Accepting request 352796 from home:stroeder:branches:network
update to 1.14, successfully tested on Tumbleweed x86_64 (1) purely as a client for MS AD and (2) as a KDC with LDAP backend

OBS-URL: https://build.opensuse.org/request/show/352796
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=154
committed by Git OBS Bridge
parent ee705d6c1a
commit e9af2abc6d

krb5.changes (114)
@@ -1,7 +1,119 @@
-------------------------------------------------------------------
Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com

- Update to 1.14
- dropped krb5-kvno-230379.patch
- added krbdev.mit.edu-8301.patch fixing wrong function call

Major changes in 1.14 (2015-11-20)
==================================

Administrator experience:

* Add a new kdb5_util tabdump command to provide reporting-friendly
tabular dump formats (tab-separated or CSV) for the KDC database.
Unlike the normal dump format, each output table has a fixed number
of fields. Some tables include human-readable forms of data that
are opaque in ordinary dump files. This format is also suitable for
importing into relational databases for complex queries.
* Add support to kadmin and kadmin.local for specifying a single
command line following any global options, where the command
arguments are split by the shell--for example, "kadmin getprinc
principalname". Commands issued this way do not prompt for
confirmation or display warning messages, and exit with non-zero
status if the operation fails.
* Accept the same principal flag names in kadmin as we do for the
default_principal_flags kdc.conf variable, and vice versa. Also
accept flag specifiers in the form that kadmin prints, as well as
hexadecimal numbers.
* Remove the triple-DES and RC4 encryption types from the default
value of supported_enctypes, which determines the default key and
salt types for new password-derived keys. By default, keys will
only created only for AES128 and AES256. This mitigates some types
of password guessing attacks.
* Add support for directory names in the KRB5_CONFIG and
KRB5_KDC_PROFILE environment variables.
* Add support for authentication indicators, which are ticket
annotations to indicate the strength of the initial authentication.
Add support for the "require_auth" string attribute, which can be
set on server principal entries to require an indicator when
authenticating to the server.
* Add support for key version numbers larger than 255 in keytab files,
and for version numbers up to 65535 in KDC databases.
* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
during pre-authentication, corresponding to the client's most
preferred encryption type.
* Add support for server name identification (SNI) when proxying KDC
requests over HTTPS.
* Add support for the err_fmt profile parameter, which can be used to
generate custom-formatted error messages.

Code quality:

* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
[CVE-2015-2698]
* Fix build_principal memory bug that could cause a KDC
crash. [CVE-2015-2697]

Developer experience:

* Change gss_acquire_cred_with_password() to acquire credentials into
a private memory credential cache. Applications can use
gss_store_cred() to make the resulting credentials visible to other
processes.
* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
IAKERB or for non-standard variants of the krb5 mechanism OID unless
explicitly requested. (SPNEGO will still accept the Microsoft
variant of the krb5 mechanism OID during negotiation.)
* Change gss_accept_sec_context() not to accept tokens for IAKERB or
for non-standard variants of the krb5 mechanism OID unless an
acceptor credential is acquired for those mechanisms.
* Change gss_acquire_cred() to immediately resolve credentials if the
time_rec parameter is not NULL, so that a correct expiration time
can be returned. Normally credential resolution is delayed until
the target name is known.
* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
which can be used by plugin modules or applications to add prefixes
to existing detailed error messages.
* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
implement the RFC 6113 PRF+ operation and key derivation using PRF+.
* Add support for pre-authentication mechanisms which use multiple
round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
interface; these callbacks can be used to save marshalled state
information in an encrypted cookie for the next request.
* Add a client_key() callback to the kdcpreauth interface to retrieve
the chosen client key, corresponding to the ETYPE-INFO2 entry sent
by the KDC.
* Add an add_auth_indicator() callback to the kdcpreauth interface,
allowing pre-authentication modules to assert authentication
indicators.
* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
suppress sending the confidentiality and integrity flags in GSS
initiator tokens unless they are requested by the caller. These
flags control the negotiated SASL security layer for the Microsoft
GSS-SPNEGO SASL mechanism.
* Make the FILE credential cache implementation less prone to
corruption issues in multi-threaded programs, especially on
platforms with support for open file description locks.

Performance:

* On slave KDCs, poll the master KDC immediately after processing a
full resync, and do not require two full resyncs after the master
KDC's log file is reset.

User experience:

* Make gss_accept_sec_context() accept tickets near their expiration
but within clock skew tolerances, rather than rejecting them
immediately after the server's view of the ticket expiration time.

-------------------------------------------------------------------
Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com

- Udapte to 1.13.3
- Update to 1.13.3
- removed patches for security fixes now in upstream source:
0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch

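Review bot: the Dec 7 entry at the end of the hunk shows both "- Udapte to 1.13.3" and "- Update to 1.13.3"; the rendered view drops the +/- markers, so confirm that the misspelled line is the one being removed and that only the corrected spelling remains in the committed krb5.changes. In the new Dec 8 entry, "- dropped krb5-kvno-230379.patch" gives no reason; say whether it was merged upstream or made obsolete by 1.14, the way the 1.13.3 entry explains the removed CVE-2015-2696 and CVE-2015-2697 patches. One item from the pasted upstream notes also deserves a line in the package's own bullets: 1.14 removes triple-DES and RC4 from the default supported_enctypes, so new password-derived keys on a KDC (the LDAP-backend setup the commit message says was tested) will be AES-only unless the administrator sets supported_enctypes explicitly, which matters for anyone still serving legacy clients.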