SHA256
1
0
forked from pool/krb5
Commit Graph

232 Commits

Author SHA256 Message Date
39ade0e594 Accepting request 1153219 from home:pmonrealgonzalez:branches:network
- Add crypto-policies support [bsc#1211301]
  * Update krb5.conf in vendor-files.tar.bz2

- Add crypto-policies support [bsc#1211301]
  * Update krb5.conf in vendor-files.tar.bz2

OBS-URL: https://build.opensuse.org/request/show/1153219
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=280
2024-03-11 07:49:33 +00:00
12dcc60b0b - update to 1.21.2 (bsc#1218211, CVE-2023-39975):
* Fix double-free in KDC TGS processing [CVE-2023-39975].
- update to 1.21.1 (CVE-2023-36054):
    with Windows KDCs.

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=278
2023-12-20 23:21:24 +00:00
157057f8f8 Accepting request 1114983 from home:dimstar:Factory
- Add explicit this-is-only-for-build-envs requires to krb5-mini
  and krb5-mini-devel: the mini flavors are currently excluded
  using special hacks from the FTP Tree. In order to eliminate this
  hack, we need to ensure the packages are not viable for real
  installations. We achieve this with a dep that is never provided,
  but ignored by OBS.

OBS-URL: https://build.opensuse.org/request/show/1114983
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=276
2023-10-03 12:17:40 +00:00
36feefeaf6 - update to 1.121.1 (CVE-2023-36054):
* Fix potential uninitialized pointer free in kadm5 XDR parsing
    [CVE-2023-36054].
  * Added a credential cache type providing compatibility with
    the macOS 11 native credential cache.
  * libkadm5 will use the provided krb5_context object to read
    configuration values, instead of creating its own.
  * Added an interface to retrieve the ticket session key
    from a GSS context.
  * The KDC will no longer issue tickets with RC4 or triple-DES
    session keys unless explicitly configured with the new
    allow_rc4 or allow_des3 variables respectively.
  * The KDC will assume that all services can handle aes256-sha1
    session keys unless the service principal has a
    session_enctypes string attribute.
  * Support for PAC full KDC checksums has been added to
    mitigate an S4U2Proxy privilege escalation attack.
  * The PKINIT client will advertise a more modern set
    of supported CMS algorithms.
  * Removed unused code in libkrb5, libkrb5support,
    and the PKINIT module.
  * Modernized the KDC code for processing TGS requests,
    the code for encrypting and decrypting key data,
    the PAC handling code, and the GSS library packet
    parsing and composition code.
  * Improved the test framework's detection of memory
    errors in daemon processes when used with asan.

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=274
2023-07-15 18:25:31 +00:00
9b19498eb9 Accepting request 1084716 from home:fcrozat:branches:network
- Add _multibuild to define additional spec files as additional
  flavors.
  Eliminates the need for source package links in OBS.

- Add _multibuild to define additional spec files as additional
  flavors.
  Eliminates the need for source package links in OBS.

OBS-URL: https://build.opensuse.org/request/show/1084716
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=272
2023-05-04 13:49:47 +00:00
bed174ccde Accepting request 1073940 from home:dimstar:Factory
- Build mini flavor without keyutils support: breaks cycle between
  krb5-mini and keyutils.

OBS-URL: https://build.opensuse.org/request/show/1073940
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=270
2023-03-23 17:15:10 +00:00
2d89800a45 Accepting request 1069134 from home:scabrero:bsc1208887
- Update 0007-SELinux-integration.patch for SELinux 3.5;
  (bsc#1208887);

OBS-URL: https://build.opensuse.org/request/show/1069134
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=268
2023-03-06 14:30:02 +00:00
ae967cda93 Accepting request 1045519 from home:schubi2:pam_usr_etc
- Migration of PAM settings to /usr/lib/pam.d

OBS-URL: https://build.opensuse.org/request/show/1045519
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=266
2023-03-03 10:03:46 +00:00
83fc4d39c0 Accepting request 1042600 from home:scabrero:branches:network
- Drop 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch,
  already fixed in release 1.20.0

OBS-URL: https://build.opensuse.org/request/show/1042600
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=264
2022-12-14 09:47:16 +00:00
6580e8c91a Accepting request 1036182 from home:scabrero:branches:network
- Update to 1.20.1; (bsc#1205126); (CVE-2022-42898);
  * Fix integer overflows in PAC parsing [CVE-2022-42898].
  * Fix null deref in KDC when decoding invalid NDR.
  * Fix memory leak in OTP kdcpreauth module.
  * Fix PKCS11 module path search.

