File krb5-mini.changes of Package krb5-mini
1836
1
-------------------------------------------------------------------2
Wed Jan 30 12:32:33 UTC 2019 - Samuel Cabrero <scabrero@suse.de>3
4
- Upgrade to 1.16.35
* Fix a regression in the MEMORY credential cache type which could cause6
client programs to crash.7
* MEMORY credential caches will not be listed in the global collection,8
with the exception of the default credential cache if it is of type MEMORY.9
* Remove an incorrect assertion in the KDC which could be used to cause10
a crash [CVE-2018-20217].11
* Fix bugs with concurrent use of MEMORY ccache handles.12
* Fix a KDC crash when falling back between multiple OTP tokens configured13
for a principal entry.14
* Fix memory bugs when gss_add_cred() is used to create a new credential,15
and fix a bug where it ignores the desired_name.16
* Fix the behavior of gss_inquire_cred_by_mech() when the credential does17
not contain an element of the requested mechanism.18
* Make cross-realm S4U2Self requests work on the client when no19
default_realm is configured.20
* Add a kerberos(7) man page containing documentation of the environment21
variables that affect Kerberos programs.22
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required23
by transactional updates; (bsc#1100126);24
- Rename patches:25
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch26
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch27
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch28
* krb5-1.6.3-gssapi_improve_errormessages.dif to29
0004-krb5-1.6.3-gssapi_improve_errormessages.patch30
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch31
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch32
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch33
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch34
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch35
36
-------------------------------------------------------------------37
Tue Oct 9 20:13:24 UTC 2018 - James McDonough <jmcdonough@suse.com>38
39
- Upgrade to 1.16.140
* kdc client cert matching on client principal entry41
* Allow ktutil addent command to ignore key version and use42
non-default salt string.43
* add kpropd pidfile support44
* enable "encrypted_challenge_indicator" realm option on tickets45
obtained using FAST encrypted challenge pre-authentication.46
* dates through 2106 accepted47
* KDC support for trivially renewable tickets48
* stop caching referral and alternate cross-realm TGTs to prevent49
duplicate credential cache entries 50
51
-------------------------------------------------------------------52
Fri May 4 09:48:36 UTC 2018 - michael@stroeder.com53
54
- Upgrade to 1.15.355
* Fix flaws in LDAP DN checking, including a null dereference KDC56
crash which could be triggered by kadmin clients with administrative57
privileges [CVE-2018-5729, CVE-2018-5730].58
* Fix a KDC PKINIT memory leak.59
* Fix a small KDC memory leak on transited or authdata errors when60
processing TGS requests.61
* Fix a null dereference when the KDC sends a large TGS reply.62
* Fix "kdestroy -A" with the KCM credential cache type.63
* Fix the handling of capaths "." values.64
* Fix handling of repeated subsection specifications in profile files65
(such as when multiple included files specify relations in the same66
subsection).67
68
-------------------------------------------------------------------69
Wed Apr 25 21:56:35 UTC 2018 - luizluca@gmail.com70
71
- Added support for /etc/krb5.conf.d/ for configuration snippets72
73
-------------------------------------------------------------------74
Thu Nov 23 13:38:33 UTC 2017 - rbrown@suse.com75
76
- Replace references to /var/adm/fillup-templates with new 77
%_fillupdir macro (boo#1069468)78
79
-------------------------------------------------------------------80
Mon Oct 2 22:53:28 UTC 2017 - jengelh@inai.de81
82
- Update package descriptions.83
84
-------------------------------------------------------------------85
Mon Sep 25 19:45:05 UTC 2017 - michael@stroeder.com86
87
- Upgrade to 1.15.288
* Fix a KDC denial of service vulnerability caused by unset status89
strings [CVE-2017-11368]90
* Preserve GSS contexts on init/accept failure [CVE-2017-11462]91
* Fix kadm5 setkey operation with LDAP KDB module92
* Use a ten-second timeout after successful connection for HTTPS KDC93
requests, as we do for TCP requests94
* Fix client null dereference when KDC offers encrypted challenge95
without FAST96
* Ignore dotfiles when processing profile includedir directive97
* Improve documentation98
99
-------------------------------------------------------------------100
Fri Aug 18 08:27:26 UTC 2017 - hguo@suse.com101
102
- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf103
in order to improve client security in handling service principle104
names. (bsc#1054028)105
106
-------------------------------------------------------------------107
Tue Jun 6 13:36:34 UTC 2017 - hguo@suse.com108
109
- There is no change made about the package itself, this is only110
copying over some changelog texts from SLE package:111
- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355112
krb5: denial of service in krb5_read_message113
- bug#912002 owned by varkoly@suse.com: VUL-0114
CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423:115
krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token116
- bug#910458 owned by varkoly@suse.com: VUL-1117
CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries118
- bug#928978 owned by varkoly@suse.com: VUL-0119
CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading120
to requires_preauth bypass121
- bug#910457 owned by varkoly@suse.com: VUL-1122
CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy123
name as a password policy name124
- bug#991088 owned by hguo@suse.com: VUL-1125
CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted126
- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires127
- [fate#320326](https://fate.suse.com/320326)128
- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference129
from \cite130
131
-------------------------------------------------------------------132
Thu Apr 6 13:00:26 CEST 2017 - kukuk@suse.de133
134
- Remove wrong PreRequires135
136
-------------------------------------------------------------------137
Thu Mar 9 20:58:42 UTC 2017 - michael@stroeder.com138
139
- use HTTPS project and source URLs140
141
-------------------------------------------------------------------142
Thu Mar 9 16:31:41 UTC 2017 - meissner@suse.com143
144
- use source urls.145
- krb5.keyring: Added Greg Hudson146
147
-------------------------------------------------------------------148
Sat Mar 4 21:29:34 UTC 2017 - michael@stroeder.com149
150
- removed obsolete krb5-1.15-fix_kdb_free_principal_e_data.patch151
- Upgrade to 1.15.1152
* Allow KDB modules to determine how the e_data field of principal153
fields is freed154
* Fix udp_preference_limit when the KDC location is configured with155
SRV records156
* Fix KDC and kadmind startup on some IPv4-only systems157
* Fix the processing of PKINIT certificate matching rules which have158
two components and no explicit relation159
* Improve documentation160
161
-------------------------------------------------------------------162
Thu Jan 19 16:01:27 UTC 2017 - asn@cryptomilk.org163
164
- Introduce patch165
krb5-1.15-fix_kdb_free_principal_e_data.patch166
to fix freeing of e_data in the kdb principal167
168
-------------------------------------------------------------------169
Sat Dec 3 13:04:11 UTC 2016 - michael@stroeder.com170
171
- Upgrade to 1.15172
- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2173
- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since174
file is not available in upstream source anymore175
- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15176
- doc/CHANGES not available in 1.15 source anymore177
178
- Upgrade from 1.14.4 to 1.15 - major changes:179
Administrator experience:180
* Add support to kadmin for remote extraction of current keys without181
changing them (requires a special kadmin permission that is excluded182
from the wildcard permission), with the exception of highly183
protected keys.184
* Add a lockdown_keys principal attribute to prevent retrieval of the185
principal's keys (old or new) via the kadmin protocol. In newly186
created databases, this attribute is set on the krbtgt and kadmin187
principals.188
* Restore recursive dump capability for DB2 back end, so sites can189
