commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2020-08-17 11:58:34
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new.3399 (New)
Package is "krb5"
Mon Aug 17 11:58:34 2020 rev:149 rq:824487 version:1.18.2
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2020-07-21
16:42:56.444104837 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new.3399/krb5-mini.changes 2020-08-17
11:58:36.178467648 +0200
@@ -1,0 +2,5 @@
+Tue Jul 7 17:38:11 UTC 2020 - Andreas Schwab
+
+- Don't fail if %{_lto_cflags} is empty
+
+---
krb5.changes: same change
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.yRFqMo/_old 2020-08-17 11:58:37.870468591 +0200
+++ /var/tmp/diff_new_pack.yRFqMo/_new 2020-08-17 11:58:37.870468591 +0200
@@ -198,8 +198,10 @@
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/spake.so
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
+%if "%{_lto_cflags}" != ""
# Don't add the lto flags to the public link flags.
sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
+%endif
%find_lang mit-krb5
++ krb5.spec ++
--- /var/tmp/diff_new_pack.yRFqMo/_old 2020-08-17 11:58:37.894468605 +0200
+++ /var/tmp/diff_new_pack.yRFqMo/_new 2020-08-17 11:58:37.898468607 +0200
@@ -276,8 +276,10 @@
# manually remove test plugin since configure doesn't support disabling it at
build time
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
+%if "%{_lto_cflags}" != ""
# Don't add the lto flags to the public link flags.
sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
+%endif
%find_lang mit-krb5
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2020-07-21 16:42:53
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new.3592 (New)
Package is "krb5"
Tue Jul 21 16:42:53 2020 rev:148 rq:814662 version:1.18.2
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2020-06-11
14:42:34.984976844 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new.3592/krb5-mini.changes 2020-07-21
16:42:56.444104837 +0200
@@ -1,0 +2,6 @@
+Fri Jun 12 08:38:23 UTC 2020 - Dominique Leuenberger
+
+- Do not mangle libexecdir, bindir, sbindir and datadir: there is
+ no reasonable justification to step out of the defaults.
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2020-06-11
14:42:35.808980018 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new.3592/krb5.changes 2020-07-21
16:42:57.256101917 +0200
@@ -1,0 +2,10 @@
+Fri Jun 12 08:38:23 UTC 2020 - Dominique Leuenberger
+
+- Do not mangle libexecdir, bindir, sbindir and datadir: there is
+ no reasonable justification to step out of the defaults.
+ + No longer install csh/sh profiles into /etc/profiles.d: as we
+not install to default paths, there is no need to further
+inject paths into $PATH; also, now sbin binaries are only in
+path for admin users.
+
+---
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.7kbJMy/_old 2020-07-21 16:42:59.440094066 +0200
+++ /var/tmp/diff_new_pack.7kbJMy/_new 2020-07-21 16:42:59.444094052 +0200
@@ -102,14 +102,9 @@
CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing
-D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
CPPFLAGS="-I%{_includedir}/et " \
SS_LIB="-lss" \
---prefix=%{_prefix}/lib/mit \
--sysconfdir=%{_sysconfdir} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
---libexecdir=%{_prefix}/lib/mit/sbin \
---bindir=%{_prefix}/lib/mit/bin \
---sbindir=%{_prefix}/lib/mit/sbin \
---datadir=%{_prefix}/lib/mit/share \
--libdir=%{_libdir} \
--includedir=%{_includedir} \
--localstatedir=%{_localstatedir}/lib/kerberos \
@@ -136,7 +131,7 @@
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
# of the buildconf patch already conspire to strip out /usr/ from the
# list of link flags, and it helps prevent file conflicts on multilib systems.
-sed -r -i -e 's|^libdir=%{_prefix}/lib(64)?$|libdir=%{_prefix}/lib|g'
%{buildroot}%{_prefix}/lib/mit/bin/krb5-config
+sed -r -i -e 's|^libdir=%{_prefix}/lib(64)?$|libdir=%{_prefix}/lib|g'
%{buildroot}%{_bindir}/krb5-config
# install autoconf macro
mkdir -p %{buildroot}/%{_datadir}/aclocal
@@ -145,7 +140,6 @@
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir}
mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
-mkdir -p %{buildroot}%{_sysconfdir}/profile.d/
mkdir -p %{buildroot}%{_localstatedir}/log/krb5
# create plugin directories
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
@@ -153,8 +147,6 @@
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
-install -m 644 %{vendorFiles}/krb5.csh.profile
%{buildroot}%{_sysconfdir}/profile.d/krb5.csh
-install -m 644 %{vendorFiles}/krb5.sh.profile
%{buildroot}%{_sysconfdir}/profile.d/krb5.sh
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
@@ -173,7 +165,7 @@
chmod 0755 ${lib}
done
# and binaries too
-chmod 0755 %{buildroot}%{_prefix}/lib/mit/bin/ksu
+chmod 0755 %{buildroot}%{_bindir}/ksu
# install systemd files
mkdir -p %{buildroot}%{_unitdir}
install -m 644 %{vendorFiles}/kadmind.service %{buildroot}%{_unitdir}
@@ -193,16 +185,13 @@
ln -s service %{buildroot}%{_sbindir}/rckadmind
ln -s service %{buildroot}%{_sbindir}/rckrb5kdc
ln -s service %{buildroot}%{_sbindir}/rckpropd
-# create links for kinit and klist, because of the java ones
-ln -sf ../..%{_prefix}/lib/mit/bin/kinit %{buildroot}%{_bindir}/kinit
-ln -sf ../..%{_prefix}/lib/mit/bin/klist %{buildroot}%{_bindir}/klist
# install doc
install -d -m 755 %{buildroot}/%{krb5docdir}
install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
# cleanup
rm -f %{buildroot}%{_mandir}/man1/tmac.doc*
rm -f %{_mandir}/man1/tmac.doc*
-rm -rf %{buildroot}%{_prefix}/lib/mit/share/examples
+rm -rf %{buildroot}%{_datadir}/examples
# manually remove otp, spake and test plugin for
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2020-06-11 14:42:08
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new.3606 (New)
Package is "krb5"
Thu Jun 11 14:42:08 2020 rev:147 rq:812027 version:1.18.2
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2020-05-19
14:43:17.975405699 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new.3606/krb5-mini.changes 2020-06-11
14:42:34.984976844 +0200
@@ -1,0 +2,24 @@
+Fri May 29 08:38:37 UTC 2020 - Samuel Cabrero
+
+- Update to 1.18.2
+ * Fix a SPNEGO regression where an acceptor using the default credential
+would improperly filter mechanisms, causing a negotiation failure.
+ * Fix a bug where the KDC would fail to issue tickets if the local krbtgt
+principal's first key has a single-DES enctype.
+ * Add stub functions to allow old versions of OpenSSL libcrypto to link
+against libkrb5.
+ * Fix a NegoEx bug where the client name and delegated credential might
+not be reported.
+
+---
+Thu May 28 15:21:46 UTC 2020 - Samuel Cabrero
+
+- Update logrotate script, call systemd to reload the services
+ instead of init-scripts. (boo#1169357)
+
+---
+Tue May 26 15:36:25 UTC 2020 - Christophe Giboudeaux
+
+- Don't add the lto flags to the public link options. (boo#1172038)
+
+---
krb5.changes: same change
Old:
krb5-1.18.1.tar.gz
krb5-1.18.1.tar.gz.asc
New:
krb5-1.18.2.tar.gz
krb5-1.18.2.tar.gz.asc
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.aGS6fY/_old 2020-06-11 14:42:37.140985149 +0200
+++ /var/tmp/diff_new_pack.aGS6fY/_new 2020-06-11 14:42:37.140985149 +0200
@@ -24,7 +24,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: krb5-mini
-Version:1.18.1
+Version:1.18.2
Release:0
Summary:MIT Kerberos5 implementation and libraries with minimal
dependencies
License:MIT
@@ -209,6 +209,9 @@
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/spake.so
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
+# Don't add the lto flags to the public link flags.
+sed -i "s/%{_lto_cflags}//" %{buildroot}%{_prefix}/lib/mit/bin/krb5-config
+
%find_lang mit-krb5
#
++ krb5.spec ++
--- /var/tmp/diff_new_pack.aGS6fY/_old 2020-06-11 14:42:37.160985226 +0200
+++ /var/tmp/diff_new_pack.aGS6fY/_new 2020-06-11 14:42:37.164985242 +0200
@@ -21,7 +21,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: krb5
-Version:1.18.1
+Version:1.18.2
Release:0
Summary:MIT Kerberos5 implementation
License:MIT
@@ -287,6 +287,9 @@
# manually remove test plugin since configure doesn't support disabling it at
build time
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
+# Don't add the lto flags to the public link flags.
+sed -i "s/%{_lto_cflags}//" %{buildroot}%{_prefix}/lib/mit/bin/krb5-config
+
%find_lang mit-krb5
%post -p /sbin/ldconfig
++ krb5-1.18.1.tar.gz -> krb5-1.18.2.tar.gz ++
/work/SRC/openSUSE:Factory/krb5/krb5-1.18.1.tar.gz
/work/SRC/openSUSE:Factory/.krb5.new.3606/krb5-1.18.2.tar.gz differ: char 5,
line 1
++ vendor-files.tar.bz2 ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/vendor-files/krb5-server.logrotate
new/vendor-files/krb5-server.logrotate
--- old/vendor-files/krb5-server.logrotate 2007-06-11 15:00:55.0
+0200
+++ new/vendor-files/krb5-server.logrotate 2020-05-28 17:20:49.936990316
+0200
@@ -8,7 +8,7 @@
copytruncate
size=+1024k
postrotate
- /etc/init.d/kadmind reload
+systemctl reload kadmind.service
endscript
}
@@ -22,7 +22,7 @@
copytruncate
size=+1024k
postrotate
- /etc/init.d/krb5kdc reload
+systemctl reload krb5kdc.service
endscript
}
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2020-05-19 14:43:09
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new.2738 (New)
Package is "krb5"
Tue May 19 14:43:09 2020 rev:146 rq:805750 version:1.18.1
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2020-05-09
19:48:11.476301665 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new.2738/krb5-mini.changes 2020-05-19
14:43:17.975405699 +0200
@@ -1,0 +2,18 @@
+Mon May 4 09:24:21 UTC 2020 - Samuel Cabrero
+
+- Upgrade to 1.18.1
+ * Fix a crash when qualifying short hostnames when the system has
+no primary DNS domain.
+ * Fix a regression when an application imports "service@" as a GSS
+host-based name for its acceptor credential handle.
+ * Fix KDC enforcement of auth indicators when they are modified by
+the KDB module.
+ * Fix removal of require_auth string attributes when the LDAP KDB
+module is used.
+ * Fix a compile error when building with musl libc on Linux.
+ * Fix a compile error when building with gcc 4.x.
+ * Change the KDC constrained delegation precedence order for consistency
+with Windows KDCs.
+- Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch
+
+---
krb5.changes: same change
Old:
0009-Fix-null-dereference-qualifying-short-hostnames.patch
krb5-1.18.tar.gz
krb5-1.18.tar.gz.asc
New:
krb5-1.18.1.tar.gz
krb5-1.18.1.tar.gz.asc
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.v7U3PK/_old 2020-05-19 14:43:21.243412682 +0200
+++ /var/tmp/diff_new_pack.v7U3PK/_new 2020-05-19 14:43:21.247412690 +0200
@@ -24,7 +24,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: krb5-mini
-Version:1.18
+Version:1.18.1
Release:0
Summary:MIT Kerberos5 implementation and libraries with minimal
dependencies
License:MIT
@@ -44,7 +44,6 @@
Patch6: 0006-krb5-1.12-api.patch
Patch7: 0007-SELinux-integration.patch
Patch8: 0008-krb5-1.9-debuginfo.patch
-Patch9: 0009-Fix-null-dereference-qualifying-short-hostnames.patch
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: keyutils
++ krb5.spec ++
--- /var/tmp/diff_new_pack.v7U3PK/_old 2020-05-19 14:43:21.271412741 +0200
+++ /var/tmp/diff_new_pack.v7U3PK/_new 2020-05-19 14:43:21.275412750 +0200
@@ -21,7 +21,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: krb5
-Version:1.18
+Version:1.18.1
Release:0
Summary:MIT Kerberos5 implementation
License:MIT
@@ -42,7 +42,6 @@
Patch6: 0006-krb5-1.12-api.patch
Patch7: 0007-SELinux-integration.patch
Patch8: 0008-krb5-1.9-debuginfo.patch
-Patch9: 0009-Fix-null-dereference-qualifying-short-hostnames.patch
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: keyutils
++ krb5-1.18.tar.gz -> krb5-1.18.1.tar.gz ++
/work/SRC/openSUSE:Factory/krb5/krb5-1.18.tar.gz
/work/SRC/openSUSE:Factory/.krb5.new.2738/krb5-1.18.1.tar.gz differ: char 5,
line 1
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2020-05-09 19:48:07
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new.2738 (New)
Package is "krb5"
Sat May 9 19:48:07 2020 rev:145 rq:798844 version:1.18
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2020-04-04
12:04:13.018565513 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new.2738/krb5-mini.changes 2020-05-09
19:48:11.476301665 +0200
@@ -1,0 +2,7 @@
+Wed Apr 29 08:06:31 UTC 2020 - Dominique Leuenberger
+
+- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d
+ notation: libexecdir is likely changing away from /usr/lib to
+ /usr/libexec.
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2020-04-04
12:04:15.210567821 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new.2738/krb5.changes 2020-05-09
19:48:11.732302214 +0200
@@ -1,0 +2,7 @@
+Wed Apr 29 08:04:32 UTC 2020 - Dominique Leuenberger
+
+- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d
+ notation: libexecdir is likely changing away from /usr/lib to
+ /usr/libexec.
+
+---
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.aJTeCi/_old 2020-05-09 19:48:12.596304069 +0200
+++ /var/tmp/diff_new_pack.aJTeCi/_new 2020-05-09 19:48:12.600304078 +0200
@@ -159,8 +159,8 @@
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
-install -d -m 0755 %{buildroot}%{_prefix}/lib/tmpfiles.d/
-install -m 644 %{SOURCE6} %{buildroot}%{_prefix}/lib/tmpfiles.d/krb5.conf
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -m 644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/krb5.conf
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
# Where per-user keytabs live by default.
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
@@ -301,7 +301,7 @@
%{_libdir}/libkrad.so.*
%{_libdir}/krb5/plugins/kdb/*
%{_libdir}/krb5/plugins/tls/*
-%{_libexecdir}/tmpfiles.d/krb5.conf
+%{_tmpfilesdir}/krb5.conf
%dir %{_datadir}/kerberos/
%dir %{_datadir}/kerberos/krb5kdc
%dir %{_datadir}/kerberos/krb5
++ krb5.spec ++
--- /var/tmp/diff_new_pack.aJTeCi/_old 2020-05-09 19:48:12.628304138 +0200
+++ /var/tmp/diff_new_pack.aJTeCi/_new 2020-05-09 19:48:12.628304138 +0200
@@ -225,8 +225,8 @@
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
-install -d -m 0755 %{buildroot}%{_prefix}/lib/tmpfiles.d/
-install -m 644 %{SOURCE7} %{buildroot}%{_prefix}/lib/tmpfiles.d/krb5.conf
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -m 644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/krb5.conf
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
# Where per-user keytabs live by default.
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
@@ -373,7 +373,7 @@
%{_unitdir}/kadmind.service
%{_unitdir}/krb5kdc.service
%{_unitdir}/kpropd.service
-%{_libexecdir}/tmpfiles.d/krb5.conf
+%{_tmpfilesdir}/krb5.conf
%dir %{krb5docdir}
%dir %{_prefix}/lib/mit
%dir %{_prefix}/lib/mit/sbin
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2020-04-04 12:04:03
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new.3248 (New)
Package is "krb5"
Sat Apr 4 12:04:03 2020 rev:144 rq:789700 version:1.18
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2020-02-28
15:19:02.473612162 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new.3248/krb5-mini.changes 2020-04-04
12:04:13.018565513 +0200
@@ -1,0 +2,7 @@
+Wed Mar 25 09:20:38 UTC 2020 - Samuel Cabrero
+
+- Fix segfault in k5_primary_domain; (bsc#1167620);
+- Added patches:
+ * 0009-Fix-null-dereference-qualifying-short-hostnames.patch
+
+---
krb5.changes: same change
New:
0009-Fix-null-dereference-qualifying-short-hostnames.patch
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.cTGCyz/_old 2020-04-04 12:04:18.982571793 +0200
+++ /var/tmp/diff_new_pack.cTGCyz/_new 2020-04-04 12:04:18.982571793 +0200
@@ -44,6 +44,7 @@
Patch6: 0006-krb5-1.12-api.patch
Patch7: 0007-SELinux-integration.patch
Patch8: 0008-krb5-1.9-debuginfo.patch
+Patch9: 0009-Fix-null-dereference-qualifying-short-hostnames.patch
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: keyutils
++ krb5.spec ++
--- /var/tmp/diff_new_pack.cTGCyz/_old 2020-04-04 12:04:19.006571818 +0200
+++ /var/tmp/diff_new_pack.cTGCyz/_new 2020-04-04 12:04:19.006571818 +0200
@@ -42,6 +42,7 @@
Patch6: 0006-krb5-1.12-api.patch
Patch7: 0007-SELinux-integration.patch
Patch8: 0008-krb5-1.9-debuginfo.patch
+Patch9: 0009-Fix-null-dereference-qualifying-short-hostnames.patch
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: keyutils
@@ -154,14 +155,7 @@
%prep
%setup -q -n %{srcRoot}
%setup -q -a 3 -T -D -n %{srcRoot}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
+%autopatch -p1
%build
# needs to be re-generated
++ 0009-Fix-null-dereference-qualifying-short-hostnames.patch ++
>From 96d0ee0760a1c7cf735d04fbddf095a4c01ef190 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Tue, 3 Mar 2020 12:27:02 -0500
Subject: [PATCH] Fix null dereference qualifying short hostnames
Fix the dnsglue.c PRIMARY_DOMAIN macro not to call strdup() with a
null pointer if no DNS search path is configured.
ticket: 8881
tags: pullup
target_version: 1.18-next
(cherry picked from commit cd82bf377e7fad2409c76bf8b241920692f34fda)
---
src/lib/krb5/os/dnsglue.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/os/dnsglue.c b/src/lib/krb5/os/dnsglue.c
index e35ca9d76..0cd213fdd 100644
--- a/src/lib/krb5/os/dnsglue.c
+++ b/src/lib/krb5/os/dnsglue.c
@@ -91,7 +91,7 @@ static int initparse(struct krb5int_dns_state *);
#define DECLARE_HANDLE(h) struct __res_state h
#define INIT_HANDLE(h) (memset(, 0, sizeof(h)), res_ninit() == 0)
#define SEARCH(h, n, c, t, a, l) res_nsearch(, n, c, t, a, l)
-#define PRIMARY_DOMAIN(h) strdup(h.dnsrch[0])
+#define PRIMARY_DOMAIN(h) ((h.dnsrch[0] == NULL) ? NULL : strdup(h.dnsrch[0]))
#if HAVE_RES_NDESTROY
#define DESTROY_HANDLE(h) res_ndestroy()
#else
@@ -104,7 +104,8 @@ static int initparse(struct krb5int_dns_state *);
#define DECLARE_HANDLE(h)
#define INIT_HANDLE(h) (res_init() == 0)
#define SEARCH(h, n, c, t, a, l) res_search(n, c, t, a, l)
-#define PRIMARY_DOMAIN(h) strdup(_res.defdname)
+#define PRIMARY_DOMAIN(h) \
+((_res.defdname == NULL) ? NULL : strdup(_res.defdname))
#define DESTROY_HANDLE(h)
#endif
--
2.25.1
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2020-02-28 15:18:59
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new.26092 (New)
Package is "krb5"
Fri Feb 28 15:18:59 2020 rev:143 rq:779310 version:1.18
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2019-12-16
17:26:16.679962336 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new.26092/krb5-mini.changes
2020-02-28 15:19:02.473612162 +0100
@@ -1,0 +2,69 @@
+Tue Feb 25 08:36:37 UTC 2020 - Tomáš Chvátal
+
+- Remove cruft to support distributions older than SLE 12
+- Use macros where applicable
+- Switch to pkgconfig style dependencies
+
+---
+Mon Feb 17 17:26:16 UTC 2020 - Samuel Cabrero
+
+- Upgrade to 1.18
+ Administrator experience:
+* Remove support for single-DES encryption types.
+* Change the replay cache format to be more efficient and robust.
+ Replay cache filenames using the new format end with ".rcache2"
+ by default.
+* setuid programs will automatically ignore environment variables
+ that normally affect krb5 API functions, even if the caller does
+ not use krb5_init_secure_context().
+* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
+ credential forwarding during GSSAPI authentication unless the KDC
+ sets the ok-as-delegate bit in the service ticket.
+* Use the permitted_enctypes krb5.conf setting as the default value
+ for default_tkt_enctypes and default_tgs_enctypes.
+ Developer experience:
+* Implement krb5_cc_remove_cred() for all credential cache types.
+* Add the krb5_pac_get_client_info() API to get the client account
+ name from a PAC.
+ Protocol evolution:
+* Add KDC support for S4U2Self requests where the user is identified
+ by X.509 certificate. (Requires support for certificate lookup from
+ a third-party KDB module.)
+* Remove support for an old ("draft 9") variant of PKINIT.
+* Add support for Microsoft NegoEx. (Requires one or more third-party
+ GSS modules implementing NegoEx mechanisms.)
+ User experience:
+* Add support for "dns_canonicalize_hostname=fallback", causing
+ host-based principal names to be tried first without DNS
+ canonicalization, and again with DNS canonicalization if the
+ un-canonicalized server is not found.
+* Expand single-component hostnames in host-based principal names
+ when DNS canonicalization is not used, adding the system's first DNS
+ search path as a suffix. Add a "qualify_shortname" krb5.conf relation
+ to override this suffix or disable expansion.
+* Honor the transited-policy-checked ticket flag on application servers,
+ eliminating the requirement to configure capaths on servers in some
+ scenarios.
+ Code quality:
+* The libkrb5 serialization code (used to export and import krb5 GSS
+ security contexts) has been simplified and made type-safe.
+* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
+ messages has been revised to conform to current coding practices.
+* The test suite has been modified to work with macOS System Integrity
+ Protection enabled.
+* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
+ can always be tested.
+- Updated patches:
+ * 0002-krb5-1.9-manpaths.patch
+ * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
+ * 0005-krb5-1.6.3-ktutil-manpage.patch
+ * 0006-krb5-1.12-api.patch
+- Renamed patches:
+ * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
+ * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
+ * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
+ * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
+- Deleted patches:
+ * 0007-krb5-1.12-ksu-path.patch
+
+---
krb5.changes: same change
Old:
0001-krb5-1.12-pam.patch
0003-krb5-1.12-buildconf.patch
0007-krb5-1.12-ksu-path.patch
0008-krb5-1.12-selinux-label.patch
0009-krb5-1.9-debuginfo.patch
krb5-1.17.1.tar.gz
krb5-1.17.1.tar.gz.asc
New:
0001-ksu-pam-integration.patch
0003-Adjust-build-configuration.patch
0007-SELinux-integration.patch
0008-krb5-1.9-debuginfo.patch
krb5-1.18.tar.gz
krb5-1.18.tar.gz.asc
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.mUCqXL/_old 2020-02-28 15:19:04.101615476 +0100
+++ /var/tmp/diff_new_pack.mUCqXL/_new 2020-02-28 15:19:04.105615484 +0100
@@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
-# Copyright (c)
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2019-12-16 17:26:13
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new.4691 (New)
Package is "krb5"
Mon Dec 16 17:26:13 2019 rev:142 rq:756043 version:1.17.1
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2019-08-15
12:25:52.454599098 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new.4691/krb5-mini.changes 2019-12-16
17:26:16.679962336 +0100
@@ -1,0 +2,8 @@
+Thu Dec 12 08:56:09 UTC 2019 - Samuel Cabrero
+
+- Upgrade to 1.17.1
+ * Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin.
+ * Fix a bug preventing time skew correction from working when a KCM
+credential cache is used.
+
+---
krb5.changes: same change
Old:
krb5-1.17.tar.gz
krb5-1.17.tar.gz.asc
New:
krb5-1.17.1.tar.gz
krb5-1.17.1.tar.gz.asc
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.fP9xno/_old 2019-12-16 17:26:17.635961954 +0100
+++ /var/tmp/diff_new_pack.fP9xno/_new 2019-12-16 17:26:17.635961954 +0100
@@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -26,7 +26,7 @@
%define krb5docdir %{_defaultdocdir}/krb5
Name: krb5-mini
-Version:1.17
+Version:1.17.1
Release:0
Summary:MIT Kerberos5 implementation and libraries with minimal
dependencies
License:MIT
++ krb5.spec ++
--- /var/tmp/diff_new_pack.fP9xno/_old 2019-12-16 17:26:17.663961942 +0100
+++ /var/tmp/diff_new_pack.fP9xno/_new 2019-12-16 17:26:17.663961942 +0100
@@ -1,7 +1,7 @@
#
# spec file for package krb5
#
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
%endif
Name: krb5
-Version:1.17
+Version:1.17.1
Release:0
Summary:MIT Kerberos5 implementation
License:MIT
++ krb5-1.17.tar.gz -> krb5-1.17.1.tar.gz ++
/work/SRC/openSUSE:Factory/krb5/krb5-1.17.tar.gz
/work/SRC/openSUSE:Factory/.krb5.new.4691/krb5-1.17.1.tar.gz differ: char 5,
line 1
commit krb5 for openSUSE:Factory
Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2019-08-15 12:25:50 Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new.9556 (New) Package is "krb5" Thu Aug 15 12:25:50 2019 rev:141 rq:721101 version:1.17 Changes: --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2019-08-05 10:28:49.483456042 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new.9556/krb5-mini.changes 2019-08-15 12:25:52.454599098 +0200 @@ -1,0 +2,6 @@ +Mon Aug 5 15:26:39 UTC 2019 - Samuel Cabrero + +- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947); + (bsc#1144047); + +--- krb5.changes: same change Other differences: -- krb5.spec: same change ++ ksu-pam.d ++ --- /var/tmp/diff_new_pack.tV1qtn/_old 2019-08-15 12:25:53.550598825 +0200 +++ /var/tmp/diff_new_pack.tV1qtn/_new 2019-08-15 12:25:53.550598825 +0200 @@ -4,5 +4,6 @@ account sufficient pam_rootok.so account includecommon-account password includecommon-password +session optional pam_keyinit.so force revoke session includecommon-session session optional pam_xauth.so
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2019-08-05 10:28:48
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new.4126 (New)
Package is "krb5"
Mon Aug 5 10:28:48 2019 rev:140 rq:718535 version:1.17
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2019-02-19
13:54:59.724720977 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new.4126/krb5-mini.changes 2019-08-05
10:28:49.483456042 +0200
@@ -1,0 +2,8 @@
+Wed Jul 24 09:57:59 UTC 2019 - matthias.gerst...@suse.com
+
+- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
+ firewalld, see [1].
+
+ [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2019-05-16
21:55:27.094903926 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new.4126/krb5.changes 2019-08-05
10:28:49.563456033 +0200
@@ -1,0 +2,8 @@
+Wed Jul 24 09:57:44 UTC 2019 - matthias.gerst...@suse.com
+
+- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
+ firewalld, see [1].
