Accepting request 353069 from network

- Add two patches from Fedora, fixing two crashes:
  * krb5-fix_interposer.patch
  * krb5-mechglue_inqure_attrs.patch

- Update to 1.14
- dropped krb5-kvno-230379.patch
- added krbdev.mit.edu-8301.patch fixing wrong function call
Major changes in 1.14 (2015-11-20)
==================================
Administrator experience:
* Add a new kdb5_util tabdump command to provide reporting-friendly
  tabular dump formats (tab-separated or CSV) for the KDC database.
  Unlike the normal dump format, each output table has a fixed number
  of fields.  Some tables include human-readable forms of data that
  are opaque in ordinary dump files.  This format is also suitable for
  importing into relational databases for complex queries.
* Add support to kadmin and kadmin.local for specifying a single
  command line following any global options, where the command
  arguments are split by the shell--for example, "kadmin getprinc
  principalname".  Commands issued this way do not prompt for
  confirmation or display warning messages, and exit with non-zero
  status if the operation fails.
* Accept the same principal flag names in kadmin as we do for the
  default_principal_flags kdc.conf variable, and vice versa.  Also
  accept flag specifiers in the form that kadmin prints, as well as
  hexadecimal numbers.
* Remove the triple-DES and RC4 encryption types from the default
  value of supported_enctypes, which determines the default key and
  salt types for new password-derived keys.  By default, keys will
  only created only for AES128 and AES256.  This mitigates some types

OBS-URL: https://build.opensuse.org/request/show/353069
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=114

krb5-1.13.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5d4af08ead9b7a1e9493cfd65e821234f151a46736e1ce586f886c8a8e65fabe
-size 12133347

krb5-1.13.3.tar.gz.asc

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQGcBAABAgAGBQJWYePPAAoJEKMvF/0AVcMFExYMAIJ4l6N0p00Gsh2smjTCrGcr
-4ZemT6ovZW1bYhqKjnfeN1Csg0OEUKHUN20NRUuLhqOfDSU9UxJHXJ8azLTjopQr
-yqe5teby2ki+cOcfcYbDUkRmLaG9wkrDiTIPV9SIObJCwuQfEhB4MMAw6hhMzLWZ
-ENKqsGOxXrCCuDlcmHYgc7kRV2oa7ko72Lti70PpM3/mENGUHURz9tu/c8cratv8
-cJYLQibi7w1lA8qg2tKjqzwXJTLRfxm44cUOBWmD3Ph3XtfME7qmo56tYiiD2LIB
-LiYBjipxWwK5LCTYb+2v1WMUcRamZ1J2JhzkNAwetocduuM3DRLCFcFlgTZS39n4
-AqIX7vmpbHljFY8IJ0UBfYTuR9+McfkXSKZN+QiQKr0BMNJbFPhjonSWkotXS39S
-zyX2jDzBj5zXaBQ0aTL4w82XqIalIDWR9NXOPWggfSRcxMSiMSywl19eBAXk5Qfm
-VGCb4CRB7CKBIsQbq2El5c2gTJP/lh/fnOqRfsvQXA==
-=UvFL
------END PGP SIGNATURE-----

krb5-1.14.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cedb07fad8331e3ff2983d26e977a2ddba622f379c2b19bfea85bd695930f9e9
+size 12255176

krb5-1.14.tar.gz.asc

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJWT4hUAAoJEKMvF/0AVcMFE44L/iuBH47TzpEn9RudgxMvxp7L
+rREaBF/sIdMg0I8aUONtxw7nvh091s8SXus8UZiRYqPO+trB2pB52P1iQ4G9TBPX
+IOkAEtxu/Sojfp2BxRd6NCBw+n90axNQDWogSN8U6XmK1szpiQz2KdaxfNTv5Lzm
+Jtx/6p39DM7M72gkrFl8ZDEi2xKqyA1+fcCti3Q/Wdwx73HqWctHYNcjUtJH5bvN
+GlTQq1PynPoHf8LqxVz6jquhuBgb2d2z8Q4hhQKlJF8x131vppeiWuDv3ExkcWKP
+cvssUz8C1Ty7LF0ax0fwzQo22yEeTIHayvpbVidSiW8RUGUEiMzhaHcD3BTsQ5WF
+X+l+xKqvZniB9Vs6KtbP4ErM6Rj+tNQJy8iMzEyDFTIuEFjK0497XGgBIp9FpgOl
+6Rh9EXY66GUuU5FTnmGpmm3HxnhYWFDdj/vxj8DKTr5EmxAoc4j0fUp/ze4ZMZ02
+P14WS5B4DSfqZO+vaOKHmtmZH0J/ZS/8x7JIuz4cQA==
+=xlir
+-----END PGP SIGNATURE-----

