From 36feefeaf61f2b97544b2f3a795985e320847313d987090244c00367d0b72d5b Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Sat, 15 Jul 2023 18:25:31 +0000 Subject: [PATCH] - update to 1.121.1 (CVE-2023-36054): * Fix potential uninitialized pointer free in kadm5 XDR parsing [CVE-2023-36054]. * Added a credential cache type providing compatibility with the macOS 11 native credential cache. * libkadm5 will use the provided krb5_context object to read configuration values, instead of creating its own. * Added an interface to retrieve the ticket session key from a GSS context. * The KDC will no longer issue tickets with RC4 or triple-DES session keys unless explicitly configured with the new allow_rc4 or allow_des3 variables respectively. * The KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes string attribute. * Support for PAC full KDC checksums has been added to mitigate an S4U2Proxy privilege escalation attack. * The PKINIT client will advertise a more modern set of supported CMS algorithms. * Removed unused code in libkrb5, libkrb5support, and the PKINIT module. * Modernized the KDC code for processing TGS requests, the code for encrypting and decrypting key data, the PAC handling code, and the GSS library packet parsing and composition code. * Improved the test framework's detection of memory errors in daemon processes when used with asan. OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=274 --- krb5-1.20.1.tar.gz | 3 --- krb5-1.20.1.tar.gz.asc | 16 ---------------- krb5-1.21.1.tar.gz | 3 +++ krb5-1.21.1.tar.gz.asc | 16 ++++++++++++++++ krb5-mini.spec | 6 +++--- krb5.changes | 31 +++++++++++++++++++++++++++++++ krb5.spec | 6 +++--- 7 files changed, 56 insertions(+), 25 deletions(-) delete mode 100644 krb5-1.20.1.tar.gz delete mode 100644 krb5-1.20.1.tar.gz.asc create mode 100644 krb5-1.21.1.tar.gz create mode 100644 krb5-1.21.1.tar.gz.asc diff --git a/krb5-1.20.1.tar.gz b/krb5-1.20.1.tar.gz deleted file mode 100644 index aad5861..0000000 --- a/krb5-1.20.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:704aed49b19eb5a7178b34b2873620ec299db08752d6a8574f95d41879ab8851 -size 8661660 diff --git a/krb5-1.20.1.tar.gz.asc b/krb5-1.20.1.tar.gz.asc deleted file mode 100644 index 8f477a9..0000000 --- a/krb5-1.20.1.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmNvED8ACgkQDLoIV1+D -ct9uKw/8C5GS8mdh335lB+bkfjYYCZLD+oQToDAAbdCddrIcuLftvnTfXJ8cMtMc -UT2hsp8u7ZupjJRevdhaH7fFwomc0V8iSES5J2cQHTNd9aK93j/W6NaMoqWLrQWg -jx99oqLn7orvp8N5RufEQcNMNWhFIX4XSfrA3vPfHbbffA2vkjJzOGno4UHi8zUn -6nye7jbrBpiQIeFIJSS3VPsvGrKdRgb9BqGTUsqPIuFvr3Qvo42lKr5X8CWYSXjK -0aKlOpfbWdkteEe2o84/wyMpuGvmYkmOgaMB5xQ3jfEuvPNAWX2CWHNDamiqwBT/ -YxwhZimNa1B9r3P1yDHvpUu8cJaRzw2UDRi2f3Kztrmn2jlqzmoZ31WBALJA7lmL -SrVFdXi7AcWwppMp1kbe9SvurCXID8/Q4n+qAdzSvqrXbeWerVUkdYFvtxQ1bMJR -jnqN11iZFYaoCaaR2lFEhjoMdR80jUa2m6vdF7a7xhH1UvuPHDnzLT9X/TiPvx0R -Itrp5MMIrUQHcZUL9hM5hrg3nxEsGsSCnjB0zWDmgXdLGwd4CvcOF4HPQR3BBlEH -CLtAa27bBXMJTYVvmmKt06hw+U3ALDfUlFrV6ZNLr9ug69l29n7JoChAbZ97Hx1m -twPwJpKd8AiUz+j3KCfgGU21qMbHNP3jEn3q9tkq0qcs/z7RCmU= -=1WIq ------END PGP SIGNATURE----- diff --git a/krb5-1.21.1.tar.gz b/krb5-1.21.1.tar.gz new file mode 100644 index 0000000..5db6424 --- /dev/null +++ b/krb5-1.21.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7881c3aaaa1b329bd27dbc6bf2bf1c85c5d0b6c7358aff2b35d513ec2d50fa1f +size 8623049 diff --git a/krb5-1.21.1.tar.gz.asc b/krb5-1.21.1.tar.gz.asc new file mode 100644 index 0000000..85b6d8c --- /dev/null +++ b/krb5-1.21.1.