SHA256
1
0
forked from pool/krb5
Commit Graph

302 Commits

Author SHA256 Message Date
Dominique Leuenberger
af03cb9337 Accepting request 824487 from network
OBS-URL: https://build.opensuse.org/request/show/824487
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=149
2020-08-17 09:58:34 +00:00
97a10d8037 Accepting request 819446 from home:Andreas_Schwab:Factory
- Don't fail if %{_lto_cflags} is empty

OBS-URL: https://build.opensuse.org/request/show/819446
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=239
2020-08-05 12:32:17 +00:00
Dominique Leuenberger
0404bd9c4f Accepting request 814662 from network
OBS-URL: https://build.opensuse.org/request/show/814662
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=148
2020-07-21 14:42:53 +00:00
3bbe5c3fdb Accepting request 814123 from home:dimstar:Factory
- Do not mangle libexecdir, bindir, sbindir and datadir: there is
  no reasonable justification to step out of the defaults.

I'm aware this will take a few more packages to be changed to properly find krb5-config now, as some (not all) explicictly look for /usr/lib/mit/bin (most have this encoded as %{_libexecdir}/mit/bin - which is wrong anyway; libexecdir is changing to /usr/libexec - so krb5 does not follow that already anyway.

So instead of just trying some half-baked fixup, I decided to clean it up completely.

I also updated the files in vendor-files.tar.bz to have the correct path definitions and dropped the .csh and .sh profiles (which only added the extra added paths to $PATH - so we can just as well install to /usr/ anyway)

If there is anything substantial I missed that makes this change a bad idea, I'm open for discussions

OBS-URL: https://build.opensuse.org/request/show/814123
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=237
2020-06-15 09:07:04 +00:00
Dominique Leuenberger
5d444aa82c Accepting request 812027 from network
OBS-URL: https://build.opensuse.org/request/show/812027
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=147
2020-06-11 12:42:08 +00:00
32e64938c1 Accepting request 810166 from home:scabrero:branches:network
- Update to 1.18.2
  * Fix a SPNEGO regression where an acceptor using the default credential
    would improperly filter mechanisms, causing a negotiation failure.
  * Fix a bug where the KDC would fail to issue tickets if the local krbtgt
    principal's first key has a single-DES enctype.
  * Add stub functions to allow old versions of OpenSSL libcrypto to link
    against libkrb5.
  * Fix a NegoEx bug where the client name and delegated credential might
    not be reported.
- Update logrotate script, call systemd to reload the services
  instead of init-scripts. (boo#1169357)
- Update to 1.18.2
  * Fix a SPNEGO regression where an acceptor using the default credential
    would improperly filter mechanisms, causing a negotiation failure.
  * Fix a bug where the KDC would fail to issue tickets if the local krbtgt
    principal's first key has a single-DES enctype.
  * Add stub functions to allow old versions of OpenSSL libcrypto to link
    against libkrb5.
  * Fix a NegoEx bug where the client name and delegated credential might
    not be reported.
- Update logrotate script, call systemd to reload the services
  instead of init-scripts. (boo#1169357)

OBS-URL: https://build.opensuse.org/request/show/810166
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=235
2020-06-06 06:52:29 +00:00
2564aa071d Accepting request 809058 from home:cgiboudeaux:branches:network
- Don't add the lto flags to the public link options. (boo#1172038)

- Don't add the lto flags to the public link options. (boo#1172038)

OBS-URL: https://build.opensuse.org/request/show/809058
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=234
2020-05-28 14:56:34 +00:00
Dominique Leuenberger
bb6082deee Accepting request 805750 from network
OBS-URL: https://build.opensuse.org/request/show/805750
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=146
2020-05-19 12:43:09 +00:00
4598210276 Accepting request 800735 from home:scabrero:branches:network
- Upgrade to 1.18.1
  * Fix a crash when qualifying short hostnames when the system has
    no primary DNS domain.
  * Fix a regression when an application imports "service@" as a GSS
    host-based name for its acceptor credential handle.
  * Fix KDC enforcement of auth indicators when they are modified by
    the KDB module.
  * Fix removal of require_auth string attributes when the LDAP KDB
    module is used.
  * Fix a compile error when building with musl libc on Linux.
  * Fix a compile error when building with gcc 4.x.
  * Change the KDC constrained delegation precedence order for consistency
    with Windows KDCs. 
- Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch
- Upgrade to 1.18.1
  * Fix a crash when qualifying short hostnames when the system has
    no primary DNS domain.
  * Fix a regression when an application imports "service@" as a GSS
    host-based name for its acceptor credential handle.
  * Fix KDC enforcement of auth indicators when they are modified by
    the KDB module.
  * Fix removal of require_auth string attributes when the LDAP KDB
    module is used.
  * Fix a compile error when building with musl libc on Linux.
  * Fix a compile error when building with gcc 4.x.
  * Change the KDC constrained delegation precedence order for consistency
    with Windows KDCs. 
- Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch

OBS-URL: https://build.opensuse.org/request/show/800735
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=232
2020-05-15 07:08:53 +00:00
Dominique Leuenberger
f4cac235f6 Accepting request 798844 from network
OBS-URL: https://build.opensuse.org/request/show/798844
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=145
2020-05-09 17:48:07 +00:00
8ccc2d47d3 Accepting request 798828 from home:dimstar:Factory
- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d
  notation: libexecdir is likely changing away from /usr/lib to
  /usr/libexec.

- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d
  notation: libexecdir is likely changing away from /usr/lib to
  /usr/libexec.

OBS-URL: https://build.opensuse.org/request/show/798828
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=230
2020-04-29 09:47:44 +00:00
Dominique Leuenberger
856f9cd399 Accepting request 789700 from network
OBS-URL: https://build.opensuse.org/request/show/789700
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=144
2020-04-04 10:04:03 +00:00
Tomáš Chvátal
f2bf4325ae Accepting request 789691 from home:scabrero:branches:network
- Fix segfault in k5_primary_domain; (bsc#1167620);
- Added patches:
  * 0009-Fix-null-dereference-qualifying-short-hostnames.patch

OBS-URL: https://build.opensuse.org/request/show/789691
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=228
2020-03-30 10:04:03 +00:00
Dominique Leuenberger
28eaa99663 Accepting request 779310 from network
OBS-URL: https://build.opensuse.org/request/show/779310
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=143
2020-02-28 14:18:59 +00:00
7a27c19df2 Accepting request 778977 from home:scarabeus_iv:branches:network
- Remove cruft to support distributions older than SLE 12
- Use macros where applicable
- Switch to pkgconfig style dependencies

- Remove cruft to support distributions older than SLE 12
- Use macros where applicable
- Switch to pkgconfig style dependencies

OBS-URL: https://build.opensuse.org/request/show/778977
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=226
2020-02-26 08:25:58 +00:00
Tomáš Chvátal
2225cdd33f OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=225 2020-02-25 08:14:16 +00:00
Tomáš Chvátal
70aa357ac9 Accepting request 777881 from home:scabrero:branches:network
- Upgrade to 1.18
  Administrator experience:
    * Remove support for single-DES encryption types.
    * Change the replay cache format to be more efficient and robust.
      Replay cache filenames using the new format end with ".rcache2"
      by default.
    * setuid programs will automatically ignore environment variables
      that normally affect krb5 API functions, even if the caller does
      not use krb5_init_secure_context().
    * Add an "enforce_ok_as_delegate" krb5.conf relation to disable
      credential forwarding during GSSAPI authentication unless the KDC
      sets the ok-as-delegate bit in the service ticket.
    * Use the permitted_enctypes krb5.conf setting as the default value
      for default_tkt_enctypes and default_tgs_enctypes.
  Developer experience:
    * Implement krb5_cc_remove_cred() for all credential cache types.
    * Add the krb5_pac_get_client_info() API to get the client account
      name from a PAC.
  Protocol evolution:
    * Add KDC support for S4U2Self requests where the user is identified
      by X.509 certificate. (Requires support for certificate lookup from
      a third-party KDB module.)
    * Remove support for an old ("draft 9") variant of PKINIT.
    * Add support for Microsoft NegoEx. (Requires one or more third-party
      GSS modules implementing NegoEx mechanisms.)
  User experience:
    * Add support for "dns_canonicalize_hostname=fallback", causing
      host-based principal names to be tried first without DNS
      canonicalization, and again with DNS canonicalization if the
      un-canonicalized server is not found.
    * Expand single-component hostnames in host-based principal names
      when DNS canonicalization is not used, adding the system's first DNS
      search path as a suffix. Add a "qualify_shortname" krb5.conf relation
      to override this suffix or disable expansion.
    * Honor the transited-policy-checked ticket flag on application servers,
      eliminating the requirement to configure capaths on servers in some
      scenarios.
  Code quality:
    * The libkrb5 serialization code (used to export and import krb5 GSS
      security contexts) has been simplified and made type-safe.
    * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
      messages has been revised to conform to current coding practices.
    * The test suite has been modified to work with macOS System Integrity
      Protection enabled.
    * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
      can always be tested.
- Updated patches:
  * 0002-krb5-1.9-manpaths.patch
  * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * 0005-krb5-1.6.3-ktutil-manpage.patch
  * 0006-krb5-1.12-api.patch
- Renamed patches:
  * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
  * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
  * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
  * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
- Deleted patches:
  * 0007-krb5-1.12-ksu-path.patch
- Upgrade to 1.18
  Administrator experience:
    * Remove support for single-DES encryption types.
    * Change the replay cache format to be more efficient and robust.
      Replay cache filenames using the new format end with ".rcache2"
      by default.
    * setuid programs will automatically ignore environment variables
      that normally affect krb5 API functions, even if the caller does
      not use krb5_init_secure_context().
    * Add an "enforce_ok_as_delegate" krb5.conf relation to disable
      credential forwarding during GSSAPI authentication unless the KDC
      sets the ok-as-delegate bit in the service ticket.
    * Use the permitted_enctypes krb5.conf setting as the default value
      for default_tkt_enctypes and default_tgs_enctypes.
  Developer experience:
    * Implement krb5_cc_remove_cred() for all credential cache types.
    * Add the krb5_pac_get_client_info() API to get the client account
      name from a PAC.
  Protocol evolution:
    * Add KDC support for S4U2Self requests where the user is identified
      by X.509 certificate. (Requires support for certificate lookup from
      a third-party KDB module.)
    * Remove support for an old ("draft 9") variant of PKINIT.
    * Add support for Microsoft NegoEx. (Requires one or more third-party
      GSS modules implementing NegoEx mechanisms.)
  User experience:
    * Add support for "dns_canonicalize_hostname=fallback", causing
      host-based principal names to be tried first without DNS
      canonicalization, and again with DNS canonicalization if the
      un-canonicalized server is not found.
    * Expand single-component hostnames in host-based principal names
      when DNS canonicalization is not used, adding the system's first DNS
      search path as a suffix. Add a "qualify_shortname" krb5.conf relation
      to override this suffix or disable expansion.
    * Honor the transited-policy-checked ticket flag on application servers,
      eliminating the requirement to configure capaths on servers in some
      scenarios.
  Code quality:
    * The libkrb5 serialization code (used to export and import krb5 GSS
      security contexts) has been simplified and made type-safe.
    * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
      messages has been revised to conform to current coding practices.
    * The test suite has been modified to work with macOS System Integrity
      Protection enabled.
    * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
      can always be tested.
- Updated patches:
  * 0002-krb5-1.9-manpaths.patch
  * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * 0005-krb5-1.6.3-ktutil-manpage.patch
  * 0006-krb5-1.12-api.patch
- Renamed patches:
  * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
  * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
  * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
  * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
- Deleted patches:
  * 0007-krb5-1.12-ksu-path.patch

OBS-URL: https://build.opensuse.org/request/show/777881
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=224
2020-02-25 07:55:08 +00:00
Dominique Leuenberger
7e5dbc8d34 Accepting request 756043 from network
OBS-URL: https://build.opensuse.org/request/show/756043
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=142
2019-12-16 16:26:13 +00:00
Tomáš Chvátal
30ac12137f Accepting request 756027 from home:scabrero:branches:network
- Upgrade to 1.17.1
  * Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin.
  * Fix a bug preventing time skew correction from working when a KCM
    credential cache is used.

OBS-URL: https://build.opensuse.org/request/show/756027
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=222
2019-12-12 11:10:52 +00:00
Dominique Leuenberger
0df1daf310 Accepting request 721101 from network
OBS-URL: https://build.opensuse.org/request/show/721101
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=141
2019-08-15 10:25:50 +00:00
Tomáš Chvátal
c313f4544f Accepting request 721095 from home:scabrero:branches:network
- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947);
  (bsc#1144047);

OBS-URL: https://build.opensuse.org/request/show/721095
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=220
2019-08-05 18:08:17 +00:00
Dominique Leuenberger
44fb2004ff Accepting request 718535 from network
OBS-URL: https://build.opensuse.org/request/show/718535
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=140
2019-08-05 08:28:48 +00:00
462ccca80d Accepting request 718507 from home:mgerstner:branches:network
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
  firewalld, see [1].
  [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html

- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
  firewalld, see [1].
  [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html

OBS-URL: https://build.opensuse.org/request/show/718507
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=218
2019-07-25 11:56:17 +00:00
Dominique Leuenberger
58341eef9e Accepting request 701544 from network
OBS-URL: https://build.opensuse.org/request/show/701544
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=139
2019-05-16 19:55:25 +00:00
Tomáš Chvátal
5a542f45bd Accepting request 701295 from home:scabrero:branches:network
- Move LDAP schema files from /usr/share/doc/packages/krb5 to
  /usr/share/kerberos/ldap; (bsc#1134217);

OBS-URL: https://build.opensuse.org/request/show/701295
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=216
2019-05-08 10:10:09 +00:00
Yuchen Lin
9cfbbfdef3 Accepting request 674895 from network
OBS-URL: https://build.opensuse.org/request/show/674895
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=138
2019-02-19 12:54:57 +00:00
Tomáš Chvátal
05a3f5da3c Accepting request 674684 from home:jengelh:branches:network
- Replace old $RPM_* shell vars

OBS-URL: https://build.opensuse.org/request/show/674684
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=214
2019-02-14 08:52:23 +00:00
cd90bbcf23 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=213 2019-02-13 17:07:05 +00:00
d42ae2c82a Accepting request 670179 from home:scabrero:branches:network
- Upgrade to 1.17. Major changes:
  Administrator experience:
  * A new Kerberos database module using the Lightning Memory-Mapped
    Database library (LMDB) has been added.  The LMDB KDB module should
    be more performant and more robust than the DB2 module, and may
    become the default module for new databases in a future release.
  * "kdb5_util dump" will no longer dump policy entries when specific
    principal names are requested.
  Developer experience:
  * The new krb5_get_etype_info() API can be used to retrieve enctype,
    salt, and string-to-key parameters from the KDC for a client
    principal.
  * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
    principal names to be used with GSS-API functions.
  * KDC and kadmind modules which call com_err() will now write to the
    log file in a format more consistent with other log messages.
  * Programs which use large numbers of memory credential caches should
    perform better.
  Protocol evolution:
  * The SPAKE pre-authentication mechanism is now supported.  This
    mechanism protects against password dictionary attacks without
    requiring any additional infrastructure such as certificates.  SPAKE
    is enabled by default on clients, but must be manually enabled on
    the KDC for this release.
  * PKINIT freshness tokens are now supported.  Freshness tokens can
    protect against scenarios where an attacker uses temporary access to
    a smart card to generate authentication requests for the future.
  * Password change operations now prefer TCP over UDP, to avoid
    spurious error messages about replays when a response packet is
    dropped.
  * The KDC now supports cross-realm S4U2Self requests when used with a
    third-party KDB module such as Samba's.  The client code for
    cross-realm S4U2Self requests is also now more robust.
  User experience:
  * The new ktutil addent -f flag can be used to fetch salt information
    from the KDC for password-based keys.
  * The new kdestroy -p option can be used to destroy a credential cache
    within a collection by client principal name.
  * The Kerberos man page has been restored, and documents the
    environment variables that affect programs using the Kerberos
    library.
  Code quality:
  * Python test scripts now use Python 3.
  * Python test scripts now display markers in verbose output, making it
    easier to find where a failure occurred within the scripts.
  * The Windows build system has been simplified and updated to work
    with more recent versions of Visual Studio.  A large volume of
    unused Windows-specific code has been removed.  Visual Studio 2013
    or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
  by transactional updates; (bsc#1100126);
- Rename patches:
  * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
  * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
  * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
  * krb5-1.6.3-gssapi_improve_errormessages.dif to
    0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
  * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
  * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
  * krb5-1.12-selinux-label.patch =>  0008-krb5-1.12-selinux-label.patch
  * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
- Upgrade to 1.17. Major changes:
  Administrator experience:
  * A new Kerberos database module using the Lightning Memory-Mapped
    Database library (LMDB) has been added.  The LMDB KDB module should
    be more performant and more robust than the DB2 module, and may
    become the default module for new databases in a future release.
  * "kdb5_util dump" will no longer dump policy entries when specific
    principal names are requested.
  Developer experience:
  * The new krb5_get_etype_info() API can be used to retrieve enctype,
    salt, and string-to-key parameters from the KDC for a client
    principal.
  * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
    principal names to be used with GSS-API functions.
  * KDC and kadmind modules which call com_err() will now write to the
    log file in a format more consistent with other log messages.
  * Programs which use large numbers of memory credential caches should
    perform better.
  Protocol evolution:
  * The SPAKE pre-authentication mechanism is now supported.  This
    mechanism protects against password dictionary attacks without
    requiring any additional infrastructure such as certificates.  SPAKE
    is enabled by default on clients, but must be manually enabled on
    the KDC for this release.
  * PKINIT freshness tokens are now supported.  Freshness tokens can
    protect against scenarios where an attacker uses temporary access to
    a smart card to generate authentication requests for the future.
  * Password change operations now prefer TCP over UDP, to avoid
    spurious error messages about replays when a response packet is
    dropped.
  * The KDC now supports cross-realm S4U2Self requests when used with a
    third-party KDB module such as Samba's.  The client code for
    cross-realm S4U2Self requests is also now more robust.
  User experience:
  * The new ktutil addent -f flag can be used to fetch salt information
    from the KDC for password-based keys.
  * The new kdestroy -p option can be used to destroy a credential cache
    within a collection by client principal name.
  * The Kerberos man page has been restored, and documents the
    environment variables that affect programs using the Kerberos
    library.
  Code quality:
  * Python test scripts now use Python 3.
  * Python test scripts now display markers in verbose output, making it
    easier to find where a failure occurred within the scripts.
  * The Windows build system has been simplified and updated to work
    with more recent versions of Visual Studio.  A large volume of
    unused Windows-specific code has been removed.  Visual Studio 2013
    or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
  by transactional updates; (bsc#1100126);
- Rename patches:
  * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
  * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
  * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
  * krb5-1.6.3-gssapi_improve_errormessages.dif to
    0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
  * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
  * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
  * krb5-1.12-selinux-label.patch =>  0008-krb5-1.12-selinux-label.patch
  * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch

OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
2019-02-13 17:01:33 +00:00
Dominique Leuenberger
6b8422d303 Accepting request 642079 from network
OBS-URL: https://build.opensuse.org/request/show/642079
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=137
2018-10-29 13:13:32 +00:00
Ismail Dönmez
b76b76ea62 Accepting request 640882 from home:jmcdough:branches:network
Update to krb5-1.16.1

OBS-URL: https://build.opensuse.org/request/show/640882
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=210
2018-10-15 15:08:42 +00:00
Dominique Leuenberger
177f5a85da Accepting request 617494 from network
OBS-URL: https://build.opensuse.org/request/show/617494
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=136
2018-06-27 08:15:42 +00:00
Michael Ströder
1ffda59b05 Accepting request 617492 from home:mcepl
BSC#1021402 move %{_libdir}/krb5/plugins/tls/k5tls.so to krb5 package

OBS-URL: https://build.opensuse.org/request/show/617492
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=208
2018-06-18 11:26:07 +00:00
Dominique Leuenberger
275115ee4b Accepting request 604020 from network
OBS-URL: https://build.opensuse.org/request/show/604020
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=135
2018-05-10 13:43:54 +00:00
Michael Ströder
5dab1b263d Accepting request 603974 from home:stroeder:branches:network
Security fixes in release 1.15.3

OBS-URL: https://build.opensuse.org/request/show/603974
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=206
2018-05-04 11:22:34 +00:00
Dominique Leuenberger
18c2475063 Accepting request 602715 from network
OBS-URL: https://build.opensuse.org/request/show/602715
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=134
2018-05-02 10:16:43 +00:00
OBS User mrdocs
9cf7cfa8e9 Accepting request 601071 from home:luizluca:branches:network
- Added support for /etc/krb5.conf.d/ for configuration snippets

/etc/krb5.conf.d/ existance is now mandatory

OBS-URL: https://build.opensuse.org/request/show/601071
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=204
2018-05-01 03:19:15 +00:00
Dominique Leuenberger
7b6948fbbf Accepting request 544747 from network
OBS-URL: https://build.opensuse.org/request/show/544747
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=133
2017-11-30 11:31:32 +00:00
Michael Ströder
9ec64c1b6a Accepting request 544664 from home:RBrownSUSE:branches:network
Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

OBS-URL: https://build.opensuse.org/request/show/544664
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=202
2017-11-23 14:51:34 +00:00
Dominique Leuenberger
f6c12b0a7b Accepting request 539257 from network
- Remove build dependency doxygen, python-Cheetah, python-Sphinx,
  python-libxml2, python-lxml, most of which are python 2 programs.
  Consequently remove -doc subpackage. Users are encouraged to use
  online documentation. (bsc#1066461)