- Update to 1.20.1; (bsc#1205126); (CVE-2022-42898);
  * Fix integer overflows in PAC parsing [CVE-2022-42898].
  * Fix null deref in KDC when decoding invalid NDR.
  * Fix memory leak in OTP kdcpreauth module.
  * Fix PKCS11 module path search.

OBS-URL: https://build.opensuse.org/request/show/1036182
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=262
2022-11-17 16:22:59 +00:00
40f0f666d9 Accepting request 980314 from home:scabrero:branches:network
Align krb5-mini changelog and remove a couple of trailing white spaces

OBS-URL: https://build.opensuse.org/request/show/980314
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=260
2022-06-02 08:10:43 +00:00
7383de009b Accepting request 979732 from home:dirkmueller:Factory
- update to 1.20.0:
  * Added a "disable_pac" realm relation to suppress adding PAC authdata
    to tickets, for realms which do not need to support S4U requests.
  * Most credential cache types will use atomic replacement when a cache
    is reinitialized using kinit or refreshed from the client keytab.
  * kprop can now propagate databases with a dump size larger than 4GB,
    if both the client and server are upgraded.
  * kprop can now work over NATs that change the destination IP address,
    if the client is upgraded.
  * Updated the KDB interface.  The sign_authdata() method is replaced
    with the issue_pac() method, allowing KDB modules to add logon info
    and other buffers to the PAC issued by the KDC.
  * Host-based initiator names are better supported in the GSS krb5
    mechanism.
  * Replaced AD-SIGNEDPATH authdata with minimal PACs.
  * To avoid spurious replay errors, password change requests will not
    be attempted over UDP until the attempt over TCP fails.
  * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
  * Updated all code using OpenSSL to be compatible with OpenSSL 3.
  * Reorganized the libk5crypto build system to allow the OpenSSL
    back-end to pull in material from the builtin back-end depending on
    the OpenSSL version.
  * Simplified the PRNG logic to always use the platform PRNG.
  * Converted the remaining Tcl tests to Python.

OBS-URL: https://build.opensuse.org/request/show/979732
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=259
2022-05-31 11:34:39 +00:00
ff3493d16b Accepting request 967999 from home:dirkmueller:Factory
- update to 1.19.3 (bsc#1189929, CVE-2021-37750):
  * Fix a denial of service attack against the KDC [CVE-2021-37750].
  * Fix KDC null deref on TGS inner body null server
  * Fix conformance issue in GSSAPI tests

OBS-URL: https://build.opensuse.org/request/show/967999
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=257
2022-04-19 12:10:56 +00:00
e6222c3074 Accepting request 949610 from home:scabrero:branches:network
- Added hardening to systemd services; (bsc#1181400);

OBS-URL: https://build.opensuse.org/request/show/949610
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=256
2022-01-28 09:04:21 +00:00
1bc05687c3 Accepting request 949537 from home:dmulder:Bug1109830
- Resolve "Credential cache directory /run/user/0/krb5cc does not
  exist while opening default credentials cache" by using a kernel
  keyring instead of a dir cache; (bsc#1109830);

I'm not sure if manually modifying the krb5.conf from vendor-files is correct. Are these stored somewhere in a repository?

