OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=33

krb5-doc.spec

@@ -14,7 +14,7 @@
 Name:           krb5-doc
 BuildRequires:  ghostscript-library latex2html texlive
 Version:        1.6.3
-Release:        63
+Release:        77
 %define srcRoot krb5-1.6.3
 Summary:        MIT Kerberos5 Implementation--Documentation
 License:        X11/MIT

krb5-plugins.spec

@@ -14,7 +14,7 @@
 
 Name:           krb5-plugins
 Version:        1.6.3
-Release:        7
+Release:        8
 BuildRequires:  bison krb5-devel ncurses-devel openldap2-devel
 %define srcRoot krb5-1.6.3
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
@@ -55,6 +55,8 @@ Patch37:        krb5-1.6-fix-CVE-2007-5971.dif
 Patch38:        krb5-1.6-fix-CVE-2007-5972.dif
 Patch39:        krb5-1.6-MITKRB5-SA-2008-001.dif
 Patch40:        krb5-1.6-MITKRB5-SA-2008-002.dif
+Patch41:        krb5-trunk-kpasswd_tcp.patch
+Patch42:        krb5-trunk-seqnum.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -148,6 +150,8 @@ fi
 %patch38
 %patch39 -p1
 %patch40
+%patch41
+%patch42
 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c
 # Rename the man pages so that they'll get generated correctly.
 pushd src

krb5-trunk-kpasswd_tcp.patch

@@ -0,0 +1,35 @@
+Fall back to TCP on kdc-unresolvable/unreachable errors.  We still have
+to wait for UDP to fail, so this might not be ideal.  RT #5868.
+
+Index: src/lib/krb5/os/changepw.c
+===================================================================
+--- src/lib/krb5/os/changepw.c	(revision 20199)
++++ src/lib/krb5/os/changepw.c	(working copy)
+@@ -251,11 +251,22 @@
+ 				   NULL,
+ 				   NULL
+ 		 ))) {
+-
+-	    /*
+-	     * Here we may want to switch to TCP on some errors.
+-	     * right?
+-	     */
++	    /* if we're not using a stream socket, and it's an error which
++	     * might reasonably be specific to a datagram "connection", try
++	     * again with a stream socket */
++	    if (!useTcp) {
++		switch (code) {
++		case KRB5_KDC_UNREACH:
++		case KRB5_REALM_CANT_RESOLVE:
++		case KRB5KRB_ERR_RESPONSE_TOO_BIG:
++		/* should we do this for more result codes than these? */
++		    krb5int_free_addrlist (&al);
++		    useTcp = 1;
++		    continue;
++		default:
++		    break;
++		}
++	    }
+ 	    break;
+ 	}
+ 

krb5-trunk-seqnum.patch

@@ -0,0 +1,49 @@
+Every KRB-PRIV message we generate to include as part of a password change
+request we create (after the first one) will include sequence numbers which
+look "wrong" to the recipient, because previously generating other KRB-PRIV
+messages will mess with the counters in the auth_context.  Because the
+current code attempts to reuse auth_context structures (and changing that
+would be more invasive), we'll just save the sequence number values as they
+are after we build the AP-REQ, and restore them before generating requests.
+RT#5867.
+
+Index: src/lib/krb5/os/changepw.c
+===================================================================
+--- src/lib/krb5/os/changepw.c	(revision 20195)
++++ src/lib/krb5/os/changepw.c	(working copy)
+@@ -34,6 +34,7 @@
+ #include "k5-int.h"
+ #include "os-proto.h"
+ #include "cm.h"
++#include "../krb/auth_con.h"
+ 
+ #include <stdio.h>
+ #include <errno.h>
+@@ -48,6 +49,7 @@
+     krb5_principal 	set_password_for;
+     char 		*newpw;
+     krb5_data 		ap_req;
++    krb5_ui_4		remote_seq_num, local_seq_num;
+ };
+ 
+ 
+@@ -159,6 +161,9 @@
+ 				       &local_kaddr, NULL))) 
+ 	goto cleanup;
+ 
++    ctx->auth_context->remote_seq_number = ctx->remote_seq_num;
++    ctx->auth_context->local_seq_number = ctx->local_seq_num;
++
+     if (ctx->set_password_for)
+ 	code = krb5int_mk_setpw_req(ctx->context, 
+ 				    ctx->auth_context, 
+@@ -225,6 +230,9 @@
+ 				     &callback_ctx.ap_req)))
+ 	goto cleanup;
+ 
++    callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number;
++    callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number;
++
+     do {
+ 	if ((code = krb5_locate_kpasswd(callback_ctx.context,
+ 					krb5_princ_realm(callback_ctx.context,

krb5.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed May 14 17:44:59 CEST 2008 - mc@suse.de
+
+- Fall back to TCP on kdc-unresolvable/unreachable errors.
+- restore valid sequence number before generating requests
+  (fix changing passwords in mixed ipv4/ipv6 enviroments) 
+
 -------------------------------------------------------------------
 Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
 

krb5.spec

@@ -13,7 +13,7 @@
 
 Name:           krb5
 Version:        1.6.3
-Release:        40
+Release:        47
 BuildRequires:  bison libcom_err-devel ncurses-devel
 %if %{suse_version} > 1010
 BuildRequires:  keyutils keyutils-devel
@@ -59,6 +59,8 @@ Patch37:        krb5-1.6-fix-CVE-2007-5971.dif
 Patch38:        krb5-1.6-fix-CVE-2007-5972.dif
 Patch39:        krb5-1.6-MITKRB5-SA-2008-001.dif
 Patch40:        krb5-1.6-MITKRB5-SA-2008-002.dif
+Patch41:        krb5-trunk-kpasswd_tcp.patch
+Patch42:        krb5-trunk-seqnum.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils 
 
@@ -224,6 +226,8 @@ fi
 %patch38
 %patch39 -p1
 %patch40
+%patch41 
+%patch42
 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c
 # Rename the man pages so that they'll get generated correctly.
 pushd src
@@ -542,6 +546,10 @@ rm -rf %{buildroot}
 %{_mandir}/man1/krb5-config.1*
 
 %changelog
+* Wed May 14 2008 mc@suse.de
+- Fall back to TCP on kdc-unresolvable/unreachable errors.
+- restore valid sequence number before generating requests
+  (fix changing passwords in mixed ipv4/ipv6 enviroments)
 * Thu Apr 10 2008 ro@suse.de
 - added baselibs.conf file to build xxbit packages
   for multilib support