From 7383de009bec0faac728b193ca00b3a6127c8ee082e1210abca19e7a8d761852 Mon Sep 17 00:00:00 2001 
From: Samuel Cabrero Date: Tue, 31 May 2022 11:34:39 +0000 Subject: [PATCH 1/2] Accepting request 979732 from home:dirkmueller:Factory - update to 1.20.0: * Added a "disable_pac" realm relation to suppress adding PAC authdata to tickets, for realms which do not need to support S4U requests. * Most credential cache types will use atomic replacement when a cache is reinitialized using kinit or refreshed from the client keytab. * kprop can now propagate databases with a dump size larger than 4GB, if both the client and server are upgraded. * kprop can now work over NATs that change the destination IP address, if the client is upgraded. * Updated the KDB interface. The sign_authdata() method is replaced with the issue_pac() method, allowing KDB modules to add logon info and other buffers to the PAC issued by the KDC. * Host-based initiator names are better supported in the GSS krb5 mechanism. * Replaced AD-SIGNEDPATH authdata with minimal PACs. * To avoid spurious replay errors, password change requests will not be attempted over UDP until the attempt over TCP fails. * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1. * Updated all code using OpenSSL to be compatible with OpenSSL 3. * Reorganized the libk5crypto build system to allow the OpenSSL back-end to pull in material from the builtin back-end depending on the OpenSSL version. * Simplified the PRNG logic to always use the platform PRNG. * Converted the remaining Tcl tests to Python. 
OBS-URL: https://build.opensuse.org/request/show/979732 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=259 --- krb5-1.19.3.tar.gz | 3 --- krb5-1.19.3.tar.gz.asc | 16 ---------------- krb5-1.20.tar.gz | 3 +++ krb5-1.20.tar.gz.asc | 16 ++++++++++++++++ krb5-mini.spec | 6 +++--- krb5.changes | 28 ++++++++++++++++++++++++++++ krb5.spec | 6 +++--- 7 files changed, 53 insertions(+), 25 deletions(-) delete mode 100644 krb5-1.19.3.tar.gz delete mode 100644 krb5-1.19.3.tar.gz.asc create mode 100644 krb5-1.20.tar.gz create mode 100644 krb5-1.20.tar.gz.asc diff --git a/krb5-1.19.3.tar.gz b/krb5-1.19.3.tar.gz deleted file mode 100644 index fc23db2..0000000 --- a/krb5-1.19.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:56d04863cfddc9d9eb7af17556e043e3537d41c6e545610778676cf551b9dcd0 -size 8741343 diff --git a/krb5-1.19.3.tar.gz.asc b/krb5-1.19.3.tar.gz.asc deleted file mode 100644 index b40bfcb..0000000 --- a/krb5-1.19.3.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmIrr24ACgkQDLoIV1+D -ct+h+A//W9AfniKl4SAZ5OWmn+B/1ge7U7KWxVdn8yJtUTfKzBujPe6LLCMpsn/F -+ddq2Powml+lEQHhAJBgGogPJ6Fs+/Y7jmhskz/d2dU1lTWEAoTGxz6fGZnx4kei -yciPWYnQrvPLdgh2I3rQyt5VDe6pEo5xvFhzEDpQPkXXQGAXVVokcSz5tvoRI8xF -V/oKIXJ7iSpc/prcrirdC+vKe04E3PmX1Cjd5dAH97gzYGJMsouB3/8/PxzLBb3y -be4XeLLJA9FwjBeEx68nBal2o3p1Xkq24v3XMI62xqBZDrWtwJ5NkR1GZje2X00H -SAd1xI6ye+f+6mxje/hen7cqfN53/7l2j3fayoT+35F6OzmiXSf9TKO6P1HElA0t -qXOm5oMi9GK1mVRwek15pxCcLEFWrUGNGnILFrep4exxIAOPjgyVN1DolK6c3V3t -yCsRGwhZaN6rNuaHEibVpL4JG+3fEy8Ovb02pqqPP6LXc9/1b+EIAufWTpJtbQSy -3JvSmzFYHVJjaS+n0vsbMJtDsf+uuYy77liIh0LblId1xpU5pdLd7jy8qZ6jEt/J -8PX3C5oc4iKq8Z7epd8T3itD3ECPG5g+A7GU8kApAfgpY/GP1rvg1RSaalWRQP+x -dKY7eMHSHHhBjuC7EdzNIJWo8v311KWogcHkVfzmbx+6HT/iAgM= -=D86e ------END PGP SIGNATURE----- diff --git a/krb5-1.20.tar.gz b/krb5-1.20.tar.gz new file mode 100644 index 0000000..ba94426 --- /dev/null 
+++ b/krb5-1.20.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7e022bdd3c851830173f9faaa006a230a0e0fdad4c953e85bff4bf0da036e12f +size 8660756 diff --git a/krb5-1.20.tar.gz.asc b/krb5-1.20.tar.gz.asc new file mode 100644 index 0000000..3c411f0 --- /dev/null +++ b/krb5-1.20.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmKO3iYACgkQDLoIV1+D +ct/OCxAAvGE7Qi/GMlft3t56wK4FwIwENHJ7cnDJw1tkah94zO3hytphYqvCMSu/ +9OnLOynuI/XEU518avHdk5eqWI0oe2XRLbAfXuXH0Uccyun2kP/H5Smvw2JVxiOO +O5DhhMXvjB/ifpfK3u12RFSBHEZsxV79eeVAgQV3LPyokceHH3uOeAlMPYAgzmnp +0drDTYIErmlxhUxGUWvVvckz5wOR8TXt4nKJ2+zixBeOYQu1WZ+WJLlc4nVG4e/I +3otns5aYPPbPMSDq3BZeaUCYqjxMJ0LgqFRZMJGAAeE9HR3tmxhfUMpAQnQgc/MZ +6Nf3rrCj5AETZ2CtiTcKoICEa6MDG4CYhGMIW9R+5eQke1Oq+V9NVu3RdaD0R4rq +snMYk69zF/QhiSOK3ulRm+t8RHAquDimpFlpMinl0DbK5h+A/kgfC7fyfxEHe1dj +H2vCj946LNS2OgqJ5WbV867Fk7+unP0AZ1cy3+hedODRjqNfcu1MuLhxs/e0eLy5 +MmBDSZtJc27IVEs1IUntBy14WuJt3csjGb0jzMnWrbDcjvWAGC5yV4b5HfvZvOt8 +E2HCVWMycTuNFZHgtITqvmb2tYOc9bSOYUCRp7clCn9vvFtAKKzZiGzUsnyshLqq +N6a1sTudU9otnIR52+K5v1rLlChS2UlIek0Nj6ejlTcTk9Go6aw= +=z5Ek +-----END PGP SIGNATURE----- diff --git a/krb5-mini.spec b/krb5-mini.spec index 409c8c8..f5b922c 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -24,13 +24,13 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: krb5-mini -Version: 1.19.3 +Version: 1.20 Release: 0 Summary: MIT Kerberos5 implementation and libraries with minimal dependencies License: MIT URL: https://kerberos.org/dist/ -Source0: https://kerberos.org/dist/krb5/1.19/krb5-%{version}.tar.gz -Source1: https://kerberos.org/dist/krb5/1.19/krb5-%{version}.tar.gz.asc +Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz +Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf diff --git a/krb5.changes b/krb5.changes index 6e56f61..c53303e 100644 
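Review bot: Nothing in the `krb5-mini.spec` hunk shows the new `krb5-%{version}.tar.gz` being checked against `Source1` and `Source2: krb5.keyring`. The spec continues outside the hunk, so a verification step may exist in `%prep` or in the build service, but that is worth confirming before accepting a new upstream tarball for a Kerberos package. The added `krb5-1.20.tar.gz.asc` begins with the same leading bytes as the removed 1.19.3 signature, which suggests the same signing key, so the keyring presumably needs no update. I would add a comment above the source lines such as `# Source1 is the upstream detached signature for Source0; verify it against Source2 (krb5.keyring) on every version bump`. The same applies to the matching hunk in `krb5.spec`.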
--- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,31 @@ +------------------------------------------------------------------- +Sun May 29 19:14:02 UTC 2022 - Dirk Müller + +- update to 1.20.0: + * Added a "disable_pac" realm relation to suppress adding PAC authdata + to tickets, for realms which do not need to support S4U requests. + * Most credential cache types will use atomic replacement when a cache + is reinitialized using kinit or refreshed from the client keytab. + * kprop can now propagate databases with a dump size larger than 4GB, + if both the client and server are upgraded. + * kprop can now work over NATs that change the destination IP address, + if the client is upgraded. + * Updated the KDB interface. The sign_authdata() method is replaced + with the issue_pac() method, allowing KDB modules to add logon info + and other buffers to the PAC issued by the KDC. + * Host-based initiator names are better supported in the GSS krb5 + mechanism. + * Replaced AD-SIGNEDPATH authdata with minimal PACs. + * To avoid spurious replay errors, password change requests will not + be attempted over UDP until the attempt over TCP fails. + * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1. + * Updated all code using OpenSSL to be compatible with OpenSSL 3. + * Reorganized the libk5crypto build system to allow the OpenSSL + back-end to pull in material from the builtin back-end depending on + the OpenSSL version. + * Simplified the PRNG logic to always use the platform PRNG. + * Converted the remaining Tcl tests to Python. + ------------------------------------------------------------------- Sat Apr 9 11:31:42 UTC 2022 - Dirk Müller diff --git a/krb5.spec b/krb5.spec index ad2c75d..4035ca4 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -21,13 +21,13 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: krb5 -Version: 1.19.3 +Version: 1.20 Release: 0 Summary: MIT Kerberos5 implementation License: MIT URL: https://kerberos.org/dist/ -Source0: https://kerberos.org/dist/krb5/1.19/krb5-%{version}.tar.gz -Source1: https://kerberos.org/dist/krb5/1.19/krb5-%{version}.tar.gz.asc +Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz +Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf From 40f0f666d99718452d31ce74676fb0c75c8564d8cbc8ba4178d36255b03c5b48 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Thu, 2 Jun 2022 08:10:43 +0000 Subject: [PATCH 2/2] Accepting request 980314 from home:scabrero:branches:network Align krb5-mini changelog and remove a couple of trailing white spaces OBS-URL: https://build.opensuse.org/request/show/980314 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=260 --- krb5-mini.changes | 36 ++++++++++++++++++++++++++++++++++++ krb5.changes | 2 +- 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/krb5-mini.changes b/krb5-mini.changes index 9fd9da3..935783d 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes 
@@ -1,3 +1,39 @@ +------------------------------------------------------------------- +Sun May 29 19:14:02 UTC 2022 - Dirk Müller + +- update to 1.20.0: + * Added a "disable_pac" realm relation to suppress adding PAC authdata + to tickets, for realms which do not need to support S4U requests. + * Most credential cache types will use atomic replacement when a cache + is reinitialized using kinit or refreshed from the client keytab. + * kprop can now propagate databases with a dump size larger than 4GB, + if both the client and server are upgraded. + * kprop can now work over NATs that change the destination IP address, + if the client is upgraded. + * Updated the KDB interface. The sign_authdata() method is replaced + with the issue_pac() method, allowing KDB modules to add logon info + and other buffers to the PAC issued by the KDC. + * Host-based initiator names are better supported in the GSS krb5 + mechanism. + * Replaced AD-SIGNEDPATH authdata with minimal PACs. + * To avoid spurious replay errors, password change requests will not + be attempted over UDP until the attempt over TCP fails. + * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1. + * Updated all code using OpenSSL to be compatible with OpenSSL 3. + * Reorganized the libk5crypto build system to allow the OpenSSL + back-end to pull in material from the builtin back-end depending on + the OpenSSL version. + * Simplified the PRNG logic to always use the platform PRNG. + * Converted the remaining Tcl tests to Python. + +------------------------------------------------------------------- +Sat Apr 9 11:31:42 UTC 2022 - Dirk Müller + +- update to 1.19.3 (bsc#1189929, CVE-2021-37750): + * Fix a denial of service attack against the KDC [CVE-2021-37750]. + * Fix KDC null deref on TGS inner body null server + * Fix conformance issue in GSSAPI tests + ------------------------------------------------------------------- Thu Jan 27 22:21:52 UTC 2022 - David Mulder 
diff --git a/krb5.changes b/krb5.changes index c53303e..dfd868e 100644 --- a/krb5.changes +++ b/krb5.changes @@ -24,7 +24,7 @@ Sun May 29 19:14:02 UTC 2022 - Dirk Müller back-end to pull in material from the builtin back-end depending on the OpenSSL version. * Simplified the PRNG logic to always use the platform PRNG. - * Converted the remaining Tcl tests to Python. + * Converted the remaining Tcl tests to Python. ------------------------------------------------------------------- Sat Apr 9 11:31:42 UTC 2022 - Dirk Müller