OBS-URL: https://build.opensuse.org/request/show/949537
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=255
2022-01-28 08:48:41 +00:00
10dc124f2d Accepting request 921724 from home:scabrero:branches:network
Add CVE references from SLE to prepare submission for SLE 15 SP4/Leap 15.4

OBS-URL: https://build.opensuse.org/request/show/921724
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=254
2021-09-30 16:39:57 +00:00
cba0a3d8f7 Accepting request 915042 from home:scabrero:branches:network
- Fix KDC null pointer dereference via a FAST inner body that
  lacks a server field; (CVE-2021-37750); (bsc#1189929);
- Added patches:
  * 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch

OBS-URL: https://build.opensuse.org/request/show/915042
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=253
2021-09-09 09:25:27 +00:00
d342aedfcc Accepting request 909709 from home:scabrero:branches:network
- Update to 1.19.2
  * Fix a denial of service attack against the KDC encrypted challenge
    code; (CVE-2021-36222);
  * Fix a memory leak when gss_inquire_cred() is called without a
    credential handle.

OBS-URL: https://build.opensuse.org/request/show/909709
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=252
2021-08-09 08:50:11 +00:00
b7fb4fe943 Accepting request 889948 from home:rzl
- Build with full Cyrus SASL support
  * Negotiating SASL credentials with an EXTERNAL bind mechanism requires
    interaction. Kerberos provides its own interaction function that skips
    all interaction, thus preventing the mechanism from working.

OBS-URL: https://build.opensuse.org/request/show/889948
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=250
2021-05-22 11:00:53 +00:00
01edb4e3d8 Accepting request 887827 from home:scabrero:branches:network
- Use /run instead of /var/run for daemon PID files; (bsc#1185163);

OBS-URL: https://build.opensuse.org/request/show/887827
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=248
2021-04-24 09:17:08 +00:00
Peter Varkoly
ce0ee03f86 Accepting request 883658 from home:dirkmueller:Factory
- do not own %sbindir, it comes from filesystem package

OBS-URL: https://build.opensuse.org/request/show/883658
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=246
2021-04-12 12:07:29 +00:00
Michael Ströder
eb5c874150 Accepting request 873781 from home:scabrero:krb5_1_19_test
The distribution URL has changed from previous releases.

OBS-URL: https://build.opensuse.org/request/show/873781
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=244
2021-02-19 13:42:58 +00:00
Michael Ströder
ceafe406ff Accepting request 873760 from home:scabrero:krb5_1_19_test
- Update to 1.19.1
  * Fix a linking issue with Samba.
  * Better support multiple pkinit_identities values by checking whether
    certificates can be loaded for each value.

- Update to 1.19
  Administrator experience
    * When a client keytab is present, the GSSAPI krb5 mech will refresh
      credentials even if the current credentials were acquired manually.
    * It is now harder to accidentally delete the K/M entry from a KDB.
  Developer experience
    * gss_acquire_cred_from() now supports the "password" and "verify"
      options, allowing credentials to be acquired via password and
      verified using a keytab key.
    * When an application accepts a GSS security context, the new
      GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
      both provided matching channel bindings.
    * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
      to identify the desired client principal by certificate.
    * PKINIT certauth modules can now cause the hw-authent flag to be set
      in issued tickets.
    * The krb5_init_creds_step() API will now issue the same password
      expiration warnings as krb5_get_init_creds_password().
  Protocol evolution
    * Added client and KDC support for Microsoft's Resource-Based Constrained
      Delegation, which allows cross-realm S4U2Proxy requests. A third-party
      database module is required for KDC support.
    * kadmin/admin is now the preferred server principal name for kadmin
      connections, and the host-based form is no longer created by default.
      The client will still try the host-based form as a fallback.

OBS-URL: https://build.opensuse.org/request/show/873760
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=243
2021-02-19 12:56:34 +00:00
964a1412da Accepting request 850135 from home:scabrero:branches:network
- Update to 1.18.3
  * Fix a denial of service vulnerability when decoding Kerberos
    protocol messages.
  * Fix a locking issue with the LMDB KDB module which could cause
    KDC and kadmind processes to lose access to the database.
  * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
    and unloaded while libkrb5support remains loaded.
- Update to 1.18.3
  * Fix a denial of service vulnerability when decoding Kerberos
    protocol messages.
  * Fix a locking issue with the LMDB KDB module which could cause
    KDC and kadmind processes to lose access to the database.
  * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
    and unloaded while libkrb5support remains loaded.

