Accepting request 352796 from home:stroeder:branches:network
update to 1.14, successfully tested on Tumbleweed x86_64 1. purely as client for MS AD and 2. as KDC with LDAP backend OBS-URL: https://build.opensuse.org/request/show/352796 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=154
This commit is contained in:
parent
ee705d6c1a
commit
e9af2abc6d
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:5d4af08ead9b7a1e9493cfd65e821234f151a46736e1ce586f886c8a8e65fabe
|
|
||||||
size 12133347
|
|
@ -1,14 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
Version: GnuPG v1
|
|
||||||
|
|
||||||
iQGcBAABAgAGBQJWYePPAAoJEKMvF/0AVcMFExYMAIJ4l6N0p00Gsh2smjTCrGcr
|
|
||||||
4ZemT6ovZW1bYhqKjnfeN1Csg0OEUKHUN20NRUuLhqOfDSU9UxJHXJ8azLTjopQr
|
|
||||||
yqe5teby2ki+cOcfcYbDUkRmLaG9wkrDiTIPV9SIObJCwuQfEhB4MMAw6hhMzLWZ
|
|
||||||
ENKqsGOxXrCCuDlcmHYgc7kRV2oa7ko72Lti70PpM3/mENGUHURz9tu/c8cratv8
|
|
||||||
cJYLQibi7w1lA8qg2tKjqzwXJTLRfxm44cUOBWmD3Ph3XtfME7qmo56tYiiD2LIB
|
|
||||||
LiYBjipxWwK5LCTYb+2v1WMUcRamZ1J2JhzkNAwetocduuM3DRLCFcFlgTZS39n4
|
|
||||||
AqIX7vmpbHljFY8IJ0UBfYTuR9+McfkXSKZN+QiQKr0BMNJbFPhjonSWkotXS39S
|
|
||||||
zyX2jDzBj5zXaBQ0aTL4w82XqIalIDWR9NXOPWggfSRcxMSiMSywl19eBAXk5Qfm
|
|
||||||
VGCb4CRB7CKBIsQbq2El5c2gTJP/lh/fnOqRfsvQXA==
|
|
||||||
=UvFL
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
krb5-1.14.tar.gz
Normal file
3
krb5-1.14.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:cedb07fad8331e3ff2983d26e977a2ddba622f379c2b19bfea85bd695930f9e9
|
||||||
|
size 12255176
|
14
krb5-1.14.tar.gz.asc
Normal file
14
krb5-1.14.tar.gz.asc
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
Version: GnuPG v1
|
||||||
|
|
||||||
|
iQGcBAABAgAGBQJWT4hUAAoJEKMvF/0AVcMFE44L/iuBH47TzpEn9RudgxMvxp7L
|
||||||
|
rREaBF/sIdMg0I8aUONtxw7nvh091s8SXus8UZiRYqPO+trB2pB52P1iQ4G9TBPX
|
||||||
|
IOkAEtxu/Sojfp2BxRd6NCBw+n90axNQDWogSN8U6XmK1szpiQz2KdaxfNTv5Lzm
|
||||||
|
Jtx/6p39DM7M72gkrFl8ZDEi2xKqyA1+fcCti3Q/Wdwx73HqWctHYNcjUtJH5bvN
|
||||||
|
GlTQq1PynPoHf8LqxVz6jquhuBgb2d2z8Q4hhQKlJF8x131vppeiWuDv3ExkcWKP
|
||||||
|
cvssUz8C1Ty7LF0ax0fwzQo22yEeTIHayvpbVidSiW8RUGUEiMzhaHcD3BTsQ5WF
|
||||||
|
X+l+xKqvZniB9Vs6KtbP4ErM6Rj+tNQJy8iMzEyDFTIuEFjK0497XGgBIp9FpgOl
|
||||||
|
6Rh9EXY66GUuU5FTnmGpmm3HxnhYWFDdj/vxj8DKTr5EmxAoc4j0fUp/ze4ZMZ02
|
||||||
|
P14WS5B4DSfqZO+vaOKHmtmZH0J/ZS/8x7JIuz4cQA==
|
||||||
|
=xlir
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,7 +1,124 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com
|
||||||
|
|
||||||
|
- Update to 1.14
|
||||||
|
- dropped krb5-kvno-230379.patch
|
||||||
|
- added krbdev.mit.edu-8301.patch fixing wrong function call
|
||||||
|
|
||||||
|
Major changes in 1.14 (2015-11-20)
|
||||||
|
==================================
|
||||||
|
|
||||||
|
Administrator experience:
|
||||||
|
|
||||||
|
* Add a new kdb5_util tabdump command to provide reporting-friendly
|
||||||
|
tabular dump formats (tab-separated or CSV) for the KDC database.
