From e9af2abc6d16719e4d778189edae8c0288c38e41b18b491cc66f89c8add7a7bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Sun, 10 Jan 2016 16:41:42 +0000 Subject: [PATCH] Accepting request 352796 from home:stroeder:branches:network update to 1.14, successfully tested on Tumbleweed x86_64 1. purely as client for MS AD and 2. as KDC with LDAP backend OBS-URL: https://build.opensuse.org/request/show/352796 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=154 --- krb5-1.13.3.tar.gz | 3 - krb5-1.13.3.tar.gz.asc | 14 ---- krb5-1.14.tar.gz | 3 + krb5-1.14.tar.gz.asc | 14 ++++ krb5-mini.changes | 141 +++++++++++++++++++++++++++++++++++++- krb5-mini.spec | 16 +++-- krb5.changes | 114 +++++++++++++++++++++++++++++- krb5.spec | 13 ++-- krbdev.mit.edu-8301.patch | 11 +++ 9 files changed, 298 insertions(+), 31 deletions(-) delete mode 100644 krb5-1.13.3.tar.gz delete mode 100644 krb5-1.13.3.tar.gz.asc create mode 100644 krb5-1.14.tar.gz create mode 100644 krb5-1.14.tar.gz.asc create mode 100644 krbdev.mit.edu-8301.patch diff --git a/krb5-1.13.3.tar.gz b/krb5-1.13.3.tar.gz deleted file mode 100644 index b278aa9..0000000 --- a/krb5-1.13.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5d4af08ead9b7a1e9493cfd65e821234f151a46736e1ce586f886c8a8e65fabe -size 12133347 diff --git a/krb5-1.13.3.tar.gz.asc b/krb5-1.13.3.tar.gz.asc deleted file mode 100644 index 1d79d36..0000000 --- a/krb5-1.13.3.tar.gz.asc +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQGcBAABAgAGBQJWYePPAAoJEKMvF/0AVcMFExYMAIJ4l6N0p00Gsh2smjTCrGcr -4ZemT6ovZW1bYhqKjnfeN1Csg0OEUKHUN20NRUuLhqOfDSU9UxJHXJ8azLTjopQr -yqe5teby2ki+cOcfcYbDUkRmLaG9wkrDiTIPV9SIObJCwuQfEhB4MMAw6hhMzLWZ -ENKqsGOxXrCCuDlcmHYgc7kRV2oa7ko72Lti70PpM3/mENGUHURz9tu/c8cratv8 -cJYLQibi7w1lA8qg2tKjqzwXJTLRfxm44cUOBWmD3Ph3XtfME7qmo56tYiiD2LIB -LiYBjipxWwK5LCTYb+2v1WMUcRamZ1J2JhzkNAwetocduuM3DRLCFcFlgTZS39n4 -AqIX7vmpbHljFY8IJ0UBfYTuR9+McfkXSKZN+QiQKr0BMNJbFPhjonSWkotXS39S -zyX2jDzBj5zXaBQ0aTL4w82XqIalIDWR9NXOPWggfSRcxMSiMSywl19eBAXk5Qfm -VGCb4CRB7CKBIsQbq2El5c2gTJP/lh/fnOqRfsvQXA== -=UvFL ------END PGP SIGNATURE----- diff --git a/krb5-1.14.tar.gz b/krb5-1.14.tar.gz new file mode 100644 index 0000000..65e86f0 --- /dev/null +++ b/krb5-1.14.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cedb07fad8331e3ff2983d26e977a2ddba622f379c2b19bfea85bd695930f9e9 +size 12255176 diff --git a/krb5-1.14.tar.gz.asc b/krb5-1.14.tar.gz.asc new file mode 100644 index 0000000..c05b461 --- /dev/null +++ b/krb5-1.14.tar.gz.asc @@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQGcBAABAgAGBQJWT4hUAAoJEKMvF/0AVcMFE44L/iuBH47TzpEn9RudgxMvxp7L +rREaBF/sIdMg0I8aUONtxw7nvh091s8SXus8UZiRYqPO+trB2pB52P1iQ4G9TBPX +IOkAEtxu/Sojfp2BxRd6NCBw+n90axNQDWogSN8U6XmK1szpiQz2KdaxfNTv5Lzm +Jtx/6p39DM7M72gkrFl8ZDEi2xKqyA1+fcCti3Q/Wdwx73HqWctHYNcjUtJH5bvN +GlTQq1PynPoHf8LqxVz6jquhuBgb2d2z8Q4hhQKlJF8x131vppeiWuDv3ExkcWKP +cvssUz8C1Ty7LF0ax0fwzQo22yEeTIHayvpbVidSiW8RUGUEiMzhaHcD3BTsQ5WF +X+l+xKqvZniB9Vs6KtbP4ErM6Rj+tNQJy8iMzEyDFTIuEFjK0497XGgBIp9FpgOl +6Rh9EXY66GUuU5FTnmGpmm3HxnhYWFDdj/vxj8DKTr5EmxAoc4j0fUp/ze4ZMZ02 +P14WS5B4DSfqZO+vaOKHmtmZH0J/ZS/8x7JIuz4cQA== +=xlir +-----END PGP SIGNATURE----- diff --git a/krb5-mini.changes b/krb5-mini.changes index a91e30f..e6af839 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,7 +1,124 @@ +------------------------------------------------------------------- +Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com + +- Update to 1.14 +- dropped krb5-kvno-230379.patch +- added krbdev.mit.edu-8301.patch fixing wrong function call + +Major changes in 1.14 (2015-11-20) +================================== + +Administrator experience: + +* Add a new kdb5_util tabdump command to provide reporting-friendly + tabular dump formats (tab-separated or CSV) for the KDC database. + Unlike the normal dump format, each output table has a fixed number + of fields. Some tables include human-readable forms of data that + are opaque in ordinary dump files. This format is also suitable for + importing into relational databases for complex queries. +* Add support to kadmin and kadmin.local for specifying a single + command line following any global options, where the command + arguments are split by the shell--for example, "kadmin getprinc + principalname". Commands issued this way do not prompt for + confirmation or display warning messages, and exit with non-zero + status if the operation fails. +* Accept the same principal flag names in kadmin as we do for the + default_principal_flags kdc.conf variable, and vice versa. Also + accept flag specifiers in the form that kadmin prints, as well as + hexadecimal numbers. +* Remove the triple-DES and RC4 encryption types from the default + value of supported_enctypes, which determines the default key and + salt types for new password-derived keys. By default, keys will + only created only for AES128 and AES256. This mitigates some types + of password guessing attacks. +* Add support for directory names in the KRB5_CONFIG and + KRB5_KDC_PROFILE environment variables. +* Add support for authentication