Commit Graph

124 Commits

Author SHA256 Message Date
cba0a3d8f7 Accepting request 915042 from home:scabrero:branches:network
- Fix KDC null pointer dereference via a FAST inner body that
  lacks a server field; (CVE-2021-37750); (bsc#1189929);
- Added patches:
  * 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch

OBS-URL: https://build.opensuse.org/request/show/915042
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=253
2021-09-09 09:25:27 +00:00
d342aedfcc Accepting request 909709 from home:scabrero:branches:network
- Update to 1.19.2
  * Fix a denial of service attack against the KDC encrypted challenge
    code; (CVE-2021-36222);
  * Fix a memory leak when gss_inquire_cred() is called without a
    credential handle.

OBS-URL: https://build.opensuse.org/request/show/909709
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=252
2021-08-09 08:50:11 +00:00
01edb4e3d8 Accepting request 887827 from home:scabrero:branches:network
- Use /run instead of /var/run for daemon PID files; (bsc#1185163);

OBS-URL: https://build.opensuse.org/request/show/887827
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=248
2021-04-24 09:17:08 +00:00
Michael Ströder
ceafe406ff Accepting request 873760 from home:scabrero:krb5_1_19_test
- Update to 1.19.1
  * Fix a linking issue with Samba.
  * Better support multiple pkinit_identities values by checking whether
    certificates can be loaded for each value.

- Update to 1.19
  Administrator experience
    * When a client keytab is present, the GSSAPI krb5 mech will refresh
      credentials even if the current credentials were acquired manually.
    * It is now harder to accidentally delete the K/M entry from a KDB.
  Developer experience
    * gss_acquire_cred_from() now supports the "password" and "verify"
      options, allowing credentials to be acquired via password and
      verified using a keytab key.
    * When an application accepts a GSS security context, the new
      GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
      both provided matching channel bindings.
    * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
      to identify the desired client principal by certificate.
    * PKINIT certauth modules can now cause the hw-authent flag to be set
      in issued tickets.
    * The krb5_init_creds_step() API will now issue the same password
      expiration warnings as krb5_get_init_creds_password().
  Protocol evolution
    * Added client and KDC support for Microsoft's Resource-Based Constrained
      Delegation, which allows cross-realm S4U2Proxy requests. A third-party
      database module is required for KDC support.
    * kadmin/admin is now the preferred server principal name for kadmin
      connections, and the host-based form is no longer created by default.
      The client will still try the host-based form as a fallback.

OBS-URL: https://build.opensuse.org/request/show/873760
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=243
2021-02-19 12:56:34 +00:00
964a1412da Accepting request 850135 from home:scabrero:branches:network
- Update to 1.18.3
  * Fix a denial of service vulnerability when decoding Kerberos
    protocol messages.
  * Fix a locking issue with the LMDB KDB module which could cause
    KDC and kadmind processes to lose access to the database.
  * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
    and unloaded while libkrb5support remains loaded.
- Update to 1.18.3
  * Fix a denial of service vulnerability when decoding Kerberos
    protocol messages.
  * Fix a locking issue with the LMDB KDB module which could cause
    KDC and kadmind processes to lose access to the database.
  * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
    and unloaded while libkrb5support remains loaded.

OBS-URL: https://build.opensuse.org/request/show/850135
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=241
2020-12-05 17:18:57 +00:00
97a10d8037 Accepting request 819446 from home:Andreas_Schwab:Factory
- Don't fail if %{_lto_cflags} is empty

OBS-URL: https://build.opensuse.org/request/show/819446
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=239
2020-08-05 12:32:17 +00:00
3bbe5c3fdb Accepting request 814123 from home:dimstar:Factory
- Do not mangle libexecdir, bindir, sbindir and datadir: there is
  no reasonable justification to step out of the defaults.

I'm aware this will take a few more packages to be changed to properly find krb5-config now, as some (not all) explicictly look for /usr/lib/mit/bin (most have this encoded as %{_libexecdir}/mit/bin - which is wrong anyway; libexecdir is changing to /usr/libexec - so krb5 does not follow that already anyway.

