From 40f0f666d99718452d31ce74676fb0c75c8564d8cbc8ba4178d36255b03c5b48 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Thu, 2 Jun 2022 08:10:43 +0000 Subject: [PATCH] Accepting request 980314 from home:scabrero:branches:network Align krb5-mini changelog and remove a couple of trailing white spaces OBS-URL: https://build.opensuse.org/request/show/980314 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=260 --- krb5-mini.changes | 36 ++++++++++++++++++++++++++++++++++++ krb5.changes | 2 +- 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/krb5-mini.changes b/krb5-mini.changes index 9fd9da3..935783d 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,3 +1,39 @@ +------------------------------------------------------------------- +Sun May 29 19:14:02 UTC 2022 - Dirk Müller + +- update to 1.20.0: + * Added a "disable_pac" realm relation to suppress adding PAC authdata + to tickets, for realms which do not need to support S4U requests. + * Most credential cache types will use atomic replacement when a cache + is reinitialized using kinit or refreshed from the client keytab. + * kprop can now propagate databases with a dump size larger than 4GB, + if both the client and server are upgraded. + * kprop can now work over NATs that change the destination IP address, + if the client is upgraded. + * Updated the KDB interface. The sign_authdata() method is replaced + with the issue_pac() method, allowing KDB modules to add logon info + and other buffers to the PAC issued by the KDC. + * Host-based initiator names are better supported in the GSS krb5 + mechanism. + * Replaced AD-SIGNEDPATH authdata with minimal PACs. + * To avoid spurious replay errors, password change requests will not + be attempted over UDP until the attempt over TCP fails. + * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1. + * Updated all code using OpenSSL to be compatible with OpenSSL 3. + * Reorganized the libk5crypto build system to allow the OpenSSL + back-end to pull in material from the builtin back-end depending on + the OpenSSL version. + * Simplified the PRNG logic to always use the platform PRNG. + * Converted the remaining Tcl tests to Python. + +------------------------------------------------------------------- +Sat Apr 9 11:31:42 UTC 2022 - Dirk Müller + +- update to 1.19.3 (bsc#1189929, CVE-2021-37750): + * Fix a denial of service attack against the KDC [CVE-2021-37750]. + * Fix KDC null deref on TGS inner body null server + * Fix conformance issue in GSSAPI tests + ------------------------------------------------------------------- Thu Jan 27 22:21:52 UTC 2022 - David Mulder diff --git a/krb5.changes b/krb5.changes index c53303e..dfd868e 100644 --- a/krb5.changes +++ b/krb5.changes @@ -24,7 +24,7 @@ Sun May 29 19:14:02 UTC 2022 - Dirk Müller back-end to pull in material from the builtin back-end depending on the OpenSSL version. * Simplified the PRNG logic to always use the platform PRNG. - * Converted the remaining Tcl tests to Python. + * Converted the remaining Tcl tests to Python. ------------------------------------------------------------------- Sat Apr 9 11:31:42 UTC 2022 - Dirk Müller