more easily recover from database corruption resulting from power190
failure events.191
* Add DNS auto-discovery of KDC and kpasswd servers from URI records,192
in addition to SRV records. URI records can convey TCP and UDP193
servers and master KDC status in a single DNS lookup, and can also194
point to HTTPS proxy servers.195
* Add support for password history to the LDAP back end.196
* Add support for principal renaming to the LDAP back end.197
* Use the getrandom system call on supported Linux kernels to avoid198
blocking problems when getting entropy from the operating system.199
* In the PKINIT client, use the correct DigestInfo encoding for PKCS200
#1 signatures, so that some especially strict smart cards will work.201
Code quality:202
* Clean up numerous compilation warnings.203
* Remove various infrequently built modules, including some preauth204
modules that were not built by default.205
Developer experience:206
* Add support for building with OpenSSL 1.1.207
* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of208
authenticators in the replay cache. This helps sites that must209
build with FIPS 140 conformant libraries that lack MD5.210
Protocol evolution:211
* Add support for the AES-SHA2 enctypes, which allows sites to conform212
to Suite B crypto requirements.213
214
- Upgrade from 1.14.3 to 1.14.4 - major changes:215
* Fix some rare btree data corruption bugs216
* Fix numerous minor memory leaks217
* Improve portability (Linux-ppc64el, FreeBSD)218
* Improve some error messages219
* Improve documentation220
221
-------------------------------------------------------------------222
Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com223
224
- Upgrade from 1.14.2 to 1.14.3:225
* Improve some error messages226
* Improve documentation227
* Allow a principal with nonexistent policy to bypass the minimum228
password lifetime check, consistent with other aspects of229
nonexistent policies230
* Fix a rare KDC denial of service vulnerability when anonymous client231
principals are restricted to obtaining TGTs only [CVE-2016-3120]232
233
------------------------------------------------------------------234
Tue May 10 12:41:14 UTC 2016 - hguo@suse.com235
236
- Remove source file ccapi/common/win/OldCC/autolock.hxx237
that is not needed and does not carry an acceptable license.238
(bsc#968111)239
240
-------------------------------------------------------------------241
Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com242
243
- removed obsolete patches:244
* 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch245
* krb5-mechglue_inqure_attrs.patch246
- Upgrade from 1.14.1 to 1.14.2:247
* Fix a moderate-severity vulnerability in the LDAP KDC back end that248
could be exploited by a privileged kadmin user [CVE-2016-3119]249
* Improve documentation250
* Fix some interactions with GSSAPI interposer mechanisms251
252
-------------------------------------------------------------------253
Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com254
255
- Upgrade from 1.14 to 1.14.1:256
* Remove expired patches:257
0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch258
0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch259
0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch260
krbdev.mit.edu-8301.patch261
* Replace source archives:262
krb5-1.14.tar.gz ->263
krb5-1.14.1.tar.gz264
krb5-1.14.tar.gz.asc ->265
krb5-1.14.1.tar.gz.asc266
* Adjust line numbers in:267
krb5-fix_interposer.patch268
269
-------------------------------------------------------------------270
Thu Feb 11 15:07:26 UTC 2016 - hguo@suse.com271
272
- Remove krb5 pieces from spec file.273
Hence remove pre_checkin.sh274
- Remove expired macros and other minor clena-ups in spec file.275
- Change package description to explain what "mini" means.276
277
-------------------------------------------------------------------278
Mon Jan 11 12:33:54 UTC 2016 - idonmez@suse.com279
280
- Add two patches from Fedora, fixing two crashes:281
* krb5-fix_interposer.patch282
* krb5-mechglue_inqure_attrs.patch283
284
-------------------------------------------------------------------285
Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com286
287
- Update to 1.14288
- dropped krb5-kvno-230379.patch289
- added krbdev.mit.edu-8301.patch fixing wrong function call290
291
Major changes in 1.14 (2015-11-20)292
==================================293
294
Administrator experience:295
296
* Add a new kdb5_util tabdump command to provide reporting-friendly297
tabular dump formats (tab-separated or CSV) for the KDC database.298
Unlike the normal dump format, each output table has a fixed number299
of fields. Some tables include human-readable forms of data that300
are opaque in ordinary dump files. This format is also suitable for301
importing into relational databases for complex queries.302
* Add support to kadmin and kadmin.local for specifying a single303
command line following any global options, where the command304
arguments are split by the shell--for example, "kadmin getprinc305
principalname". Commands issued this way do not prompt for306
confirmation or display warning messages, and exit with non-zero307
status if the operation fails.308
* Accept the same principal flag names in kadmin as we do for the309
default_principal_flags kdc.conf variable, and vice versa. Also310
accept flag specifiers in the form that kadmin prints, as well as311
hexadecimal numbers.312
* Remove the triple-DES and RC4 encryption types from the default313
value of supported_enctypes, which determines the default key and314
salt types for new password-derived keys. By default, keys will315
only created only for AES128 and AES256. This mitigates some types316
of password guessing attacks.317
* Add support for directory names in the KRB5_CONFIG and318
KRB5_KDC_PROFILE environment variables.319
* Add support for authentication indicators, which are ticket320
annotations to indicate the strength of the initial authentication.321
Add support for the "require_auth" string attribute, which can be322
set on server principal entries to require an indicator when323
authenticating to the server.324
* Add support for key version numbers larger than 255 in keytab files,325
and for version numbers up to 65535 in KDC databases.326
* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC327
during pre-authentication, corresponding to the client's most328
preferred encryption type.329
* Add support for server name identification (SNI) when proxying KDC330
requests over HTTPS.331
* Add support for the err_fmt profile parameter, which can be used to332
generate custom-formatted error messages.333
334
Code quality:335
336
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that337
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]338
[CVE-2015-2698]339
* Fix build_principal memory bug that could cause a KDC340
crash. [CVE-2015-2697]341
342
Developer experience:343
344
* Change gss_acquire_cred_with_password() to acquire credentials into345
a private memory credential cache. Applications can use346
gss_store_cred() to make the resulting credentials visible to other347
processes.348
* Change gss_acquire_cred() and SPNEGO not to acquire credentials for349
IAKERB or for non-standard variants of the krb5 mechanism OID unless350
explicitly requested. (SPNEGO will still accept the Microsoft351
variant of the krb5 mechanism OID during negotiation.)352
* Change gss_accept_sec_context() not to accept tokens for IAKERB or353
for non-standard variants of the krb5 mechanism OID unless an354
acceptor credential is acquired for those mechanisms.355
* Change gss_acquire_cred() to immediately resolve credentials if the356
time_rec parameter is not NULL, so that a correct expiration time357
can be returned. Normally credential resolution is delayed until358
the target name is known.359
* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,360
which can be used by plugin modules or applications to add prefixes361
to existing detailed error messages.362
* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which363
implement the RFC 6113 PRF+ operation and key derivation using PRF+.364
* Add support for pre-authentication mechanisms which use multiple365
round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error366
code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth367
interface; these callbacks can be used to save marshalled state368