So instead of just trying some half-baked fixup, I decided to clean it up completely.

I also updated the files in vendor-files.tar.bz to have the correct path definitions and dropped the .csh and .sh profiles (which only added the extra added paths to $PATH - so we can just as well install to /usr/ anyway)

If there is anything substantial I missed that makes this change a bad idea, I'm open for discussions

OBS-URL: https://build.opensuse.org/request/show/814123
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=237
2020-06-15 09:07:04 +00:00
32e64938c1 Accepting request 810166 from home:scabrero:branches:network
- Update to 1.18.2
  * Fix a SPNEGO regression where an acceptor using the default credential
    would improperly filter mechanisms, causing a negotiation failure.
  * Fix a bug where the KDC would fail to issue tickets if the local krbtgt
    principal's first key has a single-DES enctype.
  * Add stub functions to allow old versions of OpenSSL libcrypto to link
    against libkrb5.
  * Fix a NegoEx bug where the client name and delegated credential might
    not be reported.
- Update logrotate script, call systemd to reload the services
  instead of init-scripts. (boo#1169357)
- Update to 1.18.2
  * Fix a SPNEGO regression where an acceptor using the default credential
    would improperly filter mechanisms, causing a negotiation failure.
  * Fix a bug where the KDC would fail to issue tickets if the local krbtgt
    principal's first key has a single-DES enctype.
  * Add stub functions to allow old versions of OpenSSL libcrypto to link
    against libkrb5.
  * Fix a NegoEx bug where the client name and delegated credential might
    not be reported.
- Update logrotate script, call systemd to reload the services
  instead of init-scripts. (boo#1169357)

OBS-URL: https://build.opensuse.org/request/show/810166
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=235
2020-06-06 06:52:29 +00:00
2564aa071d Accepting request 809058 from home:cgiboudeaux:branches:network
- Don't add the lto flags to the public link options. (boo#1172038)

- Don't add the lto flags to the public link options. (boo#1172038)

OBS-URL: https://build.opensuse.org/request/show/809058
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=234
2020-05-28 14:56:34 +00:00
4598210276 Accepting request 800735 from home:scabrero:branches:network
- Upgrade to 1.18.1
  * Fix a crash when qualifying short hostnames when the system has
    no primary DNS domain.
  * Fix a regression when an application imports "service@" as a GSS
    host-based name for its acceptor credential handle.
  * Fix KDC enforcement of auth indicators when they are modified by
    the KDB module.
  * Fix removal of require_auth string attributes when the LDAP KDB
    module is used.
  * Fix a compile error when building with musl libc on Linux.
  * Fix a compile error when building with gcc 4.x.
  * Change the KDC constrained delegation precedence order for consistency
    with Windows KDCs. 
- Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch
- Upgrade to 1.18.1
  * Fix a crash when qualifying short hostnames when the system has
    no primary DNS domain.
  * Fix a regression when an application imports "service@" as a GSS
    host-based name for its acceptor credential handle.
  * Fix KDC enforcement of auth indicators when they are modified by
    the KDB module.
  * Fix removal of require_auth string attributes when the LDAP KDB
    module is used.
  * Fix a compile error when building with musl libc on Linux.
  * Fix a compile error when building with gcc 4.x.
  * Change the KDC constrained delegation precedence order for consistency
    with Windows KDCs. 
- Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch

OBS-URL: https://build.opensuse.org/request/show/800735
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=232
2020-05-15 07:08:53 +00:00
8ccc2d47d3 Accepting request 798828 from home:dimstar:Factory
- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d
  notation: libexecdir is likely changing away from /usr/lib to
  /usr/libexec.

- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d
  notation: libexecdir is likely changing away from /usr/lib to
  /usr/libexec.