indicators, which are ticket + annotations to indicate the strength of the initial authentication. + Add support for the "require_auth" string attribute, which can be + set on server principal entries to require an indicator when + authenticating to the server. +* Add support for key version numbers larger than 255 in keytab files, + and for version numbers up to 65535 in KDC databases. +* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC + during pre-authentication, corresponding to the client's most + preferred encryption type. +* Add support for server name identification (SNI) when proxying KDC + requests over HTTPS. +* Add support for the err_fmt profile parameter, which can be used to + generate custom-formatted error messages. + +Code quality: + +* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that + could cause server crashes. [CVE-2015-2695] [CVE-2015-2696] + [CVE-2015-2698] +* Fix build_principal memory bug that could cause a KDC + crash. [CVE-2015-2697] + +Developer experience: + +* Change gss_acquire_cred_with_password() to acquire credentials into + a private memory credential cache. Applications can use + gss_store_cred() to make the resulting credentials visible to other + processes. +* Change gss_acquire_cred() and SPNEGO not to acquire credentials for + IAKERB or for non-standard variants of the krb5 mechanism OID unless + explicitly requested. (SPNEGO will still accept the Microsoft + variant of the krb5 mechanism OID during negotiation.) +* Change gss_accept_sec_context() not to accept tokens for IAKERB or + for non-standard variants of the krb5 mechanism OID unless an + acceptor credential is acquired for those mechanisms. +* Change gss_acquire_cred() to immediately resolve credentials if the + time_rec parameter is not NULL, so that a correct expiration time + can be returned. Normally credential resolution is delayed until + the target name is known. +* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs, + which can be used by plugin modules or applications to add prefixes + to existing detailed error messages. +* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which + implement the RFC 6113 PRF+ operation and key derivation using PRF+. +* Add support for pre-authentication mechanisms which use multiple + round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error + code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth + interface; these callbacks can be used to save marshalled state + information in an encrypted cookie for the next request. +* Add a client_key() callback to the kdcpreauth interface to retrieve + the chosen client key, corresponding to the ETYPE-INFO2 entry sent + by the KDC. +* Add an add_auth_indicator() callback to the kdcpreauth interface, + allowing pre-authentication modules to assert authentication + indicators. +* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to + suppress sending the confidentiality and integrity flags in GSS + initiator tokens unless they are requested by the caller. These + flags control the negotiated SASL security layer for the Microsoft + GSS-SPNEGO SASL mechanism. +* Make the FILE credential cache implementation less prone to + corruption issues in multi-threaded programs, especially on + platforms with support for open file description locks. + +Performance: + +* On slave KDCs, poll the master KDC immediately after processing a + full resync, and do not require two full resyncs after the master + KDC's log file is reset. + +User experience: + +* Make gss_accept_sec_context() accept tickets near their expiration + but within clock skew tolerances, rather than rejecting them + immediately after the server's view of the ticket expiration time. + ------------------------------------------------------------------- Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com -- Udapte to 1.13.3 +- Update to 1.13.3 +- removed patches for security fixes now in upstream source: + 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch + 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch + 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch + 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch Major changes in 1.13.3 (2015-12-04) ==================================== @@ -19,10 +136,28 @@ krb5-1.14 release series or later. krb5-1.10 or earlier. ------------------------------------------------------------------- -Mon Jun 1 07:38:15 UTC 2015 - hguo@suse.com +Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com + +- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch + to fix a memory corruption regression introduced by resolution of + CVE-2015-2698. bsc#954204 + +------------------------------------------------------------------- +Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com + +- Make kadmin.local man page available without having to install krb5-client. bsc#948011 +- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch + to fix build_principal memory bug [CVE-2015-2697] bsc#952190 +- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch + to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189 +- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch + to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188 + +------------------------------------------------------------------- +Mon Jun 1 07:31:52 UTC 2015 - hguo@suse.com - Let server depend on libev (module of libverto). This was the - embedded implementation before the seperation of libverto from krb. + preferred implementation before the seperation of libverto from krb. ------------------------------------------------------------------- Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org diff --git a/krb5-mini.spec b/krb5-mini.spec index cabfd91..68e54c4 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,7 +1,7 @@ # # spec file for package krb5-mini # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ %define build_mini 1 -%define srcRoot krb5-1.13.3 +%define srcRoot krb5-1.14 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -30,7 +30,7 @@ BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.13.3 +Version: 1.14 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT @@ -82,7 +82,8 @@ Patch8: krb5-1.12-api.patch Patch11: krb5-1.12-ksu-path.patch Patch12: krb5-1.12-selinux-label.patch Patch13: krb5-1.9-debuginfo.patch -Patch14: krb5-kvno-230379.patch +# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301 +Patch15: krbdev.mit.edu-8301.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %fillup_prereq @@ -200,7 +201,7 @@ Include Files for Development %patch11 -p1 %patch12 -p1 %patch13 -p0 -%patch14 -p1 +%patch15 -p1 %build # needs to be re-generated @@ -247,6 +248,9 @@ cp -a html_subst ../../html cd .. %endif +# Copy kadmin manual page into kadmin.local's due to the split between client and server package +cp man/kadmin.man man/kadmin.local.8 + %install # Where per-user keytabs live by default. @@ -349,6 +353,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples # doesn't support disabling it at build time rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so %endif +# manually remove test plugin since configure doesn't support disabling it at build time +rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %find_lang mit-krb5 diff --git a/krb5.changes b/krb5.changes index 94ec734..e6af839 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,7 +1,119 @@ +------------------------------------------------------------------- +Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com + +- Update to 1.14 +- dropped krb5-kvno-230379.patch +- added krbdev.mit.edu-8301.patch fixing wrong function call + +Major changes in 1.14 (2015-11-20) +================================== + +Administrator experience: + +* Add a new kdb5_util tabdump command to provide reporting-friendly + tabular dump formats (tab-separated or CSV) for the KDC database. + Unlike the normal dump format, each output table has a fixed number + of fields. Some tables include human-readable forms of data that + are opaque in ordinary dump files. This format is also suitable for + importing into relational databases for complex queries. +* Add support to kadmin and kadmin.local for specifying a single + command line following any global options, where the command + arguments are split by the shell--for example, "kadmin getprinc + principalname". Commands issued this way do not prompt for + confirmation or display warning messages, and exit with non-zero + status if the operation fails. +* Accept the same principal flag names in kadmin as we do for the + default_principal_flags kdc.conf variable, and vice versa. Also + accept flag specifiers in the form that kadmin prints, as well as + hexadecimal numbers. +* Remove the triple-DES and RC4 encryption types from the default + value of supported_enctypes, which determines the default key and + salt types for new password-derived keys. By default, keys will + only created only for AES128 and AES256. This mitigates some types + of password guessing attacks. +* Add support for directory names in the KRB5_CONFIG and + KRB5_KDC_PROFILE environment variables. +* Add support for authentication indicators, which are ticket + annotations to indicate the strength of the initial authentication. + Add support for the "require_auth" string attribute, which can be + set on server principal entries to require an indicator when + authenticating to the server. +* Add support for key version numbers larger than 255 in keytab files, + and for version numbers up to 65535 in KDC databases. +* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC + during pre-authentication, corresponding to the client's most + preferred encryption type. +* Add support for server name identification (SNI) when proxying KDC + requests over HTTPS. +* Add support for the err_fmt profile parameter, which can be used to + generate custom-formatted error messages. + +Code quality: + +* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that + could cause server crashes. [CVE-2015-2695] [CVE-2015-2696] + [CVE-2015-2698] +* Fix