information in an encrypted cookie for the next request.369
* Add a client_key() callback to the kdcpreauth interface to retrieve370
the chosen client key, corresponding to the ETYPE-INFO2 entry sent371
by the KDC.372
* Add an add_auth_indicator() callback to the kdcpreauth interface,373
allowing pre-authentication modules to assert authentication374
indicators.375
* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to376
suppress sending the confidentiality and integrity flags in GSS377
initiator tokens unless they are requested by the caller. These378
flags control the negotiated SASL security layer for the Microsoft379
GSS-SPNEGO SASL mechanism.380
* Make the FILE credential cache implementation less prone to381
corruption issues in multi-threaded programs, especially on382
platforms with support for open file description locks.383
384
Performance:385
386
* On slave KDCs, poll the master KDC immediately after processing a387
full resync, and do not require two full resyncs after the master388
KDC's log file is reset.389
390
User experience:391
392
* Make gss_accept_sec_context() accept tickets near their expiration393
but within clock skew tolerances, rather than rejecting them394
immediately after the server's view of the ticket expiration time.395
396
-------------------------------------------------------------------397
Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com398
399
- Update to 1.13.3400
- removed patches for security fixes now in upstream source:401
0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch402
0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch403
0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch404
0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch405
406
Major changes in 1.13.3 (2015-12-04)407
====================================408
409
This is a bug fix release. The krb5-1.13 release series is in410
maintenance, and for new deployments, installers should prefer the411
krb5-1.14 release series or later.412
413
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that414
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]415
[CVE-2015-2698]416
* Fix build_principal memory bug that could cause a KDC417
crash. [CVE-2015-2697]418
* Allow an iprop slave to receive full resyncs from KDCs running419
krb5-1.10 or earlier.420
421
-------------------------------------------------------------------422
Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com423
424
- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch425
to fix a memory corruption regression introduced by resolution of426
CVE-2015-2698. bsc#954204427
428
-------------------------------------------------------------------429
Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com430
431
- Make kadmin.local man page available without having to install krb5-client. bsc#948011432
- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch433
to fix build_principal memory bug [CVE-2015-2697] bsc#952190434
- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch435
to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189436
- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch437
to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188438
439
-------------------------------------------------------------------440
Mon Jun 1 07:31:52 UTC 2015 - hguo@suse.com441
442
- Let server depend on libev (module of libverto). This was the443
preferred implementation before the seperation of libverto from krb.444
445
-------------------------------------------------------------------446
Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org447
448
- Drop libverto and libverto-libev Requires from the -server449
package: those package names don't exist and the shared libs450
are pulled in automatically.451
452
-------------------------------------------------------------------453
Wed May 27 10:59:13 UTC 2015 - dimstar@opensuse.org454
455
- Unconditionally buildrequire libverto-devel: krb5-mini also456
depends on it.457
458
-------------------------------------------------------------------459
Fri May 22 09:27:11 UTC 2015 - meissner@suse.com460
461
- pre_checkin.sh aligned changes between krb5/krb5-mini462
- added krb5.keyring463
464
-------------------------------------------------------------------465
Tue May 12 07:48:18 UTC 2015 - michael@stroeder.com466
467
- update to krb5 1.13.2468
469
- DES transition470
==============471
472
The Data Encryption Standard (DES) is widely recognized as weak. The473
krb5-1.7 release contains measures to encourage sites to migrate away474
- From using single-DES cryptosystems. Among these is a configuration475
variable that enables "weak" enctypes, which defaults to "false"476
beginning with krb5-1.8.477
478
479
Major changes in 1.13.2 (2015-05-08)480
====================================481
482
This is a bug fix release.483
484
* Fix a minor vulnerability in krb5_read_message, which is primarily485
used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]486
487
* Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.488
[CVE-2015-2694]489
490
* Fix some issues with the LDAP KDC database back end.491
492
* Fix an iteration-related memory leak in the DB2 KDC database back493
end.494
495
* Fix issues with some less-used kadm5.acl functionality.496
497
* Improve documentation.498
499
-------------------------------------------------------------------500
Thu Apr 23 14:13:03 UTC 2015 - hguo@suse.com501
502
- Use externally built libverto503
504
-------------------------------------------------------------------505
Wed Feb 18 11:48:46 UTC 2015 - michael@stroeder.com506
507
- update to krb5 1.13.1508
509
Major changes in 1.13.1 (2015-02-11)510
====================================511
512
This is a bug fix release.513
514
* Fix multiple vulnerabilities in the LDAP KDC back end.515
[CVE-2014-5354] [CVE-2014-5353]516
517
* Fix multiple kadmind vulnerabilities, some of which are based in the518
gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421519
CVE-2014-9422 CVE-2014-9423]520
521
-------------------------------------------------------------------522
Tue Jan 6 07:12:29 UTC 2015 - mlin@suse.com523
524
- Update to krb5 1.13525
* Add support for accessing KDCs via an HTTPS proxy server using the526
MS-KKDCP protocol.527
* Add support for hierarchical incremental propagation, where slaves528
can act as intermediates between an upstream master and other downstream529
slaves.530
* Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf531
files in addition to /etc/gss/mech.532
* Add support to the LDAP KDB module for binding to the LDAP server using533
SASL.534
* The KDC listens for TCP connections by default.535
* Fix a minor key disclosure vulnerability where using the "keepold" option536
to the kadmin randkey operation could return the old keys. [CVE-2014-5351]537
* Add client support for the Kerberos Cache Manager protocol. If the host538
is running a Heimdal kcm daemon, caches served by the daemon can be539
accessed with the KCM: cache type.540
* When built on OS X 10.7 and higher, use "KCM:" as the default cache type,541
unless overridden by command-line options or krb5-config values.542
* Add support for doing unlocked database dumps for the DB2 KDC back end,543
which would allow the KDC and kadmind to continue accessing the database544
during lengthy database dumps.545
- Removed patches, useless or upstreamed546
* krb5-1.9-kprop-mktemp.patch547
* krb5-1.10-ksu-access.patch548
* krb5-1.12-doxygen.patch549
* bnc#897874-CVE-2014-5351.diff550
* krb5-1.13-work-around-replay-cache-creation-race.patch551
* krb5-1.10-kpasswd_tcp.patch552
- Refreshed patches553
* krb5-1.12-pam.patch554
* krb5-1.12-selinux-label.patch555
* krb5-1.7-doublelog.patch556
557
-------------------------------------------------------------------558
Thu Sep 25 12:48:32 UTC 2014 - ddiss@suse.com559
560
- Work around replay cache creation race; (bnc#898439).561
krb5-1.13-work-around-replay-cache-creation-race.patch562
563
-------------------------------------------------------------------564
Tue Sep 23 13:25:33 UTC 2014 - varkoly@suse.com565
566
- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal 567
- added patches:568
* bnc#897874-CVE-2014-5351.diff569
-------------------------------------------------------------------570
Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de571
572
- krb5 5.12.2:573
* Work around a gcc optimizer bug that could cause DB2 KDC574
