diff --git a/baselibs.conf b/baselibs.conf index 5c6d57e..f5a71e2 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1,2 +1,3 @@ pam_krb5 +/lib(64)?/security/pam_krb5/pam_krb5_storetmp + supplements "packageand(pam_krb5:pam-)" diff --git a/pam_krb5.changes b/pam_krb5.changes index c93a188..da7cceb 100644 --- a/pam_krb5.changes +++ b/pam_krb5.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Jun 24 19:29:55 CEST 2009 - sbrabec@suse.cz + +- Supplement pam-32bit/pam-64bit in baselibs.conf (bnc#354164). + ------------------------------------------------------------------- Mon Jun 15 15:32:11 CEST 2009 - mc@suse.de diff --git a/pam_krb5.spec b/pam_krb5.spec index 200e176..d96b12b 100644 --- a/pam_krb5.spec +++ b/pam_krb5.spec @@ -21,7 +21,7 @@ Name: pam_krb5 BuildRequires: krb5-client krb5-devel krb5-server openssl-devel pam-devel %define PAM_RELEASE 1 -License: BSD 3-Clause; LGPL v2.0 or later +License: BSD 3-clause (or similar) ; LGPL v2.0 or later Group: Productivity/Networking/Security Provides: pam_krb AutoReqProv: on @@ -31,7 +31,7 @@ Obsoletes: pam_krb5-64bit %endif # Version: 2.3.5 -Release: 2 +Release: 3 Summary: PAM Module for Kerberos Authentication Url: http://sourceforge.net/projects/pam-krb5/ Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2 @@ -96,274 +96,3 @@ rm -rf $RPM_BUILD_ROOT %attr(755,root,root) /usr/bin/afs5log %changelog -* Mon Jun 15 2009 mc@suse.de -- compile fixes for krb5 1.7 -* Mon Jun 08 2009 mc@suse.de -- update to version 2.3.5 - * make prompting behavior for non-existent accounts and users who - just press enter match up with those who aren't/don't (#502602, - CVE-2009-1384) -* Wed May 20 2009 mc@suse.de -- update to version 2.3.4 - * don't request password-changing credentials using the same options - we use for ticket-granting tickets - * close a couple of open pipes to defunct processes, fix a couple - of debug messages - * fix ccache permissions bypass when the "existing_ticket" option is - used (CVE-2008-3825, which affects 2.2.0-2.2.25, 2.3.0, and 2.3.1) -- obsolete a lot of patches. -* Thu Feb 05 2009 mc@suse.de -- update translations -* Mon Feb 02 2009 mc@suse.de -- pam_sm_setcred should assume PAM_ESTABLISH_CRED - if no flag are passed (bnc#470414) -* Tue Jan 13 2009 olh@suse.de -- obsolete old -XXbit packages (bnc#437293) -* Fri Nov 21 2008 mc@suse.de -- update translations -* Wed Nov 05 2008 mc@suse.de -- update translations -* Wed Oct 29 2008 mc@suse.de -- use the upstream fix for - pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif -* Tue Oct 28 2008 mc@suse.de -- simplify switch permissions of refresh credentials - (remove pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif - add pam_krb5-2.3.1-switch-perms-on-refresh.dif) -* Fri Oct 24 2008 mc@suse.de -- write new ticket into shmem after password change if requested. - (bnc#438181) -- update translations -* Mon Oct 06 2008 mc@suse.de -- fixing pam_krb5 existing_ticket permission flaw (CVE-2008-3825) - (bnc#425861) -* Thu Sep 04 2008 mc@suse.de -- if the realm name given to us is NULL, don't bother consulting - the appdefaults -- check for the "debug" flag earlier -* Mon Sep 01 2008 mc@suse.de -- validate new fetched credentials -* Fri Jun 20 2008 mc@suse.de -- version 2.3.1 - * translations for messages! - * added the ability to set up tokens in the rxk5 format - * added the "token_strategy" option to control which methods we'll - try to use for setting tokens - * merge "null_afs" functionality from Jan Iven - * when we're changing passwords, force at least one attempt to - authenticate using the KDC, even in the pathological case where - there's no previously- entered password and we were told not to ask - for one (brc#400611) -* Fri Jun 06 2008 mc@suse.de -- update i18n files -* Fri May 09 2008 mc@suse.de -- update i18n files -* Mon Apr 14 2008 mc@suse.de -- update i18n files -* Thu Apr 10 2008 ro@suse.de -- added baselibs.conf file to build xxbit packages - for multilib support -* Thu Mar 13 2008 mc@suse.de -- add i18n support -* Mon Feb 11 2008 mc@suse.de -- version 2.2.22 - * moved .k5login checks to a subprocess to avoid screwing with the - parent process's tokens and PAG (fallout from #371761) - * all options which took true/false before ("debug", "tokens", and - so on) can now take service names -* Wed Nov 21 2007 mc@suse.de -- some bugfixes from upstream -* Fri Nov 09 2007 mc@suse.de -- version 2.2.21 - * fix permissions problems on keyring ccaches, so that users can write - to them after we've set them up, and we can still do the cleanup -- remove pam_krb5-2.2.20-1-copy-cache-priv-fix.dif; fix is upstream -* Mon Nov 05 2007 mc@suse.de -- pam_krb5-2.2.20-1-copy-cache-priv-fix.dif - fix permissions on the ccache im not file case -- pam_krb5-2.2.20-1-debug-log-choice.dif - improve debug log -* Mon Oct 29 2007 mc@suse.de -- version 2.2.20 - * fixes for credential refreshing -- remove obsolete patch pam_krb5-2.2.19-fix-format-error.dif - (fix is upstream) -* Fri Oct 26 2007 mc@suse.de -- version 2.2.19: - * the "keytab" option can now be used to specify a custom location - for a given service from within krb5.conf - * log messages are now logged with facility LOG_AUTHPRIV (or LOG_AUTH - if LOG_AUTHPRIV is not defined) instead of the application's default - or LOG_USER - * added the "pkinit_identity" option to provide a way to specify - where the user's public-key credentials are, and "pkinit_flags" to - specify arbitrary flags for libkrb5 (Heimdal only) - * added the "preauth_options" option to provide a way to specify - arbitrary preauthentication options to libkrb5 (MIT only) - * added the "ccname_template" option to provide a way to specify - where the user's credentials should be stored, so that KEYRING: - credential caches can be deployed at will. -* Tue Aug 07 2007 mc@suse.de -- version 2.2.17: - * corrected a typo in the pam_krb5(8) man page - * clarified that the "tokens" flag should only be needed for - applications which are not using PAM correctly - * don't bother using a helper for creating v4 ticket files when we're - just getting tokens - * clean up the debug message which we emit when we do v5->v4 - principal name conversion - * compilation fixes - * let default "external" and "use_shmem" settings be specified at - compile-time - * correctly return a "unknown user" error when attempting to change - a password for a user who has no corresponding principal (#235020) - * don't bother using a helper for creating ccache files, which we're - just going to delete, when we need to get tokens -* Mon Jul 16 2007 mc@suse.de -- version 2.2.14 - * treat a "client revoked" error as an "unknown principal" error - * some small bugfixes -* Fri Jul 13 2007 mc@suse.de -- version 2.2.13 - * make it possible to have more than one ccache (and tktfile) at - a time to work around apps which open a session, set the - environment, and initialize creds (when we previously created - a ccache, removing the one which was named in the environment) -* Mon Jul 02 2007 mc@suse.de -- version 2.2.12 - * add a "pwhelp" option. - * Display the KDC error to users. - * lots of bugfixes -* Thu Mar 15 2007 mc@suse.de -- drop privileges in _pam_krb5_sly_maybe_refresh when - running in set uid and restore them on exit of this - function. This enables us to refresh the ticket - after screen un-lock. - [#124611] -* Mon Sep 25 2006 mc@suse.de -- version 2.2.11 -- remove two patches with are upstream now - - pam_krb5-2.2.10-0-oldauthtok.dif - - pam_krb5-2.2.10-0-testfix.dif -- make use of --with-os-distribution -* Thu Sep 14 2006 mc@suse.de -- fix pam_set_item call for AUTHTOK and OLDAUTHTOK -- fix testcase -- if the server returns an error message during password-changing, - let the user see it -- add the "debug_sensitive" option, which actually logs passwords -- add the "no_subsequent_prompt" option, to force the module to - always answer a libkrb5 prompt with the PAM_AUTHTOK value -* Tue Sep 12 2006 mc@suse.de -- version 2.2.10 - * log text for server-supplied error code along with the - failure information. - * rework the prompting bits so that it makes more correct use of - the initial_prompt/use_first_pass flags and correctly disables - use of the callback for arbitrary prompts - * give the caller a way to specify which prompter callback we - should use. - * track whether or not we want to let libkrb5 ask for information - via the callbacks. - * and more fixes -* Thu Jul 27 2006 mc@suse.de -- version 2.2.9 - * look for krb5/krb5.h in preference to krb5.h (new in - MIT Kerberos 1.5) - * if the default principal in the ccache doesn't match the - userinfo structure, update the userinfo structure. - * always use the name of the v5 principal when saving - credentials, especially for the "external" case where - it may not be the value we originally guessed - * be more careful about other ways which our prompting - callback can try to break us - * go back to overwriting the template, to avoid uncontrolled - growth in the filename. - * build the new ccache name by appending the mkstemp template - instead of assuming the previous file ended with one - * and more fixes. -- remove pam_krb5-2.2.3-1-prompter-segfault.dif it is upstream now -* Wed Jun 28 2006 mc@suse.de -- update to version 2.2.8 - * fix reporting of the reasons for password change failures - * add "krb4_use_as_req" to completely disallow any attempts to get - v4 credentials - * do 524 conversion for the "external" cases, too -- remove obsolete patches -* Fri Apr 21 2006 mc@suse.de -- fix segfault in prompter [#165972] -* Wed Jan 25 2006 mls@suse.de -- converted neededforbuild to BuildRequires -* Tue Jan 17 2006 mc@suse.de -- add two patches from upstream - * pam_krb5-upstreamfix-password-handling.dif - * pam_krb5-upstreamfix-testcase.dif -- build with more then one job -* Fri Jan 13 2006 mc@suse.de -- set /usr/bin/afs5log executable -* Wed Jan 11 2006 mc@suse.de -- add -fstack-protector to CFLAGS -* Tue Dec 20 2005 mc@suse.de -- update to version 2.2.3 -- remove pam_krb5-2.2.0-0.5-NULL-fix.dif; patch is now upstream -* Fri Dec 02 2005 mc@suse.de -- update to version 2.2.2 - * don't leak the keytab file descriptor - * actually check for AFS support first, so that the - ioctl-only support case will work properly. -* Mon Nov 14 2005 uli@suse.de -- no afs_syscall on ARM -* Mon Nov 14 2005 mc@suse.de -- update to version 2.2.0-2 -- remove obsolete patch (debug_false is upstream now) -* Mon Oct 10 2005 mc@suse.de -- update to current CVS version -- drop some patches (they are upstream now) -- fix NULL problem -* Wed Aug 17 2005 mc@suse.de -- got official fix for the authtok problem - [#104051] -* Mon Aug 15 2005 mc@suse.de -- fix the behavior of password changing if use_authtok - is not present [#104051] -* Wed Jun 29 2005 mc@suse.de -- fix change password -* Fri Jun 10 2005 mc@suse.de -- set default for debug to false [#87005] -* Thu Apr 07 2005 mc@suse.de -- switch to version 2.2.0-0.5 -* Tue Feb 22 2005 nadvornik@suse.cz -- fixed parsing of time values -* Mon Feb 21 2005 mc@suse.de -- add pam_krb5-use-krb5_afslog.dif [#51047] -* Tue Jan 18 2005 okir@suse.de -- updated to latest pam_krb5 snapshot from sourcforge CVS -* Tue Jan 11 2005 ro@suse.de -- re-added afs module (added krbafs to neededforbuild) -* Mon Nov 22 2004 ro@suse.de -- remove afs for the moment, mit-kerberos does not have support -* Wed Apr 28 2004 ro@suse.de -- added -fno-strict-aliasing -* Fri Jan 16 2004 kukuk@suse.de -- Add pam-devel to neededforbuild -* Sun Jan 11 2004 adrian@suse.de -- build as user -* Wed Jul 16 2003 nadvornik@suse.cz -- replaced by different implementation of pam_krb5 -- afs support -* Fri Jun 20 2003 okir@suse.de -- fix build problem with latest heimdal -- another fix for passwd updates (#20284) -* Wed Jun 18 2003 ro@suse.de -- use kerberos-devel-packages in neededforbuild -* Tue Apr 15 2003 ro@suse.de -- fixed neededforbuild -* Wed Aug 28 2002 okir@suse.de -- Security fix (#18463): unbecome_user did not properly reassert - original privilege, and the caller didn't check the return value. -* Wed Jul 31 2002 okir@suse.de -- suse_update_config now updates the right files -* Wed Jul 24 2002 okir@suse.de -- fixed passwd(1) support; updated README -* Tue Jul 23 2002 okir@suse.de -- initial packaging