Accepting request 352796 from home:stroeder:branches:network

update to 1.14, successfully tested on Tumbleweed x86_64 
1. purely as client for MS AD and
2. as KDC with LDAP backend

OBS-URL: https://build.opensuse.org/request/show/352796
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=154

krb5-1.13.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5d4af08ead9b7a1e9493cfd65e821234f151a46736e1ce586f886c8a8e65fabe
-size 12133347

krb5-1.13.3.tar.gz.asc

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQGcBAABAgAGBQJWYePPAAoJEKMvF/0AVcMFExYMAIJ4l6N0p00Gsh2smjTCrGcr
-4ZemT6ovZW1bYhqKjnfeN1Csg0OEUKHUN20NRUuLhqOfDSU9UxJHXJ8azLTjopQr
-yqe5teby2ki+cOcfcYbDUkRmLaG9wkrDiTIPV9SIObJCwuQfEhB4MMAw6hhMzLWZ
-ENKqsGOxXrCCuDlcmHYgc7kRV2oa7ko72Lti70PpM3/mENGUHURz9tu/c8cratv8
-cJYLQibi7w1lA8qg2tKjqzwXJTLRfxm44cUOBWmD3Ph3XtfME7qmo56tYiiD2LIB
-LiYBjipxWwK5LCTYb+2v1WMUcRamZ1J2JhzkNAwetocduuM3DRLCFcFlgTZS39n4
-AqIX7vmpbHljFY8IJ0UBfYTuR9+McfkXSKZN+QiQKr0BMNJbFPhjonSWkotXS39S
-zyX2jDzBj5zXaBQ0aTL4w82XqIalIDWR9NXOPWggfSRcxMSiMSywl19eBAXk5Qfm
-VGCb4CRB7CKBIsQbq2El5c2gTJP/lh/fnOqRfsvQXA==
-=UvFL
------END PGP SIGNATURE-----

krb5-1.14.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cedb07fad8331e3ff2983d26e977a2ddba622f379c2b19bfea85bd695930f9e9
+size 12255176

krb5-1.14.tar.gz.asc

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJWT4hUAAoJEKMvF/0AVcMFE44L/iuBH47TzpEn9RudgxMvxp7L
+rREaBF/sIdMg0I8aUONtxw7nvh091s8SXus8UZiRYqPO+trB2pB52P1iQ4G9TBPX
+IOkAEtxu/Sojfp2BxRd6NCBw+n90axNQDWogSN8U6XmK1szpiQz2KdaxfNTv5Lzm
+Jtx/6p39DM7M72gkrFl8ZDEi2xKqyA1+fcCti3Q/Wdwx73HqWctHYNcjUtJH5bvN
+GlTQq1PynPoHf8LqxVz6jquhuBgb2d2z8Q4hhQKlJF8x131vppeiWuDv3ExkcWKP
+cvssUz8C1Ty7LF0ax0fwzQo22yEeTIHayvpbVidSiW8RUGUEiMzhaHcD3BTsQ5WF
+X+l+xKqvZniB9Vs6KtbP4ErM6Rj+tNQJy8iMzEyDFTIuEFjK0497XGgBIp9FpgOl
+6Rh9EXY66GUuU5FTnmGpmm3HxnhYWFDdj/vxj8DKTr5EmxAoc4j0fUp/ze4ZMZ02
+P14WS5B4DSfqZO+vaOKHmtmZH0J/ZS/8x7JIuz4cQA==
+=xlir
+-----END PGP SIGNATURE-----