OBS-URL: https://build.opensuse.org/request/show/798828
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=230
2020-04-29 09:47:44 +00:00
Tomáš Chvátal
f2bf4325ae Accepting request 789691 from home:scabrero:branches:network
- Fix segfault in k5_primary_domain; (bsc#1167620);
- Added patches:
  * 0009-Fix-null-dereference-qualifying-short-hostnames.patch

OBS-URL: https://build.opensuse.org/request/show/789691
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=228
2020-03-30 10:04:03 +00:00
7a27c19df2 Accepting request 778977 from home:scarabeus_iv:branches:network
- Remove cruft to support distributions older than SLE 12
- Use macros where applicable
- Switch to pkgconfig style dependencies

- Remove cruft to support distributions older than SLE 12
- Use macros where applicable
- Switch to pkgconfig style dependencies

OBS-URL: https://build.opensuse.org/request/show/778977
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=226
2020-02-26 08:25:58 +00:00
Tomáš Chvátal
70aa357ac9 Accepting request 777881 from home:scabrero:branches:network
- Upgrade to 1.18
  Administrator experience:
    * Remove support for single-DES encryption types.
    * Change the replay cache format to be more efficient and robust.
      Replay cache filenames using the new format end with ".rcache2"
      by default.
    * setuid programs will automatically ignore environment variables
      that normally affect krb5 API functions, even if the caller does
      not use krb5_init_secure_context().
    * Add an "enforce_ok_as_delegate" krb5.conf relation to disable
      credential forwarding during GSSAPI authentication unless the KDC
      sets the ok-as-delegate bit in the service ticket.
    * Use the permitted_enctypes krb5.conf setting as the default value
      for default_tkt_enctypes and default_tgs_enctypes.
  Developer experience:
    * Implement krb5_cc_remove_cred() for all credential cache types.
    * Add the krb5_pac_get_client_info() API to get the client account
      name from a PAC.
  Protocol evolution:
    * Add KDC support for S4U2Self requests where the user is identified
      by X.509 certificate. (Requires support for certificate lookup from
      a third-party KDB module.)
    * Remove support for an old ("draft 9") variant of PKINIT.
    * Add support for Microsoft NegoEx. (Requires one or more third-party
      GSS modules implementing NegoEx mechanisms.)
  User experience:
    * Add support for "dns_canonicalize_hostname=fallback", causing
      host-based principal names to be tried first without DNS
      canonicalization, and again with DNS canonicalization if the
      un-canonicalized server is not found.
    * Expand single-component hostnames in host-based principal names
      when DNS canonicalization is not used, adding the system's first DNS
      search path as a suffix. Add a "qualify_shortname" krb5.conf relation
      to override this suffix or disable expansion.
    * Honor the transited-policy-checked ticket flag on application servers,
      eliminating the requirement to configure capaths on servers in some
      scenarios.
  Code quality:
    * The libkrb5 serialization code (used to export and import krb5 GSS
      security contexts) has been simplified and made type-safe.
    * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
      messages has been revised to conform to current coding practices.
    * The test suite has been modified to work with macOS System Integrity
      Protection enabled.
    * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
      can always be tested.
- Updated patches:
  * 0002-krb5-1.9-manpaths.patch
  * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * 0005-krb5-1.6.3-ktutil-manpage.patch
  * 0006-krb5-1.12-api.patch
- Renamed patches:
  * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
  * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
  * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
  * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
- Deleted patches:
  * 0007-krb5-1.12-ksu-path.patch
- Upgrade to 1.18
  Administrator experience:
    * Remove support for single-DES encryption types.
    * Change the replay cache format to be more efficient and robust.
      Replay cache filenames using the new format end with ".rcache2"
      by default.
    * setuid programs will automatically ignore environment variables
      that normally affect krb5 API functions, even if the caller does
      not use krb5_init_secure_context().
    * Add an "enforce_ok_as_delegate" krb5.conf relation to disable
      credential forwarding during GSSAPI authentication unless the KDC
      sets the ok-as-delegate bit in the service ticket.
    * Use the permitted_enctypes krb5.conf setting as the default value
      for default_tkt_enctypes and default_tgs_enctypes.
  Developer experience:
    * Implement krb5_cc_remove_cred() for all credential cache types.
    * Add the krb5_pac_get_client_info() API to get the client account
      name from a PAC.
  Protocol evolution:
    * Add KDC support for S4U2Self requests where the user is identified
      by X.509 certificate. (Requires support for certificate lookup from
      a third-party KDB module.)
    * Remove support for an old ("draft 9") variant of PKINIT.
    * Add support for Microsoft NegoEx. (Requires one or more third-party
      GSS modules implementing NegoEx mechanisms.)
  User experience:
    * Add support for "dns_canonicalize_hostname=fallback", causing
      host-based principal names to be tried first without DNS
      canonicalization, and again with DNS canonicalization if the
      un-canonicalized server is not found.
    * Expand single-component hostnames in host-based principal names
      when DNS canonicalization is not used, adding the system's first DNS
      search path as a suffix. Add a "qualify_shortname" krb5.conf relation
      to override this suffix or disable expansion.
    * Honor the transited-policy-checked ticket flag on application servers,
      eliminating the requirement to configure capaths on servers in some
      scenarios.
  Code quality:
    * The libkrb5 serialization code (used to export and import krb5 GSS
      security contexts) has been simplified and made type-safe.
    * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
      messages has been revised to conform to current coding practices.
    * The test suite has been modified to work with macOS System Integrity
      Protection enabled.
    * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
      can always be tested.
- Updated patches:
  * 0002-krb5-1.9-manpaths.patch
  * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * 0005-krb5-1.6.3-ktutil-manpage.patch
  * 0006-krb5-1.12-api.patch
- Renamed patches:
  * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
  * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
  * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
  * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
- Deleted patches:
  * 0007-krb5-1.12-ksu-path.patch