database operations to spin in an infinite loop575
* Fix a backward compatibility problem with the LDAP KDB schema576
that could prevent krb5-1.11 and later from decoding entries577
created by krb5-1.6.578
* Avoid an infinite loop under some circumstances when the GSS579
mechglue loads a dynamic mechanism.580
* Fix krb5kdc argument parsing so "-w" and "-r" options work581
togetherreliably.582
- Vulnerability fixes previously fixed in package via patches:583
* Handle certain invalid RFC 1964 GSS tokens correctly to avoid584
invalid memory reference vulnerabilities. [CVE-2014-4341585
CVE-2014-4342]586
* Fix memory management vulnerabilities in GSSAPI SPNEGO.587
[CVE-2014-4343 CVE-2014-4344]588
* Fix buffer overflow vulnerability in LDAP KDB back end.589
[CVE-2014-4345]590
- updated patches:591
* krb5-1.7-doublelog.patch for context change592
* krb5-1.6.3-ktutil-manpage.dif, same593
- removed patches, in upstream:594
* krb5-master-keyring-kdcsync.patch595
* krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch596
* krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch597
* krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch598
* krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch599
- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch600
from upstream601
602
-------------------------------------------------------------------603
Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com604
605
- buffer overrun in kadmind with LDAP backend606
CVE-2014-4345 (bnc#891082)607
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch 608
609
-------------------------------------------------------------------610
Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com611
612
- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)613
krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch614
Fix null deref in SPNEGO acceptor [CVE-2014-4344]615
krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch616
617
-------------------------------------------------------------------618
Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com619
620
- Do not depend of insserv if systemd is used 621
622
-------------------------------------------------------------------623
Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com624
625
- denial of service flaws when handling RFC 1964 tokens (bnc#886016)626
krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch627
- start krb5kdc after slapd (bnc#886102)628
629
-------------------------------------------------------------------630
Fri Jun 6 11:08:08 UTC 2014 - ckornacker@suse.com631
632
- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)633
similar functionality is provided by krb5-plugin-preauth-pkinit634
635
-------------------------------------------------------------------636
Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com637
638
- don't deliver SysV init files to systemd distributions639
640
-------------------------------------------------------------------641
Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com642
643
- update to version 1.12.1644
* Make KDC log service principal names more consistently during645
some error conditions, instead of "<unknown server>"646
* Fix several bugs related to building AES-NI support on less647
common configurations648
* Fix several bugs related to keyring credential caches649
- upstream obsoletes:650
krb5-1.12-copy_context.patch651
krb5-1.12-enable-NX.patch652
krb5-1.12-pic-aes-ni.patch653
krb5-master-no-malloc0.patch654
krb5-master-ignore-empty-unnecessary-final-token.patch655
krb5-master-gss_oid_leak.patch656
krb5-master-keytab_close.patch657
krb5-master-spnego_error_messages.patch658
- Fix Get time offsets for all keyring ccaches659
krb5-master-keyring-kdcsync.patch (RT#7820)660
661
-------------------------------------------------------------------662
Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com663
664
- update to version 1.12665
* Add GSSAPI extensions for constructing MIC tokens using IOV lists666
* Add a FAST OTP preauthentication module for the KDC which uses667
RADIUS to validate OTP token values.668
* The AES-based encryption types will use AES-NI instructions669
when possible for improved performance.670
- revert dependency on libcom_err-mini-devel since it's not yet671
available672
- update and rebase patches673
* krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch674
* krb5-1.11-pam.patch -> krb5-1.12-pam.patch675
* krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch676
* krb5-1.8-api.patch -> krb5-1.12-api.patch677
* krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch678
* krb5-1.9-debuginfo.patch679
* krb5-1.9-kprop-mktemp.patch680
* krb5-kvno-230379.patch681
- added upstream patches682
- Fix krb5_copy_context683
* krb5-1.12-copy_context.patch684
- Mark AESNI files as not needing executable stacks685
* krb5-1.12-enable-NX.patch686
* krb5-1.12-pic-aes-ni.patch687
- Fix memory leak in SPNEGO initiator688
* krb5-master-gss_oid_leak.patch689
- Fix SPNEGO one-hop interop against old IIS690
* krb5-master-ignore-empty-unnecessary-final-token.patch691
- Fix GSS krb5 acceptor acquire_cred error handling 692
* krb5-master-keytab_close.patch693
- Avoid malloc(0) in SPNEGO get_input_token694
* krb5-master-no-malloc0.patch695
- Test SPNEGO error message in t_s4u.py696
* krb5-master-spnego_error_messages.patch697
698
-------------------------------------------------------------------699
Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com700
701
- Reduce build dependencies for krb5-mini by removing702
doxygen and changing libcom_err-devel to703
libcom_err-mini-devel704
- Small fix to pre_checkin.sh so krb5-mini.spec is correct.705
706
-------------------------------------------------------------------707
Fri Nov 15 13:33:53 UTC 2013 - ckornacker@suse.com708
709
- update to version 1.11.4710
- Fix a KDC null pointer dereference [CVE-2013-1417] that could711
affect realms with an uncommon configuration.712
- Fix a KDC null pointer dereference [CVE-2013-1418] that could713
affect KDCs that serve multiple realms.714
- Fix a number of bugs related to KDC master key rollover.715
716
-------------------------------------------------------------------717
Mon Jun 24 16:21:07 UTC 2013 - mc@suse.com718
719
- install and enable systemd service files also in -mini package720
721
-------------------------------------------------------------------722
Fri Jun 21 02:12:03 UTC 2013 - crrodriguez@opensuse.org723
724
- remove fstack-protector-all from CFLAGS, just use the 725
lighter/fast version already present in %optflags726
727
- Use LFS_CFLAGS to build in 32 bit archs.728
729
-------------------------------------------------------------------730
Sun Jun 9 14:14:48 UTC 2013 - mc@suse.com731
732
- update to version 1.11.3733
- Fix a UDP ping-pong vulnerability in the kpasswd734
(password changing) service. [CVE-2002-2443]735
- Improve interoperability with some Windows native PKINIT clients.736
- install translation files737
- remove outdated configure options738
739
-------------------------------------------------------------------740
Tue May 28 17:08:01 UTC 2013 - mc@suse.com741
742
- cleanup systemd files (remove syslog.target)743
744
-------------------------------------------------------------------745
Fri May 3 09:43:47 CEST 2013 - mc@suse.de746
747
- let krb5-mini conflict with all main packages748
749
-------------------------------------------------------------------750
Thu May 2 16:43:16 CEST 2013 - mc@suse.de751
752
- add conflicts between krb5-mini and krb5-server753
754
-------------------------------------------------------------------755
Sun Apr 28 17:14:36 CEST 2013 - mc@suse.de756
757
- update to version 1.11.2758
* Incremental propagation could erroneously act as if a slave's759
database were current after the slave received a full dump760
that failed to load.761
* gss_import_sec_context incorrectly set internal state that762
identifies whether an imported context is from an interposer763
mechanism or from the underlying mechanism. 764
- upstream fix obsolete krb5-lookup_etypes-leak.patch765
766
-------------------------------------------------------------------767
Thu Apr 4 15:10:19 CEST 2013 - mc@suse.de768
769
- add conflicts between krb5-mini-devel and krb5-devel770
771
-------------------------------------------------------------------772
Tue Apr 2 17:32:08 CEST 2013 - mc@suse.de773
774
- add conflicts between krb5-mini and krb5 and krb5-client775
