commit: e0ba60b7305896a86a5f2021e743e1aae9cd834d
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 29 08:46:34 2021 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Dec 29 08:46:43 2021 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0ba60b7
www-apache/mod_auth_kerb: add Debian patch metadata Signed-off-by: Sam James <sam <AT> gentoo.org> .../files/mod_auth_kerb-5.4-api-change-krb5.patch | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch index d0421a0eb6ea..fb402de44a8d 100644 --- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch +++ b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch @@ -1,5 +1,27 @@ https://sources.debian.org/data/main/liba/libapache-mod-auth-kerb/5.4-2.5/debian/patches/0011-Always-use-NONE-replay-cache-type.patch https://bugs.gentoo.org/830208 + +From: Sam Hartman <[email protected]> +Date: Mon, 23 Nov 2020 09:30:22 -0500 +Subject: Always use NONE replay cache type + +It's 2020. Any MIT Kerberos in the wild supports the none replay +cache type. The previous code used an internal function to detect +that replay cache type; that function is no longer available. +Instead, assume it is present. + +An alternative would be to enable the default replay cache. It was +originally disabled because of problems between Microsoft +authenticators and 2004-era MIT Kerberos 1.3. That's probably a good +idea. It probably closes off security attacks, although analyzing the +impact of replays in cases where neither channel binding nor +per-message services are used is difficult. I believe that a replay +cache is not strictly necessary in the common configuration where +mod-auth-kerb is used over a TLS-protected connection where the client +properly verifies the TLS certificate presented by the server prior to +sending a GSS token. + +I have elected not to enable replay cache to affect a minimal change. --- a/src/mod_auth_kerb.c +++ b/src/mod_auth_kerb.c @@ -2061,28 +2061,6 @@
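Review bot: the `From:` line added at the top of the patch file reads `[email protected]`, a placeholder rather than the upstream author's real address, so the attribution should be copied verbatim from the linked Debian source (`0011-Always-use-NONE-replay-cache-type.patch`) or the address dropped; as written the provenance of the patch is recorded inaccurately. Separately, the appended description makes explicit that the module now assumes the NONE replay cache type and that the default replay cache was deliberately left disabled ("I have elected not to enable replay cache to affect a minimal change"). This hunk is metadata only, so behaviour is unchanged, but since the author's own reasoning rests on the module being used over a TLS connection where the client verifies the server certificate before sending a GSS token, it would be worth recording in bug 830208 that deployments without that TLS protection get no replay protection from mod_auth_kerb, so administrators can judge the trade-off.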
