-------------------------------------------------------------------
Thu Oct 30 12:34:56 CET 2008 - olh@suse.de

- obsolete old -XXbit packages (bnc#437293)

-------------------------------------------------------------------
Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de

- in case we use ldap as database backend, ldap should be
  started before krb5kdc

-------------------------------------------------------------------
Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de

- add new fixes to post 1.6.3 patch
  * fix mem leak in krb5_gss_accept_sec_context()
  * keep minor_status
  * kadm5_decrypt_key: A ktype of -1 is documented as meaning
    "to be ignored"
  * Reject socket fds > FD_SETSIZE

-------------------------------------------------------------------
Fri Jul 25 12:13:24 CEST 2008 - mc@suse.de

- add patches from SVN post 1.6.3
  * krb5_string_to_keysalts: Fix an infinite loop
  * fix some mutex issues
  * better recovery from corrupt rcache files
  * some more small fixes

-------------------------------------------------------------------
Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de

- add case-insensitive.dif (FATE#300771)
- minor fixes for ktutil man page
- reduce rpmlint warnings

-------------------------------------------------------------------
Wed May 14 17:44:59 CEST 2008 - mc@suse.de

- Fall back to TCP on kdc-unresolvable/unreachable errors.
- restore valid sequence number before generating requests
  (fix changing passwords in mixed ipv4/ipv6 environments)

-------------------------------------------------------------------
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de

- added baselibs.conf file to build xxbit packages
  for multilib support

-------------------------------------------------------------------
Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de

- modify krb5-config to not output rpath and cflags in --libs
  (bnc#378270)

-------------------------------------------------------------------
Fri Mar 14 11:27:55 CET 2008 - mc@suse.de

- fix two security bugs:
  * MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063)
    fix double free [bnc#361373]
  * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)
    Memory corruption while too many open file descriptors
    [bnc#363151]
- change default config file. Comment out the examples.

-------------------------------------------------------------------
Fri Dec 14 10:48:52 CET 2007 - mc@suse.de

- fix several security bugs:
  * CVE-2007-5894 apparent uninit length
  * CVE-2007-5902 integer overflow
  * CVE-2007-5971 free of non-heap pointer and double-free
  * CVE-2007-5972 double fclose()
  [#346745, #346748, #346746, #346749, #346747]

-------------------------------------------------------------------
Tue Dec 4 16:36:07 CET 2007 - mc@suse.de

- improve GSSAPI error messages

-------------------------------------------------------------------
Tue Nov 6 13:53:17 CET 2007 - mc@suse.de

- add coreutils to PreReq

-------------------------------------------------------------------
Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de

- update to krb5 version 1.6.3
  * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
  * fix CVE-2007-4000 modify_policy vulnerability
  * Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles

-------------------------------------------------------------------
Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de

- update krb5-1.6.2-post.dif
  * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
    the client library will not failover to the next KDC.
    [#310540]

-------------------------------------------------------------------
Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de

- update krb5-1.6.2-post.dif
  * new -S sname option for kvno
  * read_entropy_from_device on partial read will not fill buffer
  * Bail out if encoded "ticket" doesn't decode correctly.
  * patch for referrals loop

-------------------------------------------------------------------
Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de

- fix a problem with the originally published patch
  for MITKRB5-SA-2007-006 - CVE-2007-3999
  [#302377]

-------------------------------------------------------------------
Wed Sep 5 12:18:21 CEST 2007 - mc@suse.de

- fix execute arbitrary code
  (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
  [#302377]

-------------------------------------------------------------------
Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de

- add krb5-1.6.2-post.dif
  * during the referrals loop, check to see if the
    session key enctype of a returned credential for the final
    service is among the enctypes explicitly selected by the
    application, and retry with old_use_conf_ktypes if it is not.
  * If mkstemp() is available, the new ccache file gets created but
    the subsequent open(O_CREAT|O_EXCL) call fails because the file
    was already created by mkstemp(). Apply patch from Apple to keep
    the file descriptor open.

-------------------------------------------------------------------
Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de

- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release

-------------------------------------------------------------------
Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de

- change requires to libcom_err-devel

-------------------------------------------------------------------
Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de

- update krb5-1.6.1-post.dif
  * fix leak in krb5_walk_realm_tree
  * rd_req_decoded needs to deal with referral realms
  * fix buffer overflow in kadmind
    (MITKRB5-SA-2007-005 - CVE-2007-2798) [#278689]
  * fix kadmind code execution bug
    (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443) [#271191]

-------------------------------------------------------------------
Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de

- fix unstripped-binary-or-object rpmlint warning

-------------------------------------------------------------------
Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de

- fixing rpmlint warnings and errors:
  * merged logrotate scripts kadmin and krb5kdc into a single file
    krb5-server.
  * moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl
    from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper.
    adapted krb5.spec and README.ConvertHeimdalMIT accordingly.
  * added suppression filter for
    "devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so"
    (see [#147912]).
  * set default runlevel of init scripts in chkconfig line to 3 and 5

-------------------------------------------------------------------
Wed May 9 15:30:53 CEST 2007 - mc@suse.de

- fix uninitialized salt length
- add extra check for keytab file

-------------------------------------------------------------------
Thu May 3 12:11:29 CEST 2007 - mc@suse.de

- adding krb5-1.6.1-post.dif
  * fix segfault in krb5_get_init_creds_password
  * remove debug output in ftp client
  * profile stores empty string values without double quotes

-------------------------------------------------------------------
Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de

- update to final 1.6.1 version

-------------------------------------------------------------------
Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de

- add plugin directories to main package

-------------------------------------------------------------------
Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de

- update to version 1.6.1 Beta1
- remove obsolete patches
  (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
- rework compile_pie patch

-------------------------------------------------------------------
Wed Apr 11 10:58:09 CEST 2007 - mc@suse.de

- update krb5-1.6-post.dif
  * fix kadmind stack overflow in krb5_klog_syslog
    (MITKRB5-SA-2007-002 - CVE-2007-0957) [#253548]
  * fix double free attack in the RPC library
    (MITKRB5-SA-2007-003 - CVE-2007-1216) [#252487]
  * fix krb5 telnetd login injection
    (MIT-SA-2007-001 - CVE-2007-0956) #247765

-------------------------------------------------------------------
Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de

- add ncurses-devel and bison to BuildRequires
- rework some patches

-------------------------------------------------------------------
Mon Mar 5 11:01:20 CET 2007 - mc@suse.de

- move SuSEFirewall service definitions to
  /etc/sysconfig/SuSEfirewall2.d/services

-------------------------------------------------------------------
Thu Feb 22 11:13:48 CET 2007 - mc@suse.de

- add firewall definition to krb5-server, FATE #300687

-------------------------------------------------------------------
Mon Feb 19 13:59:43 CET 2007 - mc@suse.de

- update krb5-1.6-post.dif
- move some applications into the right package

-------------------------------------------------------------------
Fri Feb 9 13:31:22 CET 2007 - mc@suse.de

- update krb5-1.6-post.dif

-------------------------------------------------------------------
Mon Jan 29 11:27:23 CET 2007 - mc@suse.de

- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif
  are now upstream. Remove patches.
- fix leak in krb5_kt_resolve and krb5_kt_wresolve

-------------------------------------------------------------------
Tue Jan 23 17:21:12 CET 2007 - mc@suse.de

- fix "local variable used before set" in ftp.c
  [#237684]

-------------------------------------------------------------------
Mon Jan 22 16:39:27 CET 2007 - mc@suse.de

- krb5-devel should require keyutils-devel

-------------------------------------------------------------------
Mon Jan 22 12:19:49 CET 2007 - mc@suse.de

- update to version 1.6
  * Major changes in 1.6 include
  * Partial client implementation to handle server name referrals.
  * Pre-authentication plug-in framework, donated by Red Hat.
  * LDAP KDB plug-in, donated by Novell.
- remove obsolete patches

-------------------------------------------------------------------
Wed Jan 10 11:16:30 CET 2007 - mc@suse.de

- fix for
  kadmind (via RPC library) calls uninitialized function pointer
  (CVE-2006-6143)(Bug #225990)
  krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif
- fix for
  kadmind (via GSS-API mechglue) frees uninitialized pointers
  (CVE-2006-6144)(Bug #225992)
  krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif

-------------------------------------------------------------------
Tue Jan 2 14:53:33 CET 2007 - mc@suse.de

- Fix Requires in krb5-devel
  [Bug #231008]

-------------------------------------------------------------------
Mon Nov 6 11:49:39 CET 2006 - mc@suse.de

- fix "local variable used before set" [#217692]
- fix strncat warning

-------------------------------------------------------------------
Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de