OBS-URL: https://build.opensuse.org/request/show/777881
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=224
2020-02-25 07:55:08 +00:00
Tomáš Chvátal
30ac12137f Accepting request 756027 from home:scabrero:branches:network
- Upgrade to 1.17.1
  * Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin.
  * Fix a bug preventing time skew correction from working when a KCM
    credential cache is used.

OBS-URL: https://build.opensuse.org/request/show/756027
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=222
2019-12-12 11:10:52 +00:00
Tomáš Chvátal
c313f4544f Accepting request 721095 from home:scabrero:branches:network
- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947);
  (bsc#1144047);

OBS-URL: https://build.opensuse.org/request/show/721095
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=220
2019-08-05 18:08:17 +00:00
462ccca80d Accepting request 718507 from home:mgerstner:branches:network
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
  firewalld, see [1].
  [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html

- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
  firewalld, see [1].
  [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html

OBS-URL: https://build.opensuse.org/request/show/718507
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=218
2019-07-25 11:56:17 +00:00
Tomáš Chvátal
05a3f5da3c Accepting request 674684 from home:jengelh:branches:network
- Replace old $RPM_* shell vars

OBS-URL: https://build.opensuse.org/request/show/674684
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=214
2019-02-14 08:52:23 +00:00
d42ae2c82a Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
  Administrator experience:
  * A new Kerberos database module using the Lightning Memory-Mapped
    Database library (LMDB) has been added.  The LMDB KDB module should
    be more performant and more robust than the DB2 module, and may
    become the default module for new databases in a future release.
  * "kdb5_util dump" will no longer dump policy entries when specific
    principal names are requested.
  Developer experience:
  * The new krb5_get_etype_info() API can be used to retrieve enctype,
    salt, and string-to-key parameters from the KDC for a client
    principal.
  * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
    principal names to be used with GSS-API functions.
  * KDC and kadmind modules which call com_err() will now write to the
    log file in a format more consistent with other log messages.
  * Programs which use large numbers of memory credential caches should
    perform better.
  Protocol evolution:
  * The SPAKE pre-authentication mechanism is now supported.  This
    mechanism protects against password dictionary attacks without
    requiring any additional infrastructure such as certificates.  SPAKE
    is enabled by default on clients, but must be manually enabled on
    the KDC for this release.
  * PKINIT freshness tokens are now supported.  Freshness tokens can
    protect against scenarios where an attacker uses temporary access to
    a smart card to generate authentication requests for the future.
  * Password change operations now prefer TCP over UDP, to avoid
    spurious error messages about replays when a response packet is
    dropped.
  * The KDC now supports cross-realm S4U2Self requests when used with a
    third-party KDB module such as Samba's.  The client code for
    cross-realm S4U2Self requests is also now more robust.
  User experience:
  * The new ktutil addent -f flag can be used to fetch salt information
    from the KDC for password-based keys.
  * The new kdestroy -p option can be used to destroy a credential cache
    within a collection by client principal name.
  * The Kerberos man page has been restored, and documents the
    environment variables that affect programs using the Kerberos
    library.
  Code quality:
  * Python test scripts now use Python 3.
  * Python test scripts now display markers in verbose output, making it
    easier to find where a failure occurred within the scripts.
  * The Windows build system has been simplified and updated to work
    with more recent versions of Visual Studio.  A large volume of
    unused Windows-specific code has been removed.  Visual Studio 2013
    or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
  by transactional updates; (bsc#1100126);
- Rename patches:
  * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
  * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
  * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
  * krb5-1.6.3-gssapi_improve_errormessages.dif to
    0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
  * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
  * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
  * krb5-1.12-selinux-label.patch =>  0008-krb5-1.12-selinux-label.patch
  * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
  Administrator experience:
  * A new Kerberos database module using the Lightning Memory-Mapped
    Database library (LMDB) has been added.  The LMDB KDB module should
    be more performant and more robust than the DB2 module, and may
    become the default module for new databases in a future release.
  * "kdb5_util dump" will no longer dump policy entries when specific
    principal names are requested.
  Developer experience:
  * The new krb5_get_etype_info() API can be used to retrieve enctype,
    salt, and string-to-key parameters from the KDC for a client
    principal.
  * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
    principal names to be used with GSS-API functions.
  * KDC and kadmind modules which call com_err() will now write to the
    log file in a format more consistent with other log messages.
  * Programs which use large numbers of memory credential caches should
    perform better.
  Protocol evolution:
  * The SPAKE pre-authentication mechanism is now supported.  This
    mechanism protects against password dictionary attacks without
    requiring any additional infrastructure such as certificates.  SPAKE
    is enabled by default on clients, but must be manually enabled on
    the KDC for this release.
  * PKINIT freshness tokens are now supported.  Freshness tokens can
    protect against scenarios where an attacker uses temporary access to
    a smart card to generate authentication requests for the future.
  * Password change operations now prefer TCP over UDP, to avoid
    spurious error messages about replays when a response packet is
    dropped.
  * The KDC now supports cross-realm S4U2Self requests when used with a
    third-party KDB module such as Samba's.  The client code for
    cross-realm S4U2Self requests is also now more robust.
  User experience:
  * The new ktutil addent -f flag can be used to fetch salt information
    from the KDC for password-based keys.
  * The new kdestroy -p option can be used to destroy a credential cache
    within a collection by client principal name.
  * The Kerberos man page has been restored, and documents the
    environment variables that affect programs using the Kerberos
    library.
  Code quality:
  * Python test scripts now use Python 3.
  * Python test scripts now display markers in verbose output, making it
    easier to find where a failure occurred within the scripts.
  * The Windows build system has been simplified and updated to work
    with more recent versions of Visual Studio.  A large volume of
    unused Windows-specific code has been removed.  Visual Studio 2013
    or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
  by transactional updates; (bsc#1100126);
- Rename patches:
  * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
  * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
  * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
  * krb5-1.6.3-gssapi_improve_errormessages.dif to
    0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
  * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
  * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
  * krb5-1.12-selinux-label.patch =>  0008-krb5-1.12-selinux-label.patch
  * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch

OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 17:01:33 +00:00
Ismail Dönmez
b76b76ea62 Accepting request 640882 from home:jmcdough:branches:network
Update to krb5-1.16.1

OBS-URL: https://build.opensuse.org/request/show/640882
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=210
2018-10-15 15:08:42 +00:00
Michael Ströder
5dab1b263d Accepting request 603974 from home:stroeder:branches:network
Security fixes in release 1.15.3

OBS-URL: https://build.opensuse.org/request/show/603974
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=206
2018-05-04 11:22:34 +00:00
OBS User mrdocs
9cf7cfa8e9 Accepting request 601071 from home:luizluca:branches:network
- Added support for /etc/krb5.conf.d/ for configuration snippets

/etc/krb5.conf.d/ existance is now mandatory

OBS-URL: https://build.opensuse.org/request/show/601071
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=204
2018-05-01 03:19:15 +00:00
Michael Ströder
9ec64c1b6a Accepting request 544664 from home:RBrownSUSE:branches:network
Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

OBS-URL: https://build.opensuse.org/request/show/544664
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=202
2017-11-23 14:51:34 +00:00
Michael Ströder
c09363cbd0 Accepting request 530605 from home:jengelh:branches:network
- Update package descriptions.

OBS-URL: https://build.opensuse.org/request/show/530605
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=198
2017-10-02 23:37:48 +00:00
Michael Ströder
f7aad59b95 Accepting request 528703 from home:stroeder:branches:network
- Upgrade to 1.15.2
  * Fix a KDC denial of service vulnerability caused by unset status
    strings [CVE-2017-11368]
  * Preserve GSS contexts on init/accept failure [CVE-2017-11462]
  * Fix kadm5 setkey operation with LDAP KDB module
  * Use a ten-second timeout after successful connection for HTTPS KDC
    requests, as we do for TCP requests
  * Fix client null dereference when KDC offers encrypted challenge
    without FAST
  * Ignore dotfiles when processing profile includedir directive
  * Improve documentation
- Upgrade to 1.15.2
  * Fix a KDC denial of service vulnerability caused by unset status
    strings [CVE-2017-11368]
  * Preserve GSS contexts on init/accept failure [CVE-2017-11462]
  * Fix kadm5 setkey operation with LDAP KDB module
  * Use a ten-second timeout after successful connection for HTTPS KDC
    requests, as we do for TCP requests
  * Fix client null dereference when KDC offers encrypted challenge
    without FAST
  * Ignore dotfiles when processing profile includedir directive
  * Improve documentation

OBS-URL: https://build.opensuse.org/request/show/528703
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=196
2017-09-27 08:29:01 +00:00
Howard Guo
45350c1e0c - Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf
in order to improve client security in handling service principle
  names. (bsc#1054028)

- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf
  in order to improve client security in handling service principle
  names. (bsc#1054028)

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=194
2017-08-18 08:38:17 +00:00
Howard Guo
1d1e68ea09 - There is no change made about the package itself, this is only
copying over some changelog texts from SLE package:
- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355
  krb5: denial of service in krb5_read_message
- bug#912002 owned by varkoly@suse.com: VUL-0
  CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423:
  krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
- bug#910458 owned by varkoly@suse.com: VUL-1
  CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries
- bug#928978 owned by varkoly@suse.com: VUL-0
  CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading
  to requires_preauth bypass
- bug#910457 owned by varkoly@suse.com: VUL-1
  CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy
  name as a password policy name
- bug#991088 owned by hguo@suse.com: VUL-1
  CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted
- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires
- [fate#320326](https://fate.suse.com/320326)
- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference
  from \cite

- There is no change made about the package itself, this is only
  copying over some changelog texts from SLE package:
- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355
  krb5: denial of service in krb5_read_message
- bug#912002 owned by varkoly@suse.com: VUL-0
  CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423:
  krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
- bug#910458 owned by varkoly@suse.com: VUL-1

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=191
2017-06-06 13:39:13 +00:00
7566d42d93 Accepting request 486033 from home:kukuk:branches:network
- Remove wrong PreRequires

- Remove wrong PreRequires from krb5

OBS-URL: https://build.opensuse.org/request/show/486033
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=189
2017-04-07 06:22:42 +00:00
Howard Guo
4205fb7129 Accepting request 478048 from home:stroeder:branches:network
use HTTPS project and source URLs

OBS-URL: https://build.opensuse.org/request/show/478048
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=187
2017-03-13 08:48:12 +00:00
353b1c8ae7 - use source urls.
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=186
2017-03-09 18:22:08 +00:00
Howard Guo
68cd296a9a Accepting request 476962 from home:stroeder:branches:network
update to upstream release 1.15.1

OBS-URL: https://build.opensuse.org/request/show/476962
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=183
2017-03-06 08:55:39 +00:00
Michael Ströder
0cd0c46b3a Accepting request 451650 from home:gladiac:branches:network
Introduce patch
krb5-1.15-fix_kdb_free_principal_e_data.patch
to fix freeing of e_data in the kdb principal

OBS-URL: https://build.opensuse.org/request/show/451650
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=179
2017-01-20 14:28:35 +00:00
Michael Ströder
6fe08c82e5 Accepting request 443689 from home:stroeder:branches:network
Update to upstream release 1.15.
Successfully tested KDC with LDAP backend with one kinit on Tumbleweed x86_64 (but without selinux).
Please carefully review the updated C code patches!

OBS-URL: https://build.opensuse.org/request/show/443689
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=177
2016-12-05 17:34:31 +00:00
Ismail Dönmez
06399cb6eb Accepting request 412758 from home:stroeder:branches:network
update to 1.14.3

OBS-URL: https://build.opensuse.org/request/show/412758
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=172
2016-07-22 10:37:56 +00:00
Howard Guo
f423fdf030 ------------------------------------------------------------------
- Remove source file ccapi/common/win/OldCC/autolock.hxx
  that is not needed and does not carry an acceptable license.
  (bsc#968111)
------------------------------------------------------------------
- Remove source file ccapi/common/win/OldCC/autolock.hxx
  that is not needed and does not carry an acceptable license.
  (bsc#968111)

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=168
2016-06-13 12:41:05 +00:00
Ismail Dönmez
f73cb2534d Accepting request 392049 from home:stroeder:branches:network
Update to 1.14.2. Please review carefully.

Especially from glancing over the upstream source krb5-mechglue_inqure_attrs.patch seems obsolete even though the solution in upstream code looks slightly different.

OBS-URL: https://build.opensuse.org/request/show/392049
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=166
2016-04-29 08:00:03 +00:00
Howard Guo
9f56699b06 - Upgrade from 1.14 to 1.14.1:
* Remove expired patches:
    0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
    0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
    0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
    krbdev.mit.edu-8301.patch
  * Replace source archives:
    krb5-1.14.tar.gz ->
    krb5-1.14.1.tar.gz
    krb5-1.14.tar.gz.asc ->
    krb5-1.14.1.tar.gz.asc
  * Adjust line numbers in:
    krb5-fix_interposer.patch

- Upgrade from 1.14 to 1.14.1:
  * Remove expired patches:
    0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
    0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
    0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
    krbdev.mit.edu-8301.patch
  * Replace source archives:
    krb5-1.14.tar.gz ->
    krb5-1.14.1.tar.gz
    krb5-1.14.tar.gz.asc ->
    krb5-1.14.1.tar.gz.asc
  * Adjust line numbers in:
    krb5-fix_interposer.patch

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=165
2016-04-01 07:50:43 +00:00
f8868d141a Accepting request 359629 from home:guohouzuo:branches:network
- Remove krb5 pieces from spec file.
  Hence remove pre_checkin.sh
- Remove expired macros and other minor clena-ups in spec file.
- Change package description to explain what "mini" means.

- Remove krb5-mini pieces from spec file.
  Hence remove pre_checkin.sh
- Remove expired macros and other minor clean-ups in spec file.

OBS-URL: https://build.opensuse.org/request/show/359629
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=160
2016-02-18 11:50:30 +00:00
Ismail Dönmez
b9ca4cd2ca - Add two patches from Fedora, fixing two crashes:
* krb5-fix_interposer.patch
  * krb5-mechglue_inqure_attrs.patch

- Add two patches from Fedora, fixing two crashes:
  * krb5-fix_interposer.patch
  * krb5-mechglue_inqure_attrs.patch

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=156
2016-01-11 12:39:08 +00:00
Ismail Dönmez
e9af2abc6d Accepting request 352796 from home:stroeder:branches:network
update to 1.14, successfully tested on Tumbleweed x86_64 
1. purely as client for MS AD and
2. as KDC with LDAP backend

OBS-URL: https://build.opensuse.org/request/show/352796
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=154
2016-01-10 16:41:42 +00:00
Ismail Dönmez
ee705d6c1a Accepting request 347770 from home:stroeder:branches:network
update to 1.13.3

OBS-URL: https://build.opensuse.org/request/show/347770
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=152
2015-12-07 12:50:29 +00:00
Ismail Dönmez
172a23219f Accepting request 309550 from home:guohouzuo:freeipa
Let server depend on libev (module of libverto). This was the
 embedded implementation before the separation of libverto from krb.

OBS-URL: https://build.opensuse.org/request/show/309550
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=146
2015-06-01 09:44:23 +00:00
Ismail Dönmez
f1babf4554 Accepting request 309029 from home:dimstar:Factory
- Drop libverto and libverto-libev Requires from the -server
  package: those package names don't exist and the shared libs
  are pulled in automatically.

- Drop libverto and libverto-libev Requires from the -server
  package: those package names don't exist and the shared libs
  are pulled in automatically.

OBS-URL: https://build.opensuse.org/request/show/309029
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=144
2015-05-28 08:59:56 +00:00
Ismail Dönmez
d9be576ce1 Accepting request 308898 from home:dimstar:Factory
Also build dep libverto for the -mini variant... so it can actually be built

OBS-URL: https://build.opensuse.org/request/show/308898
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=143
2015-05-27 16:09:38 +00:00
7991a93622 - pre_checkin.sh aligned changes between krb5/krb5-mini
- added krb5.keyring

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=142
2015-05-22 09:30:16 +00:00
8103840325 * Add client support for the Kerberos Cache Manager protocol. If the host
* Add support for doing unlocked database dumps for the DB2 KDC back end,
  * krb5-1.7-doublelog.patch

- Work around replay cache creation race; (bnc#898439).
  krb5-1.13-work-around-replay-cache-creation-race.patch

-  bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal 
- added patches:
  * bnc#897874-CVE-2014-5351.diff

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=141
2015-05-22 09:22:57 +00:00
Andrey Karepin
71a09ab035 Accepting request 306592 from home:stroeder:branches:network
update to 1.13.2

OBS-URL: https://build.opensuse.org/request/show/306592
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=139
2015-05-13 19:25:01 +00:00
cefda77aa1 Accepting request 286613 from home:stroeder:branches:network
security update 1.13.1

OBS-URL: https://build.opensuse.org/request/show/286613
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=136
2015-02-18 17:22:56 +00:00
42eb1db8e7 Accepting request 280024 from home:mlin7442:branches:network
update to 1.13, also fixed build with bison3

OBS-URL: https://build.opensuse.org/request/show/280024
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=134
2015-01-06 10:58:20 +00:00
1e26a2fb1a Accepting request 246966 from home:AndreasStieger:branches:network
krb5 5.12.2

- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch
  from upstream
  See https://build.opensuse.org/request/show/246780

OBS-URL: https://build.opensuse.org/request/show/246966
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=128
2014-09-01 15:41:18 +00:00