From 1decc015c4b424fbbffb2a694d665fc856f6cbf6ba0c2b7edfdaa2898161dd79 Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Wed, 23 Jan 2008 21:04:40 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=29

---
 krb5-1.6-fix-CVE-2007-5894.dif | 13 +++
 krb5-1.6-fix-CVE-2007-5902.dif | 13 +++
 krb5-1.6-fix-CVE-2007-5971.dif | 25 +++++
 krb5-1.6-fix-CVE-2007-5972.dif | 14 +++
 krb5-doc.spec | 46 ++++-----
 krb5-plugins.spec | 54 +++++-----
 krb5.changes | 10 ++
 krb5.spec | 181 ++++++++++++++++++---------------
 8 files changed, 227 insertions(+), 129 deletions(-)
 create mode 100644 krb5-1.6-fix-CVE-2007-5894.dif
 create mode 100644 krb5-1.6-fix-CVE-2007-5902.dif
 create mode 100644 krb5-1.6-fix-CVE-2007-5971.dif
 create mode 100644 krb5-1.6-fix-CVE-2007-5972.dif

diff --git a/krb5-1.6-fix-CVE-2007-5894.dif b/krb5-1.6-fix-CVE-2007-5894.dif
new file mode 100644
index 0000000..c35e3c0
--- /dev/null
+++ b/krb5-1.6-fix-CVE-2007-5894.dif
@@ -0,0 +1,13 @@
+Index: src/appl/gssftp/ftpd/ftpd.c
+===================================================================
+--- src/appl/gssftp/ftpd/ftpd.c.orig
++++ src/appl/gssftp/ftpd/ftpd.c
+@@ -1823,7 +1823,7 @@ reply(n, fmt, p0, p1, p2, p3, p4, p5)
+ * radix_encode, gss_seal, plus slop.
+ */
+ char in[FTP_BUFSIZ*3/2], out[FTP_BUFSIZ*3/2];
+- int length, kerror;
++ int length = 0, kerror;
+ if (n) sprintf(in, "%d%c", n, cont_char);
+ else in[0] = '\0';
+ strncat(in, buf, sizeof (in) - strlen(in) - 1);
diff --git a/krb5-1.6-fix-CVE-2007-5902.dif b/krb5-1.6-fix-CVE-2007-5902.dif
new file mode 100644
index 0000000..2766cdd
--- /dev/null
+++ b/krb5-1.6-fix-CVE-2007-5902.dif
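Review bot: In krb5-1.6-fix-CVE-2007-5894.dif the new `int length = 0, kerror;` in reply() removes the indeterminate read, but nothing in the hunk says which path left `length` unset or why zero is a safe value for whatever consumes it later in the function. I would add a comment on the declaration, for example `/* only some reply paths assign length; 0 keeps the others defined */`, with the wording checked against the rest of reply(), which starts and ends outside the hunk. The .dif also carries no header text naming the CVE or the upstream change it was taken from, which makes it harder to retire once upstream ships the fix.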
@@ -0,0 +1,13 @@
+Index: src/lib/rpc/svc_auth_gss.c
+===================================================================
+--- src/lib/rpc/svc_auth_gss.c.orig
++++ src/lib/rpc/svc_auth_gss.c
+@@ -671,7 +671,7 @@ svcauth_gss_get_principal(SVCAUTH *auth)
+
+ gd = SVCAUTH_PRIVATE(auth);
+
+- if (gd->cname.length == 0)
++ if (gd->cname.length == 0 || gd->cname.length >= SIZE_MAX)
+ return (NULL);
+
+ if ((pname = malloc(gd->cname.length + 1)) == NULL)
diff --git a/krb5-1.6-fix-CVE-2007-5971.dif b/krb5-1.6-fix-CVE-2007-5971.dif
new file mode 100644
index 0000000..10b3370
--- /dev/null
+++ b/krb5-1.6-fix-CVE-2007-5971.dif
@@ -0,0 +1,25 @@
+Index: src/lib/gssapi/krb5/k5sealv3.c
+===================================================================
+--- src/lib/gssapi/krb5/k5sealv3.c.orig
++++ src/lib/gssapi/krb5/k5sealv3.c
+@@ -248,7 +248,6 @@ gss_krb5int_make_seal_token_v3 (krb5_con
+ plain.data = 0;
+ if (err) {
+ zap(outbuf,bufsize);
+- free(outbuf);
+ goto error;
+ }
+ if (sum.length != ctx->cksum_size)
+Index: src/lib/gssapi/mechglue/g_initialize.c
+===================================================================
+--- src/lib/gssapi/mechglue/g_initialize.c.orig
++++ src/lib/gssapi/mechglue/g_initialize.c
+@@ -208,7 +208,7 @@ gss_OID_set *mechSet;
+ free((*mechSet)->elements[j].elements);
+ }
+ free((*mechSet)->elements);
+- free(mechSet);
++ free(*mechSet);
+ *mechSet = NULL;
+ return (GSS_S_FAILURE);
+ }
diff --git a/krb5-1.6-fix-CVE-2007-5972.dif b/krb5-1.6-fix-CVE-2007-5972.dif
new file mode 100644
index 0000000..3eb8a44
--- /dev/null
+++ b/krb5-1.6-fix-CVE-2007-5972.dif
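Review bot: The added `gd->cname.length >= SIZE_MAX` test in svcauth_gss_get_principal() (krb5-1.6-fix-CVE-2007-5902.dif) rejects only the single value for which `gd->cname.length + 1` wraps, so every smaller length, presumably derived from the client's name, still goes straight into `malloc()`. If `cname.length` is a `size_t` (its declaration is not in the hunk) the wrap itself is closed, but a bound tied to the longest principal name the server accepts would also cap the allocation, e.g. `if (gd->cname.length == 0 || gd->cname.length > MAX_PRINCIPAL_LEN)` with `MAX_PRINCIPAL_LEN` standing in as a placeholder for whatever limit the project already defines. The patch uses `SIZE_MAX` without adding an include, so it is worth confirming that `<stdint.h>` or an equivalent is already pulled into svc_auth_gss.c on every supported platform.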
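Review bot: In the k5sealv3.c part of krb5-1.6-fix-CVE-2007-5971.dif, dropping `free(outbuf)` before `goto error` is only correct if the `error:` label releases `outbuf`, and that label lies outside the hunk; if it does not, the double free becomes a leak of a buffer that held token material. A one-line comment at the jump, `/* outbuf is freed at error: */`, would record the ownership rule so a later edit does not reintroduce the free. In g_initialize.c the change to `free(*mechSet)` is consistent with the following `*mechSet = NULL;`, and a short comment there that `mechSet` is the caller's out-parameter rather than a heap block would explain why the original call was wrong.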
@@ -0,0 +1,14 @@
+Index: src/lib/kdb/kdb_default.c
+===================================================================
+--- src/lib/kdb/kdb_default.c.orig
++++ src/lib/kdb/kdb_default.c
+@@ -185,8 +185,7 @@ krb5_def_store_mkey(context, keyfile, mn
+ kf) != key->length)) {
+ retval = errno;
+ (void) fclose(kf);
+- }
+- if (fclose(kf) == EOF)
++ } else if (fclose(kf) == EOF)
+ retval = errno;
+ #if HAVE_UMASK
+ (void) umask(oumask);
diff --git a/krb5-doc.spec b/krb5-doc.spec
index 49b5f5c..e6e58e9 100644
--- a/krb5-doc.spec
+++ b/krb5-doc.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package krb5-doc (Version 1.6.3)
 #
-# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
 # package are under the same license as the package itself.
 #
@@ -13,7 +13,7 @@
 Name: krb5-doc
 BuildRequires: ghostscript-library latex2html texlive
 Version: 1.6.3
-Release: 16
+Release: 30
 %define srcRoot krb5-1.6.3
 Summary: MIT Kerberos5 Implementation--Documentation
 License: X11/MIT
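Review bot: In krb5_def_store_mkey() (krb5-1.6-fix-CVE-2007-5972.dif) the failure branch kept by this patch does `retval = errno;` after a short write, and ISO C does not promise that `fwrite()` sets `errno`; if it is still 0 there, the function reports success although the key file was not fully written. Making that line `retval = errno ? errno : EIO;` (or a krb5 error code the project prefers) keeps the failure visible to the caller. The new `} else if (fclose(kf) == EOF)` also leaves the `else` body unbraced next to a braced `if`, so `retval = errno;` would read more safely inside braces. The function starts before the hunk and continues after it.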
@@ -90,41 +90,41 @@ rm -rf %{buildroot} %doc doc/html %changelog -* Tue Oct 23 2007 - mc@suse.de +* Tue Oct 23 2007 mc@suse.de - update to krb5 version 1.6.3 * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow * fix CVE-2007-4000 modify_policy vulnerability * Add PKINIT support - remove patches which are upstream now - enhance init scripts and xinetd profiles -* Thu Jul 12 2007 - mc@suse.de +* Thu Jul 12 2007 mc@suse.de - update to version 1.6.2 - remove krb5-1.6.1-post.dif all fixes are included in this release -* Wed Jun 13 2007 - sschober@suse.de +* Wed Jun 13 2007 sschober@suse.de - removed executable permission from doc file -* Mon Apr 23 2007 - mc@suse.de +* Mon Apr 23 2007 mc@suse.de - update to final 1.6.1 version - replace te_ams with texlive in BuildRequires -* Wed Apr 18 2007 - mc@suse.de +* Wed Apr 18 2007 mc@suse.de - build implementor.ps -* Mon Apr 16 2007 - mc@suse.de +* Mon Apr 16 2007 mc@suse.de - update to version 1.6.1 Beta1 - remove obsolete patches (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif) -* Mon Feb 19 2007 - mc@suse.de +* Mon Feb 19 2007 mc@suse.de - add krb5-1.6-post.dif -* Mon Jan 22 2007 - mc@suse.de +* Mon Jan 22 2007 mc@suse.de - update to version 1.6 * Major changes in 1.6 include * Partial client implementation to handle server name referrals. * Pre-authentication plug-in framework, donated by Red Hat. * LDAP KDB plug-in, donated by Novell. -* Thu Aug 24 2006 - mc@suse.de +* Thu Aug 24 2006 mc@suse.de - update to version 1.5.1 - remove obsolete patches which are now included upstream * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif * trunk-fix-uninitialized-vars.dif -* Mon Jul 03 2006 - mc@suse.de +* Mon Jul 03 2006 mc@suse.de - update to version 1.5 * KDB abstraction layer, donated by Novell. * plug-in architecture, allowing for extension modules to be 
@@ -134,34 +134,34 @@ rm -rf %{buildroot} * Simple and Protected GSS-API negotiation mechanism ("SPNEGO") implementation, donated by Sun Microsystems - remove obsolete patches and add some new -* Mon Mar 13 2006 - mc@suse.de +* Mon Mar 13 2006 mc@suse.de - set BuildArchitectures to noarch - set norootforbuild -* Wed Jan 25 2006 - mls@suse.de +* Wed Jan 25 2006 mls@suse.de - converted neededforbuild to BuildRequires -* Fri Nov 18 2005 - mc@suse.de +* Fri Nov 18 2005 mc@suse.de - update to version 1.4.3 - fix tex for kadm5 documentation (krb5-1.4.3-kadm5-tex.dif) -* Wed Oct 12 2005 - mc@suse.de +* Wed Oct 12 2005 mc@suse.de - build kadm5 documentation - build documentation also as html - include the text only documentation -* Tue Oct 11 2005 - mc@suse.de +* Tue Oct 11 2005 mc@suse.de - update to version 1.4.2 - remove some obsolet patches -* Mon Jun 27 2005 - mc@suse.de +* Mon Jun 27 2005 mc@suse.de - update to version 1.4.1 - remove obsolet patches - krb5-1.4-VUL-0-telnet.dif -* Thu Feb 10 2005 - ro@suse.de +* Thu Feb 10 2005 ro@suse.de - added libpng to neededforbuild (for tetex) -* Fri Feb 04 2005 - mc@suse.de +* Fri Feb 04 2005 mc@suse.de - remove spx.c from tarball because of legal risk - add README.Source which tell the user about this action. -* Fri Jan 28 2005 - mc@suse.de +* Fri Jan 28 2005 mc@suse.de - update to version 1.4 -* Mon Jan 10 2005 - mc@suse.de +* Mon Jan 10 2005 mc@suse.de - update to version 1.3.6 -* Tue Dec 14 2004 - mc@suse.de +* Tue Dec 14 2004 mc@suse.de - initial release diff --git a/krb5-plugins.spec b/krb5-plugins.spec index 6f5665e..33c6bd8 100644 --- a/krb5-plugins.spec +++ b/krb5-plugins.spec @@ -1,7 +1,7 @@ # # spec file for package krb5-plugins (Version 1.6.3) # -# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # 
@@ -13,7 +13,7 @@ Name: krb5-plugins Version: 1.6.3 -Release: 3 +Release: 4 BuildRequires: bison krb5-devel ncurses-devel openldap2-devel %define srcRoot krb5-1.6.3 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ @@ -48,6 +48,10 @@ Patch31: krb5-1.6-ldap-man.dif Patch32: krb5-1.4.3-enospc.dif Patch33: krb5-1.3.3-rcp-markus.dif Patch34: gssapi_improve_errormessages.dif +Patch35: krb5-1.6-fix-CVE-2007-5894.dif +Patch36: krb5-1.6-fix-CVE-2007-5902.dif +Patch37: krb5-1.6-fix-CVE-2007-5971.dif +Patch38: krb5-1.6-fix-CVE-2007-5972.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -134,6 +138,10 @@ fi %patch32 -p1 %patch33 -p1 %patch34 -p1 +%patch35 +%patch36 +%patch37 +%patch38 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c # Rename the man pages so that they'll get generated correctly. pushd src 
@@ -248,35 +256,35 @@ rm -rf %{buildroot} %{_libdir}/krb5/plugins/preauth/pkinit.so %changelog -* Tue Dec 04 2007 - mc@suse.de +* Tue Dec 04 2007 mc@suse.de - improve GSSAPI error messages -* Tue Oct 23 2007 - mc@suse.de +* Tue Oct 23 2007 mc@suse.de - update to krb5 version 1.6.3 * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow * fix CVE-2007-4000 modify_policy vulnerability * Add PKINIT support - remove patches which are upstream now - enhance init scripts and xinetd profiles -* Fri Sep 14 2007 - mc@suse.de +* Fri Sep 14 2007 mc@suse.de - update krb5-1.6.2-post.dif * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that that the client library will not failover to the next KDC. [#310540] -* Tue Sep 11 2007 - mc@suse.de +* Tue Sep 11 2007 mc@suse.de - update krb5-1.6.2-post.dif * new -S sname option for kvno * read_entropy_from_device on partial read will not fill buffer * Bail out if encoded "ticket" doesn't decode correctly. * patch for referrals loop -* Thu Sep 06 2007 - mc@suse.de +* Thu Sep 06 2007 mc@suse.de - fix a problem with the originally published patch for MITKRB5-SA-2007-006 - CVE-2007-3999 [#302377] -* Wed Sep 05 2007 - mc@suse.de +* Wed Sep 05 2007 mc@suse.de - fix execute arbitrary code (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000) [#302377] -* Tue Aug 07 2007 - mc@suse.de +* Tue Aug 07 2007 mc@suse.de - add krb5-1.6.2-post.dif * during the referrals loop, check to see if the session key enctype of a returned credential for the final 
@@ -286,10 +294,10 @@ rm -rf %{buildroot} the subsequent open(O_CREAT|O_EXCL) call fails because the file was already created by mkstemp(). Apply patch from Apple to keep the file descriptor open. -* Thu Jul 12 2007 - mc@suse.de +* Thu Jul 12 2007 mc@suse.de - update to version 1.6.2 - remove krb5-1.6.1-post.dif all fixes are included in this release -* Mon Jul 02 2007 - mc@suse.de +* Mon Jul 02 2007 mc@suse.de - update krb5-1.6.1-post.dif * fix leak in krb5_walk_realm_tree * rd_req_decoded needs to deal with referral realms @@ -299,22 +307,22 @@ rm -rf %{buildroot} * fix kadmind code execution bug (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443) [#271191] -* Wed May 09 2007 - mc@suse.de +* Wed May 09 2007 mc@suse.de - fix uninitialized salt length - add extra check for keytab file -* Thu May 03 2007 - mc@suse.de +* Thu May 03 2007 mc@suse.de - adding krb5-1.6.1-post.dif * fix segfault in krb5_get_init_creds_password * remove debug output in ftp client * profile stores empty string values without double quotes -* Mon Apr 23 2007 - mc@suse.de +* Mon Apr 23 2007 mc@suse.de - update to final 1.6.1 version -* Mon Apr 16 2007 - mc@suse.de +* Mon Apr 16 2007 mc@suse.de - update to version 1.6.1 Beta1 - remove obsolete patches (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif) - rework compile_pie patch -* Wed Apr 11 2007 - mc@suse.de +* Wed Apr 11 2007 mc@suse.de - update krb5-1.6-post.dif * fix kadmind stack overflow in krb5_klog_syslog (MITKRB5-SA-2007-002 - CVE-2007-0957) 
@@ -325,24 +333,24 @@ rm -rf %{buildroot} * fix krb5 telnetd login injection (MIT-SA-2007-001 - CVE-2007-0956) [#247765] -* Thu Mar 29 2007 - mc@suse.de +* Thu Mar 29 2007 mc@suse.de - add ncurses-devel and bison to BuildRequires - rework some patches -* Mon Feb 19 2007 - mc@suse.de +* Mon Feb 19 2007 mc@suse.de - update krb5-1.6-post.dif -* Fri Feb 09 2007 - mc@suse.de +* Fri Feb 09 2007 mc@suse.de - update krb5-1.6-post.dif -* Mon Jan 29 2007 - ro@suse.de +* Mon Jan 29 2007 ro@suse.de - no main package, no debuginfo -* Mon Jan 29 2007 - mc@suse.de +* Mon Jan 29 2007 mc@suse.de - krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif are now upstream. Remove patches. - fix leak in krb5_kt_resolve and krb5_kt_wresolve -* Tue Jan 23 2007 - mc@suse.de +* Tue Jan 23 2007 mc@suse.de - fix "local variable used before set" in ftp.c [#237684] - use less BuildRequires -* Mon Jan 22 2007 - mc@suse.de +* Mon Jan 22 2007 mc@suse.de - initial release (version 1.6) * Major changes in 1.6 include * Partial client implementation to handle server name referrals. diff --git a/krb5.changes b/krb5.changes index f17867e..1918697 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Fri Dec 14 10:48:52 CET 2007 - mc@suse.de + +- fix several security bugs: + * CVE-2007-5894 apparent uninit length + * CVE-2007-5902 integer overflow + * CVE-2007-5971 free of non-heap pointer and double-free + * CVE-2007-5972 double fclose() + [#346745, #346748, #346746, #346749, #346747] + ------------------------------------------------------------------- Tue Dec 4 16:36:07 CET 2007 - mc@suse.de diff --git a/krb5.spec b/krb5.spec index a1ec3c8..595de15 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -1,7 +1,7 @@ # # spec file for package krb5 (Version 1.6.3) # -# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # @@ -12,7 +12,7 @@ Name: krb5 Version: 1.6.3 -Release: 11 +Release: 20 BuildRequires: bison libcom_err-devel ncurses-devel %if %{suse_version} > 1010 BuildRequires: keyutils keyutils-devel @@ -52,6 +52,10 @@ Patch31: krb5-1.6-ldap-man.dif Patch32: krb5-1.4.3-enospc.dif Patch33: krb5-1.3.3-rcp-markus.dif Patch34: gssapi_improve_errormessages.dif +Patch35: krb5-1.6-fix-CVE-2007-5894.dif +Patch36: krb5-1.6-fix-CVE-2007-5902.dif +Patch37: krb5-1.6-fix-CVE-2007-5971.dif +Patch38: krb5-1.6-fix-CVE-2007-5972.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils @@ -206,6 +210,10 @@ fi %patch32 -p1 %patch33 -p1 %patch34 -p1 +%patch35 +%patch36 +%patch37 +%patch38 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c # Rename the man pages so that they'll get generated correctly. pushd src 
@@ -522,37 +530,44 @@ rm -rf %{buildroot} %{_mandir}/man1/krb5-config.1* %changelog -* Tue Dec 04 2007 - mc@suse.de +* Fri Dec 14 2007 mc@suse.de +- fix several security bugs: + * CVE-2007-5894 apparent uninit length + * CVE-2007-5902 integer overflow + * CVE-2007-5971 free of non-heap pointer and double-free + * CVE-2007-5972 double fclose() + [#346745, #346748, #346746, #346749, #346747] +* Tue Dec 04 2007 mc@suse.de - improve GSSAPI error messages -* Tue Nov 06 2007 - mc@suse.de +* Tue Nov 06 2007 mc@suse.de - add coreutils to PreReq -* Tue Oct 23 2007 - mc@suse.de +* Tue Oct 23 2007 mc@suse.de - update to krb5 version 1.6.3 * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow * fix CVE-2007-4000 modify_policy vulnerability * Add PKINIT support - remove patches which are upstream now - enhance init scripts and xinetd profiles -* Fri Sep 14 2007 - mc@suse.de +* Fri Sep 14 2007 mc@suse.de - update krb5-1.6.2-post.dif * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that that the client library will not failover to the next KDC. [#310540] -* Tue Sep 11 2007 - mc@suse.de +* Tue Sep 11 2007 mc@suse.de - update krb5-1.6.2-post.dif * new -S sname option for kvno * read_entropy_from_device on partial read will not fill buffer * Bail out if encoded "ticket" doesn't decode correctly. * patch for referrals loop -* Thu Sep 06 2007 - mc@suse.de +* Thu Sep 06 2007 mc@suse.de - fix a problem with the originally published patch for MITKRB5-SA-2007-006 - CVE-2007-3999 [#302377] -* Wed Sep 05 2007 - mc@suse.de +* Wed Sep 05 2007 mc@suse.de - fix execute arbitrary code (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000) [#302377] -* Tue Aug 07 2007 - mc@suse.de +* Tue Aug 07 2007 mc@suse.de - add krb5-1.6.2-post.dif * during the referrals loop, check to see if the session key enctype of a returned credential for the final 
@@ -562,12 +577,12 @@ rm -rf %{buildroot} the subsequent open(O_CREAT|O_EXCL) call fails because the file was already created by mkstemp(). Apply patch from Apple to keep the file descriptor open. -* Thu Jul 12 2007 - mc@suse.de +* Thu Jul 12 2007 mc@suse.de - update to version 1.6.2 - remove krb5-1.6.1-post.dif all fixes are included in this release -* Thu Jul 05 2007 - mc@suse.de +* Thu Jul 05 2007 mc@suse.de - change requires to libcom_err-devel -* Mon Jul 02 2007 - mc@suse.de +* Mon Jul 02 2007 mc@suse.de - update krb5-1.6.1-post.dif * fix leak in krb5_walk_realm_tree * rd_req_decoded needs to deal with referral realms @@ -577,9 +592,9 @@ rm -rf %{buildroot} * fix kadmind code execution bug (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443) [#271191] -* Thu Jun 14 2007 - mc@suse.de +* Thu Jun 14 2007 mc@suse.de - fix unstripped-binary-or-object rpmlint warning -* Mon Jun 11 2007 - sschober@suse.de +* Mon Jun 11 2007 sschober@suse.de - fixing rpmlint warnings and errors: * merged logrotate scripts kadmin and krb5kdc into a single file krb5-server. 
@@ -591,24 +606,24 @@ rm -rf %{buildroot} (see [#147912]). * set default runlevel of init scripts in chkconfig line to 3 and 5 -* Wed May 09 2007 - mc@suse.de +* Wed May 09 2007 mc@suse.de - fix uninitialized salt length - add extra check for keytab file -* Thu May 03 2007 - mc@suse.de +* Thu May 03 2007 mc@suse.de - adding krb5-1.6.1-post.dif * fix segfault in krb5_get_init_creds_password * remove debug output in ftp client * profile stores empty string values without double quotes -* Mon Apr 23 2007 - mc@suse.de +* Mon Apr 23 2007 mc@suse.de - update to final 1.6.1 version -* Wed Apr 18 2007 - mc@suse.de +* Wed Apr 18 2007 mc@suse.de - add plugin directories to main package -* Mon Apr 16 2007 - mc@suse.de +* Mon Apr 16 2007 mc@suse.de - update to version 1.6.1 Beta1 - remove obsolete patches (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif) - rework compile_pie patch -* Wed Apr 11 2007 - mc@suse.de +* Wed Apr 11 2007 mc@suse.de - update krb5-1.6-post.dif * fix kadmind stack overflow in krb5_klog_syslog (MITKRB5-SA-2007-002 - CVE-2007-0957) 
@@ -619,36 +634,36 @@ rm -rf %{buildroot} * fix krb5 telnetd login injection (MIT-SA-2007-001 - CVE-2007-0956) [#247765] -* Thu Mar 29 2007 - mc@suse.de +* Thu Mar 29 2007 mc@suse.de - add ncurses-devel and bison to BuildRequires - rework some patches -* Mon Mar 05 2007 - mc@suse.de +* Mon Mar 05 2007 mc@suse.de - move SuSEFirewall service definitions to /etc/sysconfig/SuSEfirewall2.d/services -* Thu Feb 22 2007 - mc@suse.de +* Thu Feb 22 2007 mc@suse.de - add firewall definition to krb5-server, FATE #300687 -* Mon Feb 19 2007 - mc@suse.de +* Mon Feb 19 2007 mc@suse.de - update krb5-1.6-post.dif - move some applications into the right package -* Fri Feb 09 2007 - mc@suse.de +* Fri Feb 09 2007 mc@suse.de - update krb5-1.6-post.dif -* Mon Jan 29 2007 - mc@suse.de +* Mon Jan 29 2007 mc@suse.de - krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif are now upstream. Remove patches. - fix leak in krb5_kt_resolve and krb5_kt_wresolve -* Tue Jan 23 2007 - mc@suse.de +* Tue Jan 23 2007 mc@suse.de - fix "local variable used before set" in ftp.c [#237684] -* Mon Jan 22 2007 - mc@suse.de +* Mon Jan 22 2007 mc@suse.de - krb5-devel should require keyutils-devel -* Mon Jan 22 2007 - mc@suse.de +* Mon Jan 22 2007 mc@suse.de - update to version 1.6 * Major changes in 1.6 include * Partial client implementation to handle server name referrals. * Pre-authentication plug-in framework, donated by Red Hat. * LDAP KDB plug-in, donated by Novell. - remove obsolete patches -* Wed Jan 10 2007 - mc@suse.de +* Wed Jan 10 2007 mc@suse.de - fix for kadmind (via RPC library) calls uninitialized function pointer (CVE-2006-6143)(Bug #225990) 
@@ -657,32 +672,32 @@ rm -rf %{buildroot} kadmind (via GSS-API mechglue) frees uninitialized pointers (CVE-2006-6144)(Bug #225992) krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif -* Tue Jan 02 2007 - mc@suse.de +* Tue Jan 02 2007 mc@suse.de - Fix Requires in krb5-devel [Bug #231008] -* Mon Nov 06 2006 - mc@suse.de +* Mon Nov 06 2006 mc@suse.de - fix "local variable used before set" [#217692] - fix strncat warning -* Fri Oct 27 2006 - mc@suse.de +* Fri Oct 27 2006 mc@suse.de - add a default kadm5.dict file - require $network on daemon start -* Wed Sep 13 2006 - mc@suse.de +* Wed Sep 13 2006 mc@suse.de - fix function call with too few arguments [#203837] -* Thu Aug 24 2006 - mc@suse.de +* Thu Aug 24 2006 mc@suse.de - update to version 1.5.1 - remove obsolete patches which are now included upstream * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif * trunk-fix-uninitialized-vars.dif -* Fri Aug 11 2006 - mc@suse.de +* Fri Aug 11 2006 mc@suse.de - krb5 setuid return check fixes krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif [#182351] -* Mon Aug 07 2006 - mc@suse.de +* Mon Aug 07 2006 mc@suse.de - remove update-messages -* Mon Jul 24 2006 - mc@suse.de +* Mon Jul 24 2006 mc@suse.de - add check for krb5_prop in services to kpropd init script. [#192446] -* Mon Jul 03 2006 - mc@suse.de +* Mon Jul 03 2006 mc@suse.de - update to version 1.5 * KDB abstraction layer, donated by Novell. * plug-in architecture, allowing for extension modules to be 
@@ -692,104 +707,104 @@ rm -rf %{buildroot} * Simple and Protected GSS-API negotiation mechanism ("SPNEGO") implementation, donated by Sun Microsystems - remove obsolete patches and add some new -* Fri May 26 2006 - ro@suse.de +* Fri May 26 2006 ro@suse.de - libcom is not in e2fsck-devel but in its own package now, change Requires accordingly. -* Mon Mar 27 2006 - mc@suse.de +* Mon Mar 27 2006 mc@suse.de - add all daemons to %%stop_on_removal and %%restart_on_update - add reload to kpropd init script - add force-reload to all init scripts -* Mon Mar 13 2006 - mc@suse.de +* Mon Mar 13 2006 mc@suse.de - add libgssapi_krb5.so link to main package [#147912] -* Fri Feb 03 2006 - mc@suse.de +* Fri Feb 03 2006 mc@suse.de - fix logging section for kadmind in convert script -* Wed Jan 25 2006 - mls@suse.de +* Wed Jan 25 2006 mls@suse.de - converted neededforbuild to BuildRequires -* Fri Jan 13 2006 - mc@suse.de +* Fri Jan 13 2006 mc@suse.de - change the logging defaults -* Wed Jan 11 2006 - mc@suse.de +* Wed Jan 11 2006 mc@suse.de - add tools and README for heimdal => MIT update -* Mon Jan 09 2006 - mc@suse.de +* Mon Jan 09 2006 mc@suse.de - fix build problems, define _GNU_SOURCE (krb5-1.4.3-set_gnu_source.dif ) -* Tue Jan 03 2006 - mc@suse.de +* Tue Jan 03 2006 mc@suse.de - added "make %%{?jobs:-j%%jobs}" -* Fri Nov 18 2005 - mc@suse.de +* Fri Nov 18 2005 mc@suse.de - update to version 1.4.3 * some memmory leaks fixed * fix for "AS_REP padata has wrong enctype" * fix for "AS_REP padata missing PA-ETYPE-INFO" * ... 
and more -* Wed Nov 02 2005 - dmueller@suse.de +* Wed Nov 02 2005 dmueller@suse.de - don't build as root -* Tue Oct 11 2005 - mc@suse.de +* Tue Oct 11 2005 mc@suse.de - update to version 1.4.2 - remove some obsolet patches -* Mon Aug 08 2005 - mc@suse.de +* Mon Aug 08 2005 mc@suse.de - build with --disable-static -* Thu Aug 04 2005 - ro@suse.de +* Thu Aug 04 2005 ro@suse.de - remove devel-static subpackage -* Thu Jun 30 2005 - mc@suse.de +* Thu Jun 30 2005 mc@suse.de - better patch for princ_comp problem -* Mon Jun 27 2005 - mc@suse.de +* Mon Jun 27 2005 mc@suse.de - update to version 1.4.1 - remove obsolet patches - krb5-1.4-gcc4.dif - krb5-1.4-reduce-namespace-polution.dif - krb5-1.4-VUL-0-telnet.dif -* Thu Jun 23 2005 - mc@suse.de +* Thu Jun 23 2005 mc@suse.de - fixed krb5 KDC heap corruption by random free [#80574, CAN-2005-1174, MITKRB5-SA-2005-002] - fixed krb5 double free() [#86768, CAN-2005-1689, MITKRB5-SA-2005-003] - fix krb5 NULL pointer reference while comparing principals [#91600] -* Fri Jun 17 2005 - mc@suse.de +* Fri Jun 17 2005 mc@suse.de - fix uninitialized variables - compile with -fPIE/ link with -pie -* Wed Apr 20 2005 - mc@suse.de +* Wed Apr 20 2005 mc@suse.de - fixed wrong xinetd files [#77149] -* Fri Apr 08 2005 - mt@suse.de +* Fri Apr 08 2005 mt@suse.de - removed krb5-1.4-fix-error_tables.dif patch obsoleted by libcom_err locking patches -* Thu Apr 07 2005 - mc@suse.de +* Thu Apr 07 2005 mc@suse.de - fixed missing descriptions in init files [#76164, #76165, #76166, #76169] -* Wed Mar 30 2005 - mc@suse.de +* Wed Mar 30 2005 mc@suse.de - enhance $PATH via /etc/profile.d/ [#74018] - remove the "links to important programs" -* Fri Mar 18 2005 - mc@suse.de +* Fri Mar 18 2005 mc@suse.de - fixed not running converter script [#72854] -* Thu Mar 17 2005 - mc@suse.de +* Thu Mar 17 2005 mc@suse.de - Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer Overflow - Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer Overflow 
[#73618] -* Wed Mar 16 2005 - mc@suse.de +* Wed Mar 16 2005 mc@suse.de - fixed wrong PreReqs [#73020] -* Tue Mar 15 2005 - mc@suse.de +* Tue Mar 15 2005 mc@suse.de - add a simple krb5.conf converter [#72854] -* Mon Mar 14 2005 - mc@suse.de +* Mon Mar 14 2005 mc@suse.de - fixed: rckrb5kdc restart gives wrong status with non-running service [#72446] -* Thu Mar 10 2005 - mc@suse.de +* Thu Mar 10 2005 mc@suse.de - add requires: e2fsprogs-devel to krb5-devel package [#71732] -* Fri Feb 25 2005 - mc@suse.de +* Fri Feb 25 2005 mc@suse.de - fix double free [#66534] krb5-1.4-fix-error_tables.dif -* Fri Feb 11 2005 - mc@suse.de +* Fri Feb 11 2005 mc@suse.de - change mode for shared libraries to 755 -* Fri Feb 04 2005 - mc@suse.de +* Fri Feb 04 2005 mc@suse.de - remove spx.c from tarball because of legal risk - add README.Source which tell the user about this action. - add a check for spx.c in the spec-file - use rich-text for update-messages [#50250] -* Tue Feb 01 2005 - mc@suse.de +* Tue Feb 01 2005 mc@suse.de - add krb5-1.4-reduce-namespace-polution.dif reduce namespace polution in gssapi.h [#50356] -* Fri Jan 28 2005 - mc@suse.de +* Fri Jan 28 2005 mc@suse.de - update to version 1.4 - Add implementation of the RPCSEC_GSS authentication flavor to the RPC library. 
@@ -803,37 +818,37 @@ rm -rf %{buildroot} - Incorporate gss_krb5_set_allowable_enctypes() and gss_krb5_export_lucid_sec_context(), which are needed for NFSv4. - remove obsolet patches -* Mon Jan 17 2005 - mc@suse.de +* Mon Jan 17 2005 mc@suse.de - add proofreaded update-messages -* Fri Jan 14 2005 - mc@suse.de +* Fri Jan 14 2005 mc@suse.de - remove Conflicts: and add Provides: - add some insserv stuff -* Thu Jan 13 2005 - mc@suse.de +* Thu Jan 13 2005 mc@suse.de - move vendor files to vendor-files.tar.bz2 - add obsoletes: heimdal - add %%pre and %%post sections to detect update from heimdal and backup invalid configuration files - add update-messages for heimdal update -* Mon Jan 10 2005 - mc@suse.de +* Mon Jan 10 2005 mc@suse.de - update to version 1.3.6 - fix for: heap buffer overflow in libkadm5srv [CAN-2004-1189 / MITKRB5-SA-2004-004] -* Tue Dec 14 2004 - mc@suse.de +* Tue Dec 14 2004 mc@suse.de - build doc subpackage in an own specfile - removed unnecessary neededforbuild requirements -* Wed Nov 24 2004 - coolo@suse.de +* Wed Nov 24 2004 coolo@suse.de - fix build with gcc 4 -* Mon Nov 15 2004 - mc@suse.de +* Mon Nov 15 2004 mc@suse.de - added Conflicts with heimdal* - rename some manpages to avoid conflicts -* Thu Nov 04 2004 - mc@suse.de +* Thu Nov 04 2004 mc@suse.de - new init scripts - fix logrotate scripts - add some 64Bit fixes - add default krb5.conf, kdc.conf and kadm5.acl -* Wed Nov 03 2004 - mc@suse.de +* Wed Nov 03 2004 mc@suse.de - add e2fsprogs to NFB - use system-et and system-ss - fix includes of com_err.h -* Thu Oct 28 2004 - mc@suse.de +* Thu Oct 28 2004 mc@suse.de - Initital checkin