|
||||||
|
Unlike the normal dump format, each output table has a fixed number
|
||||||
|
of fields. Some tables include human-readable forms of data that
|
||||||
|
are opaque in ordinary dump files. This format is also suitable for
|
||||||
|
importing into relational databases for complex queries.
|
||||||
|
* Add support to kadmin and kadmin.local for specifying a single
|
||||||
|
command line following any global options, where the command
|
||||||
|
arguments are split by the shell--for example, "kadmin getprinc
|
||||||
|
principalname". Commands issued this way do not prompt for
|
||||||
|
confirmation or display warning messages, and exit with non-zero
|
||||||
|
status if the operation fails.
|
||||||
|
* Accept the same principal flag names in kadmin as we do for the
|
||||||
|
default_principal_flags kdc.conf variable, and vice versa. Also
|
||||||
|
accept flag specifiers in the form that kadmin prints, as well as
|
||||||
|
hexadecimal numbers.
|
||||||
|
* Remove the triple-DES and RC4 encryption types from the default
|
||||||
|
value of supported_enctypes, which determines the default key and
|
||||||
|
salt types for new password-derived keys. By default, keys will
|
||||||
|
only created only for AES128 and AES256. This mitigates some types
|
||||||
|
of password guessing attacks.
|
||||||
|
* Add support for directory names in the KRB5_CONFIG and
|
||||||
|
KRB5_KDC_PROFILE environment variables.
|
||||||
|
* Add support for authentication indicators, which are ticket
|
||||||
|
annotations to indicate the strength of the initial authentication.
|
||||||
|
Add support for the "require_auth" string attribute, which can be
|
||||||
|
set on server principal entries to require an indicator when
|
||||||
|
authenticating to the server.
|
||||||
|
* Add support for key version numbers larger than 255 in keytab files,
|
||||||
|
and for version numbers up to 65535 in KDC databases.
|
||||||
|
* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
|
||||||
|
during pre-authentication, corresponding to the client's most
|
||||||
|
preferred encryption type.
|
||||||
|
* Add support for server name identification (SNI) when proxying KDC
|
||||||
|
requests over HTTPS.
|
||||||
|
* Add support for the err_fmt profile parameter, which can be used to
|
||||||
|
generate custom-formatted error messages.
|
||||||
|
|
||||||
|
Code quality:
|
||||||
|
|
||||||
|
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
|
||||||
|
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
|
||||||
|
[CVE-2015-2698]
|
||||||
|
* Fix build_principal memory bug that could cause a KDC
|
||||||
|
crash. [CVE-2015-2697]
|
||||||
|
|
||||||
|
Developer experience:
|
||||||
|
|
||||||
|
* Change gss_acquire_cred_with_password() to acquire credentials into
|
||||||
|
a private memory credential cache. Applications can use
|
||||||
|
gss_store_cred() to make the resulting credentials visible to other
|
||||||
|
processes.
|
||||||
|
* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
|
||||||
|
IAKERB or for non-standard variants of the krb5 mechanism OID unless
|
||||||
|
explicitly requested. (SPNEGO will still accept the Microsoft
|
||||||
|
variant of the krb5 mechanism OID during negotiation.)
|
||||||
|
* Change gss_accept_sec_context() not to accept tokens for IAKERB or
|
||||||
|
for non-standard variants of the krb5 mechanism OID unless an
|
||||||
|
acceptor credential is acquired for those mechanisms.
|
||||||
|
* Change gss_acquire_cred() to immediately resolve credentials if the
|
||||||
|
time_rec parameter is not NULL, so that a correct expiration time
|
||||||
|
can be returned. Normally credential resolution is delayed until
|
||||||
|
the target name is known.
