SHA256
1
0
forked from pool/krb5
Commit Graph

345 Commits

Author SHA256 Message Date
Ana Guerrero
0303b6cb4c Accepting request 1134351 from network
- update to 1.21.2 (bsc#1218211, CVE-2023-39975):
  * Fix double-free in KDC TGS processing [CVE-2023-39975].

- update to 1.21.1 (CVE-2023-36054):
    with Windows KDCs.

OBS-URL: https://build.opensuse.org/request/show/1134351
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=169
2023-12-21 22:37:52 +00:00
12dcc60b0b - update to 1.21.2 (bsc#1218211, CVE-2023-39975):
* Fix double-free in KDC TGS processing [CVE-2023-39975].
- update to 1.21.1 (CVE-2023-36054):
    with Windows KDCs.

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=278
2023-12-20 23:21:24 +00:00
Ana Guerrero
0f8352fed9 Accepting request 1114991 from network
OBS-URL: https://build.opensuse.org/request/show/1114991
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=168
2023-10-05 18:02:35 +00:00
157057f8f8 Accepting request 1114983 from home:dimstar:Factory
- Add explicit this-is-only-for-build-envs requires to krb5-mini
  and krb5-mini-devel: the mini flavors are currently excluded
  using special hacks from the FTP Tree. In order to eliminate this
  hack, we need to ensure the packages are not viable for real
  installations. We achieve this with a dep that is never provided,
  but ignored by OBS.

OBS-URL: https://build.opensuse.org/request/show/1114983
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=276
2023-10-03 12:17:40 +00:00
Ana Guerrero
01a27b5e5c Accepting request 1098841 from network
- update to 1.121.1 (CVE-2023-36054):
  * Fix potential uninitialized pointer free in kadm5 XDR parsing
    [CVE-2023-36054].
  * Added a credential cache type providing compatibility with
    the macOS 11 native credential cache.
  * libkadm5 will use the provided krb5_context object to read
    configuration values, instead of creating its own.
  * Added an interface to retrieve the ticket session key
    from a GSS context.
  * The KDC will no longer issue tickets with RC4 or triple-DES
    session keys unless explicitly configured with the new
    allow_rc4 or allow_des3 variables respectively.
  * The KDC will assume that all services can handle aes256-sha1
    session keys unless the service principal has a
    session_enctypes string attribute.
  * Support for PAC full KDC checksums has been added to
    mitigate an S4U2Proxy privilege escalation attack.
  * The PKINIT client will advertise a more modern set
    of supported CMS algorithms.
  * Removed unused code in libkrb5, libkrb5support,
    and the PKINIT module.
  * Modernized the KDC code for processing TGS requests,
    the code for encrypting and decrypting key data,
    the PAC handling code, and the GSS library packet
    parsing and composition code.
  * Improved the test framework's detection of memory
    errors in daemon processes when used with asan.

OBS-URL: https://build.opensuse.org/request/show/1098841
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=167
2023-07-17 17:22:54 +00:00
36feefeaf6 - update to 1.121.1 (CVE-2023-36054):
* Fix potential uninitialized pointer free in kadm5 XDR parsing
    [CVE-2023-36054].
  * Added a credential cache type providing compatibility with
    the macOS 11 native credential cache.
  * libkadm5 will use the provided krb5_context object to read
    configuration values, instead of creating its own.
  * Added an interface to retrieve the ticket session key
    from a GSS context.
  * The KDC will no longer issue tickets with RC4 or triple-DES
    session keys unless explicitly configured with the new
    allow_rc4 or allow_des3 variables respectively.
  * The KDC will assume that all services can handle aes256-sha1
    session keys unless the service principal has a
    session_enctypes string attribute.
  * Support for PAC full KDC checksums has been added to
    mitigate an S4U2Proxy privilege escalation attack.
  * The PKINIT client will advertise a more modern set
    of supported CMS algorithms.
  * Removed unused code in libkrb5, libkrb5support,
    and the PKINIT module.
  * Modernized the KDC code for processing TGS requests,
    the code for encrypting and decrypting key data,
    the PAC handling code, and the GSS library packet
    parsing and composition code.
  * Improved the test framework's detection of memory
    errors in daemon processes when used with asan.

