diff --git a/bug-425861_pam_krb5-2.3.1-ccacheperms.patch b/bug-425861_pam_krb5-2.3.1-ccacheperms.patch
deleted file mode 100644
index b65733b..0000000
--- a/bug-425861_pam_krb5-2.3.1-ccacheperms.patch
+++ /dev/null
@@ -1,253 +0,0 @@
-Index: pam_krb5-2.3.1-1/src/Makefile.am
-===================================================================
---- pam_krb5-2.3.1-1.orig/src/Makefile.am
-+++ pam_krb5-2.3.1-1/src/Makefile.am
-@@ -37,6 +37,8 @@ libpam_krb5_la_SOURCES = \
- kuserok.c \
- kuserok.h \
- minikafs.h \
-+ perms.c \
-+ perms.h \
- prompter.c \
- prompter.h \
- shmem.c \
-@@ -112,6 +114,7 @@ harness_LDADD = \
- map.lo \
- initopts.lo \
- options.lo \
-+ perms.lo \
- userinfo.lo \
- sly.lo \
- v4.lo \
-@@ -125,6 +128,7 @@ harness_newpag_LDADD = \
- pam_newpag.lo \
- logstdio.lo \
- options.lo \
-+ perms.lo \
- v4.lo \
- v5.lo
- harness_newpag_LDADD += libpam_krb5.la @PAM_LIBS@ @KRB5_LIBS@ @KRB4_LIBS@ @KEYUTILS_LIBS@
-Index: pam_krb5-2.3.1-1/src/perms.c
-===================================================================
---- /dev/null
-+++ pam_krb5-2.3.1-1/src/perms.c
-@@ -0,0 +1,89 @@
-+/*
-+ * Copyright 2008 Red Hat, Inc.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, and the entire permission notice in its entirety,
-+ * including the disclaimer of warranties.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. The name of the author may not be used to endorse or promote
-+ * products derived from this software without specific prior
-+ * written permission.
-+ *
-+ * ALTERNATIVELY, this product may be distributed under the terms of the
-+ * GNU Lesser General Public License, in which case the provisions of the
-+ * LGPL are required INSTEAD OF the above restrictions.
-+ *
-+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
-+ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
-+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "../config.h"
-+
-+#include
-+#include
-+#include
-+#include "perms.h"
-+
-+struct _pam_krb5_perms {
-+ uid_t ruid, euid;
-+ gid_t rgid, egid;
-+};
-+
-+struct _pam_krb5_perms *
-+_pam_krb5_switch_perms(void)
-+{
-+ struct _pam_krb5_perms *ret;
-+ ret = malloc(sizeof(*ret));
-+ if (ret != NULL) {
-+ ret->ruid = getuid();
-+ ret->euid = geteuid();
-+ ret->rgid = getgid();
-+ ret->egid = getegid();
-+ if (ret->ruid == ret->euid) {
-+ ret->ruid = -1;
-+ ret->euid = -1;
-+ }
-+ if (ret->rgid == ret->egid) {
-+ ret->rgid = -1;
-+ ret->egid = -1;
-+ }
-+ if (setregid(ret->egid, ret->rgid) == -1) {
-+ free(ret);
-+ ret = NULL;
-+ } else {
-+ if (setreuid(ret->euid, ret->ruid) == -1) {
-+ setregid(ret->rgid, ret->egid);
-+ free(ret);
-+ ret = NULL;
-+ }
-+ }
-+ }
-+ return ret;
-+}
-+
-+int
-+_pam_krb5_restore_perms(struct _pam_krb5_perms *saved)
-+{
-+ int ret = -1;
-+ if (saved != NULL) {
-+ if ((setreuid(saved->ruid, saved->euid) == 0) &&
-+ (setregid(saved->rgid, saved->egid) == 0)) {
-+ ret = 0;
-+ }
-+ free(saved);
-+ }
-+ return ret;
-+}
-Index: pam_krb5-2.3.1-1/src/perms.h
-===================================================================
---- /dev/null
-+++ pam_krb5-2.3.1-1/src/perms.h
-@@ -0,0 +1,40 @@
-+/*
-+ * Copyright 2008 Red Hat, Inc.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, and the entire permission notice in its entirety,
-+ * including the disclaimer of warranties.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. The name of the author may not be used to endorse or promote
-+ * products derived from this software without specific prior
-+ * written permission.
-+ *
-+ * ALTERNATIVELY, this product may be distributed under the terms of the
-+ * GNU Lesser General Public License, in which case the provisions of the
-+ * LGPL are required INSTEAD OF the above restrictions.
-+ *
-+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
-+ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
-+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#ifndef pam_krb5_perms_h
-+#define pam_krb5_perms_h
-+
-+struct _pam_krb5_perms;
-+struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
-+int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);
-+
-+#endif
-Index: pam_krb5-2.3.1-1/src/v5.c
-===================================================================
---- pam_krb5-2.3.1-1.orig/src/v5.c
-+++ pam_krb5-2.3.1-1/src/v5.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2003,2004,2005,2006,2007,2008 Red Hat, Inc.
-+ * Copyright 2003,2004,2005,2006,2007 Red Hat, Inc.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -66,6 +66,7 @@
- 
- #include "conv.h"
- #include "log.h"
-+#include "perms.h"
- #include "prompter.h"
- #include "stash.h"
- #include "userinfo.h"
-@@ -833,6 +834,7 @@ v5_get_creds(krb5_context ctx,
- const char *realm;
- struct pam_message message;
- struct _pam_krb5_prompter_data prompter_data;
-+ struct _pam_krb5_perms *saved_perms;
- krb5_principal service_principal;
- krb5_creds tmpcreds;
- krb5_ccache ccache;
-@@ -884,28 +886,46 @@ v5_get_creds(krb5_context ctx,
- "from %s", krb5_cc_default_name(ctx));
- }
- memset(&ccache, 0, sizeof(ccache));
-- if (krb5_cc_default(ctx, &ccache) == 0) {
-+ /* In case we're setuid/setgid, switch to the caller's
-+ * permissions. */
-+ saved_perms = _pam_krb5_switch_perms();
-+ if ((saved_perms != NULL) &&
-+ (krb5_cc_default(ctx, &ccache) == 0)) {
- tmpcreds.client = userinfo->principal_name;
- tmpcreds.server = service_principal;
- i = krb5_cc_retrieve_cred(ctx, ccache, 0,
- &tmpcreds, creds);
-+ /* FIXME: check if the creds are expired?
-+ * What's the right error code if we check, and
-+ * they are? */
- memset(&tmpcreds, 0, sizeof(tmpcreds));
- krb5_cc_close(ctx, ccache);
-- switch (v5_validate(ctx, creds, options)) {
-- case 0:
-- /* we're fine */
-- break;
-- default:
-- /* something (anything) went wrong --
-- * discard them */
-- krb5_free_cred_contents(ctx, creds);
-- i = KRB5KRB_ERR_GENERIC;
-- break;
-+ /* In case we're setuid/setgid, restore the
-+ * previous permissions. */
-+ if (saved_perms != NULL) {
-+ if (_pam_krb5_restore_perms(saved_perms) != 0) {
-+ krb5_free_cred_contents(ctx, creds);
-+ memset(creds, 0, sizeof(*creds));
-+ krb5_free_principal(ctx, service_principal);
-+ return PAM_SYSTEM_ERR;
-+ }
-+ saved_perms = NULL;
- }
- } else {
- warn("error opening default ccache");
- i = KRB5_CC_NOTFOUND;
- }
-+ /* In case we're setuid/setgid, switch back to the
-+ * previous permissions if we didn't already. */
-+ if (saved_perms != NULL) {
-+ if (_pam_krb5_restore_perms(saved_perms) != 0) {
-+ krb5_free_cred_contents(ctx, creds);
-+ memset(creds, 0, sizeof(*creds));
-+ krb5_free_principal(ctx, service_principal);
-+ return PAM_SYSTEM_ERR;
-+ }
-+ saved_perms = NULL;
-+ }
- krb5_free_principal(ctx, service_principal);
- } else {
- warn("error parsing TGT principal name (%s) "
diff --git a/pam_krb5-2.3.1-1.tar.bz2 b/pam_krb5-2.3.1-1.tar.bz2
deleted file mode 100644
index 25ec9f6..0000000
--- a/pam_krb5-2.3.1-1.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:faa8fb8d46f74a56352fc80001c1b1570c4ffb0f6b7a456bca227cffcd2dbb58
-size 413865
diff --git a/pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif b/pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif
deleted file mode 100644
index cbc851a..0000000
--- a/pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif
+++ /dev/null
@@ -1,35 +0,0 @@
-diff --git a/src/password.c b/src/password.c
-index 85ab240..5ed4cf1 100644
---- a/src/password.c
-+++ b/src/password.c
-@@ -442,16 +442,22 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
- _pam_krb5_always_fail_prompter,
- &stash->v5result);
- stash->v5attempted = 1;
-- if ((i == PAM_SUCCESS) &&
-- ((options->v4 == 1) || (options->v4_for_afs == 1))) {
-- v4_get_creds(ctx, pamh, stash, userinfo,
-- options, password, &i);
-- if (i != 0) {
-- if (options->debug) {
-- debug("error obtaining initial credentials using newly-set password: %d (%s)",
-- i, v5_error_message(i));
-+ if (i == PAM_SUCCESS) {
-+ if ((options->v4 == 1) || (options->v4_for_afs == 1)) {
-+ v4_get_creds(ctx, pamh, stash, userinfo,
-+ options, password, &i);
-+ if (i != 0) {
-+ if (options->debug) {
-+ debug("error obtaining initial credentials using newly-set password: %d (%s)",
-+ i, v5_error_message(i));
-+ }
- }
- }
-+ if (options->use_shmem) {
-+ _pam_krb5_stash_shm_write(pamh, stash,
-+ options,
-+ userinfo);
-+ }
- }
- }
- 
diff --git a/pam_krb5-2.3.1-post.dif b/pam_krb5-2.3.1-post.dif
deleted file mode 100644
index 293a8d5..0000000
--- a/pam_krb5-2.3.1-post.dif
+++ /dev/null
@@ -1,128 +0,0 @@
-Index: src/v5.c
-===================================================================
---- src/v5.c.orig
-+++ src/v5.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2003,2004,2005,2006,2007 Red Hat, Inc.
-+ * Copyright 2003,2004,2005,2006,2007,2008 Red Hat, Inc.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -889,11 +889,19 @@ v5_get_creds(krb5_context ctx,
- tmpcreds.server = service_principal;
- i = krb5_cc_retrieve_cred(ctx, ccache, 0,
- &tmpcreds, creds);
-- /* FIXME: check if the creds are expired?
-- * What's the right error code if we check, and
-- * they are? */
- memset(&tmpcreds, 0, sizeof(tmpcreds));
- krb5_cc_close(ctx, ccache);
-+ switch (v5_validate(ctx, creds, options)) {
-+ case 0:
-+ /* we're fine */
-+ break;
-+ default:
-+ /* something (anything) went wrong --
-+ * discard them */
-+ krb5_free_cred_contents(ctx, creds);
-+ i = KRB5KRB_ERR_GENERIC;
-+ break;
-+ }
- } else {
- warn("error opening default ccache");
- i = KRB5_CC_NOTFOUND;
-Index: configure.ac
-===================================================================
---- configure.ac.orig
-+++ configure.ac
-@@ -360,6 +360,18 @@ if test x$keyutils != xno ; then
- AC_SUBST(KEYUTILS_LIBS)
- fi
- 
-+AC_MSG_CHECKING(whether to link directly with libpam)
-+AC_ARG_WITH(libpam,
-+[AC_HELP_STRING(--without-libpam,[Refrain from linking directly with libpam.])],
-+ [with_libpam=$withval],
-+ [with_libpam=yes])
-+if test "$with_libpam" != no ; then
-+ AC_MSG_RESULT(yes)
-+else
-+ AC_MSG_RESULT(no)
-+fi
-+AM_CONDITIONAL(WITH_DIRECT_LIBPAM,test "$with_libpam" != no)
-+
- AC_ARG_ENABLE(default-realm,AC_HELP_STRING([--enable-default-realm=REALM],[last-ditch fallback realm (default is EXAMPLE.COM)]),default_realm=$enableval,default_realm=EXAMPLE.COM)
- AC_DEFINE_UNQUOTED(DEFAULT_REALM,"$default_realm",[Define to the realm name which will be used if no realm is given as a parameter and none is given in krb5.conf.])
- AC_MSG_RESULT([Using "$default_realm" as the default realm.])
-Index: src/Makefile.am
-===================================================================
---- src/Makefile.am.orig
-+++ src/Makefile.am
-@@ -21,6 +21,12 @@ man_MANS += afs5log.1
- noinst_PROGRAMS += pagsh
- endif
- 
-+if WITH_DIRECT_LIBPAM
-+DIRECT_LIBPAM = -lpam
-+else
-+DIRECT_LIBPAM =
-+endif
-+
- libpam_krb5_la_SOURCES = \
- conv.c \
- conv.h \
-@@ -47,7 +53,7 @@ libpam_krb5_la_SOURCES = \
- v5.h
- 
- pam_krb5_la_LDFLAGS = -avoid-version -export-dynamic -module -export-symbols-regex 'pam_sm.*' @SYMBOLIC_LINKER_FLAG@
--pam_krb5_la_LIBADD = libpam_krb5.la @KRB5_LIBS@ @KRB4_LIBS@ @KEYUTILS_LIBS@
-+pam_krb5_la_LIBADD = libpam_krb5.la @KRB5_LIBS@ @KRB4_LIBS@ @KEYUTILS_LIBS@ $(DIRECT_LIBPAM)
- pam_krb5_la_SOURCES = \
- initopts.c \
- initopts.h \
-Index: src/options.c
-===================================================================
---- src/options.c.orig
-+++ src/options.c
-@@ -105,7 +105,8 @@ option_b(int argc, PAM_KRB5_MAYBE_CONST
- ret = -1;
- 
- /* configured service yes */
-- if ((ret == -1) && (service != NULL) && (strlen(service) > 0)) {
-+ if ((ret == -1) && (realm != NULL) &&
-+ (service != NULL) && (strlen(service) > 0)) {
- list = option_l(argc, argv, ctx, realm, s, "");
- for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) {
- if (strcmp(list[i], service) == 0) {
-@@ -116,7 +117,8 @@ option_b(int argc, PAM_KRB5_MAYBE_CONST
- }
- 
- /* configured service no */
-- if ((ret == -1) && (service != NULL) && (strlen(service) > 0)) {
-+ if ((ret == -1) && (realm != NULL) &&
-+ (service != NULL) && (strlen(service) > 0)) {
- for (i = 0; i < (sizeof(prefix) / sizeof(prefix[0])); i++) {
- nots = malloc(strlen(prefix[i]) + strlen(s) + 1);
- if (nots != NULL) {
-@@ -142,7 +144,7 @@ option_b(int argc, PAM_KRB5_MAYBE_CONST
- }
- 
- /* configured boolean */
-- if (ret == -1) {
-+ if ((ret == -1) && (realm != NULL)) {
- v5_appdefault_boolean(ctx, realm, s, -1, &ret);
- }
- 
-@@ -331,6 +333,11 @@ _pam_krb5_options_init(pam_handle_t *pam
- _pam_krb5_get_item_text(pamh, PAM_SERVICE, &service);
- }
- 
-+ /* command-line option */
-+ options->debug = option_b(argc, argv, ctx, NULL,
-+ service, NULL, NULL,
-+ "debug", 0);
-+
- for (i = 0; i < argc; i++) {
- if (strncmp(argv[i], "realm=", 6) == 0) {
- if (options->realm != NULL) {
diff --git a/pam_krb5-2.3.4-1.tar.bz2 b/pam_krb5-2.3.4-1.tar.bz2
new file mode 100644
index 0000000..5f88e67
--- /dev/null
+++ b/pam_krb5-2.3.4-1.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6b9cbb260a50085c22107d06c2e73d6f757a1e3901e2eae61406b90bed9e59da
+size 426907
diff --git a/pam_krb5-LINGUAS.dif b/pam_krb5-LINGUAS.dif
index cd886d5..2f8fe72 100644
--- a/pam_krb5-LINGUAS.dif
+++ b/pam_krb5-LINGUAS.dif
@@ -1,31 +1,24 @@
 --- po/LINGUAS
-+++ po/LINGUAS 2008/10/24 12:25:20
-@@ -1 +1,28 @@
++++ po/LINGUAS 2009/05/20 10:30:47
+@@ -14,3 +14,21 @@
+ sr
+ sr@latin
+ sv
 +ar
 +bg
-+cs
 +da
- de
-+es
 +fi
 +fr
 +hr
-+hu
-+it
 +ja
 +ka
 +km
 +ko
 +nb
-+nl
-+pl
-+pt_BR
 +pt
 +ru
-+sv
 +th
 +uk
 +wa
 +zh_CN
 +zh_TW
-+
diff --git a/pam_krb5-po-Makevars.dif b/pam_krb5-po-Makevars.dif
deleted file mode 100644
index 6df362c..0000000
--- a/pam_krb5-po-Makevars.dif
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: pam_krb5-2.3.1-1/po/Makevars
-===================================================================
---- pam_krb5-2.3.1-1.orig/po/Makevars
-+++ pam_krb5-2.3.1-1/po/Makevars
-@@ -8,7 +8,7 @@ subdir = po
- top_builddir = ..
- 
- # These options get passed to xgettext.
--XGETTEXT_OPTIONS = --keyword=_ --keyword=N_
-+XGETTEXT_OPTIONS = --keyword=_ --keyword=N_ --keyword=Y_
- 
- # This is the copyright holder that gets inserted into the header of the
- # $(DOMAIN).pot file. Set this to the copyright holder of the surrounding
diff --git a/pam_krb5.changes b/pam_krb5.changes
index f06c2e5..6ee758b 100644
--- a/pam_krb5.changes
+++ b/pam_krb5.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed May 20 11:49:22 CEST 2009 - mc@suse.de
+
+- update to version 2.3.4
+ * don't request password-changing credentials using the same options
+ we use for ticket-granting tickets
+ * close a couple of open pipes to defunct processes, fix a couple
+ of debug messages
+ * fix ccache permissions bypass when the "existing_ticket" option is
+ used (CVE-2008-3825, which affects 2.2.0-2.2.25, 2.3.0, and 2.3.1)
+- obsolete a lot of patches.
+
 -------------------------------------------------------------------
 Thu Feb 5 12:31:29 CET 2009 - mc@suse.de
 
diff --git a/pam_krb5.spec b/pam_krb5.spec
index 1d48352..24f9a89 100644
--- a/pam_krb5.spec
+++ b/pam_krb5.spec
@@ -1,5 +1,5 @@
 #
-# spec file for package pam_krb5 (Version 2.3.1)
+# spec file for package pam_krb5 (Version 2.3.4)
 #
 # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -30,21 +30,17 @@ AutoReqProv: on
 Obsoletes: pam_krb5-64bit
 %endif
 #
-Version: 2.3.1
-Release: 48
+Version: 2.3.4
+Release: 1
 Summary: PAM Module for Kerberos Authentication
 Url: http://sourceforge.net/projects/pam-krb5/
 Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2
 Source2: pam_krb5-po.tar.gz
 Patch1: pam_krb5-2.2.0-0.5-configure_ac.dif
-Patch3: pam_krb5-2.3.1-log-choise.dif
-Patch4: pam_krb5-po-Makevars.dif
-Patch5: pam_krb5-LINGUAS.dif
-Patch6: pam_krb5-2.3.1-post.dif
-Patch7: bug-425861_pam_krb5-2.3.1-ccacheperms.patch
-Patch8: pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif
-Patch9: pam_krb5-2.3.1-switch-perms-on-refresh.dif
-Patch10: pam_krb5-2.2.3-1-setcred-assume-establish.dif
+Patch2: pam_krb5-2.3.1-log-choise.dif
+Patch3: pam_krb5-LINGUAS.dif
+Patch4: pam_krb5-2.3.1-switch-perms-on-refresh.dif
+Patch5: pam_krb5-2.2.3-1-setcred-assume-establish.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %description
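Review bot: The Patch list in this hunk drops four carried patches (`pam_krb5-po-Makevars.dif`, `pam_krb5-2.3.1-post.dif`, `bug-425861_pam_krb5-2.3.1-ccacheperms.patch`, `pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif`), but the changes entry records only `- obsolete a lot of patches.` and ties just the CVE-2008-3825 ccache fix to upstream 2.3.4. The dropped post.dif also carried the `realm != NULL` guards in `option_b` and the `v5_validate` check after `krb5_cc_retrieve_cred`, so it is worth confirming each is present in the 2.3.4 tarball and naming the files in the entry, e.g. `- drop bug-425861_pam_krb5-2.3.1-ccacheperms.patch, pam_krb5-2.3.1-post.dif, pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif, pam_krb5-po-Makevars.dif (upstream in 2.3.4)`. The retained `Patch4: pam_krb5-2.3.1-switch-perms-on-refresh.dif` presumably relies on the `_pam_krb5_switch_perms()` / `_pam_krb5_restore_perms()` helpers that the removed ccacheperms patch introduced; it is not shown here, so check that it still applies and is still needed against 2.3.4. The matching `%patch` lines are renumbered in the next hunk.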
@@ -62,14 +58,10 @@ Authors:
 %setup -q -n pam_krb5-%{version}-%{PAM_RELEASE}
 %setup -a 2 -T -D -n pam_krb5-%{version}-%{PAM_RELEASE}
 %patch1
-%patch3 -p1
+%patch2 -p1
+%patch3
 %patch4 -p1
 %patch5
-%patch6
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10
 
 %build
 %{suse_update_config -f}
@@ -104,6 +96,15 @@ rm -rf $RPM_BUILD_ROOT
 %attr(755,root,root) /usr/bin/afs5log
 
 %changelog
+* Wed May 20 2009 mc@suse.de
+- update to version 2.3.4
+ * don't request password-changing credentials using the same options
+ we use for ticket-granting tickets
+ * close a couple of open pipes to defunct processes, fix a couple
+ of debug messages
+ * fix ccache permissions bypass when the "existing_ticket" option is
+ used (CVE-2008-3825, which affects 2.2.0-2.2.25, 2.3.0, and 2.3.1)
+- obsolete a lot of patches.
 * Thu Feb 05 2009 mc@suse.de
 - update translations
 * Mon Feb 02 2009 mc@suse.de