+
+ [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
+
+---
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.57G1z2/_old 2019-08-05 10:28:50.603455916 +0200
+++ /var/tmp/diff_new_pack.57G1z2/_new 2019-08-05 10:28:50.607455916 +0200
@@ -164,7 +164,6 @@
mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
mkdir -p %{buildroot}/etc/profile.d/
mkdir -p %{buildroot}/var/log/krb5
-mkdir -p %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
# create plugin directories
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
@@ -173,8 +172,6 @@
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
install -m 644 %{vendorFiles}/krb5.csh.profile
%{buildroot}/etc/profile.d/krb5.csh
install -m 644 %{vendorFiles}/krb5.sh.profile
%{buildroot}/etc/profile.d/krb5.sh
-install -m 644 %{vendorFiles}/SuSEFirewall.kdc
%{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
-install -m 644 %{vendorFiles}/SuSEFirewall.kadmind
%{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
@@ -327,7 +324,6 @@
%dir %{_sysconfdir}/krb5.conf.d
%attr(0644,root,root) %config /etc/profile.d/krb5*
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
-%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_fillupdir}/sysconfig.*
%{_unitdir}/kadmind.service
%{_unitdir}/krb5kdc.service
++ krb5.spec ++
--- /var/tmp/diff_new_pack.57G1z2/_old 2019-08-05 10:28:50.651455911 +0200
+++ /var/tmp/diff_new_pack.57G1z2/_new 2019-08-05 10:28:50.659455910 +0200
@@ -240,7 +240,6 @@
mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
mkdir -p %{buildroot}/etc/profile.d/
mkdir -p %{buildroot}/var/log/krb5
-mkdir -p %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
# create plugin directories
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
@@ -249,8 +248,6 @@
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
install -m 644 %{vendorFiles}/krb5.csh.profile
%{buildroot}/etc/profile.d/krb5.csh
install -m 644 %{vendorFiles}/krb5.sh.profile
%{buildroot}/etc/profile.d/krb5.sh
-install -m 644 %{vendorFiles}/SuSEFirewall.kdc
%{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
-install -m 644 %{vendorFiles}/SuSEFirewall.kadmind
%{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
@@ -448,7 +445,6 @@
%ghost %attr(0600,root,root) %config(noreplace)
%{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
%ghost %attr(0600,root,root) %config(noreplace)
%{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
%ghost %attr(0600,root,root) %config(noreplace)
%{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
-%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_fillupdir}/sysconfig.*
/usr/sbin/rc*
/usr/lib/mit/sbin/kadmin.local
++ vendor-files.tar.bz2 ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/vendor-files/SuSEFirewall.kadmind
new/vendor-files/SuSEFirewall.kadmind
--- old/vendor-files/SuSEFirewall.kadmind 2007-02-22 11:09:33.0
+0100
+++
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2019-05-16 21:55:25
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new.5148 (New)
Package is "krb5"
Thu May 16 21:55:25 2019 rev:139 rq:701544 version:1.17
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2019-02-19
13:54:59.764720948 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new.5148/krb5.changes 2019-05-16
21:55:27.094903926 +0200
@@ -1,0 +2,6 @@
+Tue May 7 10:08:00 UTC 2019 - Samuel Cabrero
+
+- Move LDAP schema files from /usr/share/doc/packages/krb5 to
+ /usr/share/kerberos/ldap; (bsc#1134217);
+
+---
Other differences:
--
++ krb5.spec ++
--- /var/tmp/diff_new_pack.3IIwgm/_old 2019-05-16 21:55:30.266902567 +0200
+++ /var/tmp/diff_new_pack.3IIwgm/_new 2019-05-16 21:55:30.318902545 +0200
@@ -315,8 +315,9 @@
# install doc
install -d -m 755 %{buildroot}/%{krb5docdir}
install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
-install -m 644
%{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
%{buildroot}/%{krb5docdir}/kerberos.schema
-install -m 644
%{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
%{buildroot}/%{krb5docdir}/kerberos.ldif
+install -d -m 755 %{buildroot}/%{_datadir}/kerberos/ldap
+install -m 644
%{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
%{buildroot}/%{_datadir}/kerberos/ldap/kerberos.schema
+install -m 644
%{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
%{buildroot}/%{_datadir}/kerberos/ldap/kerberos.ldif
# link pam-config for su to ksu
mkdir -p %{buildroot}/etc/pam.d/
install -m 644 %{S:6} %{buildroot}/etc/pam.d/ksu
@@ -519,9 +520,10 @@
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir /usr/lib/mit/sbin/
-%dir %{krb5docdir}
-%doc %{krb5docdir}/kerberos.schema
-%doc %{krb5docdir}/kerberos.ldif
+%dir %{_datadir}/kerberos
+%dir %{_datadir}/kerberos/ldap
+%config %{_datadir}/kerberos/ldap/kerberos.schema
+%config %{_datadir}/kerberos/ldap/kerberos.ldif
%{_libdir}/krb5/plugins/kdb/kldap.so
/usr/lib/mit/sbin/kdb5_ldap_util
%{_libdir}/libkdb_ldap*
commit krb5 for openSUSE:Factory
Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2019-02-19 13:54:57 Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new.28833 (New) Package is "krb5" Tue Feb 19 13:54:57 2019 rev:138 rq:674895 version:1.17 Changes: --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2018-10-29 14:56:48.197705382 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new.28833/krb5-mini.changes 2019-02-19 13:54:59.724720977 +0100 @@ -1,0 +2,71 @@ +Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt + +- Replace old $RPM_* shell vars + +--- +Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero + +- Upgrade to 1.17. Major changes: + Administrator experience: + * A new Kerberos database module using the Lightning Memory-Mapped +Database library (LMDB) has been added. The LMDB KDB module should +be more performant and more robust than the DB2 module, and may +become the default module for new databases in a future release. + * "kdb5_util dump" will no longer dump policy entries when specific +principal names are requested. + Developer experience: + * The new krb5_get_etype_info() API can be used to retrieve enctype, +salt, and string-to-key parameters from the KDC for a client +principal. + * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise +principal names to be used with GSS-API functions. + * KDC and kadmind modules which call com_err() will now write to the +log file in a format more consistent with other log messages. + * Programs which use large numbers of memory credential caches should +perform better. + Protocol evolution: + * The SPAKE pre-authentication mechanism is now supported. This +mechanism protects against password dictionary attacks without +requiring any additional infrastructure such as certificates. SPAKE +is enabled by default on clients, but must be manually enabled on +the KDC for this release. + * PKINIT freshness tokens are now supported. Freshness tokens can +protect against scenarios where an attacker uses temporary access to +a smart card to generate authentication requests for the future. + * Password change operations now prefer TCP over UDP, to avoid +spurious error messages about replays when a response packet is +dropped. + * The KDC now supports cross-realm S4U2Self requests when used with a +third-party KDB module such as Samba's. The client code for +cross-realm S4U2Self requests is also now more robust. + User experience: + * The new ktutil addent -f flag can be used to fetch salt information +from the KDC for password-based keys. + * The new kdestroy -p option can be used to destroy a credential cache +within a collection by client principal name. + * The Kerberos man page has been restored, and documents the +environment variables that affect programs using the Kerberos +library. + Code quality: + * Python test scripts now use Python 3. + * Python test scripts now display markers in verbose output, making it +easier to find where a failure occurred within the scripts. + * The Windows build system has been simplified and updated to work +with more recent versions of Visual Studio. A large volume of +unused Windows-specific code has been removed. Visual Studio 2013 +or later is now required. +- Use systemd-tmpfiles to create files under /var/lib/kerberos, required + by transactional updates; (bsc#1100126); +- Rename patches: + * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch + * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch + * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch + * krb5-1.6.3-gssapi_improve_errormessages.dif to +0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch + * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch + * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch + * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch + * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch + +--- @@ -1800 +1870,0 @@ - --- /work/SRC/openSUSE:Factory/krb5/krb5.changes2018-10-29 14:56:48.217705458 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new.28833/krb5.changes 2019-02-19 13:54:59.764720948 +0100 @@ -1,0 +2,71 @@ +Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt + +- Replace old $RPM_* shell vars + +--- +Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero + +- Upgrade to 1.17. Major changes: + Administrator experience: + * A new Kerberos database module using the
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2018-10-29 14:13:32
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Mon Oct 29 14:13:32 2018 rev:137 rq:642079 version:1.16.1
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2018-05-10
15:44:07.592860018 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2018-10-29
14:56:48.197705382 +0100
@@ -1,0 +2,15 @@
+Tue Oct 9 20:13:24 UTC 2018 - James McDonough
+
+- Upgrade to 1.16.1
+ * kdc client cert matching on client principal entry
+ * Allow ktutil addent command to ignore key version and use
+non-default salt string.
+ * add kpropd pidfile support
+ * enable "encrypted_challenge_indicator" realm option on tickets
+obtained using FAST encrypted challenge pre-authentication.
+ * dates through 2106 accepted
+ * KDC support for trivially renewable tickets
+ * stop caching referral and alternate cross-realm TGTs to prevent
+duplicate credential cache entries
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2018-06-27
10:15:47.472327307 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2018-10-29
14:56:48.217705458 +0100
@@ -1,0 +2,15 @@
+Tue Oct 9 20:00:21 UTC 2018 - James McDonough
+
+- Upgrade to 1.16.1
+ * kdc client cert matching on client principal entry
+ * Allow ktutil addent command to ignore key version and use
+non-default salt string.
+ * add kpropd pidfile support
+ * enable "encrypted_challenge_indicator" realm option on tickets
+obtained using FAST encrypted challenge pre-authentication.
+ * dates through 2106 accepted
+ * KDC support for trivially renewable tickets
+ * stop caching referral and alternate cross-realm TGTs to prevent
+duplicate credential cache entries
+
+---
Old:
krb5-1.15.3.tar.gz
krb5-1.15.3.tar.gz.asc
New:
krb5-1.16.1.tar.gz
krb5-1.16.1.tar.gz.asc
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.5vcaIG/_old 2018-10-29 14:56:48.729707399 +0100
+++ /var/tmp/diff_new_pack.5vcaIG/_new 2018-10-29 14:56:48.729707399 +0100
@@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@@ -21,7 +21,7 @@
%define _fillupdir /var/adm/fillup-templates
%endif
-%define srcRoot krb5-1.15.3
+%define srcRoot krb5-1.16.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -34,7 +34,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.15.3
+Version:1.16.1
Release:0
Summary:MIT Kerberos5 implementation and libraries with minimal
dependencies
License:MIT
@@ -52,8 +52,8 @@
Conflicts: krb5-plugin-kdb-ldap
Conflicts: krb5-plugin-preauth-pkinit
Conflicts: krb5-plugin-preauth-otp
-Source0:
https://web.mit.edu/kerberos/dist/krb5/1.15/krb5-%{version}.tar.gz
-Source1:
https://web.mit.edu/kerberos/dist/krb5/1.15/krb5-%{version}.tar.gz.asc
+Source0:
https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz
+Source1:
https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz.asc
Source2:krb5.keyring
Source3:vendor-files.tar.bz2
Source4:baselibs.conf
++ krb5.spec ++
--- /var/tmp/diff_new_pack.5vcaIG/_old 2018-10-29 14:56:48.741707444 +0100
+++ /var/tmp/diff_new_pack.5vcaIG/_new 2018-10-29 14:56:48.745707459 +0100
@@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@@ -30,7 +30,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.15.3
+Version:1.16.1
Release:0
Summary:MIT Kerberos5 implementation
License:MIT
@@ -46,8 +46,8 @@
Obsoletes: krb5-64bit
%endif
Conflicts: krb5-mini
-Source0:
https://web.mit.edu/kerberos/dist/krb5/1.15/krb5-%{version}.tar.gz
-Source1:
https://web.mit.edu/kerberos/dist/krb5/1.15/krb5-%{version}.tar.gz.asc
+Source0:
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2018-06-27 10:15:42
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Wed Jun 27 10:15:42 2018 rev:136 rq:617494 version:1.15.3
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2018-05-10
15:44:08.932810911 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2018-06-27
10:15:47.472327307 +0200
@@ -1,0 +2,6 @@
+Mon Jun 18 11:02:57 UTC 2018 - mc...@suse.com
+
+- BSC#1021402 move %{_libdir}/krb5/plugins/tls/k5tls.so to krb5 package
+ so it is avaiable for krb5-client as well.
+
+---
Other differences:
--
++ krb5.spec ++
--- /var/tmp/diff_new_pack.Mpk3WQ/_old 2018-06-27 10:15:48.716282055 +0200
+++ /var/tmp/diff_new_pack.Mpk3WQ/_new 2018-06-27 10:15:48.720281909 +0200
@@ -396,6 +396,7 @@
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libkrad.so.*
+%{_libdir}/krb5/plugins/tls/*.so
%files server
%defattr(-,root,root)
@@ -439,7 +440,6 @@
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/uuserver
%{_libdir}/krb5/plugins/kdb/db2.so
-%{_libdir}/krb5/plugins/tls/*.so
%{_mandir}/man5/kdc.conf.5*
%{_mandir}/man5/kadm5.acl.5*
%{_mandir}/man8/kadmind.8*
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2018-05-10 15:43:54
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Thu May 10 15:43:54 2018 rev:135 rq:604020 version:1.15.3
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2018-05-02
12:16:48.887699478 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2018-05-10
15:44:07.592860018 +0200
@@ -1,0 +2,17 @@
+Fri May 4 09:48:36 UTC 2018 - mich...@stroeder.com
+
+- Upgrade to 1.15.3
+ * Fix flaws in LDAP DN checking, including a null dereference KDC
+crash which could be triggered by kadmin clients with administrative
+privileges [CVE-2018-5729, CVE-2018-5730].
+ * Fix a KDC PKINIT memory leak.
+ * Fix a small KDC memory leak on transited or authdata errors when
+processing TGS requests.
+ * Fix a null dereference when the KDC sends a large TGS reply.
+ * Fix "kdestroy -A" with the KCM credential cache type.
+ * Fix the handling of capaths "." values.
+ * Fix handling of repeated subsection specifications in profile files
+(such as when multiple included files specify relations in the same
+subsection).
+
+---
krb5.changes: same change
Old:
krb5-1.15.2.tar.gz
krb5-1.15.2.tar.gz.asc
New:
krb5-1.15.3.tar.gz
krb5-1.15.3.tar.gz.asc
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.SnRY0S/_old 2018-05-10 15:44:10.052769865 +0200
+++ /var/tmp/diff_new_pack.SnRY0S/_new 2018-05-10 15:44:10.052769865 +0200
@@ -21,7 +21,7 @@
%define _fillupdir /var/adm/fillup-templates
%endif
-%define srcRoot krb5-1.15.2
+%define srcRoot krb5-1.15.3
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -34,7 +34,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.15.2
+Version:1.15.3
Release:0
Summary:MIT Kerberos5 implementation and libraries with minimal
dependencies
License:MIT
++ krb5.spec ++
--- /var/tmp/diff_new_pack.SnRY0S/_old 2018-05-10 15:44:10.080768839 +0200
+++ /var/tmp/diff_new_pack.SnRY0S/_new 2018-05-10 15:44:10.084768692 +0200
@@ -30,7 +30,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.15.2
+Version:1.15.3
Release:0
Summary:MIT Kerberos5 implementation
License:MIT
++ krb5-1.15.2.tar.gz -> krb5-1.15.3.tar.gz ++
/work/SRC/openSUSE:Factory/krb5/krb5-1.15.2.tar.gz
/work/SRC/openSUSE:Factory/.krb5.new/krb5-1.15.3.tar.gz differ: char 5, line 1
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2018-05-02 12:16:43
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Wed May 2 12:16:43 2018 rev:134 rq:602715 version:1.15.2
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2017-11-30
12:31:34.216071356 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2018-05-02
12:16:48.887699478 +0200
@@ -1,0 +2,5 @@
+Wed Apr 25 21:56:35 UTC 2018 - luizl...@gmail.com
+
+- Added support for /etc/krb5.conf.d/ for configuration snippets
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2017-11-30
12:31:34.752051864 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2018-05-02
12:16:49.815665620 +0200
@@ -1,0 +2,5 @@
+Wed Apr 25 21:54:39 UTC 2018 - luizl...@gmail.com
+
+- Added support for /etc/krb5.conf.d/ for configuration snippets
+
+---
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.R7uSyY/_old 2018-05-02 12:16:50.747631617 +0200
+++ /var/tmp/diff_new_pack.R7uSyY/_new 2018-05-02 12:16:50.751631471 +0200
@@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -166,7 +166,7 @@
# install sample config files
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir}
%{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
-mkdir -p %{buildroot}%{_sysconfdir}
+mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
mkdir -p %{buildroot}/etc/profile.d/
mkdir -p %{buildroot}/var/log/krb5
mkdir -p %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
@@ -323,6 +323,7 @@
%dir /usr/lib/mit/bin
%doc %{krb5docdir}/README
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
+%dir %{_sysconfdir}/krb5.conf.d
%attr(0644,root,root) %config /etc/profile.d/krb5*
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
%attr(0600,root,root) %config(noreplace)
%{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
++ krb5.spec ++
--- /var/tmp/diff_new_pack.R7uSyY/_old 2018-05-02 12:16:50.779630450 +0200
+++ /var/tmp/diff_new_pack.R7uSyY/_new 2018-05-02 12:16:50.783630304 +0200
@@ -1,7 +1,7 @@
#
# spec file for package krb5
#
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -233,7 +233,7 @@
# install sample config files
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir}
%{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
-mkdir -p %{buildroot}%{_sysconfdir}
+mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
mkdir -p %{buildroot}/etc/profile.d/
mkdir -p %{buildroot}/var/log/krb5
mkdir -p %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
@@ -385,6 +385,7 @@
%attr(0700,root,root) %dir /var/log/krb5
%doc %{krb5docdir}/README
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
+%dir %{_sysconfdir}/krb5.conf.d
%attr(0644,root,root) %config /etc/profile.d/krb5*
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
++ vendor-files.tar.bz2 ++
53486 lines of diff (skipped)
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2017-11-30 12:31:32
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Thu Nov 30 12:31:32 2017 rev:133 rq:544747 version:1.15.2
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2017-10-05
11:48:08.170502633 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2017-11-30
12:31:34.216071356 +0100
@@ -1,0 +2,6 @@
+Thu Nov 23 13:38:33 UTC 2017 - rbr...@suse.com
+
+- Replace references to /var/adm/fillup-templates with new
+ %_fillupdir macro (boo#1069468)
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2017-11-11
14:14:29.522446343 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2017-11-30
12:31:34.752051864 +0100
@@ -1,0 +2,6 @@
+Thu Nov 23 13:38:38 UTC 2017 - rbr...@suse.com
+
+- Replace references to /var/adm/fillup-templates with new
+ %_fillupdir macro (boo#1069468)
+
+---
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.xkJVP0/_old 2017-11-30 12:31:36.747979280 +0100
+++ /var/tmp/diff_new_pack.xkJVP0/_new 2017-11-30 12:31:36.751979135 +0100
@@ -16,6 +16,11 @@
#
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir /var/adm/fillup-templates
+%endif
+
%define srcRoot krb5-1.15.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -199,9 +204,9 @@
install -m 755 %{vendorFiles}/kpropd.init
%{buildroot}%{_sysconfdir}/init.d/kpropd
%endif
# install sysconfig templates
-mkdir -p $RPM_BUILD_ROOT/%{_var}/adm/fillup-templates
-install -m 644 %{vendorFiles}/sysconfig.kadmind
$RPM_BUILD_ROOT/%{_var}/adm/fillup-templates/
-install -m 644 %{vendorFiles}/sysconfig.krb5kdc
$RPM_BUILD_ROOT/%{_var}/adm/fillup-templates/
+mkdir -p $RPM_BUILD_ROOT/%{_fillupdir}
+install -m 644 %{vendorFiles}/sysconfig.kadmind $RPM_BUILD_ROOT/%{_fillupdir}/
+install -m 644 %{vendorFiles}/sysconfig.krb5kdc $RPM_BUILD_ROOT/%{_fillupdir}/
# install logrotate files
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{vendorFiles}/krb5-server.logrotate
%{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
@@ -324,7 +329,7 @@
%attr(0600,root,root) %config(noreplace)
%{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace)
%{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
-%{_var}/adm/fillup-templates/sysconfig.*
+%{_fillupdir}/sysconfig.*
%{_unitdir}/kadmind.service
%{_unitdir}/krb5kdc.service
%{_unitdir}/kpropd.service
++ krb5.spec ++
--- /var/tmp/diff_new_pack.xkJVP0/_old 2017-11-30 12:31:36.783977971 +0100
+++ /var/tmp/diff_new_pack.xkJVP0/_new 2017-11-30 12:31:36.783977971 +0100
@@ -16,6 +16,11 @@
#
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir /var/adm/fillup-templates
+%endif
+
Name: krb5
Url:https://web.mit.edu/kerberos/www/
BuildRequires: autoconf
@@ -266,9 +271,9 @@
install -m 755 %{vendorFiles}/kpropd.init
%{buildroot}%{_sysconfdir}/init.d/kpropd
%endif
# install sysconfig templates
-mkdir -p $RPM_BUILD_ROOT/%{_var}/adm/fillup-templates
-install -m 644 %{vendorFiles}/sysconfig.kadmind
$RPM_BUILD_ROOT/%{_var}/adm/fillup-templates/
-install -m 644 %{vendorFiles}/sysconfig.krb5kdc
$RPM_BUILD_ROOT/%{_var}/adm/fillup-templates/
+mkdir -p $RPM_BUILD_ROOT/%{_fillupdir}
+install -m 644 %{vendorFiles}/sysconfig.kadmind $RPM_BUILD_ROOT/%{_fillupdir}/
+install -m 644 %{vendorFiles}/sysconfig.krb5kdc $RPM_BUILD_ROOT/%{_fillupdir}/
# install logrotate files
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{vendorFiles}/krb5-server.logrotate
%{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
@@ -419,7 +424,7 @@
%attr(0600,root,root) %config(noreplace)
%{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace)
%{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
-%{_var}/adm/fillup-templates/sysconfig.*
+%{_fillupdir}/sysconfig.*
/usr/sbin/rc*
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2017-11-11 14:14:21
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Sat Nov 11 14:14:21 2017 rev:132 rq:539257 version:1.15.2
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2017-10-05
11:48:09.442323666 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2017-11-11
14:14:29.522446343 +0100
@@ -1,0 +2,8 @@
+Mon Nov 6 10:23:00 UTC 2017 - h...@suse.com
+
+- Remove build dependency doxygen, python-Cheetah, python-Sphinx,
+ python-libxml2, python-lxml, most of which are python 2 programs.
+ Consequently remove -doc subpackage. Users are encouraged to use
+ online documentation. (bsc#1066461)
+
+---
Other differences:
--
++ krb5.spec ++
--- /var/tmp/diff_new_pack.qWwp2x/_old 2017-11-11 14:14:31.678367320 +0100
+++ /var/tmp/diff_new_pack.qWwp2x/_new 2017-11-11 14:14:31.682367173 +0100
@@ -31,15 +31,10 @@
License:MIT
Group: Productivity/Networking/Security
Obsoletes: krb5-plugin-preauth-pkinit-nss
-BuildRequires: doxygen
BuildRequires: libopenssl-devel
BuildRequires: libverto-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
-BuildRequires: python-Cheetah
-BuildRequires: python-Sphinx
-BuildRequires: python-libxml2
-BuildRequires: python-lxml
BuildRequires: pkgconfig(systemd)
# bug437293
%ifarch ppc64
@@ -210,11 +205,6 @@
make %{?_smp_mflags}
-cd doc
-make %{?_smp_mflags} substhtml
-cp -a html_subst ../../html
-cd ..
-
# Copy kadmin manual page into kadmin.local's due to the split between client
and server package
cp man/kadmin.man man/kadmin.local.8
@@ -522,8 +512,4 @@
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/otp.so
-%files doc
-%defattr(-,root,root)
-%doc html doc/README
-
%changelog
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2017-10-05 11:48:05
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Thu Oct 5 11:48:05 2017 rev:131 rq:530615 version:1.15.2
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2017-10-01
16:58:39.393365341 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2017-10-05
11:48:08.170502633 +0200
@@ -1,0 +2,5 @@
+Mon Oct 2 22:53:28 UTC 2017 - jeng...@inai.de
+
+- Update package descriptions.
+
+---
krb5.changes: same change
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.Lb5r8X/_old 2017-10-05 11:48:10.298203228 +0200
+++ /var/tmp/diff_new_pack.Lb5r8X/_new 2017-10-05 11:48:10.302202666 +0200
@@ -67,13 +67,13 @@
%description
Kerberos V5 is a trusted-third-party network authentication system,
-which can improve your network's security by eliminating the insecure
+which can improve network security by eliminating the insecure
practice of clear text passwords.
The package delivers MIT Kerberos with reduced features and minimal
dependencies
%package devel
-Summary:MIT Kerberos5 - Include Files and Libraries
+Summary:Development files for MIT Kerberos5 (openSUSE mini variant)
Group: Development/Libraries/C and C++
PreReq: %{name} = %{version}
Requires: keyutils-devel
@@ -88,7 +88,7 @@
%description devel
Kerberos V5 is a trusted-third-party network authentication system,
-which can improve your network's security by eliminating the insecure
+which can improve network security by eliminating the insecure
practice of cleartext passwords. This package includes Libraries and
Include Files for Development
++ krb5.spec ++
--- /var/tmp/diff_new_pack.Lb5r8X/_old 2017-10-05 11:48:10.334198164 +0200
+++ /var/tmp/diff_new_pack.Lb5r8X/_new 2017-10-05 11:48:10.334198164 +0200
@@ -27,7 +27,7 @@
BuildRequires: ncurses-devel
Version:1.15.2
Release:0
-Summary:MIT Kerberos5 Implementation--Libraries
+Summary:MIT Kerberos5 implementation
License:MIT
Group: Productivity/Networking/Security
Obsoletes: krb5-plugin-preauth-pkinit-nss
@@ -66,22 +66,22 @@
%description
Kerberos V5 is a trusted-third-party network authentication system,
-which can improve your network's security by eliminating the insecure
+which can improve network security by eliminating the insecure
practice of clear text passwords.
%package client
Conflicts: krb5-mini
-Summary:MIT Kerberos5 implementation - client programs
+Summary:Client programs of the MIT Kerberos5 implementation
Group: Productivity/Networking/Security
%description client
Kerberos V5 is a trusted-third-party network authentication system,
-which can improve your network's security by eliminating the insecure
+which can improve network security by eliminating the insecure
practice of cleartext passwords. This package includes some required
client programs, like kinit, kadmin, ...
%package server
-Summary:MIT Kerberos5 implementation - server
+Summary:Server program of the MIT Kerberos5 implementation
Group: Productivity/Networking/Security
Requires: cron
Requires: libverto-libev1
@@ -96,51 +96,51 @@
%description server
Kerberos V5 is a trusted-third-party network authentication system,
-which can improve your network's security by eliminating the insecure
+which can improve network security by eliminating the insecure
practice of cleartext passwords. This package includes the kdc, kadmind
and more.