krb5-mini.changes

@@ -1,7 +1,124 @@
+-------------------------------------------------------------------
+Tue Dec  8 20:40:26 UTC 2015 - michael@stroeder.com
+
+- Update to 1.14
+- dropped krb5-kvno-230379.patch
+- added krbdev.mit.edu-8301.patch fixing wrong function call
+
+Major changes in 1.14 (2015-11-20)
+==================================
+
+Administrator experience:
+
+* Add a new kdb5_util tabdump command to provide reporting-friendly
+  tabular dump formats (tab-separated or CSV) for the KDC database.
+  Unlike the normal dump format, each output table has a fixed number
+  of fields.  Some tables include human-readable forms of data that
+  are opaque in ordinary dump files.  This format is also suitable for
+  importing into relational databases for complex queries.
+* Add support to kadmin and kadmin.local for specifying a single
+  command line following any global options, where the command
+  arguments are split by the shell--for example, "kadmin getprinc
+  principalname".  Commands issued this way do not prompt for
+  confirmation or display warning messages, and exit with non-zero
+  status if the operation fails.
+* Accept the same principal flag names in kadmin as we do for the
+  default_principal_flags kdc.conf variable, and vice versa.  Also
+  accept flag specifiers in the form that kadmin prints, as well as
+  hexadecimal numbers.
+* Remove the triple-DES and RC4 encryption types from the default
+  value of supported_enctypes, which determines the default key and
+  salt types for new password-derived keys.  By default, keys will
+  only created only for AES128 and AES256.  This mitigates some types
+  of password guessing attacks.
+* Add support for directory names in the KRB5_CONFIG and
+  KRB5_KDC_PROFILE environment variables.
+* Add support for authentication indicators, which are ticket
+  annotations to indicate the strength of the initial authentication.
+  Add support for the "require_auth" string attribute, which can be
+  set on server principal entries to require an indicator when
+  authenticating to the server.
+* Add support for key version numbers larger than 255 in keytab files,
+  and for version numbers up to 65535 in KDC databases.
+* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
+  during pre-authentication, corresponding to the client's most
+  preferred encryption type.
+* Add support for server name identification (SNI) when proxying KDC
+  requests over HTTPS.
+* Add support for the err_fmt profile parameter, which can be used to
+  generate custom-formatted error messages.
+
+Code quality:
+
+* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+  could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+  [CVE-2015-2698]
+* Fix build_principal memory bug that could cause a KDC
+  crash. [CVE-2015-2697]
+
+Developer experience:
+
+* Change gss_acquire_cred_with_password() to acquire credentials into
+  a private memory credential cache.  Applications can use
+  gss_store_cred() to make the resulting credentials visible to other
+  processes.
+* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
+  IAKERB or for non-standard variants of the krb5 mechanism OID unless
+  explicitly requested.  (SPNEGO will still accept the Microsoft
+  variant of the krb5 mechanism OID during negotiation.)
+* Change gss_accept_sec_context() not to accept tokens for IAKERB or
+  for non-standard variants of the krb5 mechanism OID unless an
+  acceptor credential is acquired for those mechanisms.
+* Change gss_acquire_cred() to immediately resolve credentials if the
+  time_rec parameter is not NULL, so that a correct expiration time
+  can be returned.  Normally credential resolution is delayed until
+  the target name is known.
+* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
+  which can be used by plugin modules or applications to add prefixes
+  to existing detailed error messages.
+* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
+  implement the RFC 6113 PRF+ operation and key derivation using PRF+.
+* Add support for pre-authentication mechanisms which use multiple
+  round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
+  code.  Add get_cookie() and set_cookie() callbacks to the kdcpreauth
+  interface; these callbacks can be used to save marshalled state
+  information in an encrypted cookie for the next request.
+* Add a client_key() callback to the kdcpreauth interface to retrieve
+  the chosen client key, corresponding to the ETYPE-INFO2 entry sent
+  by the KDC.
+* Add an add_auth_indicator() callback to the kdcpreauth interface,
+  allowing pre-authentication modules to assert authentication
+  indicators.
+* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
+  suppress sending the confidentiality and integrity flags in GSS
+  initiator tokens unless they are requested by the caller.  These
+  flags control the negotiated SASL security layer for the Microsoft
+  GSS-SPNEGO SASL mechanism.
+* Make the FILE credential cache implementation less prone to
+  corruption issues in multi-threaded programs, especially on
+  platforms with support for open file description locks.
+
+Performance:
+
+* On slave KDCs, poll the master KDC immediately after processing a
+  full resync, and do not require two full resyncs after the master
+  KDC's log file is reset.
+
+User experience:
+
+* Make gss_accept_sec_context() accept tickets near their expiration
+  but within clock skew tolerances, rather than rejecting them
+  immediately after the server's view of the ticket expiration time.
+
 -------------------------------------------------------------------
 Mon Dec  7 08:04:45 UTC 2015 - michael@stroeder.com
 
-- Udapte to 1.13.3
+- Update to 1.13.3
+- removed patches for security fixes now in upstream source:
+  0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+  0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+  0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+  0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
 
 Major changes in 1.13.3 (2015-12-04)
 ====================================
@@ -19,10 +136,28 @@ krb5-1.14 release series or later.
   krb5-1.10 or earlier.
 