OBS-URL: https://build.opensuse.org/request/show/539257
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=132
2017-11-11 13:14:21 +00:00
Howard Guo
e5f49d0c42 - Remove build dependency doxygen, python-Cheetah, python-Sphinx,
python-libxml2, python-lxml, most of which are python 2 programs.
  Consequently remove -doc subpackage. Users are encouraged to use
  online documentation. (bsc#1066461)

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=200
2017-11-06 10:43:49 +00:00
Dominique Leuenberger
65956d3363 Accepting request 530615 from network
1

OBS-URL: https://build.opensuse.org/request/show/530615
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=131
2017-10-05 09:48:05 +00:00
Michael Ströder
c09363cbd0 Accepting request 530605 from home:jengelh:branches:network
- Update package descriptions.

OBS-URL: https://build.opensuse.org/request/show/530605
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=198
2017-10-02 23:37:48 +00:00
Dominique Leuenberger
05310b3a34 Accepting request 528906 from network
1

OBS-URL: https://build.opensuse.org/request/show/528906
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=130
2017-10-01 14:58:35 +00:00
Michael Ströder
f7aad59b95 Accepting request 528703 from home:stroeder:branches:network
- Upgrade to 1.15.2
  * Fix a KDC denial of service vulnerability caused by unset status
    strings [CVE-2017-11368]
  * Preserve GSS contexts on init/accept failure [CVE-2017-11462]
  * Fix kadm5 setkey operation with LDAP KDB module
  * Use a ten-second timeout after successful connection for HTTPS KDC
    requests, as we do for TCP requests
  * Fix client null dereference when KDC offers encrypted challenge
    without FAST
  * Ignore dotfiles when processing profile includedir directive
  * Improve documentation
- Upgrade to 1.15.2
  * Fix a KDC denial of service vulnerability caused by unset status
    strings [CVE-2017-11368]
  * Preserve GSS contexts on init/accept failure [CVE-2017-11462]
  * Fix kadm5 setkey operation with LDAP KDB module
  * Use a ten-second timeout after successful connection for HTTPS KDC
    requests, as we do for TCP requests
  * Fix client null dereference when KDC offers encrypted challenge
    without FAST
  * Ignore dotfiles when processing profile includedir directive
  * Improve documentation

OBS-URL: https://build.opensuse.org/request/show/528703
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=196
2017-09-27 08:29:01 +00:00
Dominique Leuenberger
06fb469c84 Accepting request 517510 from network
- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf
  in order to improve client security in handling service principle
  names. (bsc#1054028)

- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf
  in order to improve client security in handling service principle
  names. (bsc#1054028)

- Prevent kadmind.service startup failure caused by absence of
  LDAP service. (bsc#903543)

OBS-URL: https://build.opensuse.org/request/show/517510
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=129
2017-08-21 09:32:24 +00:00
Howard Guo
45350c1e0c - Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf
in order to improve client security in handling service principle
  names. (bsc#1054028)

- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf
  in order to improve client security in handling service principle
  names. (bsc#1054028)

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=194
2017-08-18 08:38:17 +00:00
Howard Guo
17c6c6c5ee - Prevent kadmind.service startup failure caused by absence of
LDAP service. (bsc#903543)

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=193
2017-08-11 09:12:41 +00:00
Dominique Leuenberger
1ea059ff9c Accepting request 501409 from network
OBS-URL: https://build.opensuse.org/request/show/501409
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=128
2017-06-15 09:19:29 +00:00
Howard Guo
1d1e68ea09 - There is no change made about the package itself, this is only
copying over some changelog texts from SLE package:
- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355
  krb5: denial of service in krb5_read_message
- bug#912002 owned by varkoly@suse.com: VUL-0
  CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423:
  krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
- bug#910458 owned by varkoly@suse.com: VUL-1
  CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries
- bug#928978 owned by varkoly@suse.com: VUL-0
  CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading
  to requires_preauth bypass
- bug#910457 owned by varkoly@suse.com: VUL-1
  CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy
  name as a password policy name
- bug#991088 owned by hguo@suse.com: VUL-1
  CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted
- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires
- [fate#320326](https://fate.suse.com/320326)
- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference
  from \cite

- There is no change made about the package itself, this is only
  copying over some changelog texts from SLE package:
- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355
  krb5: denial of service in krb5_read_message
- bug#912002 owned by varkoly@suse.com: VUL-0
  CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423:
  krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
- bug#910458 owned by varkoly@suse.com: VUL-1

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=191
2017-06-06 13:39:13 +00:00