- add a default kadm5.dict file
- require $network on daemon start

-------------------------------------------------------------------
Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de

- fix function call with too few arguments [#203837]

-------------------------------------------------------------------
Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de

- update to version 1.5.1
- remove obsolete patches which are now included upstream
  * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
  * trunk-fix-uninitialized-vars.dif

-------------------------------------------------------------------
Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de

- krb5 setuid return check fixes
  krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
  [#182351]

-------------------------------------------------------------------
Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de

- remove update-messages

-------------------------------------------------------------------
Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de

- add check for krb5_prop in services to kpropd init script.
  [#192446]

-------------------------------------------------------------------
Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de

- update to version 1.5
  * KDB abstraction layer, donated by Novell.
  * plug-in architecture, allowing for extension modules to be
    loaded at run-time.
  * multi-mechanism GSS-API implementation ("mechglue"),
    donated by Sun Microsystems
  * Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
    implementation, donated by Sun Microsystems
- remove obsolete patches and add some new

-------------------------------------------------------------------
Fri May 26 14:50:00 CEST 2006 - ro@suse.de

- libcom is not in e2fsck-devel but in its own package now, change
  Requires accordingly.

-------------------------------------------------------------------
Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de

- add all daemons to %stop_on_removal and %restart_on_update
- add reload to kpropd init script
- add force-reload to all init scripts

-------------------------------------------------------------------
Mon Mar 13 18:20:36 CET 2006 - mc@suse.de

- add libgssapi_krb5.so link to main package [#147912]

-------------------------------------------------------------------
Fri Feb 3 18:17:01 CET 2006 - mc@suse.de

- fix logging section for kadmind in convert script

-------------------------------------------------------------------
Wed Jan 25 21:30:24 CET 2006 - mls@suse.de

- converted neededforbuild to BuildRequires

-------------------------------------------------------------------
Fri Jan 13 14:44:24 CET 2006 - mc@suse.de

- change the logging defaults

-------------------------------------------------------------------
Wed Jan 11 12:59:08 CET 2006 - mc@suse.de

- add tools and README for heimdal => MIT update

-------------------------------------------------------------------
Mon Jan 9 14:41:07 CET 2006 - mc@suse.de

- fix build problems, define _GNU_SOURCE
  (krb5-1.4.3-set_gnu_source.dif)

-------------------------------------------------------------------
Tue Jan 3 16:00:13 CET 2006 - mc@suse.de

- added "make %{?jobs:-j%jobs}"

-------------------------------------------------------------------
Fri Nov 18 12:12:01 CET 2005 - mc@suse.de

- update to version 1.4.3
  * some memory leaks fixed
  * fix for "AS_REP padata has wrong enctype"
  * fix for "AS_REP padata missing PA-ETYPE-INFO"
  * ... and more

-------------------------------------------------------------------
Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de

- don't build as root

-------------------------------------------------------------------
Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de

- update to version 1.4.2
- remove some obsolete patches

-------------------------------------------------------------------
Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de

- build with --disable-static

-------------------------------------------------------------------
Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de

- remove devel-static subpackage

-------------------------------------------------------------------
Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de

- better patch for princ_comp problem

-------------------------------------------------------------------
Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de

- update to version 1.4.1
- remove obsolete patches
  - krb5-1.4-gcc4.dif
  - krb5-1.4-reduce-namespace-polution.dif
  - krb5-1.4-VUL-0-telnet.dif

-------------------------------------------------------------------
Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de

- fixed krb5 KDC heap corruption by random free
  [#80574, CAN-2005-1174, MITKRB5-SA-2005-002]
- fixed krb5 double free()
  [#86768, CAN-2005-1689, MITKRB5-SA-2005-003]
- fix krb5 NULL pointer reference while comparing principals
  [#91600]

-------------------------------------------------------------------
Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de

- fix uninitialized variables
- compile with -fPIE/ link with -pie

-------------------------------------------------------------------
Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de

- fixed wrong xinetd files [#77149]

-------------------------------------------------------------------
Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de

- removed krb5-1.4-fix-error_tables.dif patch obsoleted
  by libcom_err locking patches

-------------------------------------------------------------------
Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de

- fixed missing descriptions in init files
  [#76164, #76165, #76166, #76169]

-------------------------------------------------------------------
Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de

- enhance $PATH via /etc/profile.d/ [#74018]
- remove the "links to important programs"