 -------------------------------------------------------------------
-Mon Jun  1 07:38:15 UTC 2015 - hguo@suse.com
+Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com
+
+- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+  to fix a memory corruption regression introduced by resolution of
+  CVE-2015-2698. bsc#954204
+
+-------------------------------------------------------------------
+Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com
+
+- Make kadmin.local man page available without having to install krb5-client. bsc#948011
+- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+  to fix build_principal memory bug [CVE-2015-2697] bsc#952190
+- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+  to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
+- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+  to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
+
+-------------------------------------------------------------------
+Mon Jun  1 07:31:52 UTC 2015 - hguo@suse.com
 
 - Let server depend on libev (module of libverto). This was the
-  embedded implementation before the seperation of libverto from krb.
+  preferred implementation before the seperation of libverto from krb.
 
 -------------------------------------------------------------------
 Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org

krb5-mini.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package krb5-mini
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 %define build_mini 1
-%define srcRoot krb5-1.13.3
+%define srcRoot krb5-1.14
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir  %{_defaultdocdir}/krb5
 
@@ -30,7 +30,7 @@ BuildRequires:  keyutils-devel
 BuildRequires:  libcom_err-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  ncurses-devel
-Version:        1.13.3
+Version:        1.14
 Release:        0
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
@@ -82,7 +82,8 @@ Patch8:         krb5-1.12-api.patch
 Patch11:        krb5-1.12-ksu-path.patch
 Patch12:        krb5-1.12-selinux-label.patch
 Patch13:        krb5-1.9-debuginfo.patch
-Patch14:        krb5-kvno-230379.patch
+# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301
+Patch15:        krbdev.mit.edu-8301.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@@ -200,7 +201,7 @@ Include Files for Development
 %patch11 -p1
 %patch12 -p1
 %patch13 -p0
-%patch14 -p1
+%patch15 -p1
 
 %build
 # needs to be re-generated
@@ -247,6 +248,9 @@ cp -a html_subst ../../html
 cd ..
 %endif
 
+# Copy kadmin manual page into kadmin.local's due to the split between client and server package
+cp man/kadmin.man man/kadmin.local.8
+
 %install
 
 # Where per-user keytabs live by default.
@@ -349,6 +353,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
 # doesn't support disabling it at build time
 rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
 %endif
+# manually remove test plugin since configure doesn't support disabling it at build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 
 %find_lang mit-krb5
 