OBS-URL: https://build.opensuse.org/request/show/850135
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=241
2020-12-05 17:18:57 +00:00
97a10d8037 Accepting request 819446 from home:Andreas_Schwab:Factory
- Don't fail if %{_lto_cflags} is empty

OBS-URL: https://build.opensuse.org/request/show/819446
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=239
2020-08-05 12:32:17 +00:00
3bbe5c3fdb Accepting request 814123 from home:dimstar:Factory
- Do not mangle libexecdir, bindir, sbindir and datadir: there is
  no reasonable justification to step out of the defaults.

I'm aware this will take a few more packages to be changed to properly find krb5-config now, as some (not all) explicictly look for /usr/lib/mit/bin (most have this encoded as %{_libexecdir}/mit/bin - which is wrong anyway; libexecdir is changing to /usr/libexec - so krb5 does not follow that already anyway.

So instead of just trying some half-baked fixup, I decided to clean it up completely.

I also updated the files in vendor-files.tar.bz to have the correct path definitions and dropped the .csh and .sh profiles (which only added the extra added paths to $PATH - so we can just as well install to /usr/ anyway)

If there is anything substantial I missed that makes this change a bad idea, I'm open for discussions

OBS-URL: https://build.opensuse.org/request/show/814123
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=237
2020-06-15 09:07:04 +00:00
32e64938c1 Accepting request 810166 from home:scabrero:branches:network
- Update to 1.18.2
  * Fix a SPNEGO regression where an acceptor using the default credential
    would improperly filter mechanisms, causing a negotiation failure.
  * Fix a bug where the KDC would fail to issue tickets if the local krbtgt
    principal's first key has a single-DES enctype.
  * Add stub functions to allow old versions of OpenSSL libcrypto to link
    against libkrb5.
  * Fix a NegoEx bug where the client name and delegated credential might
    not be reported.
- Update logrotate script, call systemd to reload the services
  instead of init-scripts. (boo#1169357)
- Update to 1.18.2
  * Fix a SPNEGO regression where an acceptor using the default credential
    would improperly filter mechanisms, causing a negotiation failure.
  * Fix a bug where the KDC would fail to issue tickets if the local krbtgt
    principal's first key has a single-DES enctype.
  * Add stub functions to allow old versions of OpenSSL libcrypto to link
    against libkrb5.
  * Fix a NegoEx bug where the client name and delegated credential might
    not be reported.
- Update logrotate script, call systemd to reload the services
  instead of init-scripts. (boo#1169357)

OBS-URL: https://build.opensuse.org/request/show/810166
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=235
2020-06-06 06:52:29 +00:00
2564aa071d Accepting request 809058 from home:cgiboudeaux:branches:network
- Don't add the lto flags to the public link options. (boo#1172038)

- Don't add the lto flags to the public link options. (boo#1172038)

OBS-URL: https://build.opensuse.org/request/show/809058
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=234
2020-05-28 14:56:34 +00:00
4598210276 Accepting request 800735 from home:scabrero:branches:network
- Upgrade to 1.18.1
  * Fix a crash when qualifying short hostnames when the system has
    no primary DNS domain.
  * Fix a regression when an application imports "service@" as a GSS
    host-based name for its acceptor credential handle.
  * Fix KDC enforcement of auth indicators when they are modified by
    the KDB module.
  * Fix removal of require_auth string attributes when the LDAP KDB
    module is used.
  * Fix a compile error when building with musl libc on Linux.
  * Fix a compile error when building with gcc 4.x.
  * Change the KDC constrained delegation precedence order for consistency
    with Windows KDCs. 
- Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch
- Upgrade to 1.18.1
  * Fix a crash when qualifying short hostnames when the system has
    no primary DNS domain.
  * Fix a regression when an application imports "service@" as a GSS
    host-based name for its acceptor credential handle.
  * Fix KDC enforcement of auth indicators when they are modified by
    the KDB module.
  * Fix removal of require_auth string attributes when the LDAP KDB
    module is used.
  * Fix a compile error when building with musl libc on Linux.
  * Fix a compile error when building with gcc 4.x.
  * Change the KDC constrained delegation precedence order for consistency
    with Windows KDCs. 
- Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch

OBS-URL: https://build.opensuse.org/request/show/800735
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=232
2020-05-15 07:08:53 +00:00
8ccc2d47d3 Accepting request 798828 from home:dimstar:Factory
- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d
  notation: libexecdir is likely changing away from /usr/lib to
  /usr/libexec.

- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d
  notation: libexecdir is likely changing away from /usr/lib to
  /usr/libexec.

OBS-URL: https://build.opensuse.org/request/show/798828
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=230
2020-04-29 09:47:44 +00:00
Tomáš Chvátal
f2bf4325ae Accepting request 789691 from home:scabrero:branches:network
- Fix segfault in k5_primary_domain; (bsc#1167620);
- Added patches:
  * 0009-Fix-null-dereference-qualifying-short-hostnames.patch

OBS-URL: https://build.opensuse.org/request/show/789691
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=228
2020-03-30 10:04:03 +00:00
7a27c19df2 Accepting request 778977 from home:scarabeus_iv:branches:network
- Remove cruft to support distributions older than SLE 12
- Use macros where applicable
- Switch to pkgconfig style dependencies

- Remove cruft to support distributions older than SLE 12
- Use macros where applicable
- Switch to pkgconfig style dependencies

OBS-URL: https://build.opensuse.org/request/show/778977
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=226
2020-02-26 08:25:58 +00:00
Tomáš Chvátal
2225cdd33f OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=225 2020-02-25 08:14:16 +00:00
Tomáš Chvátal
70aa357ac9 Accepting request 777881 from home:scabrero:branches:network
- Upgrade to 1.18
  Administrator experience:
    * Remove support for single-DES encryption types.
    * Change the replay cache format to be more efficient and robust.
      Replay cache filenames using the new format end with ".rcache2"
      by default.
    * setuid programs will automatically ignore environment variables
      that normally affect krb5 API functions, even if the caller does
      not use krb5_init_secure_context().
    * Add an "enforce_ok_as_delegate" krb5.conf relation to disable
      credential forwarding during GSSAPI authentication unless the KDC
      sets the ok-as-delegate bit in the service ticket.
    * Use the permitted_enctypes krb5.conf setting as the default value
      for default_tkt_enctypes and default_tgs_enctypes.
  Developer experience:
    * Implement krb5_cc_remove_cred() for all credential cache types.
    * Add the krb5_pac_get_client_info() API to get the client account
      name from a PAC.
  Protocol evolution:
    * Add KDC support for S4U2Self requests where the user is identified
      by X.509 certificate. (Requires support for certificate lookup from
      a third-party KDB module.)
    * Remove support for an old ("draft 9") variant of PKINIT.
    * Add support for Microsoft NegoEx. (Requires one or more third-party
      GSS modules implementing NegoEx mechanisms.)
  User experience:
    * Add support for "dns_canonicalize_hostname=fallback", causing
      host-based principal names to be tried first without DNS
      canonicalization, and again with DNS canonicalization if the
      un-canonicalized server is not found.
    * Expand single-component hostnames in host-based principal names
      when DNS canonicalization is not used, adding the system's first DNS
      search path as a suffix. Add a "qualify_shortname" krb5.conf relation
      to override this suffix or disable expansion.
    * Honor the transited-policy-checked ticket flag on application servers,
      eliminating the requirement to configure capaths on servers in some
      scenarios.
  Code quality:
    * The libkrb5 serialization code (used to export and import krb5 GSS
      security contexts) has been simplified and made type-safe.
    * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
      messages has been revised to conform to current coding practices.
    * The test suite has been modified to work with macOS System Integrity
      Protection enabled.
    * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
      can always be tested.
- Updated patches:
  * 0002-krb5-1.9-manpaths.patch
  * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * 0005-krb5-1.6.3-ktutil-manpage.patch
  * 0006-krb5-1.12-api.patch
- Renamed patches:
  * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
  * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
  * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
  * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
- Deleted patches:
  * 0007-krb5-1.12-ksu-path.patch
- Upgrade to 1.18
  Administrator experience:
    * Remove support for single-DES encryption types.
    * Change the replay cache format to be more efficient and robust.
      Replay cache filenames using the new format end with ".rcache2"
      by default.
    * setuid programs will automatically ignore environment variables
      that normally affect krb5 API functions, even if the caller does
      not use krb5_init_secure_context().
    * Add an "enforce_ok_as_delegate" krb5.conf relation to disable
      credential forwarding during GSSAPI authentication unless the KDC
      sets the ok-as-delegate bit in the service ticket.
    * Use the permitted_enctypes krb5.conf setting as the default value
      for default_tkt_enctypes and default_tgs_enctypes.
  Developer experience:
    * Implement krb5_cc_remove_cred() for all credential cache types.
    * Add the krb5_pac_get_client_info() API to get the client account
      name from a PAC.
  Protocol evolution:
    * Add KDC support for S4U2Self requests where the user is identified
      by X.509 certificate. (Requires support for certificate lookup from
      a third-party KDB module.)
    * Remove support for an old ("draft 9") variant of PKINIT.
    * Add support for Microsoft NegoEx. (Requires one or more third-party
      GSS modules implementing NegoEx mechanisms.)
  User experience:
    * Add support for "dns_canonicalize_hostname=fallback", causing
      host-based principal names to be tried first without DNS
      canonicalization, and again with DNS canonicalization if the
      un-canonicalized server is not found.
    * Expand single-component hostnames in host-based principal names
      when DNS canonicalization is not used, adding the system's first DNS
      search path as a suffix. Add a "qualify_shortname" krb5.conf relation
      to override this suffix or disable expansion.
    * Honor the transited-policy-checked ticket flag on application servers,
      eliminating the requirement to configure capaths on servers in some
      scenarios.
  Code quality:
    * The libkrb5 serialization code (used to export and import krb5 GSS
      security contexts) has been simplified and made type-safe.
    * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
      messages has been revised to conform to current coding practices.
    * The test suite has been modified to work with macOS System Integrity
      Protection enabled.
    * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
      can always be tested.
- Updated patches:
  * 0002-krb5-1.9-manpaths.patch
  * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * 0005-krb5-1.6.3-ktutil-manpage.patch
  * 0006-krb5-1.12-api.patch
- Renamed patches:
  * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
  * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
  * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
  * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
- Deleted patches:
  * 0007-krb5-1.12-ksu-path.patch