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=274
2023-07-15 18:25:31 +00:00
Dominique Leuenberger
4a71926b1b Accepting request 1084720 from network
OBS-URL: https://build.opensuse.org/request/show/1084720
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=166
2023-05-05 13:57:07 +00:00
9b19498eb9 Accepting request 1084716 from home:fcrozat:branches:network
- Add _multibuild to define additional spec files as additional
  flavors.
  Eliminates the need for source package links in OBS.

- Add _multibuild to define additional spec files as additional
  flavors.
  Eliminates the need for source package links in OBS.

OBS-URL: https://build.opensuse.org/request/show/1084716
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=272
2023-05-04 13:49:47 +00:00
Dominique Leuenberger
e1286c714b Accepting request 1074019 from network
OBS-URL: https://build.opensuse.org/request/show/1074019
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=165
2023-04-01 19:13:15 +00:00
bed174ccde Accepting request 1073940 from home:dimstar:Factory
- Build mini flavor without keyutils support: breaks cycle between
  krb5-mini and keyutils.

OBS-URL: https://build.opensuse.org/request/show/1073940
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=270
2023-03-23 17:15:10 +00:00
Dominique Leuenberger
cde206b112 Accepting request 1069660 from network
OBS-URL: https://build.opensuse.org/request/show/1069660
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=164
2023-03-07 15:48:24 +00:00
2d89800a45 Accepting request 1069134 from home:scabrero:bsc1208887
- Update 0007-SELinux-integration.patch for SELinux 3.5;
  (bsc#1208887);

OBS-URL: https://build.opensuse.org/request/show/1069134
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=268
2023-03-06 14:30:02 +00:00
Dominique Leuenberger
12c583dafc Accepting request 1069137 from network
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1069137
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=163
2023-03-05 19:07:51 +00:00
ae967cda93 Accepting request 1045519 from home:schubi2:pam_usr_etc
- Migration of PAM settings to /usr/lib/pam.d

OBS-URL: https://build.opensuse.org/request/show/1045519
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=266
2023-03-03 10:03:46 +00:00
Dominique Leuenberger
040abea7ab Accepting request 1042851 from network
OBS-URL: https://build.opensuse.org/request/show/1042851
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=162
2022-12-16 16:50:43 +00:00
83fc4d39c0 Accepting request 1042600 from home:scabrero:branches:network
- Drop 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch,
  already fixed in release 1.20.0

OBS-URL: https://build.opensuse.org/request/show/1042600
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=264
2022-12-14 09:47:16 +00:00
Dominique Leuenberger
b5b0a704c9 Accepting request 1036481 from network
OBS-URL: https://build.opensuse.org/request/show/1036481
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=161
2022-11-18 14:42:33 +00:00
6580e8c91a Accepting request 1036182 from home:scabrero:branches:network
- Update to 1.20.1; (bsc#1205126); (CVE-2022-42898);
  * Fix integer overflows in PAC parsing [CVE-2022-42898].
  * Fix null deref in KDC when decoding invalid NDR.
  * Fix memory leak in OTP kdcpreauth module.
  * Fix PKCS11 module path search.

- Update to 1.20.1; (bsc#1205126); (CVE-2022-42898);
  * Fix integer overflows in PAC parsing [CVE-2022-42898].
  * Fix null deref in KDC when decoding invalid NDR.
  * Fix memory leak in OTP kdcpreauth module.
  * Fix PKCS11 module path search.