|
||||||
|
* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
|
||||||
|
which can be used by plugin modules or applications to add prefixes
|
||||||
|
to existing detailed error messages.
|
||||||
|
* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
|
||||||
|
implement the RFC 6113 PRF+ operation and key derivation using PRF+.
|
||||||
|
* Add support for pre-authentication mechanisms which use multiple
|
||||||
|
round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
|
||||||
|
code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
|
||||||
|
interface; these callbacks can be used to save marshalled state
|
||||||
|
information in an encrypted cookie for the next request.
|
||||||
|
* Add a client_key() callback to the kdcpreauth interface to retrieve
|
||||||
|
the chosen client key, corresponding to the ETYPE-INFO2 entry sent
|
||||||
|
by the KDC.
|
||||||
|
* Add an add_auth_indicator() callback to the kdcpreauth interface,
|
||||||
|
allowing pre-authentication modules to assert authentication
|
||||||
|
indicators.
|
||||||
|
* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
|
||||||
|
suppress sending the confidentiality and integrity flags in GSS
|
||||||
|
initiator tokens unless they are requested by the caller. These
|
||||||
|
flags control the negotiated SASL security layer for the Microsoft
|
||||||
|
GSS-SPNEGO SASL mechanism.
|
||||||
|
* Make the FILE credential cache implementation less prone to
|
||||||
|
corruption issues in multi-threaded programs, especially on
|
||||||
|
platforms with support for open file description locks.
|
||||||
|
|
||||||
|
Performance:
|
||||||
|
|
||||||
|
* On slave KDCs, poll the master KDC immediately after processing a
|
||||||
|
full resync, and do not require two full resyncs after the master
|
||||||
|
KDC's log file is reset.
|
||||||
|
|
||||||
|
User experience:
|
||||||
|
|
||||||
|
* Make gss_accept_sec_context() accept tickets near their expiration
|
||||||
|
but within clock skew tolerances, rather than rejecting them
|
||||||
|
immediately after the server's view of the ticket expiration time.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com
|
Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com
|
||||||
|
|
||||||
- Udapte to 1.13.3
|
- Update to 1.13.3
|
||||||
|
- removed patches for security fixes now in upstream source:
|
||||||
|
0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
|
||||||
|
0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
|
||||||
|
0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
|
||||||
|
0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
|
||||||
|
|
||||||
Major changes in 1.13.3 (2015-12-04)
|
Major changes in 1.13.3 (2015-12-04)
|
||||||
====================================
|
====================================
|
||||||
@ -19,10 +136,28 @@ krb5-1.14 release series or later.
|
|||||||
krb5-1.10 or earlier.
|
krb5-1.10 or earlier.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Jun 1 07:38:15 UTC 2015 - hguo@suse.com
|
Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com
|
||||||
|
|
||||||
|
- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
|
||||||
|
to fix a memory corruption regression introduced by resolution of
|
||||||
|
CVE-2015-2698. bsc#954204
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com
|
||||||
|
|
||||||
|
- Make kadmin.local man page available without having to install krb5-client. bsc#948011
|
||||||
|
- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
|
||||||
|
to fix build_principal memory bug [CVE-2015-2697] bsc#952190
|
||||||
|
- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
|
||||||
|
to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
|
||||||
|
- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
|
||||||
|
to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jun 1 07:31:52 UTC 2015 - hguo@suse.com
|
||||||
|
|
||||||
- Let server depend on libev (module of libverto). This was the
|
- Let server depend on libev (module of libverto). This was the
|
||||||
embedded implementation before the seperation of libverto from krb.