krb5-fix_interposer.patch

@@ -0,0 +1,222 @@
+From b3901af6970fb7bde88eb16d51c8d05db6f37746 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 13 Nov 2015 14:54:11 -0500
+Subject: [PATCH] Fix impersonate_name to work with interposers
+
+This follows the same modifications applied to
+gss_acquire_cred_with_password() when interposer plugins were
+introduced.
+
+[ghudson@mit.edu: minor whitespace changes; initialize out_mcred in
+spnego_gss_acquire_cred_impersonate_name() since it is released in the
+cleanup handler]
+
+ticket: 8280 (new)
+---
+ src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c | 58 +++++++++++++++--------
+ src/lib/gssapi/spnego/spnego_mech.c               | 35 +++++++-------
+ 2 files changed, 54 insertions(+), 39 deletions(-)
+
+diff --git a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
+index 0dd4f87..9eab25e 100644
+--- a/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
++++ b/src/lib/gssapi/mechglue/g_acquire_cred_imp_name.c
+@@ -334,6 +334,8 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
+     gss_cred_id_t	cred = NULL;
+     gss_OID		new_mechs_array = NULL;
+     gss_cred_id_t *	new_cred_array = NULL;
++    gss_OID_set		target_mechs = GSS_C_NO_OID_SET;
++    gss_OID		selected_mech = GSS_C_NO_OID;
+ 
+     status = val_add_cred_impersonate_name_args(minor_status,
+ 						input_cred_handle,
+@@ -350,7 +352,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
+     if (status != GSS_S_COMPLETE)
+ 	return (status);
+ 
+-    mech = gssint_get_mechanism(desired_mech);
++    status = gssint_select_mech_type(minor_status, desired_mech,
++				     &selected_mech);
++    if (status != GSS_S_COMPLETE)
++	return status;
++
++    mech = gssint_get_mechanism(selected_mech);
+     if (!mech)
+ 	return GSS_S_BAD_MECH;
+     else if (!mech->gss_acquire_cred)
+@@ -367,27 +374,26 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
+ 	internal_name = GSS_C_NO_NAME;
+     } else {
+ 	union_cred = (gss_union_cred_t)input_cred_handle;
+-	if (gssint_get_mechanism_cred(union_cred, desired_mech) !=
++	if (gssint_get_mechanism_cred(union_cred, selected_mech) !=
+ 	    GSS_C_NO_CREDENTIAL)
+ 	    return (GSS_S_DUPLICATE_ELEMENT);
+     }
+ 
+     mech_impersonator_cred =
+ 	gssint_get_mechanism_cred((gss_union_cred_t)impersonator_cred_handle,
+-				  desired_mech);
++				  selected_mech);
+     if (mech_impersonator_cred == GSS_C_NO_CREDENTIAL)
+ 	return (GSS_S_NO_CRED);
+ 
+     /* may need to create a mechanism specific name */
+     union_name = (gss_union_name_t)desired_name;
+     if (union_name->mech_type &&
+-	g_OID_equal(union_name->mech_type,
+-		    &mech->mech_type))
++	g_OID_equal(union_name->mech_type, selected_mech))
+ 	internal_name = union_name->mech_name;
+     else {
+ 	if (gssint_import_internal_name(minor_status,
+-				        &mech->mech_type, union_name,
+-				        &allocated_name) != GSS_S_COMPLETE)
++					selected_mech, union_name,
++					&allocated_name) != GSS_S_COMPLETE)
+ 	    return (GSS_S_BAD_NAME);
+ 	internal_name = allocated_name;
+     }
+@@ -402,11 +408,21 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
+     else
+ 	time_req = 0;
+ 
++    status = gss_create_empty_oid_set(minor_status, &target_mechs);
++    if (status != GSS_S_COMPLETE)
++	goto errout;
++
++    status = gss_add_oid_set_member(minor_status,
++				    gssint_get_public_oid(selected_mech),
++				    &target_mechs);
++    if (status != GSS_S_COMPLETE)
++	goto errout;
++
+     status = mech->gss_acquire_cred_impersonate_name(minor_status,
+ 						     mech_impersonator_cred,
+ 						     internal_name,
+ 						     time_req,
+-						     GSS_C_NULL_OID_SET,
++						     target_mechs,
+ 						     cred_usage,
+ 						     &cred,
+ 						     NULL,
+@@ -445,19 +461,15 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
+ 