%package plugin-kdb-ldap
-Summary:MIT Kerberos5 Implementation--LDAP Database Plugin
+Summary:LDAP database plugin for MIT Kerberos5
Group: Productivity/Networking/Security
Requires: krb5-server = %{version}
%description plugin-kdb-ldap
Kerberos V5 is a trusted-third-party network authentication system,
-which can improve your network's security by eliminating the insecure
+which can improve network security by eliminating the insecure
practice of clear text passwords. This package contains the LDAP
database plugin.
%package plugin-preauth-pkinit
-Summary:MIT Kerberos5 Implementation--PKINIT preauth Plugin
+Summary:PKINIT preauthentication plugin for MIT Kerberos5
Group: Productivity/Networking/Security
%description plugin-preauth-pkinit
Kerberos V5 is a trusted-third-party network authentication system,
-which can improve your network's security by eliminating the
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2017-10-01 16:58:35
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Sun Oct 1 16:58:35 2017 rev:130 rq:528906 version:1.15.2
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2017-08-21
11:32:26.856948324 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2017-10-01
16:58:39.393365341 +0200
@@ -1,0 +2,15 @@
+Mon Sep 25 19:45:05 UTC 2017 - mich...@stroeder.com
+
+- Upgrade to 1.15.2
+ * Fix a KDC denial of service vulnerability caused by unset status
+strings [CVE-2017-11368]
+ * Preserve GSS contexts on init/accept failure [CVE-2017-11462]
+ * Fix kadm5 setkey operation with LDAP KDB module
+ * Use a ten-second timeout after successful connection for HTTPS KDC
+requests, as we do for TCP requests
+ * Fix client null dereference when KDC offers encrypted challenge
+without FAST
+ * Ignore dotfiles when processing profile includedir directive
+ * Improve documentation
+
+---
krb5.changes: same change
Old:
krb5-1.15.1.tar.gz
krb5-1.15.1.tar.gz.asc
New:
krb5-1.15.2.tar.gz
krb5-1.15.2.tar.gz.asc
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.gIAzp8/_old 2017-10-01 16:58:40.545203301 +0200
+++ /var/tmp/diff_new_pack.gIAzp8/_new 2017-10-01 16:58:40.549202738 +0200
@@ -16,7 +16,7 @@
#
-%define srcRoot krb5-1.15.1
+%define srcRoot krb5-1.15.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -29,7 +29,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.15.1
+Version:1.15.2
Release:0
Summary:MIT Kerberos5 implementation and libraries with minimal
dependencies
License:MIT
++ krb5.spec ++
--- /var/tmp/diff_new_pack.gIAzp8/_old 2017-10-01 16:58:40.573199362 +0200
+++ /var/tmp/diff_new_pack.gIAzp8/_new 2017-10-01 16:58:40.573199362 +0200
@@ -25,7 +25,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.15.1
+Version:1.15.2
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
++ krb5-1.15.1.tar.gz -> krb5-1.15.2.tar.gz ++
/work/SRC/openSUSE:Factory/krb5/krb5-1.15.1.tar.gz
/work/SRC/openSUSE:Factory/.krb5.new/krb5-1.15.2.tar.gz differ: char 5, line 1
commit krb5 for openSUSE:Factory
Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2017-08-21 11:32:24 Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new (New) Package is "krb5" Mon Aug 21 11:32:24 2017 rev:129 rq:517510 version:1.15.1 Changes: --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2017-06-15 11:19:29.476465290 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2017-08-21 11:32:26.856948324 +0200 @@ -1,0 +2,7 @@ +Fri Aug 18 08:27:26 UTC 2017 - h...@suse.com + +- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf + in order to improve client security in handling service principle + names. (bsc#1054028) + +--- --- /work/SRC/openSUSE:Factory/krb5/krb5.changes2017-06-15 11:19:29.512460205 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2017-08-21 11:32:27.192901077 +0200 @@ -1,0 +2,13 @@ +Fri Aug 18 08:27:26 UTC 2017 - h...@suse.com + +- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf + in order to improve client security in handling service principle + names. (bsc#1054028) + +--- +Fri Aug 11 09:08:58 UTC 2017 - h...@suse.com + +- Prevent kadmind.service startup failure caused by absence of + LDAP service. (bsc#903543) + +--- Other differences: -- krb5.spec: same change ++ vendor-files.tar.bz2 ++ 53477 lines of diff (skipped)
commit krb5 for openSUSE:Factory
Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2017-06-15 11:19:29 Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new (New) Package is "krb5" Thu Jun 15 11:19:29 2017 rev:128 rq:501409 version:1.15.1 Changes: --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2017-04-29 10:47:07.898414023 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2017-06-15 11:19:29.476465290 +0200 @@ -1,0 +2,25 @@ +Tue Jun 6 13:36:34 UTC 2017 - h...@suse.com + +- There is no change made about the package itself, this is only + copying over some changelog texts from SLE package: +- bug#918595 owned by vark...@suse.com: VUL-0: CVE-2014-5355 + krb5: denial of service in krb5_read_message +- bug#912002 owned by vark...@suse.com: VUL-0 + CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423: + krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token +- bug#910458 owned by vark...@suse.com: VUL-1 + CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries +- bug#928978 owned by vark...@suse.com: VUL-0 + CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading + to requires_preauth bypass +- bug#910457 owned by vark...@suse.com: VUL-1 + CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy + name as a password policy name +- bug#991088 owned by h...@suse.com: VUL-1 + CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted +- bug#992853 owned by h...@suse.com: krb5: bogus prerequires +- [fate#320326](https://fate.suse.com/320326) +- bug#982313 owned by pgaj...@suse.com: Doxygen unable to resolve reference + from \cite + +--- krb5.changes: same change Other differences: -- krb5.spec: same change
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2017-04-29 10:47:05
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Sat Apr 29 10:47:05 2017 rev:127 rq:486278 version:1.15.1
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2017-03-29
13:20:34.930303215 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2017-04-29
10:47:07.898414023 +0200
@@ -1,0 +2,5 @@
+Thu Apr 6 13:00:26 CEST 2017 - ku...@suse.de
+
+- Remove wrong PreRequires
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2017-03-29
13:20:35.086281157 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2017-04-29
10:47:08.746294239 +0200
@@ -1,0 +2,5 @@
+Thu Apr 6 12:58:53 CEST 2017 - ku...@suse.de
+
+- Remove wrong PreRequires from krb5
+
+---
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.hfVJKZ/_old 2017-04-29 10:47:10.022113998 +0200
+++ /var/tmp/diff_new_pack.hfVJKZ/_new 2017-04-29 10:47:10.022113998 +0200
@@ -63,7 +63,6 @@
Patch12:krb5-1.12-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
-PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
%description
++ krb5.spec ++
--- /var/tmp/diff_new_pack.hfVJKZ/_old 2017-04-29 10:47:10.050110042 +0200
+++ /var/tmp/diff_new_pack.hfVJKZ/_new 2017-04-29 10:47:10.054109477 +0200
@@ -63,8 +63,6 @@
Patch12:krb5-1.12-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
-PreReq: mktemp, grep, /bin/touch, coreutils
-PreReq: %fillup_prereq
%description
Kerberos V5 is a trusted-third-party network authentication system,
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2017-03-29 13:20:32
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Wed Mar 29 13:20:32 2017 rev:126 rq:478948 version:1.15.1
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2017-01-25
22:32:44.769183615 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2017-03-29
13:20:34.930303215 +0200
@@ -1,0 +2,25 @@
+Thu Mar 9 20:58:42 UTC 2017 - mich...@stroeder.com
+
+- use HTTPS project and source URLs
+
+---
+Thu Mar 9 16:31:41 UTC 2017 - meiss...@suse.com
+
+- use source urls.
+- krb5.keyring: Added Greg Hudson
+
+---
+Sat Mar 4 21:29:34 UTC 2017 - mich...@stroeder.com
+
+- removed obsolete krb5-1.15-fix_kdb_free_principal_e_data.patch
+- Upgrade to 1.15.1
+ * Allow KDB modules to determine how the e_data field of principal
+fields is freed
+ * Fix udp_preference_limit when the KDC location is configured with
+SRV records
+ * Fix KDC and kadmind startup on some IPv4-only systems
+ * Fix the processing of PKINIT certificate matching rules which have
+two components and no explicit relation
+ * Improve documentation
+
+---
krb5.changes: same change
Old:
krb5-1.15-fix_kdb_free_principal_e_data.patch
krb5-1.15.tar.gz
krb5-1.15.tar.gz.asc
New:
krb5-1.15.1.tar.gz
krb5-1.15.1.tar.gz.asc
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.HpCTLK/_old 2017-03-29 13:20:37.145989870 +0200
+++ /var/tmp/diff_new_pack.HpCTLK/_new 2017-03-29 13:20:37.145989870 +0200
@@ -16,12 +16,12 @@
#
-%define srcRoot krb5-1.15
+%define srcRoot krb5-1.15.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
Name: krb5-mini
-Url:http://web.mit.edu/kerberos/www/
+Url:https://web.mit.edu/kerberos/www/
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: keyutils
@@ -29,7 +29,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.15
+Version:1.15.1
Release:0
Summary:MIT Kerberos5 implementation and libraries with minimal
dependencies
License:MIT
@@ -47,9 +47,8 @@
Conflicts: krb5-plugin-kdb-ldap
Conflicts: krb5-plugin-preauth-pkinit
Conflicts: krb5-plugin-preauth-otp
-# both tar.gz and .tar.gz.asc extracted from the
http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
-Source0:krb5-%{version}.tar.gz
-Source1:krb5-%{version}.tar.gz.asc
+Source0:
https://web.mit.edu/kerberos/dist/krb5/1.15/krb5-%{version}.tar.gz
+Source1:
https://web.mit.edu/kerberos/dist/krb5/1.15/krb5-%{version}.tar.gz.asc
Source2:krb5.keyring
Source3:vendor-files.tar.bz2
Source4:baselibs.conf
@@ -63,8 +62,6 @@
Patch11:krb5-1.12-ksu-path.patch
Patch12:krb5-1.12-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
-# http://krbdev.mit.edu/rt/Ticket/Display.html?id=8538
-Patch14:krb5-1.15-fix_kdb_free_principal_e_data.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -108,7 +105,6 @@
%patch11 -p1
%patch12 -p1
%patch13 -p1
-%patch14 -p1
%build
# needs to be re-generated
++ krb5.spec ++
--- /var/tmp/diff_new_pack.HpCTLK/_old 2017-03-29 13:20:37.173985911 +0200
+++ /var/tmp/diff_new_pack.HpCTLK/_new 2017-03-29 13:20:37.177985345 +0200
@@ -17,7 +17,7 @@
Name: krb5
-Url:http://web.mit.edu/kerberos/www/
+Url:https://web.mit.edu/kerberos/www/
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: keyutils
@@ -25,7 +25,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.15
+Version:1.15.1
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
@@ -46,9 +46,8 @@
Obsoletes: krb5-64bit
%endif
Conflicts: krb5-mini
-# both tar.gz and .tar.gz.asc extracted from the
http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
-Source0:krb5-%{version}.tar.gz
-Source1:krb5-%{version}.tar.gz.asc
+Source0:
https://web.mit.edu/kerberos/dist/krb5/1.15/krb5-%{version}.tar.gz
+Source1:
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2017-02-08 12:11:00
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2017-01-25
22:32:44.853170906 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2017-02-08
12:11:01.383846763 +0100
@@ -1,0 +2,5 @@
+Fri Jan 27 14:50:39 UTC 2017 - bwiedem...@suse.com
+
+- remove useless environment.pickle to make build-compare happy
+
+---
Other differences:
--
++ krb5.spec ++
--- /var/tmp/diff_new_pack.aaG9ss/_old 2017-02-08 12:11:03.203590243 +0100
+++ /var/tmp/diff_new_pack.aaG9ss/_new 2017-02-08 12:11:03.207589679 +0100
@@ -321,7 +321,7 @@
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
-rm -f /usr/share/man/man1/tmac.doc*
+rm -f /usr/share/man/man1/tmac.doc* html/.doctrees/environment.pickle
rm -rf %{buildroot}/usr/lib/mit/share/examples
# manually remove test plugin since configure doesn't support disabling it at
build time
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2017-01-25 22:32:44
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2016-12-11
13:21:31.468971608 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2017-01-25
22:32:44.769183615 +0100
@@ -1,0 +2,7 @@
+Thu Jan 19 16:01:27 UTC 2017 - a...@cryptomilk.org
+
+- Introduce patch
+ krb5-1.15-fix_kdb_free_principal_e_data.patch
+ to fix freeing of e_data in the kdb principal
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2016-12-11
13:21:31.708937623 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2017-01-25
22:32:44.853170906 +0100
@@ -1,0 +2,7 @@
+Thu Jan 19 15:59:38 UTC 2017 - a...@cryptomilk.org
+
+- Introduce patch
+ krb5-1.15-fix_kdb_free_principal_e_data.patch
+ to fix freeing of e_data in the kdb principal
+
+---
New:
krb5-1.15-fix_kdb_free_principal_e_data.patch
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.PteGJl/_old 2017-01-25 22:32:45.984999627 +0100
+++ /var/tmp/diff_new_pack.PteGJl/_new 2017-01-25 22:32:45.988999022 +0100
@@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -63,6 +63,8 @@
Patch11:krb5-1.12-ksu-path.patch
Patch12:krb5-1.12-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
+# http://krbdev.mit.edu/rt/Ticket/Display.html?id=8538
+Patch14:krb5-1.15-fix_kdb_free_principal_e_data.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -106,6 +108,7 @@
%patch11 -p1
%patch12 -p1
%patch13 -p1
+%patch14 -p1
%build
# needs to be re-generated
++ krb5.spec ++
--- /var/tmp/diff_new_pack.PteGJl/_old 2017-01-25 22:32:46.024993575 +0100
+++ /var/tmp/diff_new_pack.PteGJl/_new 2017-01-25 22:32:46.032992365 +0100
@@ -1,7 +1,7 @@
#
# spec file for package krb5
#
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -63,6 +63,8 @@
Patch11:krb5-1.12-ksu-path.patch
Patch12:krb5-1.12-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
+# http://krbdev.mit.edu/rt/Ticket/Display.html?id=8538
+Patch14:krb5-1.15-fix_kdb_free_principal_e_data.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -177,6 +179,7 @@
%patch11 -p1
%patch12 -p1
%patch13 -p1
+%patch14 -p1
%build
# needs to be re-generated
++ krb5-1.15-fix_kdb_free_principal_e_data.patch ++
>From 28ca91cd71ea64c62419e996c38031bdae01f908 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Wed, 18 Jan 2017 11:40:49 -0500
Subject: [PATCH 1/2] Explicitly copy KDB vtable fields
In preparation for bumping the kdb_vftabl minor version, use explicit
field assignments when copying the module vtable to the internal copy,
so that we can conditionalize assignments for minor versions greater
than 0.
ticket: 8538
---
src/lib/kdb/kdb5.c | 81 +++---
1 file changed, 59 insertions(+), 22 deletions(-)
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index a3139a7dce..ee41272312 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -283,24 +283,63 @@ clean_n_exit:
}
static void
-kdb_setup_opt_functions(db_library lib)
-{
-if (lib->vftabl.fetch_master_key == NULL)
-lib->vftabl.fetch_master_key = krb5_db_def_fetch_mkey;
-if (lib->vftabl.fetch_master_key_list == NULL)
-lib->vftabl.fetch_master_key_list = krb5_def_fetch_mkey_list;
-if (lib->vftabl.store_master_key_list == NULL)
-lib->vftabl.store_master_key_list = krb5_def_store_mkey_list;
-if (lib->vftabl.dbe_search_enctype == NULL)
-lib->vftabl.dbe_search_enctype = krb5_dbe_def_search_enctype;
-if (lib->vftabl.change_pwd == NULL)
-lib->vftabl.change_pwd = krb5_dbe_def_cpw;
-if
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2016-11-28 15:02:59
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2016-08-05
18:11:30.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2016-11-28
15:03:00.0 +0100
@@ -1,0 +2,6 @@
+Mon Nov 14 08:36:06 UTC 2016 - christof.ha...@rzg.mpg.de
+
+- add pam configuration file required for ksu
+ just use a copy of "su" one from Tumbleweed
+
+---
New:
ksu-pam.d
Other differences:
--
++ krb5.spec ++
--- /var/tmp/diff_new_pack.gMwZlS/_old 2016-11-28 15:03:02.0 +0100
+++ /var/tmp/diff_new_pack.gMwZlS/_new 2016-11-28 15:03:02.0 +0100
@@ -53,6 +53,7 @@
Source3:vendor-files.tar.bz2
Source4:baselibs.conf
Source5:krb5-rpmlintrc
+Source6:ksu-pam.d
Patch1: krb5-1.12-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.12-buildconf.patch
@@ -315,6 +316,10 @@
install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
install -m 644
%{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
%{buildroot}/%{krb5docdir}/kerberos.schema
install -m 644
%{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
%{buildroot}/%{krb5docdir}/kerberos.ldif
+# link pam-config for su to ksu
+mkdir -p %{buildroot}/etc/pam.d/
+install -m 644 %{S:6} %{buildroot}/etc/pam.d/ksu
+
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
@@ -462,6 +467,7 @@
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
+%attr(0644,root,root) %config(noreplace) /etc/pam.d/ksu
/usr/lib/mit/bin/kvno
/usr/lib/mit/bin/kinit
/usr/lib/mit/bin/kdestroy
++ ksu-pam.d ++
#%PAM-1.0
auth sufficient pam_rootok.so
auth includecommon-auth
account sufficient pam_rootok.so
account includecommon-account
password includecommon-password
session includecommon-session
session optional pam_xauth.so
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2016-08-05 18:11:29
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2016-07-12
23:44:11.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2016-08-05
18:11:30.0 +0200
@@ -0,0 +1,12 @@
+---
+Fri Jul 22 08:45:19 UTC 2016 - mich...@stroeder.com
+
+- Upgrade from 1.14.2 to 1.14.3:
+ * Improve some error messages
+ * Improve documentation
+ * Allow a principal with nonexistent policy to bypass the minimum
+password lifetime check, consistent with other aspects of
+nonexistent policies
+ * Fix a rare KDC denial of service vulnerability when anonymous client
+principals are restricted to obtaining TGTs only [CVE-2016-3120]
+
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2016-07-12
23:44:11.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2016-08-05
18:11:30.0 +0200
@@ -1,0 +2,12 @@
+Fri Jul 22 08:45:19 UTC 2016 - mich...@stroeder.com
+
+- Upgrade from 1.14.2 to 1.14.3:
+ * Improve some error messages
+ * Improve documentation
+ * Allow a principal with nonexistent policy to bypass the minimum
+password lifetime check, consistent with other aspects of
+nonexistent policies
+ * Fix a rare KDC denial of service vulnerability when anonymous client
+principals are restricted to obtaining TGTs only [CVE-2016-3120]
+
+---
Old:
krb5-1.14.2.tar.gz
New:
krb5-1.14.3.tar.gz
krb5-1.14.3.tar.gz.asc
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.rvGsKV/_old 2016-08-05 18:11:32.0 +0200
+++ /var/tmp/diff_new_pack.rvGsKV/_new 2016-08-05 18:11:32.0 +0200
@@ -16,7 +16,7 @@
#
-%define srcRoot krb5-1.14.2
+%define srcRoot krb5-1.14.3
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -29,7 +29,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.14.2
+Version:1.14.3
Release:0
Summary:MIT Kerberos5 implementation and libraries with minimal
dependencies
License:MIT
@@ -48,10 +48,11 @@
Conflicts: krb5-plugin-preauth-pkinit
Conflicts: krb5-plugin-preauth-otp
# both tar.gz and .tar.gz.asc extracted from the
http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
-Source: krb5-%{version}.tar.gz
-Source43: krb5.keyring
-Source1:vendor-files.tar.bz2
-Source2:baselibs.conf
+Source0:krb5-%{version}.tar.gz
+Source1:krb5-%{version}.tar.gz.asc
+Source2:krb5.keyring
+Source3:vendor-files.tar.bz2
+Source4:baselibs.conf
Source5:krb5-rpmlintrc
Patch1: krb5-1.12-pam.patch
Patch2: krb5-1.9-manpaths.dif
@@ -97,7 +98,7 @@
%prep
%setup -q -n %{srcRoot}
-%setup -a 1 -T -D -n %{srcRoot}
+%setup -a 3 -T -D -n %{srcRoot}
%patch1 -p1
%patch2 -p1
%patch3 -p1
@@ -140,7 +141,8 @@
--with-system-et \
--with-system-ss \
--with-system-verto
-%{__make} %{?_smp_mflags}
+
+make %{?_smp_mflags}
# Copy kadmin manual page into kadmin.local's due to the split between client
and server package
cp man/kadmin.man man/kadmin.local.8
++ krb5.spec ++
--- /var/tmp/diff_new_pack.rvGsKV/_old 2016-08-05 18:11:32.0 +0200
+++ /var/tmp/diff_new_pack.rvGsKV/_new 2016-08-05 18:11:32.0 +0200
@@ -25,7 +25,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.14.2
+Version:1.14.3
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
@@ -47,10 +47,11 @@
%endif
Conflicts: krb5-mini
# both tar.gz and .tar.gz.asc extracted from the
http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
-Source: krb5-%{version}.tar.gz
-Source43: krb5.keyring
-Source1:vendor-files.tar.bz2
-Source2:baselibs.conf
+Source0:krb5-%{version}.tar.gz
+Source1:krb5-%{version}.tar.gz.asc
+Source2:krb5.keyring
+Source3:vendor-files.tar.bz2
+Source4:baselibs.conf
Source5:krb5-rpmlintrc
Patch1: krb5-1.12-pam.patch
Patch2: krb5-1.9-manpaths.dif
@@ -167,7 +168,7 @@
%prep
%setup -q -n %{srcRoot}
-%setup -a 1 -T -D -n %{srcRoot}
+%setup -a 3 -T -D -n %{srcRoot}
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2016-07-12 23:44:09
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2016-05-02
10:43:56.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2016-07-12
23:44:11.0 +0200
@@ -0,0 +1,7 @@
+--
+Tue May 10 12:41:14 UTC 2016 - h...@suse.com
+
+- Remove source file ccapi/common/win/OldCC/autolock.hxx
+ that is not needed and does not carry an acceptable license.
+ (bsc#968111)
+
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2016-05-02
10:43:56.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2016-07-12
23:44:11.0 +0200
@@ -1,0 +2,21 @@
+Sat Jul 2 11:38:54 UTC 2016 - idon...@suse.com
+
+- Remove comments breaking post scripts.
+
+---
+Thu Jun 30 13:34:29 UTC 2016 - fcro...@suse.com
+
+- Do no use systemd_requires macros in main package, it adds
+ unneeded dependencies which pulls systemd into minimal chroot.
+- Only call %insserv_prereq when building for pre-systemd
+ distributions.
+- Optimise some %post/%postun when only /sbin/ldconfig is called.
+
+--
+Tue May 10 12:41:14 UTC 2016 - h...@suse.com
+
+- Remove source file ccapi/common/win/OldCC/autolock.hxx
+ that is not needed and does not carry an acceptable license.
