- Add explicit this-is-only-for-build-envs requires to krb5-mini
and krb5-mini-devel: the mini flavors are currently excluded
using special hacks from the FTP Tree. In order to eliminate this
hack, we need to ensure the packages are not viable for real
installations. We achieve this with a dep that is never provided,
but ignored by OBS.
OBS-URL: https://build.opensuse.org/request/show/1114983
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=276
- update to 1.121.1 (CVE-2023-36054):
* Fix potential uninitialized pointer free in kadm5 XDR parsing
[CVE-2023-36054].
* Added a credential cache type providing compatibility with
the macOS 11 native credential cache.
* libkadm5 will use the provided krb5_context object to read
configuration values, instead of creating its own.
* Added an interface to retrieve the ticket session key
from a GSS context.
* The KDC will no longer issue tickets with RC4 or triple-DES
session keys unless explicitly configured with the new
allow_rc4 or allow_des3 variables respectively.
* The KDC will assume that all services can handle aes256-sha1
session keys unless the service principal has a
session_enctypes string attribute.
* Support for PAC full KDC checksums has been added to
mitigate an S4U2Proxy privilege escalation attack.
* The PKINIT client will advertise a more modern set
of supported CMS algorithms.
* Removed unused code in libkrb5, libkrb5support,
and the PKINIT module.
* Modernized the KDC code for processing TGS requests,
the code for encrypting and decrypting key data,
the PAC handling code, and the GSS library packet
parsing and composition code.
* Improved the test framework's detection of memory
errors in daemon processes when used with asan.
OBS-URL: https://build.opensuse.org/request/show/1098841
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=167
* Fix potential uninitialized pointer free in kadm5 XDR parsing
[CVE-2023-36054].
* Added a credential cache type providing compatibility with
the macOS 11 native credential cache.
* libkadm5 will use the provided krb5_context object to read
configuration values, instead of creating its own.
* Added an interface to retrieve the ticket session key
from a GSS context.
* The KDC will no longer issue tickets with RC4 or triple-DES
session keys unless explicitly configured with the new
allow_rc4 or allow_des3 variables respectively.
* The KDC will assume that all services can handle aes256-sha1
session keys unless the service principal has a
session_enctypes string attribute.
* Support for PAC full KDC checksums has been added to
mitigate an S4U2Proxy privilege escalation attack.
* The PKINIT client will advertise a more modern set
of supported CMS algorithms.
* Removed unused code in libkrb5, libkrb5support,
and the PKINIT module.
* Modernized the KDC code for processing TGS requests,
the code for encrypting and decrypting key data,
the PAC handling code, and the GSS library packet
parsing and composition code.
* Improved the test framework's detection of memory
errors in daemon processes when used with asan.
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=274
- update to 1.20.0:
* Added a "disable_pac" realm relation to suppress adding PAC authdata
to tickets, for realms which do not need to support S4U requests.
* Most credential cache types will use atomic replacement when a cache
is reinitialized using kinit or refreshed from the client keytab.
* kprop can now propagate databases with a dump size larger than 4GB,
if both the client and server are upgraded.
* kprop can now work over NATs that change the destination IP address,
if the client is upgraded.
* Updated the KDB interface. The sign_authdata() method is replaced
with the issue_pac() method, allowing KDB modules to add logon info
and other buffers to the PAC issued by the KDC.
* Host-based initiator names are better supported in the GSS krb5
mechanism.
* Replaced AD-SIGNEDPATH authdata with minimal PACs.
* To avoid spurious replay errors, password change requests will not
be attempted over UDP until the attempt over TCP fails.
* PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
* Updated all code using OpenSSL to be compatible with OpenSSL 3.
* Reorganized the libk5crypto build system to allow the OpenSSL
back-end to pull in material from the builtin back-end depending on
the OpenSSL version.
* Simplified the PRNG logic to always use the platform PRNG.
* Converted the remaining Tcl tests to Python.