krb5.changes

@@ -1,7 +1,119 @@
+-------------------------------------------------------------------
+Tue Dec  8 20:40:26 UTC 2015 - michael@stroeder.com
+
+- Update to 1.14
+- dropped krb5-kvno-230379.patch
+- added krbdev.mit.edu-8301.patch fixing wrong function call
+
+Major changes in 1.14 (2015-11-20)
+==================================
+
+Administrator experience:
+
+* Add a new kdb5_util tabdump command to provide reporting-friendly
+  tabular dump formats (tab-separated or CSV) for the KDC database.
+  Unlike the normal dump format, each output table has a fixed number
+  of fields.  Some tables include human-readable forms of data that
+  are opaque in ordinary dump files.  This format is also suitable for
+  importing into relational databases for complex queries.
+* Add support to kadmin and kadmin.local for specifying a single
+  command line following any global options, where the command
+  arguments are split by the shell--for example, "kadmin getprinc
+  principalname".  Commands issued this way do not prompt for
+  confirmation or display warning messages, and exit with non-zero
+  status if the operation fails.
+* Accept the same principal flag names in kadmin as we do for the
+  default_principal_flags kdc.conf variable, and vice versa.  Also
+  accept flag specifiers in the form that kadmin prints, as well as
+  hexadecimal numbers.
+* Remove the triple-DES and RC4 encryption types from the default
+  value of supported_enctypes, which determines the default key and
+  salt types for new password-derived keys.  By default, keys will
+  only created only for AES128 and AES256.  This mitigates some types
+  of password guessing attacks.
+* Add support for directory names in the KRB5_CONFIG and
+  KRB5_KDC_PROFILE environment variables.
+* Add support for authentication indicators, which are ticket
+  annotations to indicate the strength of the initial authentication.
+  Add support for the "require_auth" string attribute, which can be
+  set on server principal entries to require an indicator when
+  authenticating to the server.
+* Add support for key version numbers larger than 255 in keytab files,
+  and for version numbers up to 65535 in KDC databases.
+* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
+  during pre-authentication, corresponding to the client's most
+  preferred encryption type.
+* Add support for server name identification (SNI) when proxying KDC
+  requests over HTTPS.
+* Add support for the err_fmt profile parameter, which can be used to
+  generate custom-formatted error messages.
+
+Code quality:
+
+* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+  could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+  [CVE-2015-2698]
+* Fix build_principal memory bug that could cause a KDC
+  crash. [CVE-2015-2697]
+
+Developer experience:
+
+* Change gss_acquire_cred_with_password() to acquire credentials into
+  a private memory credential cache.  Applications can use
+  gss_store_cred() to make the resulting credentials visible to other
+  processes.
+* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
+  IAKERB or for non-standard variants of the krb5 mechanism OID unless
+  explicitly requested.  (SPNEGO will still accept the Microsoft
+  variant of the krb5 mechanism OID during negotiation.)
+* Change gss_accept_sec_context() not to accept tokens for IAKERB or
+  for non-standard variants of the krb5 mechanism OID unless an
+  acceptor credential is acquired for those mechanisms.
+* Change gss_acquire_cred() to immediately resolve credentials if the
+  time_rec parameter is not NULL, so that a correct expiration time
+  can be returned.  Normally credential resolution is delayed until
+  the target name is known.
+* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
+  which can be used by plugin modules or applications to add prefixes
+  to existing detailed error messages.
+* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
+  implement the RFC 6113 PRF+ operation and key derivation using PRF+.
+* Add support for pre-authentication mechanisms which use multiple
+  round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
+  code.  Add get_cookie() and set_cookie() callbacks to the kdcpreauth
+  interface; these callbacks can be used to save marshalled state
+  information in an encrypted cookie for the next request.
+* Add a client_key() callback to the kdcpreauth interface to retrieve
+  the chosen client key, corresponding to the ETYPE-INFO2 entry sent
+  by the KDC.
+* Add an add_auth_indicator() callback to the kdcpreauth interface,
+  allowing pre-authentication modules to assert authentication
+  indicators.
+* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
+  suppress sending the confidentiality and integrity flags in GSS
+  initiator tokens unless they are requested by the caller.  These
+  flags control the negotiated SASL security layer for the Microsoft
+  GSS-SPNEGO SASL mechanism.
+* Make the FILE credential cache implementation less prone to
+  corruption issues in multi-threaded programs, especially on
+  platforms with support for open file description locks.
+
+Performance:
+
+* On slave KDCs, poll the master KDC immediately after processing a
+  full resync, and do not require two full resyncs after the master
+  KDC's log file is reset.
+
+User experience:
+
+* Make gss_accept_sec_context() accept tickets near their expiration
+  but within clock skew tolerances, rather than rejecting them
+  immediately after the server's view of the ticket expiration time.
+
 -------------------------------------------------------------------
 Mon Dec  7 08:04:45 UTC 2015 - michael@stroeder.com
 
-- Udapte to 1.13.3
+- Update to 1.13.3
 - removed patches for security fixes now in upstream source:
   0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
   0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch

krb5.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package krb5
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 %define build_mini 0
-%define srcRoot krb5-1.13.3
+%define srcRoot krb5-1.14
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir  %{_defaultdocdir}/krb5
 
@@ -30,7 +30,7 @@ BuildRequires:  keyutils-devel
 BuildRequires:  libcom_err-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  ncurses-devel
-Version:        1.13.3
+Version:        1.14
 Release:        0
 Summary:        MIT Kerberos5 Implementation--Libraries
 License:        MIT
@@ -82,7 +82,8 @@ Patch8:         krb5-1.12-api.patch
 Patch11:        krb5-1.12-ksu-path.patch
 Patch12:        krb5-1.12-selinux-label.patch
 Patch13:        krb5-1.9-debuginfo.patch
-Patch14:        krb5-kvno-230379.patch
+# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301
+Patch15:        krbdev.mit.edu-8301.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@@ -200,7 +201,7 @@ Include Files for Development
 %patch11 -p1
 %patch12 -p1
 %patch13 -p0
-%patch14 -p1
+%patch15 -p1
 
 %build
 # needs to be re-generated
@@ -352,6 +353,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
 # doesn't support disabling it at build time
 rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
 %endif
+# manually remove test plugin since configure doesn't support disabling it at build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 
 %find_lang mit-krb5
 

krbdev.mit.edu-8301.patch

@@ -0,0 +1,11 @@
+--- krb5-1.14.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2015-11-20 21:28:42.000000000 +0100
++++ krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2015-12-09 20:17:00.465765527 +0100
+@@ -684,7 +684,7 @@
+                 if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
+                     int ost = st;
+                     st = EINVAL;
+-                    k5_prependmsg(context, ost, st, _("'%s' not found"),
++                    k5_wrapmsg(context, ost, st, _("'%s' not found"),
+                                   xargs.containerdn);
+                 }
+                 goto cleanup;