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmSsc/kACgkQDLoIV1+D +ct+wPxAArlkJs5WpFIm2JDJXGF82BNw/FEhg+OkWcPHeLMWJF8qO0AxVp8Yq4g1g +qFpTABwY8V2tfr84XQJ6rw7Qq93NjRjFHr1z1tDmCceLisXof6Tu7/RKjHwNmJt8 +M3srmsXPlmx/7cXuaYIljJfftun3D/iuEaydWluGb1DZicaU/OsofGhKE8/YEZrN +H0XdIC45raG4O9t6CGjQRcAIv5Z4afCtXH4aaEmLg6E2+aTUyx+czu7nBASCaTyv +s4df8fhbVpdBi6iA6BQJC296Rc1gyDnuxnjyCH8Rj2gTuiI4Oa2dxRPGT3mjksz3 +OheYcXK9XGCtUbG22zrxqUuHDA3jF6KKmsVSXnbygB6XSS/c0bqmeDRTQGPksWH6 +RJbmlKG9PQ0BavlXRa7Nupaa7f0jblFiduScYujRsyWxi/8YkckedugYyuww59gV +piUwGGRDWldy+JIAYtvzirsfe6Oum0/SKY5wYXyKv0flM95pbfBEw+TzRxmlCQ5J ++i8L9Frr4gTmT576GHB6WzBlOEPf6mRc8jg0DyyUOoDHXyj4MCyJGEJxvcyVV1WX +tJlu0uH1f8pMZx4IQ279PsNFimO/NsdSTefqiVGXA7FWK1EPLc+l9ZBcrLi9KEmJ +7TfVq9cAg6+m2tql+gjAQrfXHUU1mNdPLFMnShYlqHjTle4cQKE= +=AIvQ +-----END PGP SIGNATURE----- diff --git a/krb5-mini.spec b/krb5-mini.spec index 2de7b26..5351c42 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -24,13 +24,13 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: krb5-mini -Version: 1.20.1 +Version: 1.21.1 Release: 0 Summary: MIT Kerberos5 implementation and libraries with minimal dependencies License: MIT URL: https://kerberos.org/dist/ -Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz -Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc +Source0: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz +Source1: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf diff --git a/krb5.changes b/krb5.changes index fe34ff7..2d86a21 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,34 @@ +------------------------------------------------------------------- +Sat Jul 15 18:19:32 UTC 2023 - Dirk Müller + +- update to 1.121.1 (CVE-2023-36054): + * Fix potential uninitialized pointer free in kadm5 XDR parsing + [CVE-2023-36054]. + * Added a credential cache type providing compatibility with + the macOS 11 native credential cache. + * libkadm5 will use the provided krb5_context object to read + configuration values, instead of creating its own. + * Added an interface to retrieve the ticket session key + from a GSS context. + * The KDC will no longer issue tickets with RC4 or triple-DES + session keys unless explicitly configured with the new + allow_rc4 or allow_des3 variables respectively. + * The KDC will assume that all services can handle aes256-sha1 + session keys unless the service principal has a + session_enctypes string attribute. + * Support for PAC full KDC checksums has been added to + mitigate an S4U2Proxy privilege escalation attack. + * The PKINIT client will advertise a more modern set + of supported CMS algorithms. + * Removed unused code in libkrb5, libkrb5support, + and the PKINIT module. + * Modernized the KDC code for processing TGS requests, + the code for encrypting and decrypting key data, + the PAC handling code, and the GSS library packet + parsing and composition code. + * Improved the test framework's detection of memory + errors in daemon processes when used with asan. + ------------------------------------------------------------------- Thu May 4 13:42:23 UTC 2023 - Frederic Crozat diff --git a/krb5.spec b/krb5.spec index 3ead02a..0bb8cdd 100644 --- a/krb5.spec +++ b/krb5.spec @@ -21,13 +21,13 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: krb5 -Version: 1.20.1 +Version: 1.21.1 Release: 0 Summary: MIT Kerberos5 implementation License: MIT URL: https://kerberos.org/dist/ -Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz -Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc +Source0: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz +Source1: https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf