- Upgrade to 1.15.2
* Fix a KDC denial of service vulnerability caused by unset status
strings [CVE-2017-11368]
* Preserve GSS contexts on init/accept failure [CVE-2017-11462]
* Fix kadm5 setkey operation with LDAP KDB module
* Use a ten-second timeout after successful connection for HTTPS KDC
requests, as we do for TCP requests
* Fix client null dereference when KDC offers encrypted challenge
without FAST
* Ignore dotfiles when processing profile includedir directive
* Improve documentation
OBS-URL: https://build.opensuse.org/request/show/528703
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=196
- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf
in order to improve client security in handling service principal
names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of
LDAP service. (bsc#903543)
OBS-URL: https://build.opensuse.org/request/show/517510
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=129
- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf
in order to improve client security in handling service principal
names. (bsc#1054028)
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=194
- There is no change made about the package itself, this is only
copying over some changelog texts from SLE package:
- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355
krb5: denial of service in krb5_read_message
- bug#912002 owned by varkoly@suse.com: VUL-0
CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423:
krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
- bug#910458 owned by varkoly@suse.com: VUL-1
CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries
- bug#928978 owned by varkoly@suse.com: VUL-0
CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading
to requires_preauth bypass
- bug#910457 owned by varkoly@suse.com: VUL-1
CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy
name as a password policy name
- bug#991088 owned by hguo@suse.com: VUL-1
CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted
- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires
- fate#320326 (https://fate.suse.com/320326)
- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference
from \cite
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=191
This is a new source code upload with the krb5.keyring updated
The keyring was missing Greg Hudson's gpg signature:
C4493CB739F4A89F9852CBC20CBA08575F8372DF
The command to create the keyring is:
gpg2 --export --export-options export-minimal \
2C732B1C0DBEF678AB3AF606A32F17FD0055C305 \
C4493CB739F4A89F9852CBC20CBA08575F8372DF > krb5.keyring
OBS-URL: https://build.opensuse.org/request/show/478007
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=185
- Upgrade from 1.14.2 to 1.14.3:
* Improve some error messages
* Improve documentation
* Allow a principal with nonexistent policy to bypass the minimum
password lifetime check, consistent with other aspects of
nonexistent policies
* Fix a rare KDC denial of service vulnerability when anonymous client
principals are restricted to obtaining TGTs only [CVE-2016-3120]
OBS-URL: https://build.opensuse.org/request/show/412764
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=121
------------------------------------------------------------------
- Remove source file ccapi/common/win/OldCC/autolock.hxx
that is not needed and does not carry an acceptable license.
(bsc#968111)
- Remove comments breaking post scripts.
- Do not use systemd_requires macros in main package, it adds
unneeded dependencies which pull systemd into minimal chroot.
- Only call %insserv_prereq when building for pre-systemd
distributions.
- Optimise some %post/%postun when only /sbin/ldconfig is called.
OBS-URL: https://build.opensuse.org/request/show/406062
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=120
- Remove source file ccapi/common/win/OldCC/autolock.hxx
that is not needed and does not carry an acceptable license.
(bsc#968111)
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=168
- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character
with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
(bsc#963968)
- Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request
with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
(bsc#963975)
- Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask
with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
(bsc#963964)
OBS-URL: https://build.opensuse.org/request/show/357309
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=158
- Add two patches from Fedora, fixing two crashes:
* krb5-fix_interposer.patch
* krb5-mechglue_inqure_attrs.patch
- Update to 1.14
- dropped krb5-kvno-230379.patch
- added krbdev.mit.edu-8301.patch fixing wrong function call
Major changes in 1.14 (2015-11-20)
==================================
Administrator experience:
* Add a new kdb5_util tabdump command to provide reporting-friendly
tabular dump formats (tab-separated or CSV) for the KDC database.
Unlike the normal dump format, each output table has a fixed number
of fields. Some tables include human-readable forms of data that
are opaque in ordinary dump files. This format is also suitable for
importing into relational databases for complex queries.
* Add support to kadmin and kadmin.local for specifying a single
command line following any global options, where the command
arguments are split by the shell--for example, "kadmin getprinc
principalname". Commands issued this way do not prompt for
confirmation or display warning messages, and exit with non-zero
status if the operation fails.
* Accept the same principal flag names in kadmin as we do for the
default_principal_flags kdc.conf variable, and vice versa. Also
accept flag specifiers in the form that kadmin prints, as well as
hexadecimal numbers.
* Remove the triple-DES and RC4 encryption types from the default
value of supported_enctypes, which determines the default key and
salt types for new password-derived keys. By default, keys will
only be created for AES128 and AES256. This mitigates some types
OBS-URL: https://build.opensuse.org/request/show/353069
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=114