OBS-URL: https://build.opensuse.org/request/show/1036182
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=262
2022-11-17 16:22:59 +00:00
Dominique Leuenberger
a6457936b4 Accepting request 981266 from network
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/981266
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=160
2022-06-18 20:05:50 +00:00
40f0f666d9 Accepting request 980314 from home:scabrero:branches:network
Align krb5-mini changelog and remove a couple of trailing white spaces

OBS-URL: https://build.opensuse.org/request/show/980314
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=260
2022-06-02 08:10:43 +00:00
7383de009b Accepting request 979732 from home:dirkmueller:Factory
- update to 1.20.0:
  * Added a "disable_pac" realm relation to suppress adding PAC authdata
    to tickets, for realms which do not need to support S4U requests.
  * Most credential cache types will use atomic replacement when a cache
    is reinitialized using kinit or refreshed from the client keytab.
  * kprop can now propagate databases with a dump size larger than 4GB,
    if both the client and server are upgraded.
  * kprop can now work over NATs that change the destination IP address,
    if the client is upgraded.
  * Updated the KDB interface.  The sign_authdata() method is replaced
    with the issue_pac() method, allowing KDB modules to add logon info
    and other buffers to the PAC issued by the KDC.
  * Host-based initiator names are better supported in the GSS krb5
    mechanism.
  * Replaced AD-SIGNEDPATH authdata with minimal PACs.
  * To avoid spurious replay errors, password change requests will not
    be attempted over UDP until the attempt over TCP fails.
  * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
  * Updated all code using OpenSSL to be compatible with OpenSSL 3.
  * Reorganized the libk5crypto build system to allow the OpenSSL
    back-end to pull in material from the builtin back-end depending on
    the OpenSSL version.
  * Simplified the PRNG logic to always use the platform PRNG.
  * Converted the remaining Tcl tests to Python.

OBS-URL: https://build.opensuse.org/request/show/979732
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=259
2022-05-31 11:34:39 +00:00
Dominique Leuenberger
5bc3270864 Accepting request 970776 from network
OBS-URL: https://build.opensuse.org/request/show/970776
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=159
2022-04-23 17:44:51 +00:00
ff3493d16b Accepting request 967999 from home:dirkmueller:Factory
- update to 1.19.3 (bsc#1189929, CVE-2021-37750):
  * Fix a denial of service attack against the KDC [CVE-2021-37750].
  * Fix KDC null deref on TGS inner body null server
  * Fix conformance issue in GSSAPI tests

OBS-URL: https://build.opensuse.org/request/show/967999
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=257
2022-04-19 12:10:56 +00:00
Dominique Leuenberger
75d2ffca36 Accepting request 949613 from network
OBS-URL: https://build.opensuse.org/request/show/949613
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=158
2022-02-07 22:36:47 +00:00
e6222c3074 Accepting request 949610 from home:scabrero:branches:network
- Added hardening to systemd services; (bsc#1181400);

OBS-URL: https://build.opensuse.org/request/show/949610
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=256
2022-01-28 09:04:21 +00:00
1bc05687c3 Accepting request 949537 from home:dmulder:Bug1109830
- Resolve "Credential cache directory /run/user/0/krb5cc does not
  exist while opening default credentials cache" by using a kernel
  keyring instead of a dir cache; (bsc#1109830);

I'm not sure if manually modifying the krb5.conf from vendor-files is correct. Are these stored somewhere in a repository?

OBS-URL: https://build.opensuse.org/request/show/949537
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=255
2022-01-28 08:48:41 +00:00
Dominique Leuenberger
76bd4abcdd Accepting request 922420 from network
OBS-URL: https://build.opensuse.org/request/show/922420
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=157
2021-09-30 21:43:26 +00:00
10dc124f2d Accepting request 921724 from home:scabrero:branches:network
Add CVE references from SLE to prepare submission for SLE 15 SP4/Leap 15.4

OBS-URL: https://build.opensuse.org/request/show/921724
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=254
2021-09-30 16:39:57 +00:00
Dominique Leuenberger
0c7c29efce Accepting request 917690 from network
OBS-URL: https://build.opensuse.org/request/show/917690
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=156
2021-09-12 18:09:33 +00:00
cba0a3d8f7 Accepting request 915042 from home:scabrero:branches:network
- Fix KDC null pointer dereference via a FAST inner body that
  lacks a server field; (CVE-2021-37750); (bsc#1189929);
- Added patches:
  * 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch

OBS-URL: https://build.opensuse.org/request/show/915042
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=253
2021-09-09 09:25:27 +00:00
Richard Brown
b8e090719d Accepting request 910805 from network
OBS-URL: https://build.opensuse.org/request/show/910805
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=155
2021-08-18 06:55:06 +00:00
d342aedfcc Accepting request 909709 from home:scabrero:branches:network
- Update to 1.19.2
  * Fix a denial of service attack against the KDC encrypted challenge
    code; (CVE-2021-36222);
  * Fix a memory leak when gss_inquire_cred() is called without a
    credential handle.

OBS-URL: https://build.opensuse.org/request/show/909709
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=252
2021-08-09 08:50:11 +00:00
Dominique Leuenberger
9d921b770f Accepting request 894925 from network
OBS-URL: https://build.opensuse.org/request/show/894925
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=154
2021-06-01 08:33:49 +00:00
b7fb4fe943 Accepting request 889948 from home:rzl
- Build with full Cyrus SASL support
  * Negotiating SASL credentials with an EXTERNAL bind mechanism requires
    interaction. Kerberos provides its own interaction function that skips
    all interaction, thus preventing the mechanism from working.

OBS-URL: https://build.opensuse.org/request/show/889948
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=250
2021-05-22 11:00:53 +00:00
Dominique Leuenberger
6472973cd4 Accepting request 888170 from network
OBS-URL: https://build.opensuse.org/request/show/888170
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=153
2021-04-28 23:36:29 +00:00
01edb4e3d8 Accepting request 887827 from home:scabrero:branches:network
- Use /run instead of /var/run for daemon PID files; (bsc#1185163);

OBS-URL: https://build.opensuse.org/request/show/887827
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=248
2021-04-24 09:17:08 +00:00
Dominique Leuenberger
fba18b14b9 Accepting request 884639 from network
OBS-URL: https://build.opensuse.org/request/show/884639
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=152
2021-04-15 14:56:34 +00:00
Peter Varkoly
ce0ee03f86 Accepting request 883658 from home:dirkmueller:Factory
- do not own %sbindir, it comes from filesystem package

OBS-URL: https://build.opensuse.org/request/show/883658
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=246
2021-04-12 12:07:29 +00:00
Richard Brown
6b0dfc7fec Accepting request 873782 from network
OBS-URL: https://build.opensuse.org/request/show/873782
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=151
2021-03-02 13:41:25 +00:00
Michael Ströder
eb5c874150 Accepting request 873781 from home:scabrero:krb5_1_19_test
The distribution URL has changed from previous releases.

OBS-URL: https://build.opensuse.org/request/show/873781
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=244
2021-02-19 13:42:58 +00:00
Michael Ströder
ceafe406ff Accepting request 873760 from home:scabrero:krb5_1_19_test
- Update to 1.19.1
  * Fix a linking issue with Samba.
  * Better support multiple pkinit_identities values by checking whether
    certificates can be loaded for each value.

- Update to 1.19
  Administrator experience
    * When a client keytab is present, the GSSAPI krb5 mech will refresh
      credentials even if the current credentials were acquired manually.
    * It is now harder to accidentally delete the K/M entry from a KDB.
  Developer experience
    * gss_acquire_cred_from() now supports the "password" and "verify"
      options, allowing credentials to be acquired via password and
      verified using a keytab key.
    * When an application accepts a GSS security context, the new
      GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
      both provided matching channel bindings.
    * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
      to identify the desired client principal by certificate.
    * PKINIT certauth modules can now cause the hw-authent flag to be set
      in issued tickets.
    * The krb5_init_creds_step() API will now issue the same password
      expiration warnings as krb5_get_init_creds_password().
  Protocol evolution
    * Added client and KDC support for Microsoft's Resource-Based Constrained
      Delegation, which allows cross-realm S4U2Proxy requests. A third-party
      database module is required for KDC support.
    * kadmin/admin is now the preferred server principal name for kadmin
      connections, and the host-based form is no longer created by default.
      The client will still try the host-based form as a fallback.

OBS-URL: https://build.opensuse.org/request/show/873760
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=243
2021-02-19 12:56:34 +00:00
Dominique Leuenberger
30c9d7c831 Accepting request 853303 from network
OBS-URL: https://build.opensuse.org/request/show/853303
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=150
2020-12-16 09:58:40 +00:00
964a1412da Accepting request 850135 from home:scabrero:branches:network
- Update to 1.18.3
  * Fix a denial of service vulnerability when decoding Kerberos
    protocol messages.
  * Fix a locking issue with the LMDB KDB module which could cause
    KDC and kadmind processes to lose access to the database.
  * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
    and unloaded while libkrb5support remains loaded.
- Update to 1.18.3
  * Fix a denial of service vulnerability when decoding Kerberos
    protocol messages.
  * Fix a locking issue with the LMDB KDB module which could cause
    KDC and kadmind processes to lose access to the database.
  * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
    and unloaded while libkrb5support remains loaded.

OBS-URL: https://build.opensuse.org/request/show/850135
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=241
2020-12-05 17:18:57 +00:00
Dominique Leuenberger
af03cb9337 Accepting request 824487 from network
OBS-URL: https://build.opensuse.org/request/show/824487
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=149
2020-08-17 09:58:34 +00:00
97a10d8037 Accepting request 819446 from home:Andreas_Schwab:Factory
- Don't fail if %{_lto_cflags} is empty

OBS-URL: https://build.opensuse.org/request/show/819446
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=239
2020-08-05 12:32:17 +00:00
Dominique Leuenberger
0404bd9c4f Accepting request 814662 from network
OBS-URL: https://build.opensuse.org/request/show/814662
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=148
2020-07-21 14:42:53 +00:00
3bbe5c3fdb Accepting request 814123 from home:dimstar:Factory
- Do not mangle libexecdir, bindir, sbindir and datadir: there is
  no reasonable justification to step out of the defaults.

I'm aware this will take a few more packages to be changed to properly find krb5-config now, as some (not all) explicictly look for /usr/lib/mit/bin (most have this encoded as %{_libexecdir}/mit/bin - which is wrong anyway; libexecdir is changing to /usr/libexec - so krb5 does not follow that already anyway.

So instead of just trying some half-baked fixup, I decided to clean it up completely.

I also updated the files in vendor-files.tar.bz to have the correct path definitions and dropped the .csh and .sh profiles (which only added the extra added paths to $PATH - so we can just as well install to /usr/ anyway)

If there is anything substantial I missed that makes this change a bad idea, I'm open for discussions

OBS-URL: https://build.opensuse.org/request/show/814123
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=237
2020-06-15 09:07:04 +00:00
Dominique Leuenberger
5d444aa82c Accepting request 812027 from network
OBS-URL: https://build.opensuse.org/request/show/812027
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=147
2020-06-11 12:42:08 +00:00
32e64938c1 Accepting request 810166 from home:scabrero:branches:network
- Update to 1.18.2
  * Fix a SPNEGO regression where an acceptor using the default credential
    would improperly filter mechanisms, causing a negotiation failure.
  * Fix a bug where the KDC would fail to issue tickets if the local krbtgt
    principal's first key has a single-DES enctype.
  * Add stub functions to allow old versions of OpenSSL libcrypto to link
    against libkrb5.
  * Fix a NegoEx bug where the client name and delegated credential might
    not be reported.
- Update logrotate script, call systemd to reload the services
  instead of init-scripts. (boo#1169357)
- Update to 1.18.2
  * Fix a SPNEGO regression where an acceptor using the default credential
    would improperly filter mechanisms, causing a negotiation failure.
  * Fix a bug where the KDC would fail to issue tickets if the local krbtgt
    principal's first key has a single-DES enctype.
  * Add stub functions to allow old versions of OpenSSL libcrypto to link
    against libkrb5.
  * Fix a NegoEx bug where the client name and delegated credential might
    not be reported.
- Update logrotate script, call systemd to reload the services
  instead of init-scripts. (boo#1169357)

OBS-URL: https://build.opensuse.org/request/show/810166
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=235
2020-06-06 06:52:29 +00:00
2564aa071d Accepting request 809058 from home:cgiboudeaux:branches:network
- Don't add the lto flags to the public link options. (boo#1172038)

- Don't add the lto flags to the public link options. (boo#1172038)

OBS-URL: https://build.opensuse.org/request/show/809058
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=234
2020-05-28 14:56:34 +00:00