+     new_cred_array[union_cred->count] = cred;
+     if ((new_mechs_array[union_cred->count].elements =
+-	 malloc(mech->mech_type.length)) == NULL)
++	 malloc(selected_mech->length)) == NULL)
+ 	goto errout;
+ 
+-    g_OID_copy(&new_mechs_array[union_cred->count],
+-	       &mech->mech_type);
++    g_OID_copy(&new_mechs_array[union_cred->count], selected_mech);
+ 
+     if (actual_mechs != NULL) {
+-	gss_OID_set_desc oids;
+-
+-	oids.count = union_cred->count + 1;
+-	oids.elements = new_mechs_array;
+-
+-	status = generic_gss_copy_oid_set(minor_status, &oids, actual_mechs);
++	status = gssint_make_public_oid_set(minor_status, new_mechs_array,
++					    union_cred->count + 1,
++					    actual_mechs);
+ 	if (GSS_ERROR(status)) {
+ 	    free(new_mechs_array[union_cred->count].elements);
+ 	    goto errout;
+@@ -486,10 +498,12 @@ gss_add_cred_impersonate_name(OM_uint32 *minor_status,
+     /* We're done with the internal name. Free it if we allocated it. */
+ 
+     if (allocated_name)
+-	(void) gssint_release_internal_name(&temp_minor_status,
+-					   &mech->mech_type,
++	(void) gssint_release_internal_name(&temp_minor_status, selected_mech,
+ 					   &allocated_name);
+ 
++    if (target_mechs)
++	(void) gss_release_oid_set(&temp_minor_status, &target_mechs);
++
+     return (GSS_S_COMPLETE);
+ 
+ errout:
+@@ -503,8 +517,10 @@ errout:
+ 
+     if (allocated_name)
+ 	(void) gssint_release_internal_name(&temp_minor_status,
+-					   &mech->mech_type,
+-					   &allocated_name);
++					    selected_mech, &allocated_name);
++
++    if (target_mechs)
++	(void) gss_release_oid_set(&temp_minor_status, &target_mechs);
+ 
+     if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred)
+ 	free(union_cred);
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index e6703eb..28fb9b1 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -2619,10 +2619,10 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
+ 					 gss_OID_set *actual_mechs,
+ 					 OM_uint32 *time_rec)
+ {
+-	OM_uint32 status;
++	OM_uint32 status, tmpmin;
+ 	gss_OID_set amechs = GSS_C_NULL_OID_SET;
+ 	spnego_gss_cred_id_t imp_spcred = NULL, out_spcred = NULL;
+-	gss_cred_id_t imp_mcred, out_mcred;
++	gss_cred_id_t imp_mcred, out_mcred = GSS_C_NO_CREDENTIAL;
+ 
+ 	dsyslog("Entering spnego_gss_acquire_cred_impersonate_name\n");
+ 
+@@ -2634,31 +2634,30 @@ spnego_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
+ 
+ 	imp_spcred = (spnego_gss_cred_id_t)impersonator_cred_handle;
+ 	imp_mcred = imp_spcred ? imp_spcred->mcred : GSS_C_NO_CREDENTIAL;
+-	if (desired_mechs == GSS_C_NO_OID_SET) {
+-		status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
+-					  NULL, &amechs);
+-		if (status != GSS_S_COMPLETE)
+-			return status;
+-
+-		desired_mechs = amechs;
+-	}
++	status = gss_inquire_cred(minor_status, imp_mcred, NULL, NULL,
++				  NULL, &amechs);
++	if (status != GSS_S_COMPLETE)
++		return status;
+ 
+ 	status = gss_acquire_cred_impersonate_name(minor_status, imp_mcred,
+ 						   desired_name, time_req,
+-						   desired_mechs, cred_usage,
++						   amechs, cred_usage,
+ 						   &out_mcred, actual_mechs,
+ 						   time_rec);
+-
+-	if (amechs != GSS_C_NULL_OID_SET)
+-		(void) gss_release_oid_set(minor_status, &amechs);
++	if (status != GSS_S_COMPLETE)
++		goto cleanup;
+ 
+ 	status = create_spnego_cred(minor_status, out_mcred, &out_spcred);
+-	if (status != GSS_S_COMPLETE) {
+-		gss_release_cred(minor_status, &out_mcred);
+-		return (status);
+-	}
++	if (status != GSS_S_COMPLETE)
++		goto cleanup;
++
++	out_mcred = GSS_C_NO_CREDENTIAL;
+ 	*output_cred_handle = (gss_cred_id_t)out_spcred;
+ 
++cleanup:
++	(void) gss_release_oid_set(&tmpmin, &amechs);
++	(void) gss_release_cred(&tmpmin, &out_mcred);
++
+ 	dsyslog("Leaving spnego_gss_acquire_cred_impersonate_name\n");
+ 	return (status);
+ }
+-- 
+2.6.2
+