OBS-URL: https://build.opensuse.org/request/show/777881
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=224
2020-02-25 07:55:08 +00:00
Tomáš Chvátal
30ac12137f Accepting request 756027 from home:scabrero:branches:network
- Upgrade to 1.17.1
  * Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin.
  * Fix a bug preventing time skew correction from working when a KCM
    credential cache is used.

OBS-URL: https://build.opensuse.org/request/show/756027
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=222
2019-12-12 11:10:52 +00:00
Tomáš Chvátal
c313f4544f Accepting request 721095 from home:scabrero:branches:network
- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947);
  (bsc#1144047);

OBS-URL: https://build.opensuse.org/request/show/721095
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=220
2019-08-05 18:08:17 +00:00
462ccca80d Accepting request 718507 from home:mgerstner:branches:network
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
  firewalld, see [1].
  [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html

- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
  firewalld, see [1].
  [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html

OBS-URL: https://build.opensuse.org/request/show/718507
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=218
2019-07-25 11:56:17 +00:00
Tomáš Chvátal
5a542f45bd Accepting request 701295 from home:scabrero:branches:network
- Move LDAP schema files from /usr/share/doc/packages/krb5 to
  /usr/share/kerberos/ldap; (bsc#1134217);

OBS-URL: https://build.opensuse.org/request/show/701295
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=216
2019-05-08 10:10:09 +00:00
Tomáš Chvátal
05a3f5da3c Accepting request 674684 from home:jengelh:branches:network
- Replace old $RPM_* shell vars