OBS-URL: https://build.opensuse.org/request/show/979732
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=259
- Update to 1.19.1
* Fix a linking issue with Samba.
* Better support multiple pkinit_identities values by checking whether
certificates can be loaded for each value.
- Update to 1.19
Administrator experience
* When a client keytab is present, the GSSAPI krb5 mech will refresh
credentials even if the current credentials were acquired manually.
* It is now harder to accidentally delete the K/M entry from a KDB.
Developer experience
* gss_acquire_cred_from() now supports the "password" and "verify"
options, allowing credentials to be acquired via password and
verified using a keytab key.
* When an application accepts a GSS security context, the new
GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
both provided matching channel bindings.
* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
to identify the desired client principal by certificate.
* PKINIT certauth modules can now cause the hw-authent flag to be set
in issued tickets.
* The krb5_init_creds_step() API will now issue the same password
expiration warnings as krb5_get_init_creds_password().
Protocol evolution
* Added client and KDC support for Microsoft's Resource-Based Constrained
Delegation, which allows cross-realm S4U2Proxy requests. A third-party
database module is required for KDC support.
* kadmin/admin is now the preferred server principal name for kadmin
connections, and the host-based form is no longer created by default.
The client will still try the host-based form as a fallback.
OBS-URL: https://build.opensuse.org/request/show/873760
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=243
- Update to 1.18.3
* Fix a denial of service vulnerability when decoding Kerberos
protocol messages.
* Fix a locking issue with the LMDB KDB module which could cause
KDC and kadmind processes to lose access to the database.
* Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
and unloaded while libkrb5support remains loaded.
- Update to 1.18.3
* Fix a denial of service vulnerability when decoding Kerberos
protocol messages.
* Fix a locking issue with the LMDB KDB module which could cause
KDC and kadmind processes to lose access to the database.
* Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
and unloaded while libkrb5support remains loaded.
OBS-URL: https://build.opensuse.org/request/show/850135
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=241
- Do not mangle libexecdir, bindir, sbindir and datadir: there is
no reasonable justification to step out of the defaults.
I'm aware this will take a few more packages to be changed to properly find krb5-config now, as some (not all) explicictly look for /usr/lib/mit/bin (most have this encoded as %{_libexecdir}/mit/bin - which is wrong anyway; libexecdir is changing to /usr/libexec - so krb5 does not follow that already anyway.
So instead of just trying some half-baked fixup, I decided to clean it up completely.
I also updated the files in vendor-files.tar.bz to have the correct path definitions and dropped the .csh and .sh profiles (which only added the extra added paths to $PATH - so we can just as well install to /usr/ anyway)
If there is anything substantial I missed that makes this change a bad idea, I'm open for discussions
OBS-URL: https://build.opensuse.org/request/show/814123
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=237
- Update to 1.18.2
* Fix a SPNEGO regression where an acceptor using the default credential
would improperly filter mechanisms, causing a negotiation failure.
* Fix a bug where the KDC would fail to issue tickets if the local krbtgt
principal's first key has a single-DES enctype.
* Add stub functions to allow old versions of OpenSSL libcrypto to link
against libkrb5.
* Fix a NegoEx bug where the client name and delegated credential might
not be reported.
- Update logrotate script, call systemd to reload the services
instead of init-scripts. (boo#1169357)
- Update to 1.18.2
* Fix a SPNEGO regression where an acceptor using the default credential
would improperly filter mechanisms, causing a negotiation failure.
* Fix a bug where the KDC would fail to issue tickets if the local krbtgt
principal's first key has a single-DES enctype.
* Add stub functions to allow old versions of OpenSSL libcrypto to link
against libkrb5.
* Fix a NegoEx bug where the client name and delegated credential might
not be reported.
- Update logrotate script, call systemd to reload the services
instead of init-scripts. (boo#1169357)
OBS-URL: https://build.opensuse.org/request/show/810166
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=235