krb5-kvno-230379.patch

@@ -1,53 +0,0 @@
-From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349,
-at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted
-as needed to apply to 1.10.  FIXME: I'd like to better handle cases where we
-have a new key with the right version stored later in the keytab file.
-Currently, we're setting up to overlook that possibility.
-
-Note that this only affects the path taken when krb5_rd_rep() is passed a
-server principal name, as without a server principal name it already tries
-all of the keys it finds in the keytab, regardless of version numbers.
-
-Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c
-===================================================================
---- krb5-1.11.1.orig/src/kadmin/ktutil/ktutil.c
-+++ krb5-1.11.1/src/kadmin/ktutil/ktutil.c
-@@ -155,7 +155,7 @@ void ktutil_add_entry(argc, argv)
-     char *princ = NULL;
-     char *enctype = NULL;
-     krb5_kvno kvno = 0;
--    int use_pass = 0, use_key = 0, i;
-+    int use_pass = 0, use_key = 0, use_kvno = 0, i;
- 
-     for (i = 1; i < argc; i++) {
-         if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
-@@ -164,6 +164,7 @@ void ktutil_add_entry(argc, argv)
-         }
-         if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
-             kvno = (krb5_kvno) atoi(argv[++i]);
-+            use_kvno++;
-             continue;
-         }
-         if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
-@@ -180,7 +181,7 @@ void ktutil_add_entry(argc, argv)
-         }
-     }
- 
--    if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) {
-+    if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) {
-         fprintf(stderr, _("usage: %s (-key | -password) -p principal "
-                           "-k kvno -e enctype\n"), argv[0]);
-         return;
-Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
-===================================================================
---- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c
-+++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
-@@ -349,7 +349,7 @@ krb5_ktfile_get_entry(krb5_context conte
-                higher than that.  Short-term workaround: only compare
-                the low 8 bits.  */
- 
--            if (new_entry.vno == (kvno & 0xff)) {
-+            if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) {
-                 krb5_kt_free_entry(context, &cur_entry);
-                 cur_entry = new_entry;
-                 break;

