------------------------------------------------------------------
Wed May 9 15:30:53 CEST 2007 - mc@suse.de

- fix uninitialized salt length
- add extra check for keytab file

2007-05-04 00:16:34 +02:00
-------------------------------------------------------------------
Thu May 3 12:11:29 CEST 2007 - mc@suse.de

- adding krb5-1.6.1-post.dif
  * fix segfault in krb5_get_init_creds_password
  * remove debug output in ftp client
  * profile stores empty string values without double quotes

2007-04-23 23:17:31 +02:00
-------------------------------------------------------------------
Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de

- update to final 1.6.1 version

2007-04-20 01:22:05 +02:00
-------------------------------------------------------------------
Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de

- add plugin directories to main package

2007-04-17 00:35:48 +02:00
-------------------------------------------------------------------
Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de

- update to version 1.6.1 Beta1
- remove obsolete patches
  (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
- rework compile_pie patch

2007-04-12 17:50:56 +02:00
-------------------------------------------------------------------
Wed Apr 11 10:58:09 CEST 2007 - mc@suse.de

- update krb5-1.6-post.dif
  * fix kadmind stack overflow in krb5_klog_syslog
    (MITKRB5-SA-2007-002 - CVE-2007-0957)
    [#253548]
  * fix double free attack in the RPC library
    (MITKRB5-SA-2007-003 - CVE-2007-1216)
    [#252487]
  * fix krb5 telnetd login injection
    (MIT-SA-2007-001 - CVE-2007-0956)
    #247765

2007-03-29 14:00:29 +02:00
-------------------------------------------------------------------
2007-03-29 17:14:52 +02:00
Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de
2007-03-29 14:00:29 +02:00

2007-03-29 17:14:52 +02:00
- add ncurses-devel and bison to BuildRequires
- rework some patches
2007-03-29 14:00:29 +02:00

2007-03-05 15:26:29 +01:00
-------------------------------------------------------------------
Mon Mar 5 11:01:20 CET 2007 - mc@suse.de

- move SuSEFirewall service definitions to
  /etc/sysconfig/SuSEfirewall2.d/services

2007-02-22 14:45:41 +01:00
-------------------------------------------------------------------
Thu Feb 22 11:13:48 CET 2007 - mc@suse.de

- add firewall definition to krb5-server, FATE #300687

2007-02-19 21:42:34 +01:00
-------------------------------------------------------------------
Mon Feb 19 13:59:43 CET 2007 - mc@suse.de

- update krb5-1.6-post.dif
- move some applications into the right package

2007-02-02 14:20:45 +01:00
-------------------------------------------------------------------
2007-02-09 16:55:04 +01:00
Fri Feb 9 13:31:22 CET 2007 - mc@suse.de

- update krb5-1.6-post.dif

-------------------------------------------------------------------
2007-02-02 14:20:45 +01:00
Mon Jan 29 11:27:23 CET 2007 - mc@suse.de

- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif
  are now upstream. Remove patches.
- fix leak in krb5_kt_resolve and krb5_kt_wresolve

2007-01-26 17:41:59 +01:00
-------------------------------------------------------------------
Tue Jan 23 17:21:12 CET 2007 - mc@suse.de

- fix "local variable used before set" in ftp.c
  [#237684]

-------------------------------------------------------------------
Mon Jan 22 16:39:27 CET 2007 - mc@suse.de

- krb5-devel should require keyutils-devel

-------------------------------------------------------------------
Mon Jan 22 12:19:49 CET 2007 - mc@suse.de

- update to version 1.6
  * Major changes in 1.6 include
  * Partial client implementation to handle server name referrals.
  * Pre-authentication plug-in framework, donated by Red Hat.
  * LDAP KDB plug-in, donated by Novell.
- remove obsolete patches

2007-01-10 17:47:18 +01:00
-------------------------------------------------------------------
Wed Jan 10 11:16:30 CET 2007 - mc@suse.de

- fix for
  kadmind (via RPC library) calls uninitialized function pointer
  (CVE-2006-6143)(Bug #225990)
  krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif
- fix for
  kadmind (via GSS-API mechglue) frees uninitialized pointers
  (CVE-2006-6144)(Bug #225992)
2007-01-26 17:41:59 +01:00
  krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif
2007-01-10 17:47:18 +01:00

2007-01-04 01:57:59 +01:00
-------------------------------------------------------------------
Tue Jan 2 14:53:33 CET 2007 - mc@suse.de

2007-01-26 17:41:59 +01:00
- Fix Requires in krb5-devel
2007-01-04 01:57:59 +01:00
  [Bug #231008]

