diff --git a/krb5-doc.spec b/krb5-doc.spec index 2383244..4c635b1 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec @@ -14,7 +14,7 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive Version: 1.6.3 -Release: 63 +Release: 77 %define srcRoot krb5-1.6.3 Summary: MIT Kerberos5 Implementation--Documentation License: X11/MIT diff --git a/krb5-plugins.spec b/krb5-plugins.spec index 087f29e..e4d8c9d 100644 --- a/krb5-plugins.spec +++ b/krb5-plugins.spec @@ -14,7 +14,7 @@ Name: krb5-plugins Version: 1.6.3 -Release: 7 +Release: 8 BuildRequires: bison krb5-devel ncurses-devel openldap2-devel %define srcRoot krb5-1.6.3 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ @@ -55,6 +55,8 @@ Patch37: krb5-1.6-fix-CVE-2007-5971.dif Patch38: krb5-1.6-fix-CVE-2007-5972.dif Patch39: krb5-1.6-MITKRB5-SA-2008-001.dif Patch40: krb5-1.6-MITKRB5-SA-2008-002.dif +Patch41: krb5-trunk-kpasswd_tcp.patch +Patch42: krb5-trunk-seqnum.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -148,6 +150,8 @@ fi %patch38 %patch39 -p1 %patch40 +%patch41 +%patch42 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c # Rename the man pages so that they'll get generated correctly. pushd src diff --git a/krb5-trunk-kpasswd_tcp.patch b/krb5-trunk-kpasswd_tcp.patch new file mode 100644 index 0000000..47c6df8 --- /dev/null +++ b/krb5-trunk-kpasswd_tcp.patch 
@@ -0,0 +1,35 @@ +Fall back to TCP on kdc-unresolvable/unreachable errors. We still have +to wait for UDP to fail, so this might not be ideal. RT #5868. + +Index: src/lib/krb5/os/changepw.c +=================================================================== +--- src/lib/krb5/os/changepw.c (revision 20199) ++++ src/lib/krb5/os/changepw.c (working copy) +@@ -251,11 +251,22 @@ + NULL, + NULL + ))) { +- +- /* +- * Here we may want to switch to TCP on some errors. +- * right? +- */ ++ /* if we're not using a stream socket, and it's an error which ++ * might reasonably be specific to a datagram "connection", try ++ * again with a stream socket */ ++ if (!useTcp) { ++ switch (code) { ++ case KRB5_KDC_UNREACH: ++ case KRB5_REALM_CANT_RESOLVE: ++ case KRB5KRB_ERR_RESPONSE_TOO_BIG: ++ /* should we do this for more result codes than these? */ ++ krb5int_free_addrlist (&al); ++ useTcp = 1; ++ continue; ++ default: ++ break; ++ } ++ } + break; + } + diff --git a/krb5-trunk-seqnum.patch b/krb5-trunk-seqnum.patch new file mode 100644 index 0000000..31a7121 --- /dev/null +++ b/krb5-trunk-seqnum.patch 
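Review bot: The added `/* should we do this for more result codes than these? */` leaves an open question in the fallback path instead of recording why exactly these three errors justify a second pass; replace it with the rationale, e.g. `/* UDP-specific failures: the realm may only publish TCP kpasswd endpoints, or the KDC told us the reply will not fit in a datagram, so retry once over a stream socket */`. Note that `continue` here leaves the `switch` and jumps to the condition of the enclosing `do { ... } while` loop, which lies outside this hunk, so whether the TCP pass actually runs depends on that condition; the `if (!useTcp)` guard together with `useTcp = 1` does bound the fallback to a single extra pass. As the patch preamble itself says, KRB5_KDC_UNREACH is only seen after the UDP attempts have failed, so on networks where UDP is filtered a password change now takes the full UDP timeout before the TCP attempt rather than failing fast — worth a sentence in the comment so the delay is not mistaken for a hang. It is also not visible here whether the `cleanup` label frees `al` if the second `krb5_locate_kpasswd` call fails after this `krb5int_free_addrlist(&al)`; that code is outside the hunk and should be checked.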
@@ -0,0 +1,49 @@ +Every KRB-PRIV message we generate to include as part of a password change +request we create (after the first one) will include sequence numbers which +look "wrong" to the recipient, because previously generating other KRB-PRIV +messages will mess with the counters in the auth_context. Because the +current code attempts to reuse auth_context structures (and changing that +would be more invasive), we'll just save the sequence number values as they +are after we build the AP-REQ, and restore them before generating requests. +RT#5867. + +Index: src/lib/krb5/os/changepw.c +=================================================================== +--- src/lib/krb5/os/changepw.c (revision 20195) ++++ src/lib/krb5/os/changepw.c (working copy) +@@ -34,6 +34,7 @@ + #include "k5-int.h" + #include "os-proto.h" + #include "cm.h" ++#include "../krb/auth_con.h" + + #include + #include +@@ -48,6 +49,7 @@ + krb5_principal set_password_for; + char *newpw; + krb5_data ap_req; ++ krb5_ui_4 remote_seq_num, local_seq_num; + }; + + +@@ -159,6 +161,9 @@ + &local_kaddr, NULL))) + goto cleanup; + ++ ctx->auth_context->remote_seq_number = ctx->remote_seq_num; ++ ctx->auth_context->local_seq_number = ctx->local_seq_num; ++ + if (ctx->set_password_for) + code = krb5int_mk_setpw_req(ctx->context, + ctx->auth_context, +@@ -225,6 +230,9 @@ + &callback_ctx.ap_req))) + goto cleanup; + ++ callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number; ++ callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number; ++ + do { + if ((code = krb5_locate_kpasswd(callback_ctx.context, + krb5_princ_realm(callback_ctx.context, diff --git a/krb5.changes b/krb5.changes index 5d5aa62..f363db1 100644 --- a/krb5.changes +++ b/krb5.changes 
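Review bot: The restore of `remote_seq_number`/`local_seq_number` before `krb5int_mk_setpw_req` carries no comment, so the reason for rewinding counters that the preamble says earlier KRB-PRIV generation "messes with" is only recoverable from the patch description; add `/* Rewind to the values recorded right after the AP-REQ was built: each retry re-sends that same cached AP-REQ, so its KRB-PRIV must carry the sequence number the AP-REQ established, not one advanced by earlier attempts. */` above the two assignments. Rewinding the remote counter as well means a delayed reply to an earlier attempt is indistinguishable from the reply to the retry; that is consistent with re-sending an identical request, but stating it in the comment prevents someone later "fixing" it into a replay check that breaks retries. Reaching into the structure via `#include "../krb/auth_con.h"` couples os/changepw.c to a private header of lib/krb5/krb; if the public `krb5_auth_con_getlocalseqnumber`/`krb5_auth_con_getremoteseqnumber` accessors are available in this tree they could replace the two reads at the save site, leaving only the two writes dependent on the struct layout. Both enclosing functions (the send callback and the request builder around the `do` loop) start and end outside this hunk.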
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed May 14 17:44:59 CEST 2008 - mc@suse.de + +- Fall back to TCP on kdc-unresolvable/unreachable errors. +- restore valid sequence number before generating requests + (fix changing passwords in mixed ipv4/ipv6 enviroments) + ------------------------------------------------------------------- Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de diff --git a/krb5.spec b/krb5.spec index 71f0183..0279d5c 100644 --- a/krb5.spec +++ b/krb5.spec @@ -13,7 +13,7 @@ Name: krb5 Version: 1.6.3 -Release: 40 +Release: 47 BuildRequires: bison libcom_err-devel ncurses-devel %if %{suse_version} > 1010 BuildRequires: keyutils keyutils-devel @@ -59,6 +59,8 @@ Patch37: krb5-1.6-fix-CVE-2007-5971.dif Patch38: krb5-1.6-fix-CVE-2007-5972.dif Patch39: krb5-1.6-MITKRB5-SA-2008-001.dif Patch40: krb5-1.6-MITKRB5-SA-2008-002.dif +Patch41: krb5-trunk-kpasswd_tcp.patch +Patch42: krb5-trunk-seqnum.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils @@ -224,6 +226,8 @@ fi %patch38 %patch39 -p1 %patch40 +%patch41 +%patch42 cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c # Rename the man pages so that they'll get generated correctly. pushd src @@ -542,6 +546,10 @@ rm -rf %{buildroot} %{_mandir}/man1/krb5-config.1* %changelog +* Wed May 14 2008 mc@suse.de +- Fall back to TCP on kdc-unresolvable/unreachable errors. +- restore valid sequence number before generating requests + (fix changing passwords in mixed ipv4/ipv6 enviroments) * Thu Apr 10 2008 ro@suse.de - added baselibs.conf file to build xxbit packages for multilib support