|
preferred implementation before the seperation of libverto from krb.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org
|
Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package krb5-mini
|
# spec file for package krb5-mini
|
||||||
#
|
#
|
||||||
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
|
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
|
|
||||||
%define build_mini 1
|
%define build_mini 1
|
||||||
%define srcRoot krb5-1.13.3
|
%define srcRoot krb5-1.14
|
||||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||||
%define krb5docdir %{_defaultdocdir}/krb5
|
%define krb5docdir %{_defaultdocdir}/krb5
|
||||||
|
|
||||||
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
|
|||||||
BuildRequires: libcom_err-devel
|
BuildRequires: libcom_err-devel
|
||||||
BuildRequires: libselinux-devel
|
BuildRequires: libselinux-devel
|
||||||
BuildRequires: ncurses-devel
|
BuildRequires: ncurses-devel
|
||||||
Version: 1.13.3
|
Version: 1.14
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: MIT Kerberos5 Implementation--Libraries
|
Summary: MIT Kerberos5 Implementation--Libraries
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -82,7 +82,8 @@ Patch8: krb5-1.12-api.patch
|
|||||||
Patch11: krb5-1.12-ksu-path.patch
|
Patch11: krb5-1.12-ksu-path.patch
|
||||||
Patch12: krb5-1.12-selinux-label.patch
|
Patch12: krb5-1.12-selinux-label.patch
|
||||||
Patch13: krb5-1.9-debuginfo.patch
|
Patch13: krb5-1.9-debuginfo.patch
|
||||||
Patch14: krb5-kvno-230379.patch
|
# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301
|
||||||
|
Patch15: krbdev.mit.edu-8301.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||||
PreReq: %fillup_prereq
|
PreReq: %fillup_prereq
|
||||||
@ -200,7 +201,7 @@ Include Files for Development
|
|||||||
%patch11 -p1
|
%patch11 -p1
|
||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
%patch13 -p0
|
%patch13 -p0
|
||||||
%patch14 -p1
|
%patch15 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# needs to be re-generated
|
# needs to be re-generated
|
||||||
@ -247,6 +248,9 @@ cp -a html_subst ../../html
|
|||||||
cd ..
|
cd ..
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
# Copy kadmin manual page into kadmin.local's due to the split between client and server package
|
||||||
|
cp man/kadmin.man man/kadmin.local.8
|
||||||
|
|
||||||
%install
|
%install
|
||||||
|
|
||||||
# Where per-user keytabs live by default.
|
# Where per-user keytabs live by default.
|
||||||
@ -349,6 +353,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
|
|||||||
# doesn't support disabling it at build time
|
# doesn't support disabling it at build time
|
||||||
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
|
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
|
||||||
%endif
|
%endif
|
||||||
|
# manually remove test plugin since configure doesn't support disabling it at build time
|
||||||
|
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
||||||
|
|
||||||
%find_lang mit-krb5
|
%find_lang mit-krb5
|
||||||
|
|
||||||
|
114
krb5.changes
114
krb5.changes
@ -1,7 +1,119 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com
|
||||||
|
|
||||||
|
- Update to 1.14
|
||||||
|
- dropped krb5-kvno-230379.patch
|
||||||
|
- added krbdev.mit.edu-8301.patch fixing wrong function call
|
||||||
|
|
||||||
|
Major changes in 1.14 (2015-11-20)
|
||||||
|
==================================
|
||||||
|
|
||||||
|
Administrator experience:
|
||||||
|
|
||||||
|
* Add a new kdb5_util tabdump command to provide reporting-friendly
|
||||||
|
tabular dump formats (tab-separated or CSV) for the KDC database.
|
||||||
|
Unlike the normal dump format, each output table has a fixed number
|
||||||
|
of fields. Some tables include human-readable forms of data that
|
||||||
|
are opaque in ordinary dump files. This format is also suitable for
|
||||||
|
importing into relational databases for complex queries.
|
||||||
|
* Add support to kadmin and kadmin.local for specifying a single
|
||||||
|
command line following any global options, where the command
|
||||||
|
arguments are split by the shell--for example, "kadmin getprinc
|
||||||
|
principalname". Commands issued this way do not prompt for
|
||||||
|
confirmation or display warning messages, and exit with non-zero
|
||||||
|
status if the operation fails.
|
||||||
|
* Accept the same principal flag names in kadmin as we do for the
|
||||||
|
default_principal_flags kdc.conf variable, and vice versa. Also
|
||||||
|
accept flag specifiers in the form that kadmin prints, as well as
|
||||||
|
hexadecimal numbers.
|
||||||
|
* Remove the triple-DES and RC4 encryption types from the default
|
||||||
|
value of supported_enctypes, which determines the default key and
|
||||||
|
salt types for new password-derived keys. By default, keys will
|
||||||
|
only created only for AES128 and AES256. This mitigates some types
|
||||||
|
of password guessing attacks.