2006-12-19 00:16:52 +01:00
-------------------------------------------------------------------
Mon Nov 6 11:49:39 CET 2006 - mc@suse.de

- fix "local variable used before set" [#217692]
- fix strncat warning

-------------------------------------------------------------------
Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de

- add a default kadm5.dict file
- require $network on daemon start

-------------------------------------------------------------------
Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de

- fix function call with too few arguments [#203837]

-------------------------------------------------------------------
Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de

- update to version 1.5.1
- remove obsolete patches which are now included upstream
  * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
  * trunk-fix-uninitialized-vars.dif

-------------------------------------------------------------------
Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de

- krb5 setuid return check fixes
  krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
  [#182351]

-------------------------------------------------------------------
Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de

- remove update-messages

-------------------------------------------------------------------
Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de

- add check for krb5_prop in services to kpropd init script.
  [#192446]

-------------------------------------------------------------------
Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de

- update to version 1.5
  * KDB abstraction layer, donated by Novell.
  * plug-in architecture, allowing for extension modules to be
    loaded at run-time.
  * multi-mechanism GSS-API implementation ("mechglue"),
    donated by Sun Microsystems
  * Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
    implementation, donated by Sun Microsystems
- remove obsolete patches and add some new

-------------------------------------------------------------------
Fri May 26 14:50:00 CEST 2006 - ro@suse.de

- libcom is not in e2fsck-devel but in its own package now, change
  Requires accordingly.

-------------------------------------------------------------------
Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de

- add all daemons to %stop_on_removal and %restart_on_update
- add reload to kpropd init script
- add force-reload to all init scripts

-------------------------------------------------------------------
Mon Mar 13 18:20:36 CET 2006 - mc@suse.de

- add libgssapi_krb5.so link to main package [#147912]

-------------------------------------------------------------------
Fri Feb 3 18:17:01 CET 2006 - mc@suse.de

- fix logging section for kadmind in convert script

-------------------------------------------------------------------
Wed Jan 25 21:30:24 CET 2006 - mls@suse.de

- converted neededforbuild to BuildRequires

-------------------------------------------------------------------
Fri Jan 13 14:44:24 CET 2006 - mc@suse.de

- change the logging defaults

-------------------------------------------------------------------
|
|
|
|
Wed Jan 11 12:59:08 CET 2006 - mc@suse.de
|
|
|
|
|
|
|
|
- add tools and README for heimdal => MIT update
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Jan 9 14:41:07 CET 2006 - mc@suse.de
|
|
|
|
|
|
|
|
- fix build problems, define _GNU_SOURCE
|
|
|
|
(krb5-1.4.3-set_gnu_source.dif )
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Jan 3 16:00:13 CET 2006 - mc@suse.de
|
|
|
|
|
|
|
|
- added "make %{?jobs:-j%jobs}"
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Nov 18 12:12:01 CET 2005 - mc@suse.de

- update to version 1.4.3
  * some memory leaks fixed
  * fix for "AS_REP padata has wrong enctype"
  * fix for "AS_REP padata missing PA-ETYPE-INFO"
  * ... and more

-------------------------------------------------------------------
Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de

- don't build as root

-------------------------------------------------------------------
Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de

- update to version 1.4.2
- remove some obsolete patches

-------------------------------------------------------------------
Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de

- build with --disable-static

-------------------------------------------------------------------
Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de

- remove devel-static subpackage

-------------------------------------------------------------------
Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de

- better patch for princ_comp problem

-------------------------------------------------------------------
Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de

- update to version 1.4.1
- remove obsolete patches
  - krb5-1.4-gcc4.dif
  - krb5-1.4-reduce-namespace-polution.dif
  - krb5-1.4-VUL-0-telnet.dif

-------------------------------------------------------------------
Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de

- fixed krb5 KDC heap corruption by random free
  [#80574, CAN-2005-1174, MITKRB5-SA-2005-002]
- fixed krb5 double free()
  [#86768, CAN-2005-1689, MITKRB5-SA-2005-003]
- fix krb5 NULL pointer reference while comparing principals
  [#91600]

-------------------------------------------------------------------
Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de

- fix uninitialized variables
- compile with -fPIE/ link with -pie

-------------------------------------------------------------------
Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de

- fixed wrong xinetd files [#77149]

-------------------------------------------------------------------
Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de

- removed krb5-1.4-fix-error_tables.dif patch obsoleted
  by libcom_err locking patches

-------------------------------------------------------------------
Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de