krb5-mechglue_inqure_attrs.patch

@@ -0,0 +1,56 @@
+From 26f94f6e8fd99ee0dfc2f71afb38c74a12482601 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 16 Dec 2015 19:31:22 -0500
+Subject: [PATCH] Fix mechglue on gss_inquire_attrs_for_mech()
+
+This includes proper mechanism selection in gss_inquire_attrs_for_mech()
+itself as well as passing the correct mech down from gss_accept_sec_context()
+through allow_mech_by_default().
+
+Also-authored-by: Simo Sorce <simo@redhat.com>
+---
+ src/lib/gssapi/mechglue/g_accept_sec_context.c | 2 +-
+ src/lib/gssapi/mechglue/g_mechattr.c           | 7 ++++++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
+index 6c72d1f..4a86024 100644
+--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
++++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
+@@ -245,7 +245,7 @@ gss_cred_id_t *		d_cred;
+ 	    status = GSS_S_NO_CRED;
+ 	    goto error_out;
+ 	}
+-    } else if (!allow_mech_by_default(selected_mech)) {
++    } else if (!allow_mech_by_default(gssint_get_public_oid(selected_mech))) {
+ 	status = GSS_S_NO_CRED;
+ 	goto error_out;
+     }
+diff --git a/src/lib/gssapi/mechglue/g_mechattr.c b/src/lib/gssapi/mechglue/g_mechattr.c
+index e9299f4..4bd44b5 100644
+--- a/src/lib/gssapi/mechglue/g_mechattr.c
++++ b/src/lib/gssapi/mechglue/g_mechattr.c
+@@ -161,6 +161,7 @@ gss_inquire_attrs_for_mech(
+ {
+     OM_uint32       status, tmpMinor;
+     gss_mechanism   mech;
++    gss_OID         selected_mech;
+ 
+     if (minor == NULL)
+         return GSS_S_CALL_INACCESSIBLE_WRITE;
+@@ -173,7 +174,11 @@ gss_inquire_attrs_for_mech(
+     if (known_mech_attrs != NULL)
+         *known_mech_attrs = GSS_C_NO_OID_SET;
+ 
+-    mech = gssint_get_mechanism((gss_OID)mech_oid);
++    status = gssint_select_mech_type(minor, mech_oid, &selected_mech);
++    if (status != GSS_S_COMPLETE)
++        return (status);
++
++    mech = gssint_get_mechanism(selected_mech);
+     if (mech != NULL && mech->gss_inquire_attrs_for_mech != NULL) {
+         status = mech->gss_inquire_attrs_for_mech(minor,
+                                                   mech_oid,
+-- 
+2.6.4
+