+ (bsc#968111)
+
+---
Old:
krb5-1.14.2.tar.gz.asc
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.hlkMhe/_old 2016-07-12 23:44:12.0 +0200
+++ /var/tmp/diff_new_pack.hlkMhe/_new 2016-07-12 23:44:12.0 +0200
@@ -49,7 +49,6 @@
Conflicts: krb5-plugin-preauth-otp
# both tar.gz and .tar.gz.asc extracted from the
http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
Source: krb5-%{version}.tar.gz
-Source42: krb5-%version.tar.gz.asc
Source43: krb5.keyring
Source1:vendor-files.tar.bz2
Source2:baselibs.conf
++ krb5.spec ++
--- /var/tmp/diff_new_pack.hlkMhe/_old 2016-07-12 23:44:12.0 +0200
+++ /var/tmp/diff_new_pack.hlkMhe/_new 2016-07-12 23:44:12.0 +0200
@@ -41,7 +41,6 @@
BuildRequires: python-libxml2
BuildRequires: python-lxml
BuildRequires: pkgconfig(systemd)
-%{?systemd_requires}
# bug437293
%ifarch ppc64
Obsoletes: krb5-64bit
@@ -49,7 +48,6 @@
Conflicts: krb5-mini
# both tar.gz and .tar.gz.asc extracted from the
http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
Source: krb5-%{version}.tar.gz
-Source42: krb5-%version.tar.gz.asc
Source43: krb5.keyring
Source1:vendor-files.tar.bz2
Source2:baselibs.conf
@@ -92,8 +90,12 @@
Requires: libverto-libev1
Requires: logrotate
Requires: perl-Date-Calc
+%if 0%{?suse_version} >= 1210
%{?systemd_requires}
-PreReq: %insserv_prereq %fillup_prereq
+%else
+PreReq: %insserv_prereq
+%endif
+PreReq: %fillup_prereq
%description server
Kerberos V5 is a trusted-third-party network authentication system,
@@ -319,18 +321,9 @@
%find_lang mit-krb5
-#
-# krb5 pre/post/postun
-#
-
%post -p /sbin/ldconfig
-%postun
-/sbin/ldconfig
-
-#
-# krb5-server preun/postun/pre/post
-#
+%postun -p /sbin/ldconfig
%preun server
%service_del_preun krb5kdc.service kadmind.service kpropd.service
@@ -347,18 +340,9 @@
%pre server
%service_add_pre krb5kdc.service kadmind.service kpropd.service
-#
-# krb5-plugin-kdb-ldap post/postun
-#
-
%post plugin-kdb-ldap -p /sbin/ldconfig
-%postun plugin-kdb-ldap
-/sbin/ldconfig
-
-
-# files sections
-
+%postun plugin-kdb-ldap -p /sbin/ldconfig
%files devel
%defattr(-,root,root)
++ krb5-1.14.2.tar.gz ++
/work/SRC/openSUSE:Factory/krb5/krb5-1.14.2.tar.gz
/work/SRC/openSUSE:Factory/.krb5.new/krb5-1.14.2.tar.gz differ: char 5, line 1
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2016-05-02 10:43:55
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2016-04-06
11:50:35.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2016-05-02
10:43:56.0 +0200
@@ -1,0 +2,12 @@
+Thu Apr 28 20:27:37 UTC 2016 - mich...@stroeder.com
+
+- removed obsolete patches:
+ * 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+ * krb5-mechglue_inqure_attrs.patch
+- Upgrade from 1.14.1 to 1.14.2:
+ * Fix a moderate-severity vulnerability in the LDAP KDC back end that
+could be exploited by a privileged kadmin user [CVE-2016-3119]
+ * Improve documentation
+ * Fix some interactions with GSSAPI interposer mechanisms
+
+---
krb5.changes: same change
Old:
0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
krb5-1.14.1.tar.gz
krb5-1.14.1.tar.gz.asc
krb5-mechglue_inqure_attrs.patch
New:
krb5-1.14.2.tar.gz
krb5-1.14.2.tar.gz.asc
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.l8c72Z/_old 2016-05-02 10:43:58.0 +0200
+++ /var/tmp/diff_new_pack.l8c72Z/_new 2016-05-02 10:43:58.0 +0200
@@ -16,7 +16,7 @@
#
-%define srcRoot krb5-1.14.1
+%define srcRoot krb5-1.14.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -29,7 +29,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.14.1
+Version:1.14.2
Release:0
Summary:MIT Kerberos5 implementation and libraries with minimal
dependencies
License:MIT
@@ -65,7 +65,6 @@
Patch12:krb5-1.12-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
Patch15:krb5-fix_interposer.patch
-Patch16:krb5-mechglue_inqure_attrs.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -111,7 +110,6 @@
%patch12 -p1
%patch13 -p0
%patch15 -p1
-%patch16 -p1
%build
# needs to be re-generated
++ krb5.spec ++
--- /var/tmp/diff_new_pack.l8c72Z/_old 2016-05-02 10:43:58.0 +0200
+++ /var/tmp/diff_new_pack.l8c72Z/_new 2016-05-02 10:43:58.0 +0200
@@ -25,7 +25,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.14.1
+Version:1.14.2
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
@@ -65,8 +65,6 @@
Patch12:krb5-1.12-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
Patch15:krb5-fix_interposer.patch
-Patch16:krb5-mechglue_inqure_attrs.patch
-Patch107: 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -179,8 +177,6 @@
%patch12 -p1
%patch13 -p0
%patch15 -p1
-%patch16 -p1
-%patch107 -p1
%build
# needs to be re-generated
++ krb5-1.14.1.tar.gz -> krb5-1.14.2.tar.gz ++
/work/SRC/openSUSE:Factory/krb5/krb5-1.14.1.tar.gz
/work/SRC/openSUSE:Factory/.krb5.new/krb5-1.14.2.tar.gz differ: char 5, line 1
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2016-04-06 11:50:34
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2016-02-25
21:52:25.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2016-04-06
11:50:35.0 +0200
@@ -1,0 +2,17 @@
+Fri Apr 1 07:45:13 UTC 2016 - h...@suse.com
+
+- Upgrade from 1.14 to 1.14.1:
+ * Remove expired patches:
+0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
+0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
+0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+krbdev.mit.edu-8301.patch
+ * Replace source archives:
+krb5-1.14.tar.gz ->
+krb5-1.14.1.tar.gz
+krb5-1.14.tar.gz.asc ->
+krb5-1.14.1.tar.gz.asc
+ * Adjust line numbers in:
+krb5-fix_interposer.patch
+
+---
krb5.changes: same change
Old:
0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
krb5-1.14.tar.gz
krb5-1.14.tar.gz.asc
krbdev.mit.edu-8301.patch
New:
krb5-1.14.1.tar.gz
krb5-1.14.1.tar.gz.asc
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.sJh1ni/_old 2016-04-06 11:50:37.0 +0200
+++ /var/tmp/diff_new_pack.sJh1ni/_new 2016-04-06 11:50:37.0 +0200
@@ -16,7 +16,7 @@
#
-%define srcRoot krb5-1.14
+%define srcRoot krb5-1.14.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -29,7 +29,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.14
+Version:1.14.1
Release:0
Summary:MIT Kerberos5 implementation and libraries with minimal
dependencies
License:MIT
@@ -64,8 +64,6 @@
Patch11:krb5-1.12-ksu-path.patch
Patch12:krb5-1.12-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
-# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301
-Patch14:krbdev.mit.edu-8301.patch
Patch15:krb5-fix_interposer.patch
Patch16:krb5-mechglue_inqure_attrs.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -112,7 +110,6 @@
%patch11 -p1
%patch12 -p1
%patch13 -p0
-%patch14 -p1
%patch15 -p1
%patch16 -p1
++ krb5.spec ++
--- /var/tmp/diff_new_pack.sJh1ni/_old 2016-04-06 11:50:37.0 +0200
+++ /var/tmp/diff_new_pack.sJh1ni/_new 2016-04-06 11:50:37.0 +0200
@@ -16,10 +16,6 @@
#
-%define srcRoot krb5-1.14
-%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
-%define krb5docdir %{_defaultdocdir}/krb5
-
Name: krb5
Url:http://web.mit.edu/kerberos/www/
BuildRequires: autoconf
@@ -29,7 +25,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.14
+Version:1.14.1
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
@@ -68,13 +64,8 @@
Patch11:krb5-1.12-ksu-path.patch
Patch12:krb5-1.12-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
-# see http://krbdev.mit.edu/rt/Ticket/Display.html?id=8301
-Patch14:krbdev.mit.edu-8301.patch
Patch15:krb5-fix_interposer.patch
Patch16:krb5-mechglue_inqure_attrs.patch
-Patch104: 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
-Patch105: 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
-Patch106: 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
Patch107: 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
@@ -170,6 +161,10 @@
practice of cleartext passwords. This package includes Libraries and
Include Files for Development
+%define srcRoot krb5-%{version}
+%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
+%define krb5docdir %{_defaultdocdir}/krb5
+
%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
@@ -183,12 +178,8 @@
%patch11 -p1
%patch12 -p1
%patch13 -p0
-%patch14 -p1
%patch15 -p1
%patch16 -p1
-%patch104 -p1
-%patch105 -p1
-%patch106 -p1
%patch107 -p1
%build
++ krb5-1.14.tar.gz -> krb5-1.14.1.tar.gz ++
/work/SRC/openSUSE:Factory/krb5/krb5-1.14.tar.gz
/work/SRC/openSUSE:Factory/.krb5.new/krb5-1.14.1.tar.gz differ: char 5, line 1
++ krb5-fix_interposer.patch
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2016-03-29 09:53:21
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2016-02-25
21:52:26.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2016-03-29
09:53:26.0 +0200
@@ -1,0 +2,7 @@
+Wed Mar 23 13:02:48 UTC 2016 - h...@suse.com
+
+- Introduce patch
+ 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+ to fix CVE-2016-3119 (bsc#971942)
+
+---
New:
0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
Other differences:
--
++ krb5.spec ++
--- /var/tmp/diff_new_pack.QoJbbI/_old 2016-03-29 09:53:28.0 +0200
+++ /var/tmp/diff_new_pack.QoJbbI/_new 2016-03-29 09:53:28.0 +0200
@@ -75,6 +75,7 @@
Patch104: 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
Patch105: 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
Patch106: 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+Patch107: 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -188,6 +189,7 @@
%patch104 -p1
%patch105 -p1
%patch106 -p1
+%patch107 -p1
%build
# needs to be re-generated
++ 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch ++
>From 08c642c09c38a9c6454ab43a9b53b2a89b9eef99 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 14 Mar 2016 17:26:34 -0400
Subject: [PATCH] Fix LDAP null deref on empty arg [CVE-2016-3119]
In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
if there is an empty string in the db_args array. Check for this case
and avoid dereferencing a null pointer.
CVE-2016-3119:
In MIT krb5 1.6 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying an empty DB argument to the modify_principal
command, if kadmind is configured to use the LDAP KDB module.
CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
ticket: 8383 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
Line numbers are slightly adjusted by Howard Guo to fit into
this older version of Kerberos.
diff -rupN krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
--- krb5-1.14/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
2016-03-23 14:00:44.669126353 +0100
+++ krb5-1.14-patched/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
2016-03-23 14:01:45.993680720 +0100
@@ -267,6 +267,7 @@ process_db_args(krb5_context context, ch
if (db_args) {
for (i=0; db_args[i]; ++i) {
arg = strtok_r(db_args[i], "=", _val);
+arg = (arg != NULL) ? arg : "";
if (strcmp(arg, TKTPOLICY_ARG) == 0) {
dptr = >tktpolicydn;
} else {
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2016-02-25 21:52:19
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2016-01-13
22:44:01.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2016-02-25
21:52:25.0 +0100
@@ -1,0 +2,8 @@
+Thu Feb 11 15:07:26 UTC 2016 - h...@suse.com
+
+- Remove krb5 pieces from spec file.
+ Hence remove pre_checkin.sh
+- Remove expired macros and other minor clena-ups in spec file.
+- Change package description to explain what "mini" means.
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2016-02-12
11:20:58.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2016-02-25
21:52:26.0 +0100
@@ -1,0 +2,7 @@
+Thu Feb 11 15:06:31 UTC 2016 - h...@suse.com
+
+- Remove krb5-mini pieces from spec file.
+ Hence remove pre_checkin.sh
+- Remove expired macros and other minor clean-ups in spec file.
+
+---
Old:
pre_checkin.sh
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.IzQOJO/_old 2016-02-25 21:52:29.0 +0100
+++ /var/tmp/diff_new_pack.IzQOJO/_new 2016-02-25 21:52:29.0 +0100
@@ -16,7 +16,6 @@
#
-%define build_mini 1
%define srcRoot krb5-1.14
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -32,39 +31,22 @@
BuildRequires: ncurses-devel
Version:1.14
Release:0
-Summary:MIT Kerberos5 Implementation--Libraries
+Summary:MIT Kerberos5 implementation and libraries with minimal
dependencies
License:MIT
Group: Productivity/Networking/Security
Obsoletes: krb5-plugin-preauth-pkinit-nss
BuildRequires: libverto-devel
-%if ! 0%{?build_mini}
-BuildRequires: doxygen
-BuildRequires: libopenssl-devel
-BuildRequires: openldap2-devel
-BuildRequires: pam-devel
-BuildRequires: python-Cheetah
-BuildRequires: python-Sphinx
-BuildRequires: python-libxml2
-BuildRequires: python-lxml
-%if 0%{?suse_version} >= 1210
-BuildRequires: pkgconfig(systemd)
-%{?systemd_requires}
-%else
-PreReq: %insserv_prereq
-%endif
# bug437293
%ifarch ppc64
Obsoletes: krb5-64bit
%endif
Conflicts: krb5-mini
-%else # -mini
Conflicts: krb5
Conflicts: krb5-client
Conflicts: krb5-server
Conflicts: krb5-plugin-kdb-ldap
Conflicts: krb5-plugin-preauth-pkinit
Conflicts: krb5-plugin-preauth-otp
-%endif
# both tar.gz and .tar.gz.asc extracted from the
http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
Source: krb5-%{version}.tar.gz
Source42: krb5-%version.tar.gz.asc
@@ -94,76 +76,8 @@
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords.
-
-%if ! %{build_mini}
-
-%package client
-Conflicts: krb5-mini
-Summary:MIT Kerberos5 implementation - client programs
-Group: Productivity/Networking/Security
-
-%description client
-Kerberos V5 is a trusted-third-party network authentication system,
-which can improve your network's security by eliminating the insecure
-practice of cleartext passwords. This package includes some required
-client programs, like kinit, kadmin, ...
-
-%package server
-Summary:MIT Kerberos5 implementation - server
-Group: Productivity/Networking/Security
-Requires: cron
-Requires: libverto-libev1
-Requires: logrotate
-Requires: perl-Date-Calc
-%{?systemd_requires}
-PreReq: %insserv_prereq %fillup_prereq
-
-%description server
-Kerberos V5 is a trusted-third-party network authentication system,
-which can improve your network's security by eliminating the insecure
-practice of cleartext passwords. This package includes the kdc, kadmind
-and more.
-
-%package plugin-kdb-ldap
-Summary:MIT Kerberos5 Implementation--LDAP Database Plugin
-Group: Productivity/Networking/Security
-Requires: krb5-server = %{version}
-
-%description plugin-kdb-ldap
-Kerberos V5 is a trusted-third-party network authentication system,
-which can improve your network's security by eliminating the insecure
-practice of clear text passwords. This package contains the LDAP
-database plugin.
-
-%package plugin-preauth-pkinit
-Summary:MIT Kerberos5 Implementation--PKINIT preauth Plugin
-Group:
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2016-02-12 11:20:54
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2016-01-13
22:44:01.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2016-02-12
11:20:58.0 +0100
@@ -1,0 +2,13 @@
+Tue Feb 2 08:41:13 UTC 2016 - h...@suse.com
+
+- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null
character
+ with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
+ (bsc#963968)
+- Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal
name in request
+ with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
+ (bsc#963975)
+- Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when
KADM5_POLICY is set in the mask
+ with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+ (bsc#963964)
+
+---
New:
0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
Other differences:
--
++ krb5.spec ++
--- /var/tmp/diff_new_pack.lBxCDu/_old 2016-02-12 11:20:59.0 +0100
+++ /var/tmp/diff_new_pack.lBxCDu/_new 2016-02-12 11:20:59.0 +0100
@@ -86,6 +86,9 @@
Patch14:krbdev.mit.edu-8301.patch
Patch15:krb5-fix_interposer.patch
Patch16:krb5-mechglue_inqure_attrs.patch
+Patch104: 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
+Patch105: 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
+Patch106: 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -206,6 +209,9 @@
%patch14 -p1
%patch15 -p1
%patch16 -p1
+%patch104 -p1
+%patch105 -p1
+%patch106 -p1
%build
# needs to be re-generated
++ 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch ++
>From df17a1224a3406f57477bcd372c61e04c0e5a5bb Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Fri, 8 Jan 2016 12:45:25 -0500
Subject: [PATCH] Verify decoded kadmin C strings [CVE-2015-8629]
In xdr_nullstring(), check that the decoded string is terminated with
a zero byte and does not contain any internal zero bytes.
CVE-2015-8629:
In all versions of MIT krb5, an authenticated attacker can cause
kadmind to read beyond the end of allocated memory by sending a string
without a terminating zero byte. Information leakage may be possible
for an attacker with permission to modify the database.
CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
ticket: 8341 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index 2bef858..ba67084 100644
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp)
return FALSE;
}
}
- return (xdr_opaque(xdrs, *objp, size));
+ if (!xdr_opaque(xdrs, *objp, size))
+ return FALSE;
+ /* Check that the unmarshalled bytes are a C string. */
+ if ((*objp)[size - 1] != '\0')
+ return FALSE;
+ if (memchr(*objp, '\0', size - 1) != NULL)
+ return FALSE;
+ return TRUE;
case XDR_ENCODE:
if (size != 0)
--
2.7.0
++ 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch ++
>From 83ed75feba32e46f736fcce0d96a0445f29b96c2 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Fri, 8 Jan 2016 13:16:54 -0500
Subject: [PATCH] Fix leaks in kadmin server stubs [CVE-2015-8631]
In each kadmind server stub, initialize the client_name and
server_name variables, and release them in the cleanup handler. Many
of the stubs will otherwise leak the client and server name if
krb5_unparse_name() fails. Also make sure to free the prime_arg
variables in rename_principal_2_svc(), or we can leak the first one if
unparsing the second one fails. Discovered by Simo Sorce.
CVE-2015-8631:
In all versions of MIT krb5, an authenticated attacker can cause
kadmind to leak memory by supplying a null principal name in a request
which uses one. Repeating these requests will eventually cause
kadmind to exhaust all available memory.
CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
commit krb5 for openSUSE:Factory
Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2016-01-13 22:43:58 Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new (New) Package is "krb5" Changes: --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2015-12-13 09:38:30.0 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2016-01-13 22:44:01.0 +0100 @@ -1,0 +2,119 @@ +Mon Jan 11 12:33:54 UTC 2016 - idon...@suse.com + +- Add two patches from Fedora, fixing two crashes: + * krb5-fix_interposer.patch + * krb5-mechglue_inqure_attrs.patch + +--- +Tue Dec 8 20:40:26 UTC 2015 - mich...@stroeder.com + +- Update to 1.14 +- dropped krb5-kvno-230379.patch +- added krbdev.mit.edu-8301.patch fixing wrong function call + +Major changes in 1.14 (2015-11-20) +== + +Administrator experience: + +* Add a new kdb5_util tabdump command to provide reporting-friendly + tabular dump formats (tab-separated or CSV) for the KDC database. + Unlike the normal dump format, each output table has a fixed number + of fields. Some tables include human-readable forms of data that + are opaque in ordinary dump files. This format is also suitable for + importing into relational databases for complex queries. +* Add support to kadmin and kadmin.local for specifying a single + command line following any global options, where the command + arguments are split by the shell--for example, "kadmin getprinc + principalname". Commands issued this way do not prompt for + confirmation or display warning messages, and exit with non-zero + status if the operation fails. +* Accept the same principal flag names in kadmin as we do for the + default_principal_flags kdc.conf variable, and vice versa. Also + accept flag specifiers in the form that kadmin prints, as well as + hexadecimal numbers. +* Remove the triple-DES and RC4 encryption types from the default + value of supported_enctypes, which determines the default key and + salt types for new password-derived keys. By default, keys will + only created only for AES128 and AES256. This mitigates some types + of password guessing attacks. +* Add support for directory names in the KRB5_CONFIG and + KRB5_KDC_PROFILE environment variables. +* Add support for authentication indicators, which are ticket + annotations to indicate the strength of the initial authentication. + Add support for the "require_auth" string attribute, which can be + set on server principal entries to require an indicator when + authenticating to the server. +* Add support for key version numbers larger than 255 in keytab files, + and for version numbers up to 65535 in KDC databases. +* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC + during pre-authentication, corresponding to the client's most + preferred encryption type. +* Add support for server name identification (SNI) when proxying KDC + requests over HTTPS. +* Add support for the err_fmt profile parameter, which can be used to + generate custom-formatted error messages. + +Code quality: + +* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that + could cause server crashes. [CVE-2015-2695] [CVE-2015-2696] + [CVE-2015-2698] +* Fix build_principal memory bug that could cause a KDC + crash. [CVE-2015-2697] + +Developer experience: + +* Change gss_acquire_cred_with_password() to acquire credentials into + a private memory credential cache. Applications can use + gss_store_cred() to make the resulting credentials visible to other + processes. +* Change gss_acquire_cred() and SPNEGO not to acquire credentials for + IAKERB or for non-standard variants of the krb5 mechanism OID unless + explicitly requested. (SPNEGO will still accept the Microsoft + variant of the krb5 mechanism OID during negotiation.) +* Change gss_accept_sec_context() not to accept tokens for IAKERB or + for non-standard variants of the krb5 mechanism OID unless an + acceptor credential is acquired for those mechanisms. +* Change gss_acquire_cred() to immediately resolve credentials if the + time_rec parameter is not NULL, so that a correct expiration time + can be returned. Normally credential resolution is delayed until + the target name is known. +* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs, + which can be used by plugin modules or applications to add prefixes + to existing detailed error messages. +* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which + implement the RFC 6113 PRF+ operation and key derivation using PRF+. +* Add support for pre-authentication mechanisms which use multiple + round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2015-12-13 09:38:29
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2015-06-03
08:22:13.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2015-12-13
09:38:30.0 +0100
@@ -1,0 +2,20 @@
+Mon Dec 7 08:04:45 UTC 2015 - mich...@stroeder.com
+
+- Udapte to 1.13.3
+
+Major changes in 1.13.3 (2015-12-04)
+
+
+This is a bug fix release. The krb5-1.13 release series is in
+maintenance, and for new deployments, installers should prefer the
+krb5-1.14 release series or later.
+
+* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+ could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+ [CVE-2015-2698]
+* Fix build_principal memory bug that could cause a KDC
+ crash. [CVE-2015-2697]
+* Allow an iprop slave to receive full resyncs from KDCs running
+ krb5-1.10 or earlier.
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2015-11-15
12:45:44.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2015-12-13
09:38:30.0 +0100
@@ -1,0 +2,25 @@
+Mon Dec 7 08:04:45 UTC 2015 - mich...@stroeder.com
+
+- Udapte to 1.13.3
+- removed patches for security fixes now in upstream source:
+ 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+ 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+ 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+ 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+
+Major changes in 1.13.3 (2015-12-04)
+
+
+This is a bug fix release. The krb5-1.13 release series is in
+maintenance, and for new deployments, installers should prefer the
+krb5-1.14 release series or later.
+
+* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+ could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+ [CVE-2015-2698]
+* Fix build_principal memory bug that could cause a KDC
+ crash. [CVE-2015-2697]
+* Allow an iprop slave to receive full resyncs from KDCs running
+ krb5-1.10 or earlier.
+
+---
Old:
0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
krb5-1.13.2.tar.gz
krb5-1.13.2.tar.gz.asc
New:
krb5-1.13.3.tar.gz
krb5-1.13.3.tar.gz.asc
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.fNv1Y6/_old 2015-12-13 09:38:32.0 +0100
+++ /var/tmp/diff_new_pack.fNv1Y6/_new 2015-12-13 09:38:32.0 +0100
@@ -17,7 +17,7 @@
%define build_mini 1
-%define srcRoot krb5-1.13.2
+%define srcRoot krb5-1.13.3
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -30,7 +30,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.13.2
+Version:1.13.3
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
++ krb5.spec ++
--- /var/tmp/diff_new_pack.fNv1Y6/_old 2015-12-13 09:38:32.0 +0100
+++ /var/tmp/diff_new_pack.fNv1Y6/_new 2015-12-13 09:38:32.0 +0100
@@ -17,7 +17,7 @@
%define build_mini 0
-%define srcRoot krb5-1.13.2
+%define srcRoot krb5-1.13.3
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -30,7 +30,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.13.2
+Version:1.13.3
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
@@ -83,10 +83,6 @@
Patch12:krb5-1.12-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
Patch14:krb5-kvno-230379.patch
-Patch100: 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
-Patch101: 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
-Patch102: 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
-Patch103: 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -205,10 +201,6 @@
%patch12 -p1
%patch13 -p0
%patch14 -p1
-%patch100 -p1
-%patch101
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2015-11-15 12:45:42
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2015-11-04
15:30:38.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2015-11-15
12:45:44.0 +0100
@@ -1,0 +2,7 @@
+Tue Nov 10 14:57:01 UTC 2015 - h...@suse.com
+
+- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+ to fix a memory corruption regression introduced by resolution of
+ CVE-2015-2698. bsc#954204
+
+---
New:
0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
Other differences:
--
++ krb5.spec ++
--- /var/tmp/diff_new_pack.JMVTxM/_old 2015-11-15 12:45:46.0 +0100
+++ /var/tmp/diff_new_pack.JMVTxM/_new 2015-11-15 12:45:46.0 +0100
@@ -86,6 +86,7 @@
Patch100: 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
Patch101: 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
Patch102: 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+Patch103: 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -207,6 +208,7 @@
%patch100 -p1
%patch101 -p1
%patch102 -p1
+%patch103 -p1
%build
# needs to be re-generated
++ 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch ++
>From 3db8dfec1ef50ddd78d6ba9503185995876a39fd Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Sun, 1 Nov 2015 22:45:21 -0500
Subject: [PATCH] Fix IAKERB context export/import [CVE-2015-2698]
The patches for CVE-2015-2696 contained a regression in the newly
added IAKERB iakerb_gss_export_sec_context() function, which could
cause it to corrupt memory. Fix the regression by properly
dereferencing the context_handle pointer before casting it.
Also, the patches did not implement an IAKERB gss_import_sec_context()
function, under the erroneous belief that an exported IAKERB context
would be tagged as a krb5 context. Implement it now to allow IAKERB
contexts to be successfully exported and imported after establishment.
CVE-2015-2698:
In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
application which calls gss_export_sec_context() may experience memory
corruption if the context was established using the IAKERB mechanism.
Historically, some vulnerabilities of this nature can be translated
into remote code execution, though the necessary exploits must be
tailored to the individual application and are usually quite
complicated.
CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
ticket: 8273 (new)
target_version: 1.14
tags: pullup
Line numbers are slightly adjusted by Howard Guo .
diff -rupN krb5-1.12.1/src/lib/gssapi/krb5/gssapi_krb5.c
krb5-1.12.1-patched/src/lib/gssapi/krb5/gssapi_krb5.c
--- krb5-1.12.1/src/lib/gssapi/krb5/gssapi_krb5.c 2015-11-10
15:37:32.209657599 +0100
+++ krb5-1.12.1-patched/src/lib/gssapi/krb5/gssapi_krb5.c 2015-11-10
15:38:52.106323672 +0100
@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanis
NULL,
#else
iakerb_gss_export_sec_context,
-NULL,
+iakerb_gss_import_sec_context,
#endif
krb5_gss_inquire_cred_by_mech,
krb5_gss_inquire_names_for_mech,
diff -rupN krb5-1.12.1/src/lib/gssapi/krb5/gssapiP_krb5.h
krb5-1.12.1-patched/src/lib/gssapi/krb5/gssapiP_krb5.h
--- krb5-1.12.1/src/lib/gssapi/krb5/gssapiP_krb5.h 2015-11-10
15:37:32.209657599 +0100
+++ krb5-1.12.1-patched/src/lib/gssapi/krb5/gssapiP_krb5.h 2015-11-10
15:38:52.106323672 +0100
@@ -1393,6 +1393,11 @@ OM_uint32 KRB5_CALLCONV
iakerb_gss_export_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
gss_buffer_t interprocess_token);
+
+OM_uint32 KRB5_CALLCONV
+iakerb_gss_import_sec_context(OM_uint32 *minor_status,
+ const gss_buffer_t interprocess_token,
+ gss_ctx_id_t *context_handle);
#endif /* LEAN_CLIENT */
OM_uint32 KRB5_CALLCONV
diff -rupN krb5-1.12.1/src/lib/gssapi/krb5/iakerb.c
krb5-1.12.1-patched/src/lib/gssapi/krb5/iakerb.c
--- krb5-1.12.1/src/lib/gssapi/krb5/iakerb.c2015-11-10 15:37:32.209657599
+0100
+++ krb5-1.12.1-patched/src/lib/gssapi/krb5/iakerb.c2015-11-10
15:41:43.431752632 +0100
@@ -1061,7 +1061,7 @@ iakerb_gss_export_sec_context(OM_uint32
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2015-11-04 15:30:36
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is "krb5"
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2015-06-03
08:22:13.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2015-11-04
15:30:38.0 +0100
@@ -1,0 +2,11 @@
+Wed Oct 28 13:54:39 UTC 2015 - h...@suse.com
+
+- Make kadmin.local man page available without having to install krb5-client.
bsc#948011
+- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+ to fix build_principal memory bug [CVE-2015-2697] bsc#952190
+- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+ to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
+- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+ to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
+
+---
New:
0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
Other differences:
--
++ krb5.spec ++
--- /var/tmp/diff_new_pack.cADNAQ/_old 2015-11-04 15:30:39.0 +0100
+++ /var/tmp/diff_new_pack.cADNAQ/_new 2015-11-04 15:30:39.0 +0100
@@ -83,6 +83,9 @@
Patch12:krb5-1.12-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
Patch14:krb5-kvno-230379.patch
+Patch100: 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+Patch101: 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+Patch102: 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -201,6 +204,9 @@
%patch12 -p1
%patch13 -p0
%patch14 -p1
+%patch100 -p1
+%patch101 -p1
+%patch102 -p1
%build
# needs to be re-generated
@@ -247,6 +253,9 @@
cd ..
%endif
+# Copy kadmin manual page into kadmin.local's due to the split between client
and server package
+cp man/kadmin.man man/kadmin.local.8
+
%install
# Where per-user keytabs live by default.
++ 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch ++
>From f0c094a1b745d91ef2f9a4eae2149aac026a5789 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Fri, 25 Sep 2015 12:51:47 -0400
Subject: [PATCH] Fix build_principal memory bug [CVE-2015-2697]
In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string. This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
affected.
CVE-2015-2697:
In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte. If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm. Due to a bug in this
function, the null byte causes only one byte be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.
CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
ticket: 8252 (new)
target_version: 1.14
tags: pullup
diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
index ab6fed8..8604268 100644
--- a/src/lib/krb5/krb/bld_princ.c
+++ b/src/lib/krb5/krb/bld_princ.c
@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal
princ,
data = malloc(size * sizeof(krb5_data));
if (!data) { retval = ENOMEM; }
-if (!retval) {
-r = strdup(realm);
-if (!r) { retval = ENOMEM; }
-}
+if (!retval)
+r = k5memdup0(realm, rlen, );
while (!retval && (component = va_arg(ap, char *))) {
if (count == size) {
--
2.6.2
++ 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch ++
729 lines (skipped)
++ 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch ++
>From b51b33f2bc5d1497ddf5bd107f791c101695000d Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Mon, 14 Sep 2015 12:27:52 -0400
Subject: [PATCH] Fix SPNEGO context aliasing bugs [CVE-2015-2695]
The SPNEGO mechanism currently replaces its
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2015-06-03 08:22:12
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2015-05-29
11:44:24.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2015-06-03
08:22:13.0 +0200
@@ -1,0 +2,6 @@
+Mon Jun 1 07:38:15 UTC 2015 - h...@suse.com
+
+- Let server depend on libev (module of libverto). This was the
+ embedded implementation before the seperation of libverto from krb.
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2015-05-29
11:44:24.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2015-06-03
08:22:13.0 +0200
@@ -1,0 +2,6 @@
+Mon Jun 1 07:31:52 UTC 2015 - h...@suse.com
+
+- Let server depend on libev (module of libverto). This was the
+ preferred implementation before the seperation of libverto from krb.
+
+---
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.SFSMcq/_old 2015-06-03 08:22:14.0 +0200
+++ /var/tmp/diff_new_pack.SFSMcq/_new 2015-06-03 08:22:14.0 +0200
@@ -109,6 +109,7 @@
Summary:MIT Kerberos5 implementation - server
Group: Productivity/Networking/Security
Requires: cron
+Requires: libverto-libev1
Requires: logrotate
Requires: perl-Date-Calc
%{?systemd_requires}
krb5.spec: same change
commit krb5 for openSUSE:Factory
Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2015-05-29 11:44:23 Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new (New) Package is krb5 Changes: --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2015-02-22 17:23:32.0 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2015-05-29 11:44:24.0 +0200 @@ -1,0 +2,59 @@ +Thu May 28 08:01:00 UTC 2015 - dims...@opensuse.org + +- Drop libverto and libverto-libev Requires from the -server + package: those package names don't exist and the shared libs + are pulled in automatically. + +--- +Wed May 27 10:59:13 UTC 2015 - dims...@opensuse.org + +- Unconditionally buildrequire libverto-devel: krb5-mini also + depends on it. + +--- +Fri May 22 09:27:11 UTC 2015 - meiss...@suse.com + +- pre_checkin.sh aligned changes between krb5/krb5-mini +- added krb5.keyring + +--- +Tue May 12 07:48:18 UTC 2015 - mich...@stroeder.com + +- update to krb5 1.13.2 + +- DES transition +== + +The Data Encryption Standard (DES) is widely recognized as weak. The +krb5-1.7 release contains measures to encourage sites to migrate away +- From using single-DES cryptosystems. Among these is a configuration +variable that enables weak enctypes, which defaults to false +beginning with krb5-1.8. + + +Major changes in 1.13.2 (2015-05-08) + + +This is a bug fix release. + +* Fix a minor vulnerability in krb5_read_message, which is primarily + used in the BSD-derived kcmd suite of applications. [CVE-2014-5355] + +* Fix a bypass of requires_preauth in KDCs that have PKINIT enabled. + [CVE-2015-2694] + +* Fix some issues with the LDAP KDC database back end. + +* Fix an iteration-related memory leak in the DB2 KDC database back + end. + +* Fix issues with some less-used kadm5.acl functionality. + +* Improve documentation. + +--- +Thu Apr 23 14:13:03 UTC 2015 - h...@suse.com + +- Use externally built libverto + +--- @@ -16,0 +76 @@ + @@ -18 +78 @@ -Tue Jan 6 07:20:54 UTC 2015 - m...@suse.com +Tue Jan 6 07:12:29 UTC 2015 - m...@suse.com @@ -52,0 +113,12 @@ +--- +Thu Sep 25 12:48:32 UTC 2014 - dd...@suse.com + +- Work around replay cache creation race; (bnc#898439). + krb5-1.13-work-around-replay-cache-creation-race.patch + +--- +Tue Sep 23 13:25:33 UTC 2014 - vark...@suse.com + +- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal +- added patches: + * bnc#897874-CVE-2014-5351.diff --- /work/SRC/openSUSE:Factory/krb5/krb5.changes2015-02-22 17:23:32.0 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2015-05-29 11:44:24.0 +0200 @@ -1,0 +2,59 @@ +Thu May 28 08:01:00 UTC 2015 - dims...@opensuse.org + +- Drop libverto and libverto-libev Requires from the -server + package: those package names don't exist and the shared libs + are pulled in automatically. + +--- +Wed May 27 10:59:13 UTC 2015 - dims...@opensuse.org + +- Unconditionally buildrequire libverto-devel: krb5-mini also + depends on it. + +--- +Fri May 22 09:27:11 UTC 2015 - meiss...@suse.com + +- pre_checkin.sh aligned changes between krb5/krb5-mini +- added krb5.keyring + +--- +Tue May 12 07:48:18 UTC 2015 - mich...@stroeder.com + +- update to krb5 1.13.2 + +- DES transition +== + +The Data Encryption Standard (DES) is widely recognized as weak. The +krb5-1.7 release contains measures to encourage sites to migrate away +- From using single-DES cryptosystems. Among these is a configuration +variable that enables weak enctypes, which defaults to false +beginning with krb5-1.8. + + +Major changes in 1.13.2 (2015-05-08) + + +This is a bug fix release. + +* Fix a minor vulnerability in krb5_read_message, which is primarily + used in the BSD-derived kcmd suite of applications. [CVE-2014-5355] + +* Fix a bypass of requires_preauth in KDCs that have PKINIT enabled. + [CVE-2015-2694] + +* Fix some issues with the LDAP KDC database back end. + +* Fix an iteration-related memory leak in the DB2 KDC database back + end. + +* Fix issues
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2015-02-22 17:23:32
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2015-01-08
23:01:08.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2015-02-22
17:23:32.0 +0100
@@ -1,0 +2,16 @@
+Wed Feb 18 11:48:46 UTC 2015 - mich...@stroeder.com
+
+- update to krb5 1.13.1
+
+Major changes in 1.13.1 (2015-02-11)
+
+
+This is a bug fix release.
+
+* Fix multiple vulnerabilities in the LDAP KDC back end.
+ [CVE-2014-5354] [CVE-2014-5353]
+
+* Fix multiple kadmind vulnerabilities, some of which are based in the
+ gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
+ CVE-2014-9422 CVE-2014-9423]
+---
krb5.changes: same change
Old:
krb5-1.13.tar.gz
New:
krb5-1.13.1.tar.gz
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.xXxEzB/_old 2015-02-22 17:23:34.0 +0100
+++ /var/tmp/diff_new_pack.xXxEzB/_new 2015-02-22 17:23:34.0 +0100
@@ -17,7 +17,7 @@
%define build_mini 1
-%define srcRoot krb5-1.13
+%define srcRoot krb5-1.13.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -30,7 +30,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.13
+Version:1.13.1
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
++ krb5.spec ++
--- /var/tmp/diff_new_pack.xXxEzB/_old 2015-02-22 17:23:34.0 +0100
+++ /var/tmp/diff_new_pack.xXxEzB/_new 2015-02-22 17:23:34.0 +0100
@@ -17,7 +17,7 @@
%define build_mini 0
-%define srcRoot krb5-1.13
+%define srcRoot krb5-1.13.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -30,7 +30,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.13
+Version:1.13.1
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
++ krb5-1.13.tar.gz - krb5-1.13.1.tar.gz ++
/work/SRC/openSUSE:Factory/krb5/krb5-1.13.tar.gz
/work/SRC/openSUSE:Factory/.krb5.new/krb5-1.13.1.tar.gz differ: char 5, line 1
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit krb5 for openSUSE:Factory
Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2015-01-08 23:01:05 Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new (New) Package is krb5 Changes: --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2014-09-03 20:09:20.0 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2015-01-08 23:01:08.0 +0100 @@ -1,0 +2,36 @@ +Tue Jan 6 07:20:54 UTC 2015 - m...@suse.com + +- Update to krb5 1.13 + * Add support for accessing KDCs via an HTTPS proxy server using the +MS-KKDCP protocol. + * Add support for hierarchical incremental propagation, where slaves +can act as intermediates between an upstream master and other downstream +slaves. + * Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf +files in addition to /etc/gss/mech. + * Add support to the LDAP KDB module for binding to the LDAP server using +SASL. + * The KDC listens for TCP connections by default. + * Fix a minor key disclosure vulnerability where using the keepold option +to the kadmin randkey operation could return the old keys. [CVE-2014-5351] + * Add client support for the Kerberos Cache Manager protocol. If the host +is running a Heimdal kcm daemon, caches served by the daemon can be +accessed with the KCM: cache type. + * When built on OS X 10.7 and higher, use KCM: as the default cache type, +unless overridden by command-line options or krb5-config values. + * Add support for doing unlocked database dumps for the DB2 KDC back end, +which would allow the KDC and kadmind to continue accessing the database +during lengthy database dumps. +- Removed patches, useless or upstreamed + * krb5-1.9-kprop-mktemp.patch + * krb5-1.10-ksu-access.patch + * krb5-1.12-doxygen.patch + * bnc#897874-CVE-2014-5351.diff + * krb5-1.13-work-around-replay-cache-creation-race.patch + * krb5-1.10-kpasswd_tcp.patch +- Refreshed patches + * krb5-1.12-pam.patch + * krb5-1.12-selinux-label.patch + * krb5-1.7-doublelog.patch + +--- --- /work/SRC/openSUSE:Factory/krb5/krb5.changes2014-10-05 20:27:21.0 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2015-01-08 23:01:08.0 +0100 @@ -1,0 +2,36 @@ +Tue Jan 6 07:12:29 UTC 2015 - m...@suse.com + +- Update to krb5 1.13 + * Add support for accessing KDCs via an HTTPS proxy server using the +MS-KKDCP protocol. + * Add support for hierarchical incremental propagation, where slaves +can act as intermediates between an upstream master and other downstream +slaves. + * Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf +files in addition to /etc/gss/mech. + * Add support to the LDAP KDB module for binding to the LDAP server using +SASL. + * The KDC listens for TCP connections by default. + * Fix a minor key disclosure vulnerability where using the keepold option +to the kadmin randkey operation could return the old keys. [CVE-2014-5351] + * Add client support for the Kerberos Cache Manager protocol. If the host +is running a Heimdal kcm daemon, caches served by the daemon can be +accessed with the KCM: cache type. + * When built on OS X 10.7 and higher, use KCM: as the default cache type, +unless overridden by command-line options or krb5-config values. + * Add support for doing unlocked database dumps for the DB2 KDC back end, +which would allow the KDC and kadmind to continue accessing the database +during lengthy database dumps. +- Removed patches, useless or upstreamed + * krb5-1.9-kprop-mktemp.patch + * krb5-1.10-ksu-access.patch + * krb5-1.12-doxygen.patch + * bnc#897874-CVE-2014-5351.diff + * krb5-1.13-work-around-replay-cache-creation-race.patch + * krb5-1.10-kpasswd_tcp.patch +- Refreshed patches + * krb5-1.12-pam.patch + * krb5-1.12-selinux-label.patch + * krb5-1.7-doublelog.patch + +--- Old: bnc#897874-CVE-2014-5351.diff krb5-1.10-kpasswd_tcp.patch krb5-1.10-ksu-access.patch krb5-1.12-doxygen.patch krb5-1.12.2.tar.gz krb5-1.13-work-around-replay-cache-creation-race.patch krb5-1.9-kprop-mktemp.patch New: krb5-1.13.tar.gz Other differences: -- ++ krb5-mini.spec ++ --- /var/tmp/diff_new_pack.MFJ7W8/_old 2015-01-08 23:01:10.0 +0100 +++ /var/tmp/diff_new_pack.MFJ7W8/_new 2015-01-08 23:01:10.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package krb5-mini # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH,
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2014-10-05 20:27:19
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2014-09-28
19:56:39.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2014-10-05
20:27:21.0 +0200
@@ -1,0 +2,6 @@
+Thu Sep 25 12:48:32 UTC 2014 - dd...@suse.com
+
+- Work around replay cache creation race; (bnc#898439).
+ krb5-1.13-work-around-replay-cache-creation-race.patch
+
+---
New:
krb5-1.13-work-around-replay-cache-creation-race.patch
Other differences:
--
++ krb5.spec ++
--- /var/tmp/diff_new_pack.5WykFm/_old 2014-10-05 20:27:23.0 +0200
+++ /var/tmp/diff_new_pack.5WykFm/_new 2014-10-05 20:27:23.0 +0200
@@ -84,6 +84,7 @@
Patch14:krb5-kvno-230379.patch
Patch20:krb5-1.12-doxygen.patch
Patch21:bnc#897874-CVE-2014-5351.diff
+Patch22:krb5-1.13-work-around-replay-cache-creation-race.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -205,6 +206,7 @@
%patch14 -p1
%patch20 -p1
%patch21 -p1
+%patch22 -p1
%build
# needs to be re-generated
++ krb5-1.13-work-around-replay-cache-creation-race.patch ++
From 99e08376c14240e2141c6fa9289fafab8245c754 Mon Sep 17 00:00:00 2001
From: Greg Hudson ghud...@mit.edu
Date: Wed, 17 Sep 2014 10:45:28 -0400
Subject: [PATCH] Work around replay cache creation race
If two processes try to initialize the same replay cache at the same
time, krb5_rc_io_creat can race between unlink and open, leading to a
KRB5_RC_IO_PERM error. When this happens, make the losing process
retry so that it can continue.
This does not solve the replay cache creation race, nor is that the
only replay cache race issue. It simply prevents the race from
causing a spurious failure.
(cherry picked from commit c61e8c0c6ad5fda8d23dd896c4aed0ac5b470020)
ticket: 3498
version_fixed: 1.13
status: resolved
---
src/lib/krb5/rcache/rc_io.c | 12
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/lib/krb5/rcache/rc_io.c b/src/lib/krb5/rcache/rc_io.c
index 7e3b7e9..b9859fe 100644
--- a/src/lib/krb5/rcache/rc_io.c
+++ b/src/lib/krb5/rcache/rc_io.c
@@ -158,7 +158,7 @@ krb5_rc_io_creat(krb5_context context, krb5_rc_iostuff *d,
char **fn)
{
krb5_int16 rc_vno = htons(KRB5_RC_VNO);
krb5_error_code retval = 0;
-int do_not_unlink = 0;
+int flags, do_not_unlink = 0;
char *dir;
size_t dirlen;
@@ -166,9 +166,13 @@ krb5_rc_io_creat(krb5_context context, krb5_rc_iostuff *d,
char **fn)
if (fn *fn) {
if (asprintf(d-fn, %s%s%s, dir, PATH_SEPARATOR, *fn) 0)
return KRB5_RC_IO_MALLOC;
-unlink(d-fn);
-d-fd = THREEPARAMOPEN(d-fn, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL |
- O_BINARY, 0600);
+d-fd = -1;
+do {
+if (unlink(d-fn) == -1 errno != ENOENT)
+break;
+flags = O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY;
+d-fd = THREEPARAMOPEN(d-fn, flags, 0600);
+} while (d-fd == -1 errno == EEXIST);
} else {
retval = krb5_rc_io_mkstemp(context, d, dir);
if (retval)
--
1.8.4.5
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2014-09-28 19:56:34
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2014-09-03
20:09:20.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2014-09-28
19:56:39.0 +0200
@@ -1,0 +2,6 @@
+Tue Sep 23 13:25:33 UTC 2014 - vark...@suse.com
+
+- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the
keys for a service principal
+- added patches:
+ * bnc#897874-CVE-2014-5351.diff
+---
New:
bnc#897874-CVE-2014-5351.diff
Other differences:
--
++ krb5.spec ++
--- /var/tmp/diff_new_pack.AjAvvf/_old 2014-09-28 19:56:41.0 +0200
+++ /var/tmp/diff_new_pack.AjAvvf/_new 2014-09-28 19:56:41.0 +0200
@@ -83,6 +83,7 @@
Patch13:krb5-1.9-debuginfo.patch
Patch14:krb5-kvno-230379.patch
Patch20:krb5-1.12-doxygen.patch
+Patch21:bnc#897874-CVE-2014-5351.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -203,6 +204,7 @@
%patch13 -p0
%patch14 -p1
%patch20 -p1
+%patch21 -p1
%build
# needs to be re-generated
++ bnc#897874-CVE-2014-5351.diff ++
diff --git a/src/lib/kadm5/srv/svr_principal.c
b/src/lib/kadm5/srv/svr_principal.c
index 5d358bd..d4e74cc 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
*passptr = NULL;
}
+/* Return the number of keys with the newest kvno. Assumes that all key data
+ * with the newest kvno are at the front of the key data array. */
+static int
+count_new_keys(int n_key_data, krb5_key_data *key_data)
+{
+int n;
+
+for (n = 1; n n_key_data; n++) {
+if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno)
+return n;
+}
+return n_key_data;
+}
+
kadm5_ret_t
kadm5_create_principal(void *server_handle,
kadm5_principal_ent_t entry, long mask,
@@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle,
osa_princ_ent_rec adb;
krb5_int32 now;
kadm5_policy_ent_recpol;
-int ret, last_pwd;
+int ret, last_pwd, n_new_keys;
krb5_booleanhave_pol = FALSE;
kadm5_server_handle_t handle = server_handle;
krb5_keyblock *act_mkey;
@@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle,
kdb-fail_auth_count = 0;
if (keyblocks) {
-ret = decrypt_key_data(handle-context,
- kdb-n_key_data, kdb-key_data,
+/* Return only the new keys added by krb5_dbe_crk. */
+n_new_keys = count_new_keys(kdb-n_key_data, kdb-key_data);
+ret = decrypt_key_data(handle-context, n_new_keys, kdb-key_data,
keyblocks, n_keys);
if (ret)
goto done;
--
1.8.5.2
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2014-09-03 18:21:36
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2014-08-20
17:53:42.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2014-09-03
20:09:20.0 +0200
@@ -1,0 +2,33 @@
+Sat Aug 30 22:29:28 UTC 2014 - andreas.stie...@gmx.de
+
+- krb5 5.12.2:
+ * Work around a gcc optimizer bug that could cause DB2 KDC
+database operations to spin in an infinite loop
+ * Fix a backward compatibility problem with the LDAP KDB schema
+that could prevent krb5-1.11 and later from decoding entries
+created by krb5-1.6.
+ * Avoid an infinite loop under some circumstances when the GSS
+mechglue loads a dynamic mechanism.
+ * Fix krb5kdc argument parsing so -w and -r options work
+togetherreliably.
+- Vulnerability fixes previously fixed in package via patches:
+ * Handle certain invalid RFC 1964 GSS tokens correctly to avoid
+invalid memory reference vulnerabilities. [CVE-2014-4341
+CVE-2014-4342]
+ * Fix memory management vulnerabilities in GSSAPI SPNEGO.
+[CVE-2014-4343 CVE-2014-4344]
+ * Fix buffer overflow vulnerability in LDAP KDB back end.
+[CVE-2014-4345]
+- updated patches:
+ * krb5-1.7-doublelog.patch for context change
+ * krb5-1.6.3-ktutil-manpage.dif, same
+- removed patches, in upstream:
+ * krb5-master-keyring-kdcsync.patch
+ * krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+ * krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+ * krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+ * krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
+- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch
+ from upstream
+
+---
krb5.changes: same change
Old:
krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
krb5-1.12.1.tar.gz
krb5-master-keyring-kdcsync.patch
New:
krb5-1.12-doxygen.patch
krb5-1.12.2.tar.gz
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.1diBgX/_old 2014-09-03 20:09:22.0 +0200
+++ /var/tmp/diff_new_pack.1diBgX/_new 2014-09-03 20:09:22.0 +0200
@@ -17,7 +17,7 @@
%define build_mini 1
-%define srcRoot krb5-1.12.1
+%define srcRoot krb5-1.12.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -30,7 +30,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.12.1
+Version:1.12.2
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
@@ -82,11 +82,7 @@
Patch12:krb5-1.12-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
Patch14:krb5-kvno-230379.patch
-Patch15:krb5-master-keyring-kdcsync.patch
-Patch16:krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
-Patch17:krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
-Patch18:krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
-Patch19:
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
+Patch20:krb5-1.12-doxygen.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -206,11 +202,7 @@
%patch12 -p1
%patch13 -p0
%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
+%patch20 -p1
%build
# needs to be re-generated
++ krb5.spec ++
--- /var/tmp/diff_new_pack.1diBgX/_old 2014-09-03 20:09:22.0 +0200
+++ /var/tmp/diff_new_pack.1diBgX/_new 2014-09-03 20:09:22.0 +0200
@@ -17,7 +17,7 @@
%define build_mini 0
-%define srcRoot krb5-1.12.1
+%define srcRoot krb5-1.12.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -30,7 +30,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.12.1
+Version:1.12.2
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
@@ -82,11 +82,7 @@
Patch12:krb5-1.12-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
Patch14:krb5-kvno-230379.patch
-Patch15:
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2014-08-20 17:53:40
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2014-08-06
11:42:17.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2014-08-20
17:53:42.0 +0200
@@ -1,0 +2,7 @@
+Fri Aug 8 15:55:01 UTC 2014 - ckornac...@suse.com
+
+- buffer overrun in kadmind with LDAP backend
+ CVE-2014-4345 (bnc#891082)
+ krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
+
+---
krb5.changes: same change
New:
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.zcOpXr/_old 2014-08-20 17:53:44.0 +0200
+++ /var/tmp/diff_new_pack.zcOpXr/_new 2014-08-20 17:53:44.0 +0200
@@ -86,6 +86,7 @@
Patch16:krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
Patch17:krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
Patch18:krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+Patch19:
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -209,6 +210,7 @@
%patch16 -p1
%patch17 -p1
%patch18 -p1
+%patch19 -p1
%build
# needs to be re-generated
++ krb5.spec ++
--- /var/tmp/diff_new_pack.zcOpXr/_old 2014-08-20 17:53:44.0 +0200
+++ /var/tmp/diff_new_pack.zcOpXr/_new 2014-08-20 17:53:44.0 +0200
@@ -86,6 +86,7 @@
Patch16:krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
Patch17:krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
Patch18:krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+Patch19:
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -209,6 +210,7 @@
%patch16 -p1
%patch17 -p1
%patch18 -p1
+%patch19 -p1
%build
# needs to be re-generated
++
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch ++
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index ce851ea..df5934c 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int
n_key_data,
j++;
last = i + 1;
-currkvno = key_data[i].key_data_kvno;
+if (i n_key_data - 1)
+currkvno = key_data[i + 1].key_data_kvno;
}
}
ret[num_versions] = NULL;
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2014-08-06 11:42:15
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2014-07-27
08:25:45.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2014-08-06
11:42:17.0 +0200
@@ -1,0 +2,8 @@
+Mon Jul 28 09:22:06 UTC 2014 - ckornac...@suse.com
+
+- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)
+ krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+ Fix null deref in SPNEGO acceptor [CVE-2014-4344]
+ krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+
+---
krb5.changes: same change
New:
krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.0GDPhw/_old 2014-08-06 11:42:19.0 +0200
+++ /var/tmp/diff_new_pack.0GDPhw/_new 2014-08-06 11:42:19.0 +0200
@@ -84,6 +84,8 @@
Patch14:krb5-kvno-230379.patch
Patch15:krb5-master-keyring-kdcsync.patch
Patch16:krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+Patch17:krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+Patch18:krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -205,6 +207,8 @@
%patch14 -p1
%patch15 -p1
%patch16 -p1
+%patch17 -p1
+%patch18 -p1
%build
# needs to be re-generated
++ krb5.spec ++
--- /var/tmp/diff_new_pack.0GDPhw/_old 2014-08-06 11:42:19.0 +0200
+++ /var/tmp/diff_new_pack.0GDPhw/_new 2014-08-06 11:42:19.0 +0200
@@ -84,6 +84,8 @@
Patch14:krb5-kvno-230379.patch
Patch15:krb5-master-keyring-kdcsync.patch
Patch16:krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+Patch17:krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+Patch18:krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %fillup_prereq
@@ -205,6 +207,8 @@
%patch14 -p1
%patch15 -p1
%patch16 -p1
+%patch17 -p1
+%patch18 -p1
%build
# needs to be re-generated
++ krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch ++
From f18ddf5d82de0ab7591a36e465bc24225776940f Mon Sep 17 00:00:00 2001
From: David Woodhouse david.woodho...@intel.com
Date: Tue, 15 Jul 2014 12:54:15 -0400
Subject: [PATCH] Fix double-free in SPNEGO [CVE-2014-4343]
In commit cd7d6b08 (Verify acceptor's mech in SPNEGO initiator) the
pointer sc-internal_mech became an alias into sc-mech_set-elements,
which should be considered constant for the duration of the SPNEGO
context. So don't free it.
CVE-2014-4343:
In MIT krb5 releases 1.10 and newer, an unauthenticated remote
attacker with the ability to spoof packets appearing to be from a
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
(clients) which are using the SPNEGO mechanism, by returning a
different underlying mechanism than was proposed by the initiator. At
this stage of the negotiation, the acceptor is unauthenticated, and
the acceptor's response could be spoofed by an attacker with the
ability to inject traffic to the initiator.
Historically, some double-free vulnerabilities can be translated into
remote code execution, though the necessary exploits must be tailored
to the individual application and are usually quite
complicated. Double-frees can also be exploited to cause an
application crash, for a denial of service. However, most GSSAPI
client applications are not vulnerable, as the SPNEGO mechanism is not
used by default (when GSS_C_NO_OID is passed as the mech_type argument
to gss_init_sec_context()). The most common use of SPNEGO is for
HTTP-Negotiate, used in web browsers and other web clients. Most such
clients are believed to not offer HTTP-Negotiate by default, instead
requiring a whitelist of sites for which it may be used to be
configured. If the whitelist is configured to only allow
HTTP-Negotiate over TLS connections (https://;), a successful
attacker must also spoof the web server's SSL certificate, due to the
way the WWW-Authenticate header is sent in a 401 (Unauthorized)
response message. Unfortunately, many instructions for enabling
HTTP-Negotiate in common web browsers do not include a TLS
requirement.