- fixed missing descriptions in init files
  [#76164, #76165, #76166, #76169]

-------------------------------------------------------------------
Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de

- enhance $PATH via /etc/profile.d/ [#74018]
- remove the "links to important programs"

-------------------------------------------------------------------
Fri Mar 18 11:09:43 CET 2005 - mc@suse.de

- fixed not running converter script [#72854]

-------------------------------------------------------------------
Thu Mar 17 14:15:17 CET 2005 - mc@suse.de

- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer
  Overflow
- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer
  Overflow
  [#73618]

-------------------------------------------------------------------
Wed Mar 16 13:10:18 CET 2005 - mc@suse.de

- fixed wrong PreReqs [#73020]

-------------------------------------------------------------------
Tue Mar 15 19:54:58 CET 2005 - mc@suse.de

- add a simple krb5.conf converter [#72854]

-------------------------------------------------------------------
Mon Mar 14 17:08:59 CET 2005 - mc@suse.de

- fixed: rckrb5kdc restart gives wrong status with non-running service
  [#72446]

-------------------------------------------------------------------
Thu Mar 10 10:48:07 CET 2005 - mc@suse.de

- add requires: e2fsprogs-devel to krb5-devel package [#71732]

-------------------------------------------------------------------
Fri Feb 25 17:35:37 CET 2005 - mc@suse.de

- fix double free [#66534]
  krb5-1.4-fix-error_tables.dif

-------------------------------------------------------------------
Fri Feb 11 14:01:32 CET 2005 - mc@suse.de

- change mode for shared libraries to 755

-------------------------------------------------------------------
Fri Feb 4 16:48:16 CET 2005 - mc@suse.de

- remove spx.c from tarball because of legal risk
- add README.Source which tells the user about this
  action.
- add a check for spx.c in the spec-file
- use rich-text for update-messages [#50250]

-------------------------------------------------------------------
Tue Feb 1 12:13:45 CET 2005 - mc@suse.de

- add krb5-1.4-reduce-namespace-polution.dif
  reduce namespace pollution in gssapi.h [#50356]

-------------------------------------------------------------------
Fri Jan 28 13:25:42 CET 2005 - mc@suse.de

- update to version 1.4
- Add implementation of the RPCSEC_GSS authentication flavor to the
  RPC library.
- Thread safety for krb5 libraries.
- Merged Athena telnetd changes for creating a new option for
  requiring encryption.
- The kadmind4 backwards-compatibility admin server and the v5passwdd
  backwards-compatibility password-changing server have been removed.
- Yarrow code now uses AES.
- Merged Athena changes to allow ftpd to require encrypted passwords.
- Incorporate gss_krb5_set_allowable_enctypes() and
  gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.
- remove obsolete patches

-------------------------------------------------------------------
Mon Jan 17 11:34:52 CET 2005 - mc@suse.de

- add proofread update-messages

-------------------------------------------------------------------
Fri Jan 14 14:38:25 CET 2005 - mc@suse.de

- remove Conflicts: and add Provides:
- add some insserv stuff

-------------------------------------------------------------------
Thu Jan 13 11:54:01 CET 2005 - mc@suse.de

- move vendor files to vendor-files.tar.bz2
- add obsoletes: heimdal
- add %pre and %post sections to detect update
  from heimdal and backup invalid configuration files
- add update-messages for heimdal update

-------------------------------------------------------------------
Mon Jan 10 12:18:02 CET 2005 - mc@suse.de

- update to version 1.3.6
- fix for: heap buffer overflow in libkadm5srv
  [CAN-2004-1189 / MITKRB5-SA-2004-004]

-------------------------------------------------------------------
Tue Dec 14 15:30:23 CET 2004 - mc@suse.de

- build doc subpackage in an own specfile
- removed unnecessary neededforbuild requirements

-------------------------------------------------------------------
Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de

- fix build with gcc 4

-------------------------------------------------------------------
Mon Nov 15 17:25:56 CET 2004 - mc@suse.de

- added Conflicts with heimdal*
- rename some manpages to avoid conflicts

-------------------------------------------------------------------
Thu Nov 4 18:03:11 CET 2004 - mc@suse.de

- new init scripts
- fix logrotate scripts
- add some 64Bit fixes
- add default krb5.conf, kdc.conf and kadm5.acl

-------------------------------------------------------------------
Wed Nov 3 18:52:07 CET 2004 - mc@suse.de

- add e2fsprogs to NFB
- use system-et and system-ss
- fix includes of com_err.h

-------------------------------------------------------------------
Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de

- Initial checkin