|
||||||
|
* Add support for directory names in the KRB5_CONFIG and
|
||||||
|
KRB5_KDC_PROFILE environment variables.
|
||||||
|
* Add support for authentication indicators, which are ticket
|
||||||
|
annotations to indicate the strength of the initial authentication.
|
||||||
|
Add support for the "require_auth" string attribute, which can be
|
||||||
|
set on server principal entries to require an indicator when
|
||||||
|
authenticating to the server.
|
||||||
|
* Add support for key version numbers larger than 255 in keytab files,
|
||||||
|
and for version numbers up to 65535 in KDC databases.
|
||||||
|
* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
|
||||||
|
during pre-authentication, corresponding to the client's most
|
||||||
|
preferred encryption type.
|
||||||
|
* Add support for server name identification (SNI) when proxying KDC
|
||||||
|
requests over HTTPS.
|
||||||
|
* Add support for the err_fmt profile parameter, which can be used to
|
||||||
|
generate custom-formatted error messages.
|
||||||
|
|
||||||
|
Code quality:
|
||||||
|
|
||||||
|
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
|
||||||
|
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
|
||||||
|
[CVE-2015-2698]
|
||||||
|
* Fix build_principal memory bug that could cause a KDC
|
||||||
|
crash. [CVE-2015-2697]
|
||||||
|
|
||||||
|
Developer experience:
|
||||||
|
|
||||||
|
* Change gss_acquire_cred_with_password() to acquire credentials into
|
||||||
|
a private memory credential cache. Applications can use
|
||||||
|
gss_store_cred() to make the resulting credentials visible to other
|
||||||
|
processes.
|
||||||
|
* Change gss_acquire_cred() and SPNEGO not to acquire credentials for
|
||||||
|
IAKERB or for non-standard variants of the krb5 mechanism OID unless
|
||||||
|
explicitly requested. (SPNEGO will still accept the Microsoft
|
||||||
|
variant of the krb5 mechanism OID during negotiation.)
|
||||||
|
* Change gss_accept_sec_context() not to accept tokens for IAKERB or
|
||||||
|
for non-standard variants of the krb5 mechanism OID unless an
|
||||||
|
acceptor credential is acquired for those mechanisms.
|
||||||
|
* Change gss_acquire_cred() to immediately resolve credentials if the
|
||||||
|
time_rec parameter is not NULL, so that a correct expiration time
|
||||||
|
can be returned. Normally credential resolution is delayed until
|
||||||
|
the target name is known.
|
||||||
|
* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
|
||||||
|
which can be used by plugin modules or applications to add prefixes
|
||||||
|
to existing detailed error messages.
|
||||||
|
* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
|
||||||
|
implement the RFC 6113 PRF+ operation and key derivation using PRF+.
|
||||||
|
* Add support for pre-authentication mechanisms which use multiple
|
||||||
|
round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
|
||||||
|
code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
|
||||||
|
interface; these callbacks can be used to save marshalled state
|
||||||
|
information in an encrypted cookie for the next request.
|
||||||
|
* Add a client_key() callback to the kdcpreauth interface to retrieve
|
||||||
|
the chosen client key, corresponding to the ETYPE-INFO2 entry sent
|
||||||
|
by the KDC.
|
||||||
|
* Add an add_auth_indicator() callback to the kdcpreauth interface,
|
||||||
|
allowing pre-authentication modules to assert authentication
|
||||||
|
indicators.
|
||||||
|
* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
|
||||||
|
suppress sending the confidentiality and integrity flags in GSS
|
||||||
|
initiator tokens unless they are requested by the caller. These
|
||||||
|
flags control the negotiated SASL security layer for the Microsoft
|
||||||
|
GSS-SPNEGO SASL mechanism.
|
||||||
|
* Make the FILE credential cache implementation less prone to
|
||||||
|
corruption issues in multi-threaded programs, especially on
|
||||||
|
platforms with support for open file description locks.