CVSSv2 Vector:
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2014-07-27 08:25:40
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2014-02-19
11:39:17.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2014-07-27
08:25:45.0 +0200
@@ -2 +2,19 @@
-Tue Feb 18 15:27:15 UTC 2014 - ckornac...@suse.com
+Sat Jul 19 12:38:21 UTC 2014 - p.drou...@gmail.com
+
+- Do not depend of insserv if systemd is used
+
+---
+Thu Jul 10 15:59:52 UTC 2014 - ckornac...@suse.com
+
+- denial of service flaws when handling RFC 1964 tokens (bnc#886016)
+ krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+- start krb5kdc after slapd (bnc#886102)
+
+---
+Fri Jun 6 11:08:08 UTC 2014 - ckornac...@suse.com
+
+- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
+ similar functionality is provided by krb5-plugin-preauth-pkinit
+
+---
+Tue Feb 18 15:25:57 UTC 2014 - ckornac...@suse.com
@@ -7 +25 @@
-Tue Jan 21 14:28:05 UTC 2014 - ckornac...@suse.com
+Tue Jan 21 14:23:37 UTC 2014 - ckornac...@suse.com
@@ -28 +46 @@
-Mon Jan 13 15:40:18 UTC 2014 - ckornac...@suse.com
+Mon Jan 13 15:37:16 UTC 2014 - ckornac...@suse.com
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2014-02-19
11:39:17.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2014-07-27
08:25:45.0 +0200
@@ -1,0 +2,18 @@
+Sat Jul 19 12:38:21 UTC 2014 - p.drou...@gmail.com
+
+- Do not depend of insserv if systemd is used
+
+---
+Thu Jul 10 15:59:52 UTC 2014 - ckornac...@suse.com
+
+- denial of service flaws when handling RFC 1964 tokens (bnc#886016)
+ krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+- start krb5kdc after slapd (bnc#886102)
+
+---
+Fri Jun 6 11:08:08 UTC 2014 - ckornac...@suse.com
+
+- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
+ similar functionality is provided by krb5-plugin-preauth-pkinit
+
+---
New:
krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.3rs6QU/_old 2014-07-27 08:25:46.0 +0200
+++ /var/tmp/diff_new_pack.3rs6QU/_new 2014-07-27 08:25:46.0 +0200
@@ -35,6 +35,7 @@
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
Group: Productivity/Networking/Security
+Obsoletes: krb5-plugin-preauth-pkinit-nss
%if ! 0%{?build_mini}
BuildRequires: doxygen
BuildRequires: libopenssl-devel
@@ -47,6 +48,8 @@
%if 0%{?suse_version} = 1210
BuildRequires: pkgconfig(systemd)
%{?systemd_requires}
+%else
+PreReq: %insserv_prereq
%endif
# bug437293
%ifarch ppc64
@@ -80,9 +83,10 @@
Patch13:krb5-1.9-debuginfo.patch
Patch14:krb5-kvno-230379.patch
Patch15:krb5-master-keyring-kdcsync.patch
+Patch16:krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
-PreReq: %insserv_prereq %fillup_prereq
+PreReq: %fillup_prereq
%description
Kerberos V5 is a trusted-third-party network authentication system,
@@ -200,6 +204,7 @@
%patch13 -p0
%patch14 -p1
%patch15 -p1
+%patch16 -p1
%build
# needs to be re-generated
++ krb5.spec ++
--- /var/tmp/diff_new_pack.3rs6QU/_old 2014-07-27 08:25:46.0 +0200
+++ /var/tmp/diff_new_pack.3rs6QU/_new 2014-07-27 08:25:46.0 +0200
@@ -35,6 +35,7 @@
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
Group: Productivity/Networking/Security
+Obsoletes: krb5-plugin-preauth-pkinit-nss
%if ! 0%{?build_mini}
BuildRequires: doxygen
BuildRequires: libopenssl-devel
@@ -47,6 +48,8 @@
%if 0%{?suse_version} = 1210
BuildRequires: pkgconfig(systemd)
%{?systemd_requires}
+%else
+PreReq: %insserv_prereq
%endif
# bug437293
%ifarch ppc64
@@ -80,9 +83,10 @@
Patch13:krb5-1.9-debuginfo.patch
Patch14:krb5-kvno-230379.patch
Patch15:krb5-master-keyring-kdcsync.patch
+Patch16:krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
-PreReq: %insserv_prereq %fillup_prereq
+PreReq:
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2014-02-19 11:39:16
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2014-01-29
07:15:28.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2014-02-19
11:39:17.0 +0100
@@ -1,0 +2,5 @@
+Tue Feb 18 15:27:15 UTC 2014 - ckornac...@suse.com
+
+- don't deliver SysV init files to systemd distributions
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2014-01-29
07:15:28.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2014-02-19
11:39:17.0 +0100
@@ -1,0 +2,5 @@
+Tue Feb 18 15:25:57 UTC 2014 - ckornac...@suse.com
+
+- don't deliver SysV init files to systemd distributions
+
+---
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.5p67U2/_old 2014-02-19 11:39:18.0 +0100
+++ /var/tmp/diff_new_pack.5p67U2/_new 2014-02-19 11:39:18.0 +0100
@@ -46,6 +46,7 @@
BuildRequires: python-lxml
%if 0%{?suse_version} = 1210
BuildRequires: pkgconfig(systemd)
+%{?systemd_requires}
%endif
# bug437293
%ifarch ppc64
@@ -287,17 +288,18 @@
done
# and binaries too
chmod 0755 %{buildroot}/usr/lib/mit/bin/ksu
-# install init scripts
-mkdir -p %{buildroot}%{_sysconfdir}/init.d
-install -m 755 %{vendorFiles}/kadmind.init
%{buildroot}%{_sysconfdir}/init.d/kadmind
-install -m 755 %{vendorFiles}/krb5kdc.init
%{buildroot}%{_sysconfdir}/init.d/krb5kdc
-install -m 755 %{vendorFiles}/kpropd.init
%{buildroot}%{_sysconfdir}/init.d/kpropd
# install systemd files
%if 0%{?suse_version} = 1210
mkdir -p %{buildroot}%{_unitdir}
install -m 644 %{vendorFiles}/kadmind.service %{buildroot}%{_unitdir}
install -m 644 %{vendorFiles}/krb5kdc.service %{buildroot}%{_unitdir}
install -m 644 %{vendorFiles}/kpropd.service %{buildroot}%{_unitdir}
+%else
+# install init scripts
+mkdir -p %{buildroot}%{_sysconfdir}/init.d
+install -m 755 %{vendorFiles}/kadmind.init
%{buildroot}%{_sysconfdir}/init.d/kadmind
+install -m 755 %{vendorFiles}/krb5kdc.init
%{buildroot}%{_sysconfdir}/init.d/krb5kdc
+install -m 755 %{vendorFiles}/kpropd.init
%{buildroot}%{_sysconfdir}/init.d/kpropd
%endif
# install sysconfig templates
mkdir -p $RPM_BUILD_ROOT/%{_var}/adm/fillup-templates
@@ -310,9 +312,21 @@
# create rc* links
mkdir -p %{buildroot}/usr/bin/
mkdir -p %{buildroot}/usr/sbin/
+%if 0%{?suse_version} = 1210
+%if 0%{?suse_version} 1220
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckadmind
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckrb5kdc
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckpropd
+%else
+ln -s /sbin/service %{buildroot}%{_sbindir}/rckadmind
+ln -s /sbin/service %{buildroot}%{_sbindir}/rckrb5kdc
+ln -s /sbin/service %{buildroot}%{_sbindir}/rcpropd
+%endif
+%else
ln -sf ../../etc/init.d/kadmind %{buildroot}/usr/sbin/rckadmind
ln -sf ../../etc/init.d/krb5kdc %{buildroot}/usr/sbin/rckrb5kdc
ln -sf ../../etc/init.d/kpropd %{buildroot}/usr/sbin/rckpropd
+%endif
# create links for kinit and klist, because of the java ones
ln -sf ../../usr/lib/mit/bin/kinit %{buildroot}/usr/bin/kinit
ln -sf ../../usr/lib/mit/bin/klist %{buildroot}/usr/bin/klist
@@ -487,11 +501,12 @@
%attr(0600,root,root) %config(noreplace)
%{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_var}/adm/fillup-templates/sysconfig.*
-%{_sysconfdir}/init.d/*
%if 0%{?suse_version} = 1210
%{_unitdir}/kadmind.service
%{_unitdir}/krb5kdc.service
%{_unitdir}/kpropd.service
+%else
+%{_sysconfdir}/init.d/*
%endif
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
@@ -580,13 +595,14 @@
%defattr(-,root,root)
%attr(0700,root,root) %dir /var/log/krb5
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
-%{_sysconfdir}/init.d/kadmind
-%{_sysconfdir}/init.d/krb5kdc
-%{_sysconfdir}/init.d/kpropd
%if 0%{?suse_version} = 1210
%{_unitdir}/kadmind.service
%{_unitdir}/krb5kdc.service
%{_unitdir}/kpropd.service
+%else
+%{_sysconfdir}/init.d/kadmind
+%{_sysconfdir}/init.d/krb5kdc
+%{_sysconfdir}/init.d/kpropd
%endif
%dir %{krb5docdir}
%dir /usr/lib/mit
++ krb5.spec ++
--- /var/tmp/diff_new_pack.5p67U2/_old 2014-02-19 11:39:18.0 +0100
+++ /var/tmp/diff_new_pack.5p67U2/_new 2014-02-19 11:39:18.0 +0100
@@ -46,6 +46,7 @@
BuildRequires: python-lxml
%if 0%{?suse_version} = 1210
BuildRequires: pkgconfig(systemd)
+%{?systemd_requires}
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2014-01-29 07:15:26
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2014-01-23
15:46:48.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2014-01-29
07:15:28.0 +0100
@@ -1,0 +2,21 @@
+Tue Jan 21 14:28:05 UTC 2014 - ckornac...@suse.com
+
+- update to version 1.12.1
+ * Make KDC log service principal names more consistently during
+some error conditions, instead of unknown server
+ * Fix several bugs related to building AES-NI support on less
+common configurations
+ * Fix several bugs related to keyring credential caches
+- upstream obsoletes:
+ krb5-1.12-copy_context.patch
+ krb5-1.12-enable-NX.patch
+ krb5-1.12-pic-aes-ni.patch
+ krb5-master-no-malloc0.patch
+ krb5-master-ignore-empty-unnecessary-final-token.patch
+ krb5-master-gss_oid_leak.patch
+ krb5-master-keytab_close.patch
+ krb5-master-spnego_error_messages.patch
+- Fix Get time offsets for all keyring ccaches
+ krb5-master-keyring-kdcsync.patch (RT#7820)
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2014-01-23
15:46:48.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2014-01-29
07:15:28.0 +0100
@@ -1,0 +2,21 @@
+Tue Jan 21 14:23:37 UTC 2014 - ckornac...@suse.com
+
+- update to version 1.12.1
+ * Make KDC log service principal names more consistently during
+some error conditions, instead of unknown server
+ * Fix several bugs related to building AES-NI support on less
+common configurations
+ * Fix several bugs related to keyring credential caches
+- upstream obsoletes:
+ krb5-1.12-copy_context.patch
+ krb5-1.12-enable-NX.patch
+ krb5-1.12-pic-aes-ni.patch
+ krb5-master-no-malloc0.patch
+ krb5-master-ignore-empty-unnecessary-final-token.patch
+ krb5-master-gss_oid_leak.patch
+ krb5-master-keytab_close.patch
+ krb5-master-spnego_error_messages.patch
+- Fix Get time offsets for all keyring ccaches
+ krb5-master-keyring-kdcsync.patch (RT#7820)
+
+---
Old:
krb5-1.12-copy_context.patch
krb5-1.12-enable-NX.patch
krb5-1.12-pic-aes-ni.patch
krb5-1.12.tar.gz
krb5-master-gss_oid_leak.patch
krb5-master-ignore-empty-unnecessary-final-token.patch
krb5-master-keytab_close.patch
krb5-master-no-malloc0.patch
krb5-master-spnego_error_messages.patch
New:
krb5-1.12.1.tar.gz
krb5-master-keyring-kdcsync.patch
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.7GRjiI/_old 2014-01-29 07:15:29.0 +0100
+++ /var/tmp/diff_new_pack.7GRjiI/_new 2014-01-29 07:15:29.0 +0100
@@ -17,7 +17,7 @@
%define build_mini 1
-%define srcRoot krb5-1.12
+%define srcRoot krb5-1.12.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -30,7 +30,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.12
+Version:1.12.1
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
@@ -78,14 +78,7 @@
Patch12:krb5-1.12-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
Patch14:krb5-kvno-230379.patch
-Patch15:krb5-1.12-copy_context.patch
-Patch16:krb5-1.12-enable-NX.patch
-Patch17:krb5-1.12-pic-aes-ni.patch
-Patch18:krb5-master-no-malloc0.patch
-Patch19:krb5-master-ignore-empty-unnecessary-final-token.patch
-Patch20:krb5-master-gss_oid_leak.patch
-Patch21:krb5-master-keytab_close.patch
-Patch22:krb5-master-spnego_error_messages.patch
+Patch15:krb5-master-keyring-kdcsync.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@@ -206,13 +199,6 @@
%patch13 -p0
%patch14 -p1
%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
%build
# needs to be re-generated
++ krb5.spec ++
--- /var/tmp/diff_new_pack.7GRjiI/_old 2014-01-29 07:15:29.0 +0100
+++ /var/tmp/diff_new_pack.7GRjiI/_new 2014-01-29 07:15:29.0 +0100
@@ -17,7 +17,7 @@
%define build_mini 0
-%define srcRoot krb5-1.12
+%define srcRoot krb5-1.12.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -30,7 +30,7 @@
commit krb5 for openSUSE:Factory
Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2014-01-17 16:40:41 Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new (New) Package is krb5 Changes: --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2013-11-28 07:27:34.0 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2014-01-23 15:46:48.0 +0100 @@ -2 +2,46 @@ -Fri Nov 15 13:35:09 UTC 2013 - ckornac...@suse.com +Mon Jan 13 15:40:18 UTC 2014 - ckornac...@suse.com + +- update to version 1.12 + * Add GSSAPI extensions for constructing MIC tokens using IOV lists + * Add a FAST OTP preauthentication module for the KDC which uses +RADIUS to validate OTP token values. + * The AES-based encryption types will use AES-NI instructions +when possible for improved performance. +- revert dependency on libcom_err-mini-devel since it's not yet + available +- update and rebase patches + * krb5-1.10-buildconf.patch - krb5-1.12-buildconf.patch + * krb5-1.11-pam.patch - krb5-1.12-pam.patch + * krb5-1.11-selinux-label.patch - krb5-1.12-selinux-label.patch + * krb5-1.8-api.patch - krb5-1.12-api.patch + * krb5-1.9-ksu-path.patch - krb5-1.12-ksu-path.patch + * krb5-1.9-debuginfo.patch + * krb5-1.9-kprop-mktemp.patch + * krb5-kvno-230379.patch +- added upstream patches + - Fix krb5_copy_context +* krb5-1.12-copy_context.patch + - Mark AESNI files as not needing executable stacks +* krb5-1.12-enable-NX.patch +* krb5-1.12-pic-aes-ni.patch + - Fix memory leak in SPNEGO initiator +* krb5-master-gss_oid_leak.patch + - Fix SPNEGO one-hop interop against old IIS +* krb5-master-ignore-empty-unnecessary-final-token.patch + - Fix GSS krb5 acceptor acquire_cred error handling +* krb5-master-keytab_close.patch + - Avoid malloc(0) in SPNEGO get_input_token +* krb5-master-no-malloc0.patch + - Test SPNEGO error message in t_s4u.py +* krb5-master-spnego_error_messages.patch + +--- +Tue Dec 10 02:43:32 UTC 2013 - nfbr...@suse.com + +- Reduce build dependencies for krb5-mini by removing + doxygen and changing libcom_err-devel to + libcom_err-mini-devel +- Small fix to pre_checkin.sh so krb5-mini.spec is correct. + +--- +Fri Nov 15 13:33:53 UTC 2013 - ckornac...@suse.com --- /work/SRC/openSUSE:Factory/krb5/krb5.changes2013-11-28 07:27:34.0 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2014-01-23 15:46:48.0 +0100 @@ -1,0 +2,45 @@ +Mon Jan 13 15:37:16 UTC 2014 - ckornac...@suse.com + +- update to version 1.12 + * Add GSSAPI extensions for constructing MIC tokens using IOV lists + * Add a FAST OTP preauthentication module for the KDC which uses +RADIUS to validate OTP token values. + * The AES-based encryption types will use AES-NI instructions +when possible for improved performance. +- revert dependency on libcom_err-mini-devel since it's not yet + available +- update and rebase patches + * krb5-1.10-buildconf.patch - krb5-1.12-buildconf.patch + * krb5-1.11-pam.patch - krb5-1.12-pam.patch + * krb5-1.11-selinux-label.patch - krb5-1.12-selinux-label.patch + * krb5-1.8-api.patch - krb5-1.12-api.patch + * krb5-1.9-ksu-path.patch - krb5-1.12-ksu-path.patch + * krb5-1.9-debuginfo.patch + * krb5-1.9-kprop-mktemp.patch + * krb5-kvno-230379.patch +- added upstream patches + - Fix krb5_copy_context +* krb5-1.12-copy_context.patch + - Mark AESNI files as not needing executable stacks +* krb5-1.12-enable-NX.patch +* krb5-1.12-pic-aes-ni.patch + - Fix memory leak in SPNEGO initiator +* krb5-master-gss_oid_leak.patch + - Fix SPNEGO one-hop interop against old IIS +* krb5-master-ignore-empty-unnecessary-final-token.patch + - Fix GSS krb5 acceptor acquire_cred error handling +* krb5-master-keytab_close.patch + - Avoid malloc(0) in SPNEGO get_input_token +* krb5-master-no-malloc0.patch + - Test SPNEGO error message in t_s4u.py +* krb5-master-spnego_error_messages.patch + +--- +Tue Dec 10 02:43:32 UTC 2013 - nfbr...@suse.com + +- Reduce build dependencies for krb5-mini by removing + doxygen and changing libcom_err-devel to + libcom_err-mini-devel +- Small fix to pre_checkin.sh so krb5-mini.spec is correct. + +--- Old: krb5-1.10-buildconf.patch krb5-1.11-pam.patch krb5-1.11-selinux-label.patch krb5-1.11.4.tar.bz2 krb5-1.8-api.patch krb5-1.9-ksu-path.patch New: krb5-1.12-api.patch krb5-1.12-buildconf.patch krb5-1.12-copy_context.patch krb5-1.12-enable-NX.patch
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2013-11-28 07:27:28
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2013-06-25
14:41:38.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2013-11-28
07:27:34.0 +0100
@@ -1,0 +2,10 @@
+Fri Nov 15 13:35:09 UTC 2013 - ckornac...@suse.com
+
+- update to version 1.11.4
+ - Fix a KDC null pointer dereference [CVE-2013-1417] that could
+affect realms with an uncommon configuration.
+ - Fix a KDC null pointer dereference [CVE-2013-1418] that could
+affect KDCs that serve multiple realms.
+ - Fix a number of bugs related to KDC master key rollover.
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2013-06-25
14:41:38.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2013-11-28
07:27:34.0 +0100
@@ -1,0 +2,10 @@
+Fri Nov 15 13:33:53 UTC 2013 - ckornac...@suse.com
+
+- update to version 1.11.4
+ - Fix a KDC null pointer dereference [CVE-2013-1417] that could
+affect realms with an uncommon configuration.
+ - Fix a KDC null pointer dereference [CVE-2013-1418] that could
+affect KDCs that serve multiple realms.
+ - Fix a number of bugs related to KDC master key rollover.
+
+---
Old:
krb5-1.11.3.tar.bz2
New:
krb5-1.11.4.tar.bz2
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.uz1IRs/_old 2013-11-28 07:27:35.0 +0100
+++ /var/tmp/diff_new_pack.uz1IRs/_new 2013-11-28 07:27:35.0 +0100
@@ -17,7 +17,7 @@
%define build_mini 1
-%define srcRoot krb5-1.11.3
+%define srcRoot krb5-1.11.4
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -31,7 +31,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.11.3
+Version:1.11.4
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
++ krb5.spec ++
--- /var/tmp/diff_new_pack.uz1IRs/_old 2013-11-28 07:27:35.0 +0100
+++ /var/tmp/diff_new_pack.uz1IRs/_new 2013-11-28 07:27:35.0 +0100
@@ -17,7 +17,7 @@
%define build_mini 0
-%define srcRoot krb5-1.11.3
+%define srcRoot krb5-1.11.4
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -31,7 +31,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.11.3
+Version:1.11.4
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
++ krb5-1.11.3.tar.bz2 - krb5-1.11.4.tar.bz2 ++
/work/SRC/openSUSE:Factory/krb5/krb5-1.11.3.tar.bz2
/work/SRC/openSUSE:Factory/.krb5.new/krb5-1.11.4.tar.bz2 differ: char 11, line 1
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2013-06-11 06:34:35
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2013-06-05
11:53:16.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2013-06-11
09:32:43.0 +0200
@@ -1,0 +2,10 @@
+Sun Jun 9 14:14:48 UTC 2013 - m...@suse.com
+
+- update to version 1.11.3
+ - Fix a UDP ping-pong vulnerability in the kpasswd
+(password changing) service. [CVE-2002-2443]
+ - Improve interoperability with some Windows native PKINIT clients.
+- install translation files
+- remove outdated configure options
+
+---
krb5.changes: same change
Old:
krb5-1.11.2.tar.bz2
New:
krb5-1.11.3.tar.bz2
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.jr1G78/_old 2013-06-11 09:32:44.0 +0200
+++ /var/tmp/diff_new_pack.jr1G78/_new 2013-06-11 09:32:44.0 +0200
@@ -17,7 +17,7 @@
%define build_mini 1
-%define srcRoot krb5-1.11.2
+%define srcRoot krb5-1.11.3
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -31,7 +31,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.11.2
+Version:1.11.3
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
@@ -193,8 +193,12 @@
rm -f src/lib/krb5/krb/deltat.c
cd src
./util/reconf
-CFLAGS=$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE
-fPIC \
+DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
./configure \
+CC=%{__cc} \
+CFLAGS=$RPM_OPT_FLAGS -I%{_includedir}/et -fno-strict-aliasing
-D_GNU_SOURCE -fPIC -fstack-protector-all \
+CPPFLAGS=-I%{_includedir}/et \
+SS_LIB=-lss \
--prefix=/usr/lib/mit \
--sysconfdir=%{_sysconfdir} \
--mandir=%{_mandir} \
@@ -203,9 +207,9 @@
--libdir=%{_libdir} \
--includedir=%{_includedir} \
--localstatedir=%{_localstatedir}/lib/kerberos \
+--localedir=%{_datadir}/locale \
--enable-shared \
--disable-static \
---enable-kdc-replay-cache \
--enable-dns-for-realm \
--disable-rpath \
%if ! %{build_mini}
@@ -220,7 +224,7 @@
--with-selinux \
--with-system-et \
--with-system-ss
-make %{?jobs:-j%jobs}
+%{__make} %{?_smp_mflags}
%if ! 0%{?build_mini}
cd doc
make %{?jobs:-j%jobs} substhtml
@@ -229,11 +233,19 @@
%endif
%install
+
+# Where per-user keytabs live by default.
+mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user
+mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5
+
cd src
make DESTDIR=%{buildroot} install
cd ..
-# Munge the krb5-config script to remove rpaths and CFLAGS.
-sed s|^CC_LINK=.*|CC_LINK='\$(CC) \$(PROG_LIBPATH)'|g src/krb5-config
$RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
+# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
+# of the buildconf patch already conspire to strip out /usr/anything from the
+# list of link flags, and it helps prevent file conflicts on multilib systems.
+sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g'
$RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
+
# install autoconf macro
mkdir -p %{buildroot}/%{_datadir}/aclocal
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
@@ -302,9 +314,9 @@
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
-#rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share/examples
-rm -rf %{buildroot}/usr/lib/mit/share/locale
+
+%find_lang mit-krb5
#
# krb5(-mini) pre/post/postun
@@ -391,7 +403,7 @@
%if %{build_mini}
-%files
+%files -f mit-krb5.lang
%defattr(-,root,root)
%dir %{krb5docdir}
# add directories
@@ -402,6 +414,8 @@
%dir %{_libdir}/krb5/plugins/libkrb5
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
+%dir %{_localstatedir}/lib/kerberos/krb5
+%dir %{_localstatedir}/lib/kerberos/krb5/user
%attr(0700,root,root) %dir /var/log/krb5
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
@@ -473,7 +487,7 @@
%{_mandir}/man8/*
%else
-%files
+%files -f mit-krb5.lang
%defattr(-,root,root)
%dir %{krb5docdir}
# add plugin directories
@@ -499,6 +513,7 @@
%files server
%defattr(-,root,root)
+%attr(0700,root,root) %dir /var/log/krb5
%config(noreplace)
commit krb5 for openSUSE:Factory
Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2013-06-05 11:53:15 Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new (New) Package is krb5 Changes: --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2013-05-03 13:37:04.0 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2013-06-05 11:53:16.0 +0200 @@ -1,0 +2,5 @@ +Tue May 28 17:08:01 UTC 2013 - m...@suse.com + +- cleanup systemd files (remove syslog.target) + +--- krb5.changes: same change Other differences: -- krb5.spec: same change ++ vendor-files.tar.bz2 ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/kadmind.service new/vendor-files/kadmind.service --- old/vendor-files/kadmind.service2013-03-22 10:33:12.0 +0100 +++ new/vendor-files/kadmind.service2013-05-28 19:06:50.0 +0200 @@ -1,6 +1,6 @@ [Unit] Description=Kerberos 5 Password-changing and Administration -After=syslog.target network.target +After=network.target ConditionPathExists=!/var/lib/kerberos/krb5kdc/kpropd.acl [Service] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/kpropd.service new/vendor-files/kpropd.service --- old/vendor-files/kpropd.service 2013-03-22 10:34:00.0 +0100 +++ new/vendor-files/kpropd.service 2013-05-28 19:07:00.0 +0200 @@ -1,6 +1,6 @@ [Unit] Description=Kerberos 5 Propagation -After=syslog.target network.target +After=network.target ConditionPathExists=/var/lib/kerberos/krb5kdc/kpropd.acl [Service] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/krb5kdc.service new/vendor-files/krb5kdc.service --- old/vendor-files/krb5kdc.service2013-03-22 10:33:41.0 +0100 +++ new/vendor-files/krb5kdc.service2013-05-28 19:07:13.0 +0200 @@ -1,6 +1,6 @@ [Unit] Description=Kerberos 5 KDC -After=syslog.target network.target +After=network.target [Service] Type=forking -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2013-05-03 13:37:02
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2013-04-05
09:26:20.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2013-05-03
13:37:04.0 +0200
@@ -1,0 +2,22 @@
+Fri May 3 09:43:47 CEST 2013 - m...@suse.de
+
+- let krb5-mini conflict with all main packages
+
+---
+Thu May 2 16:43:16 CEST 2013 - m...@suse.de
+
+- add conflicts between krb5-mini and krb5-server
+
+---
+Sun Apr 28 17:14:36 CEST 2013 - m...@suse.de
+
+- update to version 1.11.2
+ * Incremental propagation could erroneously act as if a slave's
+database were current after the slave received a full dump
+that failed to load.
+ * gss_import_sec_context incorrectly set internal state that
+identifies whether an imported context is from an interposer
+mechanism or from the underlying mechanism.
+- upstream fix obsolete krb5-lookup_etypes-leak.patch
+
+---
krb5.changes: same change
Old:
krb5-1.11.1.tar.bz2
krb5-lookup_etypes-leak.patch
New:
krb5-1.11.2.tar.bz2
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.m92BvP/_old 2013-05-03 13:37:07.0 +0200
+++ /var/tmp/diff_new_pack.m92BvP/_new 2013-05-03 13:37:07.0 +0200
@@ -17,7 +17,7 @@
%define build_mini 1
-%define srcRoot krb5-1.11.1
+%define srcRoot krb5-1.11.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -31,7 +31,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.11.1
+Version:1.11.2
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
@@ -55,6 +55,9 @@
%else # -mini
Conflicts: krb5
Conflicts: krb5-client
+Conflicts: krb5-server
+Conflicts: krb5-plugin-kdb-ldap
+Conflicts: krb5-plugin-preauth-pkinit
%endif
Source: krb5-%{version}.tar.bz2
Source1:vendor-files.tar.bz2
@@ -74,7 +77,6 @@
Patch12:krb5-1.11-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
Patch14:krb5-kvno-230379.patch
-Patch15:krb5-lookup_etypes-leak.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@@ -185,7 +187,6 @@
%patch12 -p1
%patch13 -p0
%patch14 -p1
-%patch15 -p1
%build
# needs to be re-generated
@@ -385,6 +386,7 @@
/usr/lib/mit/sbin/krb5-send-pr
/usr/lib/mit/share/gnats
%{_mandir}/man1/krb5-send-pr.1*
+%{_mandir}/man1/krb5-config.1*
%{_datadir}/aclocal/ac_check_krb5.m4
%if %{build_mini}
++ krb5.spec ++
--- /var/tmp/diff_new_pack.m92BvP/_old 2013-05-03 13:37:07.0 +0200
+++ /var/tmp/diff_new_pack.m92BvP/_new 2013-05-03 13:37:07.0 +0200
@@ -17,7 +17,7 @@
%define build_mini 0
-%define srcRoot krb5-1.11.1
+%define srcRoot krb5-1.11.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -31,7 +31,7 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version:1.11.1
+Version:1.11.2
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
License:MIT
@@ -55,6 +55,9 @@
%else # -mini
Conflicts: krb5
Conflicts: krb5-client
+Conflicts: krb5-server
+Conflicts: krb5-plugin-kdb-ldap
+Conflicts: krb5-plugin-preauth-pkinit
%endif
Source: krb5-%{version}.tar.bz2
Source1:vendor-files.tar.bz2
@@ -74,7 +77,6 @@
Patch12:krb5-1.11-selinux-label.patch
Patch13:krb5-1.9-debuginfo.patch
Patch14:krb5-kvno-230379.patch
-Patch15:krb5-lookup_etypes-leak.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@@ -185,7 +187,6 @@
%patch12 -p1
%patch13 -p0
%patch14 -p1
-%patch15 -p1
%build
# needs to be re-generated
@@ -385,6 +386,7 @@
/usr/lib/mit/sbin/krb5-send-pr
/usr/lib/mit/share/gnats
%{_mandir}/man1/krb5-send-pr.1*
+%{_mandir}/man1/krb5-config.1*
%{_datadir}/aclocal/ac_check_krb5.m4
%if %{build_mini}
++ krb5-1.11.1.tar.bz2 - krb5-1.11.2.tar.bz2 ++
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2013-03-08 10:50:13
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5, Maintainer is m...@suse.com
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2013-01-24
10:17:04.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2013-03-08
10:50:15.0 +0100
@@ -1,0 +2,19 @@
+Wed Mar 6 12:01:32 CET 2013 - m...@suse.de
+
+- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
+ CVE-2012-1016 (bnc#807556)
+ bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
+
+---
+Mon Mar 4 11:23:10 CET 2013 - m...@suse.de
+
+- fix PKINIT null pointer deref
+ CVE-2013-1415 (bnc#806715)
+ bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
+
+---
+Fri Jan 25 15:29:37 CET 2013 - m...@suse.de
+
+- package missing file (bnc#794784)
+
+---
@@ -5,0 +25,5 @@
+
+---
+Tue Oct 16 19:35:47 UTC 2012 - co...@suse.com
+
+- revert the -p usage in %postun to fix SLE build
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2013-01-29
14:11:44.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2013-03-08
10:50:15.0 +0100
@@ -1,0 +2,14 @@
+Wed Mar 6 12:01:32 CET 2013 - m...@suse.de
+
+- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
+ CVE-2012-1016 (bnc#807556)
+ bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
+
+---
+Mon Mar 4 11:23:10 CET 2013 - m...@suse.de
+
+- fix PKINIT null pointer deref
+ CVE-2013-1415 (bnc#806715)
+ bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
+
+---
New:
bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.20oXSN/_old 2013-03-08 10:50:18.0 +0100
+++ /var/tmp/diff_new_pack.20oXSN/_new 2013-03-08 10:50:18.0 +0100
@@ -66,6 +66,8 @@
Patch20:krb5-1.10-gcc47.patch
Patch21:krb5-1.10-selinux-label.patch
Patch22:krb5-1.10-spin-loop.patch
+Patch23:bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
+Patch24:bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@@ -161,6 +163,8 @@
%patch19 -p1
%patch20
%patch22 -p1
+%patch23 -p1
+%patch24 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
@@ -275,16 +279,16 @@
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
-rm -rf /usr/lib/mit/share
-rm -rf %{buildroot}/usr/lib/mit/share
-
+rm -rf %{buildroot}/usr/lib/mit/share/examples
+rm -rf %{buildroot}/usr/lib/mit/share/locale
#
# krb5(-mini) pre/post/postun
#
%post -p /sbin/ldconfig
-%postun -p /sbin/ldconfig
+%postun
+/sbin/ldconfig
%if ! %{build_mini}
@@ -326,7 +330,8 @@
%post plugin-kdb-ldap -p /sbin/ldconfig
-%postun plugin-kdb-ldap -p /sbin/ldconfig
+%postun plugin-kdb-ldap
+/sbin/ldconfig
%endif
@@ -339,6 +344,7 @@
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
+%dir /usr/lib/mit/share
%dir %{_datadir}/aclocal
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
@@ -354,6 +360,7 @@
%{_includedir}/*
/usr/lib/mit/bin/krb5-config
/usr/lib/mit/sbin/krb5-send-pr
+/usr/lib/mit/share/gnats
%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/krb5-config.1*
%{_datadir}/aclocal/ac_check_krb5.m4
++ krb5.spec ++
--- /var/tmp/diff_new_pack.20oXSN/_old 2013-03-08 10:50:18.0 +0100
+++ /var/tmp/diff_new_pack.20oXSN/_new 2013-03-08 10:50:18.0 +0100
@@ -66,6 +66,8 @@
Patch20:krb5-1.10-gcc47.patch
Patch21:krb5-1.10-selinux-label.patch
Patch22:krb5-1.10-spin-loop.patch
+Patch23:bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
+Patch24:bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch,
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2013-01-29 14:11:41
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5, Maintainer is m...@suse.com
Changes:
krb5-mini.changes: same change
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2013-01-24
10:17:04.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2013-01-29
14:11:44.0 +0100
@@ -1,0 +2,5 @@
+Fri Jan 25 15:29:37 CET 2013 - m...@suse.de
+
+- package missing file (bnc#794784)
+
+---
Other differences:
--
krb5-mini.spec: same change
++ krb5.spec ++
--- /var/tmp/diff_new_pack.RiA0f3/_old 2013-01-29 14:11:49.0 +0100
+++ /var/tmp/diff_new_pack.RiA0f3/_new 2013-01-29 14:11:49.0 +0100
@@ -275,9 +275,8 @@
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
-rm -rf /usr/lib/mit/share
-rm -rf %{buildroot}/usr/lib/mit/share
-
+rm -rf %{buildroot}/usr/lib/mit/share/examples
+rm -rf %{buildroot}/usr/lib/mit/share/locale
#
# krb5(-mini) pre/post/postun
#
@@ -341,6 +340,7 @@
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
+%dir /usr/lib/mit/share
%dir %{_datadir}/aclocal
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
@@ -356,6 +356,7 @@
%{_includedir}/*
/usr/lib/mit/bin/krb5-config
/usr/lib/mit/sbin/krb5-send-pr
+/usr/lib/mit/share/gnats
%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/krb5-config.1*
%{_datadir}/aclocal/ac_check_krb5.m4
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2013-01-24 10:17:03
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5, Maintainer is m...@suse.com
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2012-10-18
21:52:58.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2013-01-24
10:17:04.0 +0100
@@ -1,0 +2,6 @@
+Tue Jan 22 13:55:52 UTC 2013 - lchiqui...@suse.com
+
+- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc
+ (bnc#793336)
+
+---
krb5.changes: same change
New:
krb5-1.10-spin-loop.patch
Other differences:
--
++ krb5-doc.spec ++
--- /var/tmp/diff_new_pack.gYdrxy/_old 2013-01-24 10:17:06.0 +0100
+++ /var/tmp/diff_new_pack.gYdrxy/_new 2013-01-24 10:17:06.0 +0100
@@ -1,7 +1,7 @@
#
# spec file for package krb5-doc
#
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.gYdrxy/_old 2013-01-24 10:17:06.0 +0100
+++ /var/tmp/diff_new_pack.gYdrxy/_new 2013-01-24 10:17:06.0 +0100
@@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -65,6 +65,7 @@
Patch19:krb5-1.9-ksu-path.patch
Patch20:krb5-1.10-gcc47.patch
Patch21:krb5-1.10-selinux-label.patch
+Patch22:krb5-1.10-spin-loop.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@@ -159,6 +160,7 @@
%patch18 -p1
%patch19 -p1
%patch20
+%patch22 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
++ krb5.spec ++
--- /var/tmp/diff_new_pack.gYdrxy/_old 2013-01-24 10:17:06.0 +0100
+++ /var/tmp/diff_new_pack.gYdrxy/_new 2013-01-24 10:17:06.0 +0100
@@ -1,7 +1,7 @@
#
# spec file for package krb5
#
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -65,6 +65,7 @@
Patch19:krb5-1.9-ksu-path.patch
Patch20:krb5-1.10-gcc47.patch
Patch21:krb5-1.10-selinux-label.patch
+Patch22:krb5-1.10-spin-loop.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@@ -159,6 +160,7 @@
%patch18 -p1
%patch19 -p1
%patch20
+%patch22 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
++ krb5-1.10-spin-loop.patch ++
commit 2b06a22f7fd8ec01fb27a7335125290b8ceb6f18
Author: Greg Hudson ghud...@mit.edu
Date: Thu Nov 29 01:58:13 2012 -0500
Fix spin-loop bug in k5_sendto_kdc
In the second part of the first pass over the server list, we passed
the wrong list pointer to service_fds, causing it to see only a subset
of the server entries corresponding to sel_state. This could cause
service_fds to spin if an event is reported on an fd not in the
subset.
ticket: 7454
target_version: 1.10.4
tags: pullup
Index: krb5-1.10.2/src/lib/krb5/os/sendto_kdc.c
===
--- krb5-1.10.2.orig/src/lib/krb5/os/sendto_kdc.c
+++ krb5-1.10.2/src/lib/krb5/os/sendto_kdc.c
@@ -1287,7 +1287,7 @@ k5_sendto(krb5_context context, const kr
continue;
if (maybe_send(context, state, sel_state, callback_info))
continue;
-done = service_fds(context, sel_state, 1, state, seltemp, msg_handler,
+done = service_fds(context, sel_state, 1, conns, seltemp, msg_handler,
msg_handler_data, winner);
}
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2012-10-18 21:52:56
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5, Maintainer is m...@suse.com
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2012-10-16
07:07:01.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2012-10-18
21:52:58.0 +0200
@@ -1,0 +2,5 @@
+Tue Oct 16 12:05:00 UTC 2012 - co...@suse.com
+
+- buildrequire systemd by pkgconfig provide to get systemd-mini
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2012-10-16
07:07:01.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2012-10-18
21:52:58.0 +0200
@@ -1,0 +2,10 @@
+Tue Oct 16 19:35:47 UTC 2012 - co...@suse.com
+
+- revert the -p usage in %postun to fix SLE build
+
+---
+Tue Oct 16 12:05:00 UTC 2012 - co...@suse.com
+
+- buildrequire systemd by pkgconfig provide to get systemd-mini
+
+---
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.NtA997/_old 2012-10-18 21:53:00.0 +0200
+++ /var/tmp/diff_new_pack.NtA997/_new 2012-10-18 21:53:00.0 +0200
@@ -40,7 +40,7 @@
BuildRequires: openldap2-devel
BuildRequires: pam-devel
%if 0%{?suse_version} = 1210
-BuildRequires: systemd
+BuildRequires: pkgconfig(systemd)
%endif
# bug437293
%ifarch ppc64
++ krb5.spec ++
--- /var/tmp/diff_new_pack.NtA997/_old 2012-10-18 21:53:00.0 +0200
+++ /var/tmp/diff_new_pack.NtA997/_new 2012-10-18 21:53:00.0 +0200
@@ -40,7 +40,7 @@
BuildRequires: openldap2-devel
BuildRequires: pam-devel
%if 0%{?suse_version} = 1210
-BuildRequires: systemd
+BuildRequires: pkgconfig(systemd)
%endif
# bug437293
%ifarch ppc64
@@ -282,7 +282,8 @@
%post -p /sbin/ldconfig
-%postun -p /sbin/ldconfig
+%postun
+/sbin/ldconfig
%if ! %{build_mini}
@@ -324,7 +325,8 @@
%post plugin-kdb-ldap -p /sbin/ldconfig
-%postun plugin-kdb-ldap -p /sbin/ldconfig
+%postun plugin-kdb-ldap
+/sbin/ldconfig
%endif
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2012-10-16 07:06:59
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5, Maintainer is m...@suse.com
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2012-10-06
08:19:21.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2012-10-16
07:07:01.0 +0200
@@ -1,0 +2,5 @@
+Sat Oct 13 16:50:59 UTC 2012 - co...@suse.com
+
+- do not require systemd in krb5-mini
+
+---
krb5.changes: same change
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.I7qXeO/_old 2012-10-16 07:07:04.0 +0200
+++ /var/tmp/diff_new_pack.I7qXeO/_new 2012-10-16 07:07:04.0 +0200
@@ -30,9 +30,6 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-%if 0%{?suse_version} = 1210
-BuildRequires: systemd
-%endif
Version:1.10.2
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
@@ -42,6 +39,9 @@
BuildRequires: libopenssl-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
+%if 0%{?suse_version} = 1210
+BuildRequires: systemd
+%endif
# bug437293
%ifarch ppc64
Obsoletes: krb5-64bit
@@ -275,43 +275,16 @@
rm -f /usr/share/man/man1/tmac.doc*
rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share
-#
-# krb5-mini-devel pre/post/postun
-#
-%if %{build_mini}
-%preun
-%if 0%{?suse_version} = 1210
-%service_del_preun krb5kdc.service kadmind.service kpropd.service
-%else
-%stop_on_removal krb5kdc kadmind kpropd
-%endif
-
-%postun
-/sbin/ldconfig
-%if 0%{?suse_version} = 1210
-%service_del_postun krb5kdc.service kadmind.service kpropd.service
-%else
-%restart_on_update krb5kdc kadmind kpropd
-%{insserv_cleanup}
-%endif
-
-%post
-/sbin/ldconfig
-%if 0%{?suse_version} = 1210
-%service_add_post krb5kdc.service kadmind.service kpropd.service
-%endif
-
-%else
#
-# krb5 pre/post/postun
+# krb5(-mini) pre/post/postun
#
-%post
-/sbin/ldconfig
+%post -p /sbin/ldconfig
-%postun
-/sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%if ! %{build_mini}
#
# krb5-server preun/postun/pre/post
@@ -349,11 +322,9 @@
# krb5-plugin-kdb-ldap post/postun
#
-%post plugin-kdb-ldap
-/sbin/ldconfig
+%post plugin-kdb-ldap -p /sbin/ldconfig
-%postun plugin-kdb-ldap
-/sbin/ldconfig
+%postun plugin-kdb-ldap -p /sbin/ldconfig
%endif
@@ -412,9 +383,6 @@
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_var}/adm/fillup-templates/sysconfig.*
%{_sysconfdir}/init.d/*
-%if 0%{?suse_version} = 1210
-%{_unitdir}/*.service
-%endif
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
@@ -426,9 +394,6 @@
%{_libdir}/libverto.so.*
%{_libdir}/libverto-k5ev.so.*
%{_libdir}/krb5/plugins/kdb/*
-%if ! 0%{?build_mini}
-%{_libdir}/krb5/plugins/preauth/*
-%endif
#/usr/lib/mit/sbin/*
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
++ krb5.spec ++
--- /var/tmp/diff_new_pack.I7qXeO/_old 2012-10-16 07:07:04.0 +0200
+++ /var/tmp/diff_new_pack.I7qXeO/_new 2012-10-16 07:07:04.0 +0200
@@ -30,9 +30,6 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-%if 0%{?suse_version} = 1210
-BuildRequires: systemd
-%endif
Version:1.10.2
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
@@ -42,6 +39,9 @@
BuildRequires: libopenssl-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
+%if 0%{?suse_version} = 1210
+BuildRequires: systemd
+%endif
# bug437293
%ifarch ppc64
Obsoletes: krb5-64bit
@@ -275,43 +275,16 @@
rm -f /usr/share/man/man1/tmac.doc*
rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share
-#
-# krb5-mini-devel pre/post/postun
-#
-%if %{build_mini}
-%preun
-%if 0%{?suse_version} = 1210
-%service_del_preun krb5kdc.service kadmind.service kpropd.service
-%else
-%stop_on_removal krb5kdc kadmind kpropd
-%endif
-
-%postun
-/sbin/ldconfig
-%if 0%{?suse_version} = 1210
-%service_del_postun krb5kdc.service kadmind.service kpropd.service
-%else
-%restart_on_update krb5kdc kadmind kpropd
-%{insserv_cleanup}
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2012-10-06 08:19:14
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5, Maintainer is m...@suse.com
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2012-06-13
17:07:35.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2012-10-06
08:19:21.0 +0200
@@ -1,0 +2,6 @@
+Fri Oct 5 15:50:38 CEST 2012 - m...@suse.de
+
+- add systemd service files for kadmind, krb5kdc and kpropd
+- add sysconfig templates for kadmind and krb5kdc
+
+---
krb5.changes: same change
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.r9DOkG/_old 2012-10-06 08:19:22.0 +0200
+++ /var/tmp/diff_new_pack.r9DOkG/_new 2012-10-06 08:19:22.0 +0200
@@ -30,6 +30,9 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
+%if 0%{?suse_version} = 1210
+BuildRequires: systemd
+%endif
Version:1.10.2
Release:0
Summary:MIT Kerberos5 Implementation--Libraries
@@ -89,6 +92,7 @@
Requires: cron
Requires: logrotate
Requires: perl-Date-Calc
+%{?systemd_requires}
PreReq: %insserv_prereq %fillup_prereq
%description server
@@ -235,15 +239,27 @@
install -m 755 %{vendorFiles}/kadmind.init
%{buildroot}%{_sysconfdir}/init.d/kadmind
install -m 755 %{vendorFiles}/krb5kdc.init
%{buildroot}%{_sysconfdir}/init.d/krb5kdc
install -m 755 %{vendorFiles}/kpropd.init
%{buildroot}%{_sysconfdir}/init.d/kpropd
+# install systemd files
+%if 0%{?suse_version} = 1210
+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kadmind.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/krb5kdc.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kpropd.service %{buildroot}%{_unitdir}
+%endif
+# install sysconfig templates
+mkdir -p $RPM_BUILD_ROOT/%{_var}/adm/fillup-templates
+install -m 644 %{vendorFiles}/sysconfig.kadmind
$RPM_BUILD_ROOT/%{_var}/adm/fillup-templates/
+install -m 644 %{vendorFiles}/sysconfig.krb5kdc
$RPM_BUILD_ROOT/%{_var}/adm/fillup-templates/
# install logrotate files
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{vendorFiles}/krb5-server.logrotate
%{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
find . -type f -name '*.ps' -exec gzip -9 {} \;
# create rc* links
mkdir -p %{buildroot}/usr/bin/
-ln -sf ../../etc/init.d/kadmind %{buildroot}/usr/bin/rckadmind
-ln -sf ../../etc/init.d/krb5kdc %{buildroot}/usr/bin/rckrb5kdc
-ln -sf ../../etc/init.d/kpropd %{buildroot}/usr/bin/rckpropd
+mkdir -p %{buildroot}/usr/sbin/
+ln -sf ../../etc/init.d/kadmind %{buildroot}/usr/sbin/rckadmind
+ln -sf ../../etc/init.d/krb5kdc %{buildroot}/usr/sbin/rckrb5kdc
+ln -sf ../../etc/init.d/kpropd %{buildroot}/usr/sbin/rckpropd
# create links for kinit and klist, because of the java ones
ln -sf ../../usr/lib/mit/bin/kinit %{buildroot}/usr/bin/kinit
ln -sf ../../usr/lib/mit/bin/klist %{buildroot}/usr/bin/klist
@@ -265,39 +281,80 @@
%if %{build_mini}
%preun
+%if 0%{?suse_version} = 1210
+%service_del_preun krb5kdc.service kadmind.service kpropd.service
+%else
%stop_on_removal krb5kdc kadmind kpropd
+%endif
%postun
/sbin/ldconfig
+%if 0%{?suse_version} = 1210
+%service_del_postun krb5kdc.service kadmind.service kpropd.service
+%else
%restart_on_update krb5kdc kadmind kpropd
%{insserv_cleanup}
+%endif
+
+%post
+/sbin/ldconfig
+%if 0%{?suse_version} = 1210
+%service_add_post krb5kdc.service kadmind.service kpropd.service
+%endif
-%post -p /sbin/ldconfig
%else
#
# krb5 pre/post/postun
#
-%post -p /sbin/ldconfig
+%post
+/sbin/ldconfig
-%postun -p /sbin/ldconfig
+%postun
+/sbin/ldconfig
-%preun server
#
-# krb5-server preun/postun
+# krb5-server preun/postun/pre/post
#
+
+%preun server
+%if 0%{?suse_version} = 1210
+%service_del_preun krb5kdc.service kadmind.service kpropd.service
+%else
%stop_on_removal krb5kdc kadmind kpropd
+%endif
%postun server
+%if 0%{?suse_version} = 1210
+%service_del_postun krb5kdc.service kadmind.service kpropd.service
+%else
%restart_on_update krb5kdc kadmind kpropd
%{insserv_cleanup}
+%endif
+
+%post server
+%if 0%{?suse_version} = 1210
+%service_add_post krb5kdc.service kadmind.service kpropd.service
+%endif
+%{fillup_only -n kadmind}
+%{fillup_only -n krb5kdc}
+%{fillup_only -n kpropd}
+
commit krb5 for openSUSE:Factory
Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2012-09-04 01:33:28 Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new (New) Package is krb5, Maintainer is m...@suse.com Changes: --- /work/SRC/openSUSE:Factory/krb5/krb5-doc.changes2012-06-10 21:52:56.0 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-doc.changes 2012-09-04 01:33:29.0 +0200 @@ -1,0 +2,5 @@ +Mon Sep 3 14:34:35 UTC 2012 - idon...@suse.com + +- Build depend on texinfo texlive-dvips to fix the build + +--- krb5.changes: same change Other differences: -- ++ krb5-doc.spec ++ --- /var/tmp/diff_new_pack.GvA4X3/_old 2012-09-04 01:33:32.0 +0200 +++ /var/tmp/diff_new_pack.GvA4X3/_new 2012-09-04 01:33:32.0 +0200 @@ -18,8 +18,8 @@ Name: krb5-doc BuildRequires: ghostscript-library -BuildRequires: latex2html -BuildRequires: texlive +BuildRequires: texinfo +BuildRequires: texlive-dvips Version:1.10.2 Release:0 %define srcRoot krb5-1.10.2 krb5.spec: same change -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2012-06-13 17:07:30
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5, Maintainer is m...@suse.com
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2012-06-10
21:52:56.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2012-06-13
17:07:35.0 +0200
@@ -1,0 +2,5 @@
+Wed Jun 13 08:40:56 UTC 2012 - co...@suse.com
+
+- fix %files section for krb5-mini
+
+---
krb5.changes: same change
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.ODQMb1/_old 2012-06-13 17:07:37.0 +0200
+++ /var/tmp/diff_new_pack.ODQMb1/_new 2012-06-13 17:07:37.0 +0200
@@ -71,15 +71,6 @@
which can improve your network's security by eliminating the insecure
practice of clear text passwords.
-
-
-Authors:
-
-The MIT Kerberos Team
-Sam Hartman hartm...@mit.edu
-Ken Raeburn raeb...@mit.edu
-Tom Yu t...@mit.edu
-
%if ! %{build_mini}
%package client
@@ -92,15 +83,6 @@
practice of cleartext passwords. This package includes some required
client programs, like kinit, kadmin, ...
-
-
-Authors:
-
-The MIT Kerberos Team
-Sam Hartman hartm...@mit.edu
-Ken Raeburn raeb...@mit.edu
-Tom Yu t...@mit.edu
-
%package server
Summary:MIT Kerberos5 implementation - server
Group: Productivity/Networking/Security
@@ -115,15 +97,6 @@
practice of cleartext passwords. This package includes the kdc, kadmind
and more.
-
-
-Authors:
-
-The MIT Kerberos Team
-Sam Hartman hartm...@mit.edu
-Ken Raeburn raeb...@mit.edu
-Tom Yu t...@mit.edu
-
%package plugin-kdb-ldap
Summary:MIT Kerberos5 Implementation--LDAP Database Plugin
Group: Productivity/Networking/Security
@@ -135,15 +108,6 @@
practice of clear text passwords. This package contains the LDAP
database plugin.
-
-
-Authors:
-
-The MIT Kerberos Team
-Sam Hartman hartm...@mit.edu
-Ken Raeburn raeb...@mit.edu
-Tom Yu t...@mit.edu
-
%package plugin-preauth-pkinit
Summary:MIT Kerberos5 Implementation--PKINIT preauth Plugin
Group: Productivity/Networking/Security
@@ -153,15 +117,6 @@
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.
-
-
-Authors:
-
-The MIT Kerberos Team
-Sam Hartman hartm...@mit.edu
-Ken Raeburn raeb...@mit.edu
-Tom Yu t...@mit.edu
-
%endif #! build_mini
%package devel
@@ -185,15 +140,6 @@
practice of cleartext passwords. This package includes Libraries and
Include Files for Development
-
-
-Authors:
-
-The MIT Kerberos Team
-Sam Hartman hartm...@mit.edu
-Ken Raeburn raeb...@mit.edu
-Tom Yu t...@mit.edu
-
%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
@@ -354,8 +300,6 @@
%postun plugin-kdb-ldap -p /sbin/ldconfig
%endif
-%clean
-rm -rf %{buildroot}
# files sections
@@ -420,7 +364,9 @@
%{_libdir}/libverto.so.*
%{_libdir}/libverto-k5ev.so.*
%{_libdir}/krb5/plugins/kdb/*
+%if ! 0%{?build_mini}
%{_libdir}/krb5/plugins/preauth/*
+%endif
#/usr/lib/mit/sbin/*
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
@@ -465,6 +411,7 @@
%{_mandir}/man1/kswitch.1*
%{_mandir}/man5/*
%{_mandir}/man5/.k5login.5.gz
+%{_mandir}/man5/.k5identity.5*
%{_mandir}/man8/*
%else
++ krb5.spec ++
--- /var/tmp/diff_new_pack.ODQMb1/_old 2012-06-13 17:07:37.0 +0200
+++ /var/tmp/diff_new_pack.ODQMb1/_new 2012-06-13 17:07:37.0 +0200
@@ -71,15 +71,6 @@
which can improve your network's security by eliminating the insecure
practice of clear text passwords.