krb5-mini.changes

@@ -1,7 +1,131 @@
+-------------------------------------------------------------------
+Mon Jan 11 12:33:54 UTC 2016 - idonmez@suse.com
+
+- Add two patches from Fedora, fixing two crashes:
+  * krb5-fix_interposer.patch
+  * krb5-mechglue_inqure_attrs.patch
+
+-------------------------------------------------------------------
+Tue Dec  8 20:40:26 UTC 2015 - michael@stroeder.com
+
+- Update to 1.14
+- dropped krb5-kvno-230379.patch
+- added krbdev.mit.edu-8301.patch fixing wrong function call
+
+Major changes in 1.14 (2015-11-20)
+==================================
+
+Administrator experience:
+
+* Add a new kdb5_util tabdump command to provide reporting-friendly
+  tabular dump formats (tab-separated or CSV) for the KDC database.
+  Unlike the normal dump format, each output table has a fixed number
+  of fields.  Some tables include human-readable forms of data that
+  are opaque in ordinary dump files.  This format is also suitable for
+  importing into relational databases for complex queries.
+* Add support to kadmin and kadmin.local for specifying a single
+  command line following any global options, where the command
+  arguments are split by the shell--for example, "kadmin getprinc
+  principalname".  Commands issued this way do not prompt for
+  confirmation or display warning messages, and exit with non-zero
+  status if the operation fails.
+* Accept the same principal flag names in kadmin as we do for the
+  default_principal_flags kdc.conf variable, and vice versa.  Also
+  accept flag specifiers in the form that kadmin prints, as well as
+  hexadecimal numbers.
+* Remove the triple-DES and RC4 encryption types from the default
+  value of supported_enctypes, which determines the default key and
+  salt types for new password-derived keys.  By default, keys will
+  only created only for AES128 and AES256.  This mitigates some types
+  of password guessing attacks.
+* Add support for directory names in the KRB5_CONFIG and
+  KRB5_KDC_PROFILE environment variables.
+* Add support for authentication indicators, which are ticket
+  annotations to indicate the strength of the initial authentication.
+  Add support for the "require_auth" string attribute, which can be
+  set on server principal entries to require an indicator when
+  authenticating to the server.
+* Add support for key version numbers larger than 255 in keytab files,
+  and for version numbers up to 65535 in KDC databases.
+* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
+  during pre-authentication, corresponding to the client's most
+  preferred encryption type.
+* Add support for server name identification (SNI) when proxying KDC
+  requests over HTTPS.
+* Add support for the err_fmt profile parameter, which can be used to
+  generate custom-formatted error messages.
+
+Code quality:
+
+* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+  could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+  [CVE-2015-2698]
+* Fix build_principal memory bug that could cause a KDC
+  crash. [CVE-2015-2697]
+
+Developer experience:
+
+* Change gss_acquire_cred_with_password() to acquire credentials into
+  a private memory credential cache.  Applications can use
+  gss_store_cred() to make the resulting credentials visible to other
+  processes.
+* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
+  IAKERB or for non-standard variants of the krb5 mechanism OID unless
+  explicitly requested.  (SPNEGO will still accept the Microsoft
+  variant of the krb5 mechanism OID during negotiation.)
+* Change gss_accept_sec_context() not to accept tokens for IAKERB or
+  for non-standard variants of the krb5 mechanism OID unless an
+  acceptor credential is acquired for those mechanisms.
+* Change gss_acquire_cred() to immediately resolve credentials if the
+  time_rec parameter is not NULL, so that a correct expiration time
+  can be returned.  Normally credential resolution is delayed until
+  the target name is known.
+* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
+  which can be used by plugin modules or applications to add prefixes
+  to existing detailed error messages.
+* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
+  implement the RFC 6113 PRF+ operation and key derivation using PRF+.
+* Add support for pre-authentication mechanisms which use multiple
+  round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
+  code.  Add get_cookie() and set_cookie() callbacks to the kdcpreauth
+  interface; these callbacks can be used to save marshalled state
+  information in an encrypted cookie for the next request.
+* Add a client_key() callback to the kdcpreauth interface to retrieve
+  the chosen client key, corresponding to the ETYPE-INFO2 entry sent
+  by the KDC.
+* Add an add_auth_indicator() callback to the kdcpreauth interface,
+  allowing pre-authentication modules to assert authentication
+  indicators.
+* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
+  suppress sending the confidentiality and integrity flags in GSS
+  initiator tokens unless they are requested by the caller.  These
+  flags control the negotiated SASL security layer for the Microsoft
+  GSS-SPNEGO SASL mechanism.
+* Make the FILE credential cache implementation less prone to
+  corruption issues in multi-threaded programs, especially on
+  platforms with support for open file description locks.
+
+Performance:
+
+* On slave KDCs, poll the master KDC immediately after processing a
+  full resync, and do not require two full resyncs after the master
+  KDC's log file is reset.
+
+User experience:
+
+* Make gss_accept_sec_context() accept tickets near their expiration
+  but within clock skew tolerances, rather than rejecting them
+  immediately after the server's view of the ticket expiration time.
+
 -------------------------------------------------------------------
 Mon Dec  7 08:04:45 UTC 2015 - michael@stroeder.com
 
-- Udapte to 1.13.3
+- Update to 1.13.3
+- removed patches for security fixes now in upstream source:
+  0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+  0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+  0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+  0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
 
 Major changes in 1.13.3 (2015-12-04)
 ====================================
@@ -19,10 +143,28 @@ krb5-1.14 release series or later.
   krb5-1.10 or earlier.
 
 -------------------------------------------------------------------
-Mon Jun  1 07:38:15 UTC 2015 - hguo@suse.com
+Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com
+
+- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+  to fix a memory corruption regression introduced by resolution of
+  CVE-2015-2698. bsc#954204
+
+-------------------------------------------------------------------
+Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com
+
+- Make kadmin.local man page available without having to install krb5-client. bsc#948011
+- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+  to fix build_principal memory bug [CVE-2015-2697] bsc#952190
+- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+  to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
+- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+  to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
+
+-------------------------------------------------------------------
+Mon Jun  1 07:31:52 UTC 2015 - hguo@suse.com
 
 - Let server depend on libev (module of libverto). This was the
-  embedded implementation before the seperation of libverto from krb.
+  preferred implementation before the seperation of libverto from krb.
 