build_principal memory bug that could cause a KDC + crash. [CVE-2015-2697] + +Developer experience: + +* Change gss_acquire_cred_with_password() to acquire credentials into + a private memory credential cache. Applications can use + gss_store_cred() to make the resulting credentials visible to other + processes. +* Change gss_acquire_cred() and SPNEGO not to acquire credentials for + IAKERB or for non-standard variants of the krb5 mechanism OID unless + explicitly requested. (SPNEGO will still accept the Microsoft + variant of the krb5 mechanism OID during negotiation.) +* Change gss_accept_sec_context() not to accept tokens for IAKERB or + for non-standard variants of the krb5 mechanism OID unless an + acceptor credential is acquired for those mechanisms. +* Change gss_acquire_cred() to immediately resolve credentials if the + time_rec parameter is not NULL, so that a correct expiration time + can be returned. Normally credential resolution is delayed until + the target name is known. +* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs, + which can be used by plugin modules or applications to add prefixes + to existing detailed error messages. +* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which + implement the RFC 6113 PRF+ operation and key derivation using PRF+. +* Add support for pre-authentication mechanisms which use multiple + round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error + code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth + interface; these callbacks can be used to save marshalled state + information in an encrypted cookie for the next request. +* Add a client_key() callback to the kdcpreauth interface to retrieve + the chosen client key, corresponding to the ETYPE-INFO2 entry sent + by the KDC. +* Add an add_auth_indicator() callback to the kdcpreauth interface, + allowing pre-authentication modules to assert authentication + indicators. +* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to + suppress sending the confidentiality and integrity flags in GSS + initiator tokens unless they are requested by the caller. These + flags control the negotiated SASL security layer for the Microsoft + GSS-SPNEGO SASL mechanism. +* Make the FILE credential cache implementation less prone to + corruption issues in multi-threaded programs, especially on + platforms with support for open file description locks. + +Performance: + +* On slave KDCs, poll the master KDC immediately after processing a + full resync, and do not require two full resyncs after the master + KDC's log file is reset. + +User experience: + +* Make gss_accept_sec_context() accept tickets near their expiration + but within clock skew tolerances, rather than rejecting them + immediately after the server's view of the ticket expiration time. + ------------------------------------------------------------------- Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com -- Udapte to 1.13.3 +- Update to 1.13.3 - removed patches for security fixes now in upstream source: 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch diff --git a/krb5.spec b/krb5.spec index 065286f..e4f234d 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,7 +1,7 @@ # # spec file for package krb5 # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ %define build_mini 0 -%define srcRoot krb5-1.13.3 +%define srcRoot krb5-1.14 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -30,7 +30,7 @@ BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.13.3 +Version: 1.14 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT @@ -82,7 +82,8 @@ Patch8: krb5-1.12-api.patch Patch11: krb5-1.12-ksu-path.patch Patch12: krb5-1.12-selinux-label.patch Patch13: krb5-1.9-debuginfo.patch -Patch14: krb5-kvno-230379.patch +# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301 +Patch15: krbdev.mit.edu-8301.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %fillup_prereq @@ -200,7 +201,7 @@ Include Files for Development %patch11 -p1 %patch12 -p1 %patch13 -p0 -%patch14 -p1 +%patch15 -p1 %build # needs to be re-generated @@ -352,6 +353,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples # doesn't support disabling it at build time rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so %endif +# manually remove test plugin since configure doesn't support disabling it at build time +rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %find_lang mit-krb5 diff --git a/krbdev.mit.edu-8301.patch b/krbdev.mit.edu-8301.patch new file mode 100644 index 0000000..fa03b0e --- /dev/null +++ b/krbdev.mit.edu-8301.patch @@ -0,0 +1,11 @@ +--- krb5-1.14.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-11-20 21:28:42.000000000 +0100 ++++ krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-12-09 20:17:00.465765527 +0100 +@@ -684,7 +684,7 @@ + if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) { + int ost = st; + st = EINVAL; +- k5_prependmsg(context, ost, st, _("'%s' not found"), ++ k5_wrapmsg(context, ost, st, _("'%s' not found"), + xargs.containerdn); + } + goto cleanup;