776
-------------------------------------------------------------------777
Wed Mar 27 11:36:00 CET 2013 - mc@suse.de778
779
- enable selinux and set openssl as crypto implementation780
781
-------------------------------------------------------------------782
Fri Mar 22 10:34:55 CET 2013 - mc@suse.de783
784
- fix path to executables in service files785
(bnc#810926)786
787
-------------------------------------------------------------------788
Fri Mar 15 11:14:21 CET 2013 - mc@suse.de789
790
- update to version 1.11.1791
* Improve ASN.1 support code, making it table-driven for792
decoding as well as encoding793
* Refactor parts of KDC794
* Documentation consolidation795
* build docs in the main package796
* bugfixing797
- changes of patches:798
* bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif:799
upstream800
* bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif:801
upstream802
* krb5-1.10-gcc47.patch: upstream803
* krb5-1.10-selinux-label.patch replaced by804
krb5-1.11-selinux-label.patch805
* krb5-1.10-spin-loop.patch: upstream806
* krb5-1.3.5-perlfix.dif: the tool was removed from upstream807
* krb5-1.8-pam.patch replaced by808
krb5-1.11-pam.patch809
810
-------------------------------------------------------------------811
Wed Mar 6 12:01:32 CET 2013 - mc@suse.de812
813
- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()814
CVE-2012-1016 (bnc#807556)815
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif816
817
-------------------------------------------------------------------818
Mon Mar 4 11:23:10 CET 2013 - mc@suse.de819
820
- fix PKINIT null pointer deref821
CVE-2013-1415 (bnc#806715)822
bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif823
824
-------------------------------------------------------------------825
Fri Jan 25 15:29:37 CET 2013 - mc@suse.de826
827
- package missing file (bnc#794784)828
829
-------------------------------------------------------------------830
Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com831
832
- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc833
(bnc#793336)834
835
-------------------------------------------------------------------836
Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com837
838
- revert the -p usage in %postun to fix SLE build839
840
-------------------------------------------------------------------841
Tue Oct 16 12:05:00 UTC 2012 - coolo@suse.com842
843
- buildrequire systemd by pkgconfig provide to get systemd-mini844
845
-------------------------------------------------------------------846
Sat Oct 13 16:50:59 UTC 2012 - coolo@suse.com847
848
- do not require systemd in krb5-mini849
850
-------------------------------------------------------------------851
Fri Oct 5 15:50:38 CEST 2012 - mc@suse.de852
853
- add systemd service files for kadmind, krb5kdc and kpropd854
- add sysconfig templates for kadmind and krb5kdc855
856
-------------------------------------------------------------------857
Wed Jun 13 08:40:56 UTC 2012 - coolo@suse.com858
859
- fix %files section for krb5-mini860
861
-------------------------------------------------------------------862
Thu Jun 7 11:39:18 UTC 2012 - mc@suse.de863
864
- fix gcc47 issues865
866
-------------------------------------------------------------------867
Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de868
869
- update to version 1.10.2870
obsolte patches:871
* krb5-1.7-nodeplibs.patch872
* krb5-1.9.1-ai_addrconfig.patch873
* krb5-1.9.1-ai_addrconfig2.patch874
* krb5-1.9.1-sendto_poll.patch875
* krb5-1.9-canonicalize-fallback.patch876
* krb5-1.9-paren.patch877
* krb5-klist_s.patch878
* krb5-pkinit-cms2.patch879
* krb5-trunk-chpw-err.patch880
* krb5-trunk-gss_delete_sec.patch881
* krb5-trunk-kadmin-oldproto.patch882
* krb5-1.9-MITKRB5-SA-2011-006.dif883
* krb5-1.9-gss_display_status-iakerb.patch884
* krb5-1.9.1-sendto_poll2.patch885
* krb5-1.9.1-sendto_poll3.patch886
* krb5-1.9-MITKRB5-SA-2011-007.dif887
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain888
Controllers.889
- Update a workaround for a glibc bug that would cause DNS PTR queries890
to occur even when rdns = false.891
- Fix a kadmind denial of service issue (null pointer dereference),892
which could only be triggered by an administrator with the "create"893
privilege. [CVE-2012-1013]894
- Fix access controls for KDB string attributes [CVE-2012-1012]895
- Make the ASN.1 encoding of key version numbers interoperate with896
Windows Read-Only Domain Controllers897
- Avoid generating spurious password expiry warnings in cases where898
the KDC sends an account expiry time without a password expiry time899
- Make PKINIT work with FAST in the client library.900
- Add the DIR credential cache type, which can hold a collection of901
credential caches.902
- Enhance kinit, klist, and kdestroy to support credential cache903
collections if the cache type supports it.904
- Add the kswitch command, which changes the selected default cache905
within a collection.906
- Add heuristic support for choosing client credentials based on907
the service realm.908
- Add support for $HOME/.k5identity, which allows credential909
choice based on configured rules.910
911
-------------------------------------------------------------------912
Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de913
914
- add autoconf macro to devel subpackage915
916
-------------------------------------------------------------------917
Tue Jan 31 15:33:05 CET 2012 - meissner@suse.de918
919
- fix license in krb5-mini920
921
-------------------------------------------------------------------922
Tue Dec 20 20:57:26 UTC 2011 - coolo@suse.com923
924
- add autoconf as buildrequire to avoid implicit dependency925
926
-------------------------------------------------------------------927
Tue Dec 20 11:01:39 UTC 2011 - coolo@suse.com928
929
- remove call to suse_update_config, very old work around930
931
-------------------------------------------------------------------932
Mon Nov 21 11:24:12 CET 2011 - mc@suse.de933
934
- fix KDC null pointer dereference in TGS handling935
(MITKRB5-SA-2011-007, bnc#730393)936
CVE-2011-1530937
938
-------------------------------------------------------------------939
Mon Nov 21 11:11:54 CET 2011 - mc@suse.de940
941
- fix KDC HA feature introduced with implementing KDC poll942
(RT#6951, bnc#731648)943
944
-------------------------------------------------------------------945
Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de946
947
- fix minor error messages for the IAKERB GSSAPI mechanism948
(see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)949
950
-------------------------------------------------------------------951
Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de952
953
- fix kdc remote denial of service954
(MITKRB5-SA-2011-006, bnc#719393)955
CVE-2011-1527, CVE-2011-1528, CVE-2011-1529956
957
-------------------------------------------------------------------958
Tue Aug 23 13:52:03 CEST 2011 - mc@suse.de959
960
- use --without-pam to build krb5-mini961
962
-------------------------------------------------------------------963
Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com964
965
- add patches from Fedora and upstream 966
- fix init scripts (bnc#689006)967
968
-------------------------------------------------------------------969
Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com970
971
- update to version 1.9.1972
* obsolete patches:973
MITKRB5-SA-2010-007-1.8.dif974
krb5-1.8-MITKRB5-SA-2010-006.dif975
krb5-1.8-MITKRB5-SA-2011-001.dif976
krb5-1.8-MITKRB5-SA-2011-002.dif977
krb5-1.8-MITKRB5-SA-2011-003.dif978
krb5-1.8-MITKRB5-SA-2011-004.dif979
krb5-1.4.3-enospc.dif980
* replace krb5-1.6.1-compile_pie.dif981
-------------------------------------------------------------------982
Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de983
984
- fix kadmind invalid pointer free()985
(MITKRB5-SA-2011-004, bnc#687469)986
CVE-2011-0285987
988
-------------------------------------------------------------------989
Tue Mar 1 12:43:22 CET 2011 - mc@suse.de990
991
- Fix vulnerability to a double-free condition in KDC daemon992
(MITKRB5-SA-2011-003, bnc#671717)993
CVE-2011-0284994
995
-------------------------------------------------------------------996
Wed Jan 19 14:42:27 CET 2011 - mc@suse.de997
998
- Fix kpropd denial of service999
(MITKRB5-SA-2011-001, bnc#662665)1000
CVE-2010-40221001
- Fix KDC denial of service attacks with LDAP back end1002