|
||||||
|
|
||||||
|
Performance:
|
||||||
|
|
||||||
|
* On slave KDCs, poll the master KDC immediately after processing a
|
||||||
|
full resync, and do not require two full resyncs after the master
|
||||||
|
KDC's log file is reset.
|
||||||
|
|
||||||
|
User experience:
|
||||||
|
|
||||||
|
* Make gss_accept_sec_context() accept tickets near their expiration
|
||||||
|
but within clock skew tolerances, rather than rejecting them
|
||||||
|
immediately after the server's view of the ticket expiration time.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com
|
Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com
|
||||||
|
|
||||||
- Udapte to 1.13.3
|
- Update to 1.13.3
|
||||||
- removed patches for security fixes now in upstream source:
|
- removed patches for security fixes now in upstream source:
|
||||||
0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
|
0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
|
||||||
0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
|
0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
|
||||||
|
13
krb5.spec
13
krb5.spec
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package krb5
|
# spec file for package krb5
|
||||||
#
|
#
|
||||||
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
|
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
|
|
||||||
%define build_mini 0
|
%define build_mini 0
|
||||||
%define srcRoot krb5-1.13.3
|
%define srcRoot krb5-1.14
|
||||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||||
%define krb5docdir %{_defaultdocdir}/krb5
|
%define krb5docdir %{_defaultdocdir}/krb5
|
||||||
|
|
||||||
@ -30,7 +30,7 @@ BuildRequires: keyutils-devel
|
|||||||
BuildRequires: libcom_err-devel
|
BuildRequires: libcom_err-devel
|
||||||
BuildRequires: libselinux-devel
|
BuildRequires: libselinux-devel
|
||||||
BuildRequires: ncurses-devel
|
BuildRequires: ncurses-devel
|
||||||
Version: 1.13.3
|
Version: 1.14
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: MIT Kerberos5 Implementation--Libraries
|
Summary: MIT Kerberos5 Implementation--Libraries
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -82,7 +82,8 @@ Patch8: krb5-1.12-api.patch
|
|||||||
Patch11: krb5-1.12-ksu-path.patch
|
Patch11: krb5-1.12-ksu-path.patch
|
||||||
Patch12: krb5-1.12-selinux-label.patch
|
Patch12: krb5-1.12-selinux-label.patch
|
||||||
Patch13: krb5-1.9-debuginfo.patch
|
Patch13: krb5-1.9-debuginfo.patch
|
||||||
Patch14: krb5-kvno-230379.patch
|
# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301
|
||||||
|
Patch15: krbdev.mit.edu-8301.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||||
PreReq: %fillup_prereq
|
PreReq: %fillup_prereq
|
||||||
@ -200,7 +201,7 @@ Include Files for Development
|
|||||||
%patch11 -p1
|
%patch11 -p1
|
||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
%patch13 -p0
|
%patch13 -p0
|
||||||
%patch14 -p1
|
%patch15 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# needs to be re-generated
|
# needs to be re-generated
|
||||||
@ -352,6 +353,8 @@ rm -rf %{buildroot}/usr/lib/mit/share/examples
|
|||||||
# doesn't support disabling it at build time
|
# doesn't support disabling it at build time
|
||||||
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
|
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
|
||||||
%endif
|
%endif
|
||||||
|
# manually remove test plugin since configure doesn't support disabling it at build time
|
||||||
|
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
||||||
|
|
||||||
%find_lang mit-krb5
|
%find_lang mit-krb5
|
||||||
|
|
||||||
|
11
krbdev.mit.edu-8301.patch
Normal file
11
krbdev.mit.edu-8301.patch
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
--- krb5-1.14.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-11-20 21:28:42.000000000 +0100
|
||||||
|
+++ krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c 2015-12-09 20:17:00.465765527 +0100
|
||||||
|
@@ -684,7 +684,7 @@
|
||||||
|
if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
|
||||||
|
int ost = st;
|
||||||
|
st = EINVAL;
|
||||||
|
- k5_prependmsg(context, ost, st, _("'%s' not found"),
|
||||||
|
+ k5_wrapmsg(context, ost, st, _("'%s' not found"),
|
||||||
|
xargs.containerdn);
|
||||||
|
}
|
||||||
|
goto cleanup;
|
Loading…
Reference in New Issue
Block a user