-------------------------------------------------------------------
Fri Mar 18 11:09:43 CET 2005 - mc@suse.de

- fixed not running converter script [#72854]

-------------------------------------------------------------------
Thu Mar 17 14:15:17 CET 2005 - mc@suse.de

- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer
  Overflow
- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer
  Overflow
  [#73618]

-------------------------------------------------------------------
Wed Mar 16 13:10:18 CET 2005 - mc@suse.de

- fixed wrong PreReqs [#73020]

-------------------------------------------------------------------
Tue Mar 15 19:54:58 CET 2005 - mc@suse.de

- add a simple krb5.conf converter [#72854]

-------------------------------------------------------------------
Mon Mar 14 17:08:59 CET 2005 - mc@suse.de

- fixed: rckrb5kdc restart gives wrong status with non-running service
  [#72446]

-------------------------------------------------------------------
Thu Mar 10 10:48:07 CET 2005 - mc@suse.de

- add requires: e2fsprogs-devel to krb5-devel package [#71732]

-------------------------------------------------------------------
Fri Feb 25 17:35:37 CET 2005 - mc@suse.de

- fix double free [#66534]
  krb5-1.4-fix-error_tables.dif

-------------------------------------------------------------------
Fri Feb 11 14:01:32 CET 2005 - mc@suse.de

- change mode for shared libraries to 755

-------------------------------------------------------------------
Fri Feb 4 16:48:16 CET 2005 - mc@suse.de

- remove spx.c from tarball because of legal risk
- add README.Source which tells the user about this action.
- add a check for spx.c in the spec-file
- use rich-text for update-messages [#50250]

-------------------------------------------------------------------
Tue Feb 1 12:13:45 CET 2005 - mc@suse.de

- add krb5-1.4-reduce-namespace-polution.dif
  reduce namespace pollution in gssapi.h [#50356]

-------------------------------------------------------------------
Fri Jan 28 13:25:42 CET 2005 - mc@suse.de

- update to version 1.4
  - Add implementation of the RPCSEC_GSS authentication flavor to the
    RPC library.
  - Thread safety for krb5 libraries.
  - Merged Athena telnetd changes for creating a new option for
    requiring encryption.
  - The kadmind4 backwards-compatibility admin server and the
    v5passwdd backwards-compatibility password-changing server have
    been removed.
  - Yarrow code now uses AES.
  - Merged Athena changes to allow ftpd to require encrypted
    passwords.
  - Incorporate gss_krb5_set_allowable_enctypes() and
    gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.
- remove obsolete patches

-------------------------------------------------------------------
Mon Jan 17 11:34:52 CET 2005 - mc@suse.de

- add proofread update-messages

-------------------------------------------------------------------
Fri Jan 14 14:38:25 CET 2005 - mc@suse.de

- remove Conflicts: and add Provides:
- add some insserv stuff

-------------------------------------------------------------------
Thu Jan 13 11:54:01 CET 2005 - mc@suse.de

- move vendor files to vendor-files.tar.bz2
- add obsoletes: heimdal
- add %pre and %post sections to detect update from heimdal and
  backup invalid configuration files
- add update-messages for heimdal update

-------------------------------------------------------------------
Mon Jan 10 12:18:02 CET 2005 - mc@suse.de

- update to version 1.3.6
- fix for: heap buffer overflow in libkadm5srv
  [CAN-2004-1189 / MITKRB5-SA-2004-004]

-------------------------------------------------------------------
Tue Dec 14 15:30:23 CET 2004 - mc@suse.de

- build doc subpackage in its own specfile
- removed unnecessary neededforbuild requirements

-------------------------------------------------------------------
Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de

- fix build with gcc 4

-------------------------------------------------------------------
Mon Nov 15 17:25:56 CET 2004 - mc@suse.de

- added Conflicts with heimdal*
- rename some manpages to avoid conflicts

-------------------------------------------------------------------
Thu Nov 4 18:03:11 CET 2004 - mc@suse.de

- new init scripts
- fix logrotate scripts
- add some 64Bit fixes
- add default krb5.conf, kdc.conf and kadm5.acl

-------------------------------------------------------------------
Wed Nov 3 18:52:07 CET 2004 - mc@suse.de

- add e2fsprogs to NFB
- use system-et and system-ss
- fix includes of com_err.h

-------------------------------------------------------------------
Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de

- Initial checkin