(MITKRB5-SA-2011-002, bnc#663619)1003
CVE-2011-0281, CVE-2011-0282 1004
1005
-------------------------------------------------------------------1006
Wed Dec 1 11:44:15 CET 2010 - mc@suse.de1007
1008
- Fix multiple checksum handling vulnerabilities 1009
(MITKRB5-SA-2010-007, bnc#650650)1010
CVE-2010-13241011
* krb5 GSS-API applications may accept unkeyed checksums1012
* krb5 application services may accept unkeyed PAC checksums1013
* krb5 KDC may accept low-entropy KrbFastArmoredReq checksums1014
CVE-2010-13231015
* krb5 clients may accept unkeyed SAM-2 challenge checksums1016
* krb5 may accept KRB-SAFE checksums with low-entropy derived keys1017
CVE-2010-40201018
* krb5 may accept authdata checksums with low-entropy derived keys1019
CVE-2010-40211020
* krb5 KDC may issue unrequested tickets due to KrbFastReq forgery 1021
1022
-------------------------------------------------------------------1023
Thu Oct 28 12:53:13 CEST 2010 - mc@suse.de1024
1025
- fix csh profile (bnc#649856) 1026
1027
-------------------------------------------------------------------1028
Fri Oct 22 11:15:43 CEST 2010 - mc@suse.de1029
1030
- update to krb5-1.8.31031
* remove patches which are now upstrem1032
- krb5-1.7-MITKRB5-SA-2010-004.dif 1033
- krb5-1.8.1-gssapi-error-table.dif 1034
- krb5-MITKRB5-SA-2010-005.dif 1035
1036
-------------------------------------------------------------------1037
Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de1038
1039
- change environment variable PATH directly for csh1040
(bnc#642080)1041
1042
-------------------------------------------------------------------1043
Mon Sep 27 11:42:43 CEST 2010 - mc@suse.de1044
1045
- fix a dereference of an uninitialized pointer while processing1046
authorization data. 1047
CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)1048
1049
-------------------------------------------------------------------1050
Mon Jun 21 21:31:53 UTC 2010 - lchiquitto@novell.com1051
1052
- add correct error table when initializing gss-krb5 (bnc#606584,1053
bnc#608295)1054
1055
-------------------------------------------------------------------1056
Wed May 19 14:27:19 CEST 2010 - mc@suse.de1057
1058
- fix GSS-API library null pointer dereference1059
CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826) 1060
1061
-------------------------------------------------------------------1062
Wed Apr 14 11:36:32 CEST 2010 - mc@suse.de1063
1064
- fix a double free vulnerability in the KDC 1065
CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)1066
1067
-------------------------------------------------------------------1068
Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de1069
1070
- update to version 1.8.11071
* include krb5-1.8-POST.dif1072
* include MITKRB5-SA-2010-002 1073
1074
-------------------------------------------------------------------1075
Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de1076
1077
- update krb5-1.8-POST.dif 1078
1079
-------------------------------------------------------------------1080
Tue Mar 23 14:32:41 CET 2010 - mc@suse.de1081
1082
- fix a bug where an unauthenticated remote attacker could cause1083
a GSS-API application including the Kerberos administration1084
daemon (kadmind) to crash.1085
CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) 1086
1087
-------------------------------------------------------------------1088
Tue Mar 23 12:33:26 CET 2010 - mc@suse.de1089
1090
- add post 1.8 fixes1091
* Add IPv6 support to changepw.c1092
* fix two problems in kadm5_get_principal mask handling 1093
* Ignore improperly encoded signedpath AD elements1094
* handle NT_SRV_INST in service principal referrals1095
* dereference options while checking 1096
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT1097
* Fix the kpasswd fallback from the ccache principal name1098
* Document the ticket_lifetime libdefaults setting1099
* Change KRB5_AUTHDATA_SIGNTICKET from 142 to 5121100
1101
-------------------------------------------------------------------1102
Thu Mar 4 10:42:29 CET 2010 - mc@suse.de1103
1104
- update to version 1.81105
* Increase code quality 1106
* Move toward improved KDB interface1107
* Investigate and remedy repeatedly-reported performance 1108
bottlenecks.1109
* Reduce DNS dependence by implementing an interface that allows1110
client library to track whether a KDC supports service 1111
principal referrals.1112
* Disable DES by default 1113
* Account lockout for repeated login failures1114
* Bridge layer to allow Heimdal HDB modules to act as KDB 1115
backend modules1116
* FAST enhancements1117
* Microsoft Services for User (S4U) compatibility1118
* Anonymous PKINIT1119
- fix KDC denial of service1120
CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)1121
- fix KDC denial of service in cross-realm referral processing1122
CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)1123
- fix integer underflow in AES and RC4 decryption1124
CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)1125
- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl1126
1127
-------------------------------------------------------------------1128
Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de1129
1130
- add baselibs.conf as a source1131
1132
-------------------------------------------------------------------1133
Fri Nov 13 16:51:37 CET 2009 - mc@suse.de1134
1135
- enhance '$PATH' only if the directories are available1136
and not empty (bnc#544949)1137
1138
-------------------------------------------------------------------1139
Sun Jul 12 21:36:17 CEST 2009 - coolo@novell.com1140
1141
- readd lost baselibs.conf1142
1143
-------------------------------------------------------------------1144
Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de1145
1146
- update to final 1.7 release 1147
1148
-------------------------------------------------------------------1149
Wed May 13 11:30:42 CEST 2009 - mc@suse.de1150
1151
- update to version 1.7 Beta2 1152
* Incremental propagation support for the KDC database.1153
* Flexible Authentication Secure Tunneling (FAST), a preauthentiation1154
framework that can protect the AS exchange from dictionary attack.1155
* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which1156
allows a GSS application to request credential delegation only if1157
permitted by KDC policy.1158
* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --1159
various vulnerabilities in SPNEGO and ASN.1 code.1160
1161
-------------------------------------------------------------------1162
Mon Feb 16 13:04:26 CET 2009 - mc@suse.de1163
1164
- update to pre 1.7 version 1165
* Remove support for version 4 of the Kerberos protocol (krb4).1166
* New libdefaults configuration variable "allow_weak_crypto".1167
* Client library now follows client principal referrals, for1168
compatibility with Windows.1169
* KDC can issue realm referrals for service principals based on domain1170
names.1171
* Encryption algorithm negotiation (RFC 4537).1172
* In the replay cache, use a hash over the complete ciphertext to1173
avoid false-positive replay indications.1174
* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is1175
similar to the equivalent SSPI functionality.1176
* DCE RPC, including three-leg GSS context setup and unencapsulated1177
GSS tokens.1178
* NTLM recognition support in GSS-API, to facilitate dropping in an1179
NTLM implementation.1180
* KDC support for principal aliases, if the back end supports them.1181
* Microsoft set/change password (RFC 3244) protocol in kadmind.1182
* Master key rollover support.1183
1184
-------------------------------------------------------------------1185
Wed Jan 14 09:21:36 CET 2009 - olh@suse.de1186
1187
- obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit1188
1189
-------------------------------------------------------------------1190
Thu Dec 11 14:12:57 CET 2008 - mc@suse.de1191
1192
- do not query IPv6 addresses if no IPv6 address exists on this host1193
[bnc#449143] 1194
1195
-------------------------------------------------------------------1196
Wed Dec 10 12:34:56 CET 2008 - olh@suse.de1197
1198
- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade1199
(bnc#437293)1200
1201
-------------------------------------------------------------------1202
Thu Oct 30 12:34:56 CET 2008 - olh@suse.de1203
1204
- obsolete old -XXbit packages (bnc#437293)1205
1206
-------------------------------------------------------------------1207
Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de1208
1209
- in case we use ldap as database backend, ldap should be1210
started before krb5kdc 1211
1212
-------------------------------------------------------------------1213
Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de1214
1215
- add new fixes to post 1.6.3 patch1216
* fix mem leak in krb5_gss_accept_sec_context()1217
* keep minor_status1218
* kadm5_decrypt_key: A ktype of -1 is documented as meaning 1219
"to be ignored" 1220
* Reject socket fds > FD_SETSIZE1221
1222
-------------------------------------------------------------------1223
Fri Jul 25 12:13:24 CEST 2008 - mc@suse.de1224
1225
- add patches from SVN post 1.6.31226
* krb5_string_to_keysalts: Fix an infinite loop1227
* fix some mutex issues1228
* better recovery from corrupt rcache files1229
* some more small fixes1230
1231
-------------------------------------------------------------------1232
Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de1233
1234
- add case-insensitive.dif (FATE#300771)1235
- minor fixes for ktutil man page1236
- reduce rpmlint warnings 1237
1238
-------------------------------------------------------------------1239
Wed May 14 17:44:59 CEST 2008 - mc@suse.de1240
1241
- Fall back to TCP on kdc-unresolvable/unreachable errors.1242
- restore valid sequence number before generating requests1243
(fix changing passwords in mixed ipv4/ipv6 enviroments) 1244
1245
-------------------------------------------------------------------1246
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de1247
1248
- added baselibs.conf file to build xxbit packages1249
for multilib support1250
1251
-------------------------------------------------------------------1252
Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de1253
1254
- modify krb5-config to not output rpath and cflags in --libs 1255
(bnc#378270)1256
1257
-------------------------------------------------------------------1258
Fri Mar 14 11:27:55 CET 2008 - mc@suse.de1259
1260
- fix two security bugs:1261
* MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063)1262
fix double free [bnc#361373]1263
* MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)1264
Memory corruption while too many open file descriptors1265
[bnc#363151]1266
- change default config file. Comment out the examples. 1267
1268
-------------------------------------------------------------------1269
Fri Dec 14 10:48:52 CET 2007 - mc@suse.de1270
1271
- fix several security bugs:1272
* CVE-2007-5894 apparent uninit length1273
* CVE-2007-5902 integer overflow1274
* CVE-2007-5971 free of non-heap pointer and double-free1275
* CVE-2007-5972 double fclose()1276
[#346745, #346748, #346746, #346749, #346747]1277
1278
-------------------------------------------------------------------1279
Tue Dec 4 16:36:07 CET 2007 - mc@suse.de1280
1281
- improve GSSAPI error messages 1282
1283
-------------------------------------------------------------------1284
Tue Nov 6 13:53:17 CET 2007 - mc@suse.de1285
1286
- add coreutils to PreReq 1287
1288
-------------------------------------------------------------------1289
Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de1290
1291
- update to krb5 version 1.6.31292
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow1293
* fix CVE-2007-4000 modify_policy vulnerability1294
* Add PKINIT support1295
- remove patches which are upstream now1296
- enhance init scripts and xinetd profiles1297
1298
-------------------------------------------------------------------1299
Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de1300
1301
- update krb5-1.6.2-post.dif1302
* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that 1303
that the client library will not failover to the next KDC. 1304
[#310540]1305
1306
-------------------------------------------------------------------1307
Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de1308
1309
- update krb5-1.6.2-post.dif1310
* new -S sname option for kvno1311
* read_entropy_from_device on partial read will not fill buffer1312
* Bail out if encoded "ticket" doesn't decode correctly.1313
* patch for referrals loop 1314
1315
-------------------------------------------------------------------1316
Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de1317
1318
- fix a problem with the originally published patch1319
for MITKRB5-SA-2007-006 - CVE-2007-39991320
[#302377]1321
1322
-------------------------------------------------------------------1323
Wed Sep 5 12:18:21 CEST 2007 - mc@suse.de1324
1325
- fix execute arbitrary code1326
(MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)1327
[#302377]1328
1329
-------------------------------------------------------------------1330
Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de1331
1332
- add krb5-1.6.2-post.dif1333
* during the referrals loop, check to see if the1334
session key enctype of a returned credential for the final 1335
service is among the enctypes explicitly selected by the 1336
application, and retry with old_use_conf_ktypes if it is not. 1337
* If mkstemp() is available, the new ccache file gets created but 1338
the subsequent open(O_CREAT|O_EXCL) call fails because the file1339
was already created by mkstemp(). Apply patch from Apple to keep1340
the file descriptor open.1341
1342
-------------------------------------------------------------------1343
Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de1344
1345
- update to version 1.6.21346
- remove krb5-1.6.1-post.dif all fixes are included in this release 1347
1348
-------------------------------------------------------------------1349
Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de1350
1351
- change requires to libcom_err-devel1352
1353
-------------------------------------------------------------------1354
Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de1355
1356
- update krb5-1.6.1-post.dif1357
* fix leak in krb5_walk_realm_tree1358
* rd_req_decoded needs to deal with referral realms 1359
* fix buffer overflow in kadmind1360
(MITKRB5-SA-2007-005 - CVE-2007-2798)1361
[#278689]1362
* fix kadmind code execution bug1363
(MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)1364
[#271191]1365
1366
-------------------------------------------------------------------1367
Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de1368
1369
- fix unstripped-binary-or-object rpmlint warning 1370
1371
-------------------------------------------------------------------1372
Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de1373
1374
- fixing rpmlint warnings and errors:1375
* merged logrotate scripts kadmin and krb5kdc into a single file1376
krb5-server. 1377
* moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl1378
from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper.1379
adapted krb5.spec and README.ConvertHeimdalMIT accordingly.1380
* added surpression filter for1381
"devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so"1382
(see [#147912]).1383
* set default runlevel of init scripts in chkconfig line to 3 and1384
51385
1386
-------------------------------------------------------------------1387
Wed May 9 15:30:53 CEST 2007 - mc@suse.de1388
1389
- fix uninitialized salt length 1390
- add extra check for keytab file1391
1392
-------------------------------------------------------------------1393
Thu May 3 12:11:29 CEST 2007 - mc@suse.de1394
1395
- adding krb5-1.6.1-post.dif1396
* fix segfault in krb5_get_init_creds_password 1397
* remove debug output in ftp client1398
* profile stores empty string values without double quotes1399
1400
-------------------------------------------------------------------1401
Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de1402
1403
- update to final 1.6.1 version 1404
1405
-------------------------------------------------------------------1406
Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de1407
1408
- add plugin directories to main package 1409
1410
-------------------------------------------------------------------1411
Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de1412
1413
- update to version 1.6.1 Beta11414
- remove obsolete patches 1415
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)1416
- rework compile_pie patch1417
1418
-------------------------------------------------------------------1419
Wed Apr 11 10:58:09 CEST 2007 - mc@suse.de1420
1421
- update krb5-1.6-post.dif1422
* fix kadmind stack overflow in krb5_klog_syslog1423
(MITKRB5-SA-2007-002 - CVE-2007-0957)1424