 -------------------------------------------------------------------
 Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org

krb5-mini.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package krb5-mini
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 %define build_mini 1
-%define srcRoot krb5-1.13.3
+%define srcRoot krb5-1.14
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir  %{_defaultdocdir}/krb5
 
@@ -30,7 +30,7 @@ BuildRequires:  keyutils-devel
 BuildRequires:  libcom_err-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  ncurses-devel
-Version:        1.13.3
+Version:        1.14
 Release:        0
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
@@ -82,7 +82,10 @@ Patch8:         krb5-1.12-api.patch
 Patch11:        krb5-1.12-ksu-path.patch
 Patch12:        krb5-1.12-selinux-label.patch
 Patch13:        krb5-1.9-debuginfo.patch
-Patch14:        krb5-kvno-230379.patch
+# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301
+Patch14:        krbdev.mit.edu-8301.patch
+Patch15:        krb5-fix_interposer.patch
+Patch16:        krb5-mechglue_inqure_attrs.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@@ -201,6 +204,8 @@ Include Files for Development
 %patch12 -p1
 %patch13 -p0
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
 
 %build
 # needs to be re-generated
@@ -247,6 +252,9 @@ cp -a html_subst ../../html
 cd ..
 %endif
 
+# Copy kadmin manual page into kadmin.local's due to the split between client and server package
+cp man/kadmin.man man/kadmin.local.8
+
 %install
 
 # Where per-user keytabs live by default.
@@ -349,6 +357,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
 # doesn't support disabling it at build time
 rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
 %endif
+# manually remove test plugin since configure doesn't support disabling it at build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 
 %find_lang mit-krb5
 

krb5.changes

@@ -1,7 +1,126 @@
+-------------------------------------------------------------------
+Mon Jan 11 12:33:54 UTC 2016 - idonmez@suse.com
+
+- Add two patches from Fedora, fixing two crashes:
+  * krb5-fix_interposer.patch
+  * krb5-mechglue_inqure_attrs.patch
+
+-------------------------------------------------------------------
+Tue Dec  8 20:40:26 UTC 2015 - michael@stroeder.com
+
+- Update to 1.14
+- dropped krb5-kvno-230379.patch
+- added krbdev.mit.edu-8301.patch fixing wrong function call
+
+Major changes in 1.14 (2015-11-20)
+==================================
+
+Administrator experience:
+
+* Add a new kdb5_util tabdump command to provide reporting-friendly
+  tabular dump formats (tab-separated or CSV) for the KDC database.
+  Unlike the normal dump format, each output table has a fixed number
+  of fields.  Some tables include human-readable forms of data that
+  are opaque in ordinary dump files.  This format is also suitable for
+  importing into relational databases for complex queries.
+* Add support to kadmin and kadmin.local for specifying a single
+  command line following any global options, where the command
+  arguments are split by the shell--for example, "kadmin getprinc
+  principalname".  Commands issued this way do not prompt for
+  confirmation or display warning messages, and exit with non-zero
+  status if the operation fails.
+* Accept the same principal flag names in kadmin as we do for the
+  default_principal_flags kdc.conf variable, and vice versa.  Also
+  accept flag specifiers in the form that kadmin prints, as well as
+  hexadecimal numbers.
+* Remove the triple-DES and RC4 encryption types from the default
+  value of supported_enctypes, which determines the default key and
+  salt types for new password-derived keys.  By default, keys will
+  only created only for AES128 and AES256.  This mitigates some types
+  of password guessing attacks.
+* Add support for directory names in the KRB5_CONFIG and
+  KRB5_KDC_PROFILE environment variables.
+* Add support for authentication indicators, which are ticket
+  annotations to indicate the strength of the initial authentication.
+  Add support for the "require_auth" string attribute, which can be
+  set on server principal entries to require an indicator when
+  authenticating to the server.
+* Add support for key version numbers larger than 255 in keytab files,
+  and for version numbers up to 65535 in KDC databases.
+* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
+  during pre-authentication, corresponding to the client's most
+  preferred encryption type.
+* Add support for server name identification (SNI) when proxying KDC
+  requests over HTTPS.
+* Add support for the err_fmt profile parameter, which can be used to
+  generate custom-formatted error messages.
+
+Code quality:
+
+* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+  could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+  [CVE-2015-2698]
+* Fix build_principal memory bug that could cause a KDC
+  crash. [CVE-2015-2697]
+
+Developer experience:
+
+* Change gss_acquire_cred_with_password() to acquire credentials into
+  a private memory credential cache.  Applications can use
+  gss_store_cred() to make the resulting credentials visible to other
+  processes.
+* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
+  IAKERB or for non-standard variants of the krb5 mechanism OID unless
+  explicitly requested.  (SPNEGO will still accept the Microsoft
+  variant of the krb5 mechanism OID during negotiation.)
+* Change gss_accept_sec_context() not to accept tokens for IAKERB or
+  for non-standard variants of the krb5 mechanism OID unless an
+  acceptor credential is acquired for those mechanisms.
+* Change gss_acquire_cred() to immediately resolve credentials if the
+  time_rec parameter is not NULL, so that a correct expiration time
+  can be returned.  Normally credential resolution is delayed until
+  the target name is known.
+* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
+  which can be used by plugin modules or applications to add prefixes
+  to existing detailed error messages.
+* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
+  implement the RFC 6113 PRF+ operation and key derivation using PRF+.
+* Add support for pre-authentication mechanisms which use multiple
+  round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
+  code.  Add get_cookie() and set_cookie() callbacks to the kdcpreauth
+  interface; these callbacks can be used to save marshalled state
+  information in an encrypted cookie for the next request.
+* Add a client_key() callback to the kdcpreauth interface to retrieve
+  the chosen client key, corresponding to the ETYPE-INFO2 entry sent
+  by the KDC.
+* Add an add_auth_indicator() callback to the kdcpreauth interface,
+  allowing pre-authentication modules to assert authentication
+  indicators.
+* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
+  suppress sending the confidentiality and integrity flags in GSS
+  initiator tokens unless they are requested by the caller.  These
+  flags control the negotiated SASL security layer for the Microsoft
+  GSS-SPNEGO SASL mechanism.
+* Make the FILE credential cache implementation less prone to
+  corruption issues in multi-threaded programs, especially on
+  platforms with support for open file description locks.
+
+Performance:
+
+* On slave KDCs, poll the master KDC immediately after processing a
+  full resync, and do not require two full resyncs after the master
+  KDC's log file is reset.
+
+User experience:
+
+* Make gss_accept_sec_context() accept tickets near their expiration
+  but within clock skew tolerances, rather than rejecting them
+  immediately after the server's view of the ticket expiration time.
+
 -------------------------------------------------------------------
 Mon Dec  7 08:04:45 UTC 2015 - michael@stroeder.com
 