OBS-URL: https://build.opensuse.org/request/show/674684
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=214
2019-02-14 08:52:23 +00:00
cd90bbcf23 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=213 2019-02-13 17:07:05 +00:00
d42ae2c82a Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
  Administrator experience:
  * A new Kerberos database module using the Lightning Memory-Mapped
    Database library (LMDB) has been added.  The LMDB KDB module should
    be more performant and more robust than the DB2 module, and may
    become the default module for new databases in a future release.
  * "kdb5_util dump" will no longer dump policy entries when specific
    principal names are requested.
  Developer experience:
  * The new krb5_get_etype_info() API can be used to retrieve enctype,
    salt, and string-to-key parameters from the KDC for a client
    principal.
  * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
    principal names to be used with GSS-API functions.
  * KDC and kadmind modules which call com_err() will now write to the
    log file in a format more consistent with other log messages.
  * Programs which use large numbers of memory credential caches should
    perform better.
  Protocol evolution:
  * The SPAKE pre-authentication mechanism is now supported.  This
    mechanism protects against password dictionary attacks without
    requiring any additional infrastructure such as certificates.  SPAKE
    is enabled by default on clients, but must be manually enabled on
    the KDC for this release.
  * PKINIT freshness tokens are now supported.  Freshness tokens can
    protect against scenarios where an attacker uses temporary access to
    a smart card to generate authentication requests for the future.
  * Password change operations now prefer TCP over UDP, to avoid
    spurious error messages about replays when a response packet is
    dropped.
  * The KDC now supports cross-realm S4U2Self requests when used with a
    third-party KDB module such as Samba's.  The client code for
    cross-realm S4U2Self requests is also now more robust.
  User experience:
  * The new ktutil addent -f flag can be used to fetch salt information
    from the KDC for password-based keys.
  * The new kdestroy -p option can be used to destroy a credential cache
    within a collection by client principal name.
  * The Kerberos man page has been restored, and documents the
    environment variables that affect programs using the Kerberos
    library.
  Code quality:
  * Python test scripts now use Python 3.
  * Python test scripts now display markers in verbose output, making it
    easier to find where a failure occurred within the scripts.
  * The Windows build system has been simplified and updated to work
    with more recent versions of Visual Studio.  A large volume of
    unused Windows-specific code has been removed.  Visual Studio 2013
    or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
  by transactional updates; (bsc#1100126);
- Rename patches:
  * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
  * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
  * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
  * krb5-1.6.3-gssapi_improve_errormessages.dif to
    0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
  * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
  * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
  * krb5-1.12-selinux-label.patch =>  0008-krb5-1.12-selinux-label.patch
  * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
  Administrator experience:
  * A new Kerberos database module using the Lightning Memory-Mapped
    Database library (LMDB) has been added.  The LMDB KDB module should
    be more performant and more robust than the DB2 module, and may
    become the default module for new databases in a future release.
  * "kdb5_util dump" will no longer dump policy entries when specific
    principal names are requested.
  Developer experience:
  * The new krb5_get_etype_info() API can be used to retrieve enctype,
    salt, and string-to-key parameters from the KDC for a client
    principal.
  * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
    principal names to be used with GSS-API functions.
  * KDC and kadmind modules which call com_err() will now write to the
    log file in a format more consistent with other log messages.
  * Programs which use large numbers of memory credential caches should
    perform better.
  Protocol evolution:
  * The SPAKE pre-authentication mechanism is now supported.  This
    mechanism protects against password dictionary attacks without
    requiring any additional infrastructure such as certificates.  SPAKE
    is enabled by default on clients, but must be manually enabled on
    the KDC for this release.
  * PKINIT freshness tokens are now supported.  Freshness tokens can
    protect against scenarios where an attacker uses temporary access to
    a smart card to generate authentication requests for the future.
  * Password change operations now prefer TCP over UDP, to avoid
    spurious error messages about replays when a response packet is
    dropped.
  * The KDC now supports cross-realm S4U2Self requests when used with a
    third-party KDB module such as Samba's.  The client code for
    cross-realm S4U2Self requests is also now more robust.
  User experience:
  * The new ktutil addent -f flag can be used to fetch salt information
    from the KDC for password-based keys.
  * The new kdestroy -p option can be used to destroy a credential cache
    within a collection by client principal name.
  * The Kerberos man page has been restored, and documents the
    environment variables that affect programs using the Kerberos
    library.
  Code quality:
  * Python test scripts now use Python 3.
  * Python test scripts now display markers in verbose output, making it
    easier to find where a failure occurred within the scripts.
  * The Windows build system has been simplified and updated to work
    with more recent versions of Visual Studio.  A large volume of
    unused Windows-specific code has been removed.  Visual Studio 2013
    or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
  by transactional updates; (bsc#1100126);
- Rename patches:
  * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
  * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
  * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
  * krb5-1.6.3-gssapi_improve_errormessages.dif to
    0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
  * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
  * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
  * krb5-1.12-selinux-label.patch =>  0008-krb5-1.12-selinux-label.patch
  * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch

OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 17:01:33 +00:00
Ismail Dönmez
b76b76ea62 Accepting request 640882 from home:jmcdough:branches:network
Update to krb5-1.16.1

OBS-URL: https://build.opensuse.org/request/show/640882
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=210
2018-10-15 15:08:42 +00:00
Michael Ströder
1ffda59b05 Accepting request 617492 from home:mcepl
BSC#1021402 move %{_libdir}/krb5/plugins/tls/k5tls.so to krb5 package

OBS-URL: https://build.opensuse.org/request/show/617492
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=208
2018-06-18 11:26:07 +00:00
Michael Ströder
5dab1b263d Accepting request 603974 from home:stroeder:branches:network
Security fixes in release 1.15.3

OBS-URL: https://build.opensuse.org/request/show/603974
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=206
2018-05-04 11:22:34 +00:00
OBS User mrdocs
9cf7cfa8e9 Accepting request 601071 from home:luizluca:branches:network
- Added support for /etc/krb5.conf.d/ for configuration snippets

/etc/krb5.conf.d/ existance is now mandatory

OBS-URL: https://build.opensuse.org/request/show/601071
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=204
2018-05-01 03:19:15 +00:00
Michael Ströder
9ec64c1b6a Accepting request 544664 from home:RBrownSUSE:branches:network
Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

OBS-URL: https://build.opensuse.org/request/show/544664
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=202
2017-11-23 14:51:34 +00:00
Howard Guo
e5f49d0c42 - Remove build dependency doxygen, python-Cheetah, python-Sphinx,
python-libxml2, python-lxml, most of which are python 2 programs.
  Consequently remove -doc subpackage. Users are encouraged to use
  online documentation. (bsc#1066461)

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=200
2017-11-06 10:43:49 +00:00
Michael Ströder
c09363cbd0 Accepting request 530605 from home:jengelh:branches:network
- Update package descriptions.

OBS-URL: https://build.opensuse.org/request/show/530605
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=198
2017-10-02 23:37:48 +00:00
Michael Ströder
f7aad59b95 Accepting request 528703 from home:stroeder:branches:network
- Upgrade to 1.15.2
  * Fix a KDC denial of service vulnerability caused by unset status
    strings [CVE-2017-11368]
  * Preserve GSS contexts on init/accept failure [CVE-2017-11462]
  * Fix kadm5 setkey operation with LDAP KDB module
  * Use a ten-second timeout after successful connection for HTTPS KDC
    requests, as we do for TCP requests
  * Fix client null dereference when KDC offers encrypted challenge
    without FAST
  * Ignore dotfiles when processing profile includedir directive
  * Improve documentation
- Upgrade to 1.15.2
  * Fix a KDC denial of service vulnerability caused by unset status
    strings [CVE-2017-11368]
  * Preserve GSS contexts on init/accept failure [CVE-2017-11462]
  * Fix kadm5 setkey operation with LDAP KDB module
  * Use a ten-second timeout after successful connection for HTTPS KDC
    requests, as we do for TCP requests
  * Fix client null dereference when KDC offers encrypted challenge
    without FAST
  * Ignore dotfiles when processing profile includedir directive
  * Improve documentation

OBS-URL: https://build.opensuse.org/request/show/528703
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=196
2017-09-27 08:29:01 +00:00
Howard Guo
45350c1e0c - Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf
in order to improve client security in handling service principle
  names. (bsc#1054028)

- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf
  in order to improve client security in handling service principle
  names. (bsc#1054028)

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=194
2017-08-18 08:38:17 +00:00