[#253548]1425
* fix double free attack in the RPC library1426
(MITKRB5-SA-2007-003 - CVE-2007-1216)1427
[#252487]1428
* fix krb5 telnetd login injection1429
(MIT-SA-2007-001 - CVE-2007-0956)1430
#2477651431
1432
-------------------------------------------------------------------1433
Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de1434
1435
- add ncurses-devel and bison to BuildRequires1436
- rework some patches1437
1438
-------------------------------------------------------------------1439
Mon Mar 5 11:01:20 CET 2007 - mc@suse.de1440
1441
- move SuSEFirewall service definitions to 1442
/etc/sysconfig/SuSEfirewall2.d/services 1443
1444
-------------------------------------------------------------------1445
Thu Feb 22 11:13:48 CET 2007 - mc@suse.de1446
1447
- add firewall definition to krb5-server, FATE #3006871448
1449
-------------------------------------------------------------------1450
Mon Feb 19 13:59:43 CET 2007 - mc@suse.de1451
1452
- update krb5-1.6-post.dif1453
- move some applications into the right package 1454
1455
-------------------------------------------------------------------1456
Fri Feb 9 13:31:22 CET 2007 - mc@suse.de1457
1458
- update krb5-1.6-post.dif 1459
1460
-------------------------------------------------------------------1461
Mon Jan 29 11:27:23 CET 2007 - mc@suse.de1462
1463
- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif1464
are now upstream. Remove patches.1465
- fix leak in krb5_kt_resolve and krb5_kt_wresolve1466
1467
-------------------------------------------------------------------1468
Tue Jan 23 17:21:12 CET 2007 - mc@suse.de1469
1470
- fix "local variable used before set" in ftp.c1471
[#237684]1472
1473
-------------------------------------------------------------------1474
Mon Jan 22 16:39:27 CET 2007 - mc@suse.de1475
1476
- krb5-devel should require keyutils-devel 1477
1478
-------------------------------------------------------------------1479
Mon Jan 22 12:19:49 CET 2007 - mc@suse.de1480
1481
- update to version 1.61482
* Major changes in 1.6 include 1483
* Partial client implementation to handle server name referrals. 1484
* Pre-authentication plug-in framework, donated by Red Hat. 1485
* LDAP KDB plug-in, donated by Novell. 1486
- remove obsolete patches1487
1488
-------------------------------------------------------------------1489
Wed Jan 10 11:16:30 CET 2007 - mc@suse.de1490
1491
- fix for1492
kadmind (via RPC library) calls uninitialized function pointer1493
(CVE-2006-6143)(Bug #225990)1494
krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif1495
- fix for1496
kadmind (via GSS-API mechglue) frees uninitialized pointers1497
(CVE-2006-6144)(Bug #225992)1498
krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif1499
1500
-------------------------------------------------------------------1501
Tue Jan 2 14:53:33 CET 2007 - mc@suse.de1502
1503
- Fix Requires in krb5-devel 1504
[Bug #231008]1505
1506
-------------------------------------------------------------------1507
Mon Nov 6 11:49:39 CET 2006 - mc@suse.de1508
1509
- fix "local variable used before set" [#217692]1510
- fix strncat warning 1511
1512
-------------------------------------------------------------------1513
Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de1514
1515
- add a default kadm5.dict file1516
- require $network on daemon start1517
1518
-------------------------------------------------------------------1519
Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de1520
1521
- fix function call with too few arguments [#203837] 1522
1523
-------------------------------------------------------------------1524
Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de1525
1526
- update to version 1.5.11527
- remove obsolete patches which are now included upstream1528
* krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif1529
* trunk-fix-uninitialized-vars.dif 1530
1531
-------------------------------------------------------------------1532
Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de1533
1534
- krb5 setuid return check fixes1535
krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif1536
[#182351]1537
1538
-------------------------------------------------------------------1539
Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de1540
1541
- remove update-messages 1542
1543
-------------------------------------------------------------------1544
Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de1545
1546
- add check for krb5_prop in services to kpropd init script.1547
[#192446]1548
1549
-------------------------------------------------------------------1550
Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de1551
1552
- update to version 1.51553
* KDB abstraction layer, donated by Novell. 1554
* plug-in architecture, allowing for extension modules to be 1555
loaded at run-time. 1556
* multi-mechanism GSS-API implementation ("mechglue"), 1557
donated by Sun Microsystems 1558
* Simple and Protected GSS-API negotiation mechanism ("SPNEGO") 1559
implementation, donated by Sun Microsystems 1560
- remove obsolete patches and add some new1561
1562
-------------------------------------------------------------------1563
Fri May 26 14:50:00 CEST 2006 - ro@suse.de1564
1565
- libcom is not in e2fsck-devel but in its own package now, change1566
Requires accordingly.1567
1568
-------------------------------------------------------------------1569
Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de1570
1571
- add all daemons to %stop_on_removal and %restart_on_update1572
- add reload to kpropd init script1573
- add force-reload to all init scripts 1574
1575
-------------------------------------------------------------------1576
Mon Mar 13 18:20:36 CET 2006 - mc@suse.de1577
1578
- add libgssapi_krb5.so link to main package [#147912] 1579
1580
-------------------------------------------------------------------1581
Fri Feb 3 18:17:01 CET 2006 - mc@suse.de1582
1583
- fix logging section for kadmind in convert script 1584
1585
-------------------------------------------------------------------1586
Wed Jan 25 21:30:24 CET 2006 - mls@suse.de1587
1588
- converted neededforbuild to BuildRequires1589
1590
-------------------------------------------------------------------1591
Fri Jan 13 14:44:24 CET 2006 - mc@suse.de1592
1593
- change the logging defaults 1594
1595
-------------------------------------------------------------------1596
Wed Jan 11 12:59:08 CET 2006 - mc@suse.de1597
1598
- add tools and README for heimdal => MIT update 1599
1600
-------------------------------------------------------------------1601
Mon Jan 9 14:41:07 CET 2006 - mc@suse.de1602
1603
- fix build problems, define _GNU_SOURCE1604
(krb5-1.4.3-set_gnu_source.dif )1605
1606
-------------------------------------------------------------------1607
Tue Jan 3 16:00:13 CET 2006 - mc@suse.de1608
1609
- added "make %{?jobs:-j%jobs}" 1610
1611
-------------------------------------------------------------------1612
Fri Nov 18 12:12:01 CET 2005 - mc@suse.de1613
1614
- update to version 1.4.31615
* some memmory leaks fixed1616
* fix for "AS_REP padata has wrong enctype"1617
* fix for "AS_REP padata missing PA-ETYPE-INFO"1618
* ... and more 1619
1620
-------------------------------------------------------------------1621
Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de1622
1623
- don't build as root 1624
1625
-------------------------------------------------------------------1626
Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de1627
1628
- update to version 1.4.21629
- remove some obsolet patches 1630
1631
-------------------------------------------------------------------1632
Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de1633
1634
- build with --disable-static 1635
1636
-------------------------------------------------------------------1637
Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de1638
1639
- remove devel-static subpackage 1640
1641
-------------------------------------------------------------------1642
Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de1643
1644
- better patch for princ_comp problem 1645
1646
-------------------------------------------------------------------1647
Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de1648
1649
- update to version 1.4.11650
- remove obsolet patches1651
- krb5-1.4-gcc4.dif1652
- krb5-1.4-reduce-namespace-polution.dif1653
- krb5-1.4-VUL-0-telnet.dif1654
1655
-------------------