-- Udapte to 1.13.3
+- Update to 1.13.3
 - removed patches for security fixes now in upstream source:
   0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
   0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch

krb5.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package krb5
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 %define build_mini 0
-%define srcRoot krb5-1.13.3
+%define srcRoot krb5-1.14
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir  %{_defaultdocdir}/krb5
 
@@ -30,7 +30,7 @@ BuildRequires:  keyutils-devel
 BuildRequires:  libcom_err-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  ncurses-devel
-Version:        1.13.3
+Version:        1.14
 Release:        0
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
@@ -82,7 +82,10 @@ Patch8:         krb5-1.12-api.patch
 Patch11:        krb5-1.12-ksu-path.patch
 Patch12:        krb5-1.12-selinux-label.patch
 Patch13:        krb5-1.9-debuginfo.patch
-Patch14:        krb5-kvno-230379.patch
+# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301
+Patch14:        krbdev.mit.edu-8301.patch
+Patch15:        krb5-fix_interposer.patch
+Patch16:        krb5-mechglue_inqure_attrs.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@@ -201,6 +204,8 @@ Include Files for Development
 %patch12 -p1
 %patch13 -p0
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
 
 %build
 # needs to be re-generated
@@ -352,6 +357,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
 # doesn't support disabling it at build time
 rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
 %endif
+# manually remove test plugin since configure doesn't support disabling it at build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 
 %find_lang mit-krb5
 

krbdev.mit.edu-8301.patch

@@ -0,0 +1,11 @@
+--- krb5-1.14.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2015-11-20 21:28:42.000000000 +0100
++++ krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2015-12-09 20:17:00.465765527 +0100
+@@ -684,7 +684,7 @@
+                 if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
+                     int ost = st;
+                     st = EINVAL;
+-                    k5_prependmsg(context, ost, st, _("'%s' not found"),
++                    k5_wrapmsg(context, ost, st, _("'%s' not found"),
+                                   xargs.containerdn);
+                 }
+                 goto cleanup;