-
-
-Authors:
-
-The MIT Kerberos Team
-Sam Hartman hartm...@mit.edu
-Ken Raeburn raeb...@mit.edu
-Tom Yu t...@mit.edu
-
%if ! %{build_mini}
%package client
@@ -92,15 +83,6 @@
practice of cleartext passwords. This package includes some required
client programs, like kinit, kadmin, ...
-
-
-Authors:
-
-The MIT Kerberos Team
-Sam Hartman hartm...@mit.edu
-Ken Raeburn raeb...@mit.edu
-Tom Yu t...@mit.edu
-
%package server
Summary:MIT Kerberos5 implementation - server
Group: Productivity/Networking/Security
@@ -115,15 +97,6 @@
practice of cleartext passwords. This package includes the kdc, kadmind
and more.
-
-
-Authors:
-
-The MIT
commit krb5 for openSUSE:Factory
Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2012-06-10 20:20:57 Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new (New) Package is krb5, Maintainer is m...@suse.com Changes: --- /work/SRC/openSUSE:Factory/krb5/krb5-doc.changes2011-09-23 02:07:15.0 +0200 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-doc.changes 2012-06-10 21:52:56.0 +0200 @@ -1,0 +2,5 @@ +Wed Jun 6 17:34:26 CEST 2012 - m...@suse.de + +- update to version 1.10.2 + +--- --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2012-02-15 16:16:12.0 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2012-06-10 21:52:56.0 +0200 @@ -2 +2 @@ -Tue Jan 31 15:32:51 CET 2012 - meiss...@suse.de +Thu Jun 7 11:39:18 UTC 2012 - m...@suse.de @@ -4 +4,61 @@ -- fix License in krb5-mini +- fix gcc47 issues + +--- +Wed Jun 6 16:25:41 CEST 2012 - m...@suse.de + +- update to version 1.10.2 + obsolte patches: + * krb5-1.7-nodeplibs.patch + * krb5-1.9.1-ai_addrconfig.patch + * krb5-1.9.1-ai_addrconfig2.patch + * krb5-1.9.1-sendto_poll.patch + * krb5-1.9-canonicalize-fallback.patch + * krb5-1.9-paren.patch + * krb5-klist_s.patch + * krb5-pkinit-cms2.patch + * krb5-trunk-chpw-err.patch + * krb5-trunk-gss_delete_sec.patch + * krb5-trunk-kadmin-oldproto.patch + * krb5-1.9-MITKRB5-SA-2011-006.dif + * krb5-1.9-gss_display_status-iakerb.patch + * krb5-1.9.1-sendto_poll2.patch + * krb5-1.9.1-sendto_poll3.patch + * krb5-1.9-MITKRB5-SA-2011-007.dif +- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain + Controllers. +- Update a workaround for a glibc bug that would cause DNS PTR queries + to occur even when rdns = false. +- Fix a kadmind denial of service issue (null pointer dereference), + which could only be triggered by an administrator with the create + privilege. [CVE-2012-1013] +- Fix access controls for KDB string attributes [CVE-2012-1012] +- Make the ASN.1 encoding of key version numbers interoperate with + Windows Read-Only Domain Controllers +- Avoid generating spurious password expiry warnings in cases where + the KDC sends an account expiry time without a password expiry time +- Make PKINIT work with FAST in the client library. +- Add the DIR credential cache type, which can hold a collection of + credential caches. +- Enhance kinit, klist, and kdestroy to support credential cache + collections if the cache type supports it. +- Add the kswitch command, which changes the selected default cache + within a collection. +- Add heuristic support for choosing client credentials based on + the service realm. +- Add support for $HOME/.k5identity, which allows credential + choice based on configured rules. + +--- +Sun Feb 26 22:23:15 UTC 2012 - stefan.bru...@rwth-aachen.de + +- add autoconf macro to devel subpackage + +--- +Tue Jan 31 15:33:05 CET 2012 - meiss...@suse.de + +- fix license in krb5-mini + +--- +Tue Dec 20 20:57:26 UTC 2011 - co...@suse.com + +- add autoconf as buildrequire to avoid implicit dependency --- /work/SRC/openSUSE:Factory/krb5/krb5.changes2012-03-01 07:25:14.0 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2012-06-10 21:52:56.0 +0200 @@ -1,0 +2,50 @@ +Thu Jun 7 11:39:18 UTC 2012 - m...@suse.de + +- fix gcc47 issues + +--- +Wed Jun 6 16:25:41 CEST 2012 - m...@suse.de + +- update to version 1.10.2 + obsolte patches: + * krb5-1.7-nodeplibs.patch + * krb5-1.9.1-ai_addrconfig.patch + * krb5-1.9.1-ai_addrconfig2.patch + * krb5-1.9.1-sendto_poll.patch + * krb5-1.9-canonicalize-fallback.patch + * krb5-1.9-paren.patch + * krb5-klist_s.patch + * krb5-pkinit-cms2.patch + * krb5-trunk-chpw-err.patch + * krb5-trunk-gss_delete_sec.patch + * krb5-trunk-kadmin-oldproto.patch + * krb5-1.9-MITKRB5-SA-2011-006.dif + * krb5-1.9-gss_display_status-iakerb.patch + * krb5-1.9.1-sendto_poll2.patch + * krb5-1.9.1-sendto_poll3.patch + * krb5-1.9-MITKRB5-SA-2011-007.dif +- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain + Controllers. +- Update a workaround for a glibc bug that would cause DNS PTR queries + to occur even when rdns = false. +- Fix a kadmind denial of service issue (null pointer dereference), + which could only be triggered by an administrator with the create + privilege. [CVE-2012-1013] +- Fix access controls for KDB string attributes
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2012-03-01 07:25:10
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5, Maintainer is m...@suse.com
Changes:
krb5-mini.changes: same change
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2012-02-15
16:16:12.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2012-03-01
07:25:14.0 +0100
@@ -1,0 +2,5 @@
+Sun Feb 26 22:23:15 UTC 2012 - stefan.bru...@rwth-aachen.de
+
+- add autoconf macro to devel subpackage
+
+---
Other differences:
--
++ krb5-doc.spec ++
--- /var/tmp/diff_new_pack.FJRq85/_old 2012-03-01 07:25:16.0 +0100
+++ /var/tmp/diff_new_pack.FJRq85/_new 2012-03-01 07:25:16.0 +0100
@@ -16,6 +16,7 @@
#
+
Name: krb5-doc
BuildRequires: ghostscript-library
BuildRequires: latex2html
++ krb5.spec ++
--- /var/tmp/diff_new_pack.FJRq85/_old 2012-03-01 07:25:16.0 +0100
+++ /var/tmp/diff_new_pack.FJRq85/_new 2012-03-01 07:25:16.0 +0100
@@ -282,6 +282,9 @@
cd ..
# Munge the krb5-config script to remove rpaths and CFLAGS.
sed s|^CC_LINK=.*|CC_LINK='\$(CC) \$(PROG_LIBPATH)'|g src/krb5-config
$RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
+# install autoconf macro
+mkdir -p %{buildroot}/%{_datadir}/aclocal
+install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
# install sample config files
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir}
%{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
@@ -389,6 +392,7 @@
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
+%dir %{_datadir}/aclocal
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
%{_libdir}/libkadm5clnt_mit.so
@@ -403,6 +407,7 @@
/usr/lib/mit/sbin/krb5-send-pr
%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/krb5-config.1*
+%{_datadir}/aclocal/ac_check_krb5.m4
%if %{build_mini}
%files
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2012-02-15 16:15:33
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5, Maintainer is m...@suse.com
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2012-01-06
11:45:10.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2012-02-15
16:16:12.0 +0100
@@ -1,0 +2,5 @@
+Tue Jan 31 15:32:51 CET 2012 - meiss...@suse.de
+
+- fix License in krb5-mini
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2012-01-06
11:45:10.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2012-02-15
16:16:12.0 +0100
@@ -1,0 +2,5 @@
+Tue Jan 31 15:33:05 CET 2012 - meiss...@suse.de
+
+- fix license in krb5-mini
+
+---
Other differences:
--
++ krb5-doc.spec ++
--- /var/tmp/diff_new_pack.Mglm7H/_old 2012-02-15 16:16:13.0 +0100
+++ /var/tmp/diff_new_pack.Mglm7H/_new 2012-02-15 16:16:13.0 +0100
@@ -1,7 +1,7 @@
#
# spec file for package krb5-doc
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.Mglm7H/_old 2012-02-15 16:16:13.0 +0100
+++ /var/tmp/diff_new_pack.Mglm7H/_new 2012-02-15 16:16:13.0 +0100
@@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,9 @@
BuildRequires: ncurses-devel
Version:1.9.1
Release:0
+Summary:MIT Kerberos5 Implementation--Libraries
+License:MIT
+Group: Productivity/Networking/Security
%if ! 0%{?build_mini}
BuildRequires: libopenssl-devel
BuildRequires: openldap2-devel
@@ -41,12 +44,6 @@
Obsoletes: krb5-64bit
%endif
#
-Summary:MIT Kerberos5 Implementation--Libraries
-License:MIT
-Group: Productivity/Networking/Security
-%else
-Summary:MIT Kerberos5 Implementation--Libraries
-Group: Productivity/Networking/Security
%endif
Source: krb5-1.9.1.tar.bz2
Source1:vendor-files.tar.bz2
++ krb5.spec ++
--- /var/tmp/diff_new_pack.Mglm7H/_old 2012-02-15 16:16:13.0 +0100
+++ /var/tmp/diff_new_pack.Mglm7H/_new 2012-02-15 16:16:13.0 +0100
@@ -1,7 +1,7 @@
#
# spec file for package krb5
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,9 @@
BuildRequires: ncurses-devel
Version:1.9.1
Release:0
+Summary:MIT Kerberos5 Implementation--Libraries
+License:MIT
+Group: Productivity/Networking/Security
%if ! 0%{?build_mini}
BuildRequires: libopenssl-devel
BuildRequires: openldap2-devel
@@ -41,12 +44,6 @@
Obsoletes: krb5-64bit
%endif
#
-Summary:MIT Kerberos5 Implementation--Libraries
-License:MIT
-Group: Productivity/Networking/Security
-%else
-Summary:MIT Kerberos5 Implementation--Libraries
-Group: Productivity/Networking/Security
%endif
Source: krb5-1.9.1.tar.bz2
Source1:vendor-files.tar.bz2
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2012-01-06 11:45:08
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5, Maintainer is m...@suse.com
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2011-12-12
17:02:16.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2012-01-06
11:45:10.0 +0100
@@ -1,0 +2,5 @@
+Tue Dec 20 11:01:39 UTC 2011 - co...@suse.com
+
+- remove call to suse_update_config, very old work around
+
+---
@@ -12 +17 @@
- (RT#6951)
+ (RT#6951, bnc#731648)
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2011-12-12
17:02:16.0 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2012-01-06
11:45:10.0 +0100
@@ -1,0 +2,10 @@
+Tue Dec 20 20:57:26 UTC 2011 - co...@suse.com
+
+- add autoconf as buildrequire to avoid implicit dependency
+
+---
+Tue Dec 20 11:01:39 UTC 2011 - co...@suse.com
+
+- remove call to suse_update_config, very old work around
+
+---
Other differences:
--
++ krb5-doc.spec ++
--- /var/tmp/diff_new_pack.bhKlfM/_old 2012-01-06 11:45:12.0 +0100
+++ /var/tmp/diff_new_pack.bhKlfM/_new 2012-01-06 11:45:12.0 +0100
@@ -15,18 +15,18 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
-# norootforbuild
-
Name: krb5-doc
-BuildRequires: ghostscript-library latex2html texlive
+BuildRequires: ghostscript-library
+BuildRequires: latex2html
+BuildRequires: texlive
Version:1.9.1
-Release:2
+Release:0
%define srcRoot krb5-1.9.1
Summary:MIT Kerberos5 Implementation--Documentation
-License:MIT License (or similar)
-Url:http://web.mit.edu/kerberos/www/
+License:MIT
Group: Documentation/Other
+Url:http://web.mit.edu/kerberos/www/
Source: krb5-%{version}.tar.bz2
Source3:%{name}-rpmlintrc
Patch0: krb5-1.3.5-perlfix.dif
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.bhKlfM/_old 2012-01-06 11:45:12.0 +0100
+++ /var/tmp/diff_new_pack.bhKlfM/_new 2012-01-06 11:45:12.0 +0100
@@ -15,7 +15,6 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
-# norootforbuild
%define build_mini 1
%define srcRoot krb5-1.9.1
@@ -23,15 +22,19 @@
%define krb5docdir %{_defaultdocdir}/krb5
Name: krb5-mini
-License:MIT License (or similar)
Url:http://web.mit.edu/kerberos/www/
-BuildRequires: bison libcom_err-devel ncurses-devel
-BuildRequires: keyutils keyutils-devel
+BuildRequires: autoconf
+BuildRequires: bison
+BuildRequires: keyutils
+BuildRequires: keyutils-devel
+BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
+BuildRequires: ncurses-devel
Version:1.9.1
-Release:21
+Release:0
%if ! 0%{?build_mini}
-BuildRequires: libopenssl-devel openldap2-devel
+BuildRequires: libopenssl-devel
+BuildRequires: openldap2-devel
BuildRequires: pam-devel
# bug437293
%ifarch ppc64
@@ -39,6 +42,7 @@
%endif
#
Summary:MIT Kerberos5 Implementation--Libraries
+License:MIT
Group: Productivity/Networking/Security
%else
Summary:MIT Kerberos5 Implementation--Libraries
@@ -97,7 +101,6 @@
%if ! %{build_mini}
%package client
-License:MIT License (or similar)
Summary:MIT Kerberos5 implementation - client programs
Group: Productivity/Networking/Security
@@ -117,7 +120,6 @@
Tom Yu t...@mit.edu
%package server
-License:MIT License (or similar)
Summary:MIT Kerberos5 implementation - server
Group: Productivity/Networking/Security
Requires: perl-Date-Calc
@@ -140,7 +142,6 @@
Tom Yu t...@mit.edu
%package plugin-kdb-ldap
-License:MIT License (or similar)
Summary:MIT Kerberos5 Implementation--LDAP Database Plugin
Group: Productivity/Networking/Security
Requires: krb5-server = %{version}
@@ -161,7 +162,6 @@
Tom Yu t...@mit.edu
%package plugin-preauth-pkinit
-License:MIT License (or similar)
Summary:MIT Kerberos5 Implementation--PKINIT preauth Plugin
Group: Productivity/Networking/Security
@@ -182,7 +182,6 @@
%endif #! build_mini
%package devel
-License:MIT License (or similar)
Summary:MIT Kerberos5 - Include Files and Libraries
Group: Development/Libraries/C and C++
PreReq:
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in
at 2011-12-12 16:57:09
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
Package is krb5, Maintainer is m...@suse.com
Changes:
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2011-10-19
14:09:04.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2011-12-12
17:02:16.0 +0100
@@ -1,0 +2,19 @@
+Mon Nov 21 11:24:12 CET 2011 - m...@suse.de
+
+- fix KDC null pointer dereference in TGS handling
+ (MITKRB5-SA-2011-007, bnc#730393)
+ CVE-2011-1530
+
+---
+Mon Nov 21 11:11:54 CET 2011 - m...@suse.de
+
+- fix KDC HA feature introduced with implementing KDC poll
+ (RT#6951)
+
+---
+Fri Nov 18 08:35:52 UTC 2011 - rha...@suse.de
+
+- fix minor error messages for the IAKERB GSSAPI mechanism
+ (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)
+
+---
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes2011-10-19
14:09:04.0 +0200
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2011-12-12
17:02:16.0 +0100
@@ -1,0 +2,19 @@
+Mon Nov 21 11:24:12 CET 2011 - m...@suse.de
+
+- fix KDC null pointer dereference in TGS handling
+ (MITKRB5-SA-2011-007, bnc#730393)
+ CVE-2011-1530
+
+---
+Mon Nov 21 11:11:54 CET 2011 - m...@suse.de
+
+- fix KDC HA feature introduced with implementing KDC poll
+ (RT#6951, bnc#731648)
+
+---
+Fri Nov 18 08:35:52 UTC 2011 - rha...@suse.de
+
+- fix minor error messages for the IAKERB GSSAPI mechanism
+ (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)
+
+---
New:
krb5-1.9-MITKRB5-SA-2011-007.dif
krb5-1.9-gss_display_status-iakerb.patch
krb5-1.9.1-sendto_poll2.patch
krb5-1.9.1-sendto_poll3.patch
Other differences:
--
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.uCrGwX/_old 2011-12-12 17:02:21.0 +0100
+++ /var/tmp/diff_new_pack.uCrGwX/_new 2011-12-12 17:02:21.0 +0100
@@ -72,6 +72,10 @@
Patch25:krb5-trunk-gss_delete_sec.patch
Patch26:krb5-trunk-kadmin-oldproto.patch
Patch30:krb5-1.9-MITKRB5-SA-2011-006.dif
+Patch31:krb5-1.9-gss_display_status-iakerb.patch
+Patch32:krb5-1.9.1-sendto_poll2.patch
+Patch33:krb5-1.9.1-sendto_poll3.patch
+Patch34:krb5-1.9-MITKRB5-SA-2011-007.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@@ -234,6 +238,10 @@
%patch25 -p1
%patch26
%patch30 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
+%patch34 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
++ krb5.spec ++
--- /var/tmp/diff_new_pack.uCrGwX/_old 2011-12-12 17:02:21.0 +0100
+++ /var/tmp/diff_new_pack.uCrGwX/_new 2011-12-12 17:02:21.0 +0100
@@ -72,6 +72,10 @@
Patch25:krb5-trunk-gss_delete_sec.patch
Patch26:krb5-trunk-kadmin-oldproto.patch
Patch30:krb5-1.9-MITKRB5-SA-2011-006.dif
+Patch31:krb5-1.9-gss_display_status-iakerb.patch
+Patch32:krb5-1.9.1-sendto_poll2.patch
+Patch33:krb5-1.9.1-sendto_poll3.patch
+Patch34:krb5-1.9-MITKRB5-SA-2011-007.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@@ -234,6 +238,10 @@
%patch25 -p1
%patch26
%patch30 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
+%patch34 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
++ krb5-1.9-MITKRB5-SA-2011-007.dif ++
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index f46cad3..102fbaa 100644
--- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -67,6 +67,7 @@ check-unix:: rtest
check-pytests::
$(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
install::
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c169c54..840a2ef 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -243,7 +243,8 @@ tgt_again:
if (!tgs_1 || !data_eq(*server_1, *tgs_1))
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory
checked in at Wed Aug 24 13:36:04 CEST 2011.
--- krb5/krb5-mini.changes 2011-08-22 10:17:47.0 +0200
+++ /mounts/work_src_done/STABLE/krb5/krb5-mini.changes 2011-08-23
13:52:41.0 +0200
@@ -1,0 +2,5 @@
+Tue Aug 23 13:52:03 CEST 2011 - m...@suse.de
+
+- use --without-pam to build krb5-mini
+
+---
krb5.changes: same change
calling whatdependson for head-i586
Other differences:
--
++ krb5-doc.spec ++
--- /var/tmp/diff_new_pack.dvRDXQ/_old 2011-08-24 11:39:04.0 +0200
+++ /var/tmp/diff_new_pack.dvRDXQ/_new 2011-08-24 11:39:04.0 +0200
@@ -21,7 +21,7 @@
Name: krb5-doc
BuildRequires: ghostscript-library latex2html texlive
Version:1.9.1
-Release:1
+Release:2
%define srcRoot krb5-1.9.1
Summary:MIT Kerberos5 Implementation--Documentation
License:MIT License (or similar)
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.dvRDXQ/_old 2011-08-24 11:39:04.0 +0200
+++ /var/tmp/diff_new_pack.dvRDXQ/_new 2011-08-24 11:39:04.0 +0200
@@ -29,7 +29,7 @@
BuildRequires: keyutils keyutils-devel
BuildRequires: libselinux-devel
Version:1.9.1
-Release:1
+Release:2
%if ! 0%{?build_mini}
BuildRequires: libopenssl-devel openldap2-devel
BuildRequires: pam-devel
@@ -265,6 +265,7 @@
--with-selinux \
%else
--disable-pkinit \
+--without-pam \
%endif
--with-system-et \
--with-system-ss
++ krb5.spec ++
--- /var/tmp/diff_new_pack.dvRDXQ/_old 2011-08-24 11:39:04.0 +0200
+++ /var/tmp/diff_new_pack.dvRDXQ/_new 2011-08-24 11:39:04.0 +0200
@@ -29,7 +29,7 @@
BuildRequires: keyutils keyutils-devel
BuildRequires: libselinux-devel
Version:1.9.1
-Release:1
+Release:21
%if ! 0%{?build_mini}
BuildRequires: libopenssl-devel openldap2-devel
BuildRequires: pam-devel
@@ -265,6 +265,7 @@
--with-selinux \
%else
--disable-pkinit \
+--without-pam \
%endif
--with-system-et \
--with-system-ss
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit krb5 for openSUSE:Factory
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory
checked in at Mon Aug 22 15:22:24 CEST 2011.
--- krb5/krb5-doc.changes 2010-04-09 12:47:36.0 +0200
+++ /mounts/work_src_done/STABLE/krb5/krb5-doc.changes 2011-08-22
10:22:11.0 +0200
@@ -1,0 +2,5 @@
+Mon Aug 22 10:21:56 CEST 2011 - m...@suse.de
+
+- update to version 1.9.1
+
+---
--- krb5/krb5-mini.changes 2011-04-14 11:34:57.0 +0200
+++ /mounts/work_src_done/STABLE/krb5/krb5-mini.changes 2011-08-22
10:17:47.0 +0200
@@ -1,0 +2,19 @@
+Sun Aug 21 09:37:01 UTC 2011 - m...@novell.com
+
+- add patches from Fedora and upstream
+- fix init scripts (bnc#689006)
+
+---
+Fri Aug 19 15:48:35 UTC 2011 - m...@novell.com
+
+- update to version 1.9.1
+ * obsolete patches:
+MITKRB5-SA-2010-007-1.8.dif
+krb5-1.8-MITKRB5-SA-2010-006.dif
+krb5-1.8-MITKRB5-SA-2011-001.dif
+krb5-1.8-MITKRB5-SA-2011-002.dif
+krb5-1.8-MITKRB5-SA-2011-003.dif
+krb5-1.8-MITKRB5-SA-2011-004.dif
+krb5-1.4.3-enospc.dif
+ * replace krb5-1.6.1-compile_pie.dif
+---
krb5.changes: same change
calling whatdependson for head-i586
Old:
MITKRB5-SA-2010-007-1.8.dif
krb5-1.4.3-enospc.dif
krb5-1.6.1-compile_pie.dif
krb5-1.6.3-fix-ipv6-query.dif
krb5-1.6.3-kprop-use-mkstemp.dif
krb5-1.7-manpaths.dif
krb5-1.7-manpaths.txt
krb5-1.8-MITKRB5-SA-2010-006.dif
krb5-1.8-MITKRB5-SA-2011-001.dif
krb5-1.8-MITKRB5-SA-2011-002.dif
krb5-1.8-MITKRB5-SA-2011-003.dif
krb5-1.8-MITKRB5-SA-2011-004.dif
krb5-1.8.3-rpmlintrc
krb5-1.8.3.tar.bz2
krb5-doc-1.8.3-rpmlintrc
New:
krb5-1.7-doublelog.patch
krb5-1.7-nodeplibs.patch
krb5-1.8-api.patch
krb5-1.8-manpaths.txt
krb5-1.8-pam.patch
krb5-1.9-buildconf.patch
krb5-1.9-canonicalize-fallback.patch
krb5-1.9-kprop-mktemp.patch
krb5-1.9-ksu-path.patch
krb5-1.9-manpaths.dif
krb5-1.9-paren.patch
krb5-1.9-selinux-label.patch
krb5-1.9.1-ai_addrconfig.patch
krb5-1.9.1-ai_addrconfig2.patch
krb5-1.9.1-sendto_poll.patch
krb5-1.9.1.tar.bz2
krb5-doc-rpmlintrc
krb5-klist_s.patch
krb5-pkinit-cms2.patch
krb5-rpmlintrc
krb5-trunk-chpw-err.patch
krb5-trunk-gss_delete_sec.patch
krb5-trunk-kadmin-oldproto.patch
Other differences:
--
++ krb5-doc.spec ++
--- /var/tmp/diff_new_pack.dRm5I9/_old 2011-08-22 15:18:26.0 +0200
+++ /var/tmp/diff_new_pack.dRm5I9/_new 2011-08-22 15:18:26.0 +0200
@@ -20,15 +20,15 @@
Name: krb5-doc
BuildRequires: ghostscript-library latex2html texlive
-Version:1.8.3
-Release:6
-%define srcRoot krb5-1.8.3
+Version:1.9.1
+Release:1
+%define srcRoot krb5-1.9.1
Summary:MIT Kerberos5 Implementation--Documentation
License:MIT License (or similar)
Url:http://web.mit.edu/kerberos/www/
Group: Documentation/Other
-Source: krb5-1.8.3.tar.bz2
-Source3:%{name}-%{version}-rpmlintrc
+Source: krb5-%{version}.tar.bz2
+Source3:%{name}-rpmlintrc
Patch0: krb5-1.3.5-perlfix.dif
Patch1: krb5-1.6.3-texi2dvi-fix.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
++ krb5-mini.spec ++
--- /var/tmp/diff_new_pack.dRm5I9/_old 2011-08-22 15:18:26.0 +0200
+++ /var/tmp/diff_new_pack.dRm5I9/_new 2011-08-22 15:18:26.0 +0200
@@ -18,7 +18,7 @@
# norootforbuild
%define build_mini 1
-%define srcRoot krb5-1.8.3
+%define srcRoot krb5-1.9.1
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -27,10 +27,12 @@
Url:http://web.mit.edu/kerberos/www/
BuildRequires: bison libcom_err-devel ncurses-devel
BuildRequires: keyutils keyutils-devel
-Version:1.8.3
-Release:6
+BuildRequires: libselinux-devel
+Version:1.9.1
+Release:1
%if ! 0%{?build_mini}
BuildRequires: libopenssl-devel openldap2-devel
+BuildRequires: pam-devel
# bug437293
%ifarch ppc64
Obsoletes: krb5-64bit
@@ -42,25 +44,33 @@
Summary:MIT Kerberos5 Implementation--Libraries
Group: Productivity/Networking/Security
%endif
-Source: krb5-1.8.3.tar.bz2
+Source: krb5-1.9.1.tar.bz2
Source1:vendor-files.tar.bz2
Source2:baselibs.conf
-Source5:krb5-%{version}-rpmlintrc
-Source10: krb5-1.7-manpaths.txt
-Patch1: krb5-1.6.1-compile_pie.dif
-Patch2: krb5-1.6.3-kprop-use-mkstemp.dif
-Patch3: krb5-1.7-manpaths.dif
-Patch4: krb5-1.4.3-enospc.dif
+Source5:krb5-rpmlintrc
+Source10: krb5-1.8-manpaths.txt
+Patch1: krb5-1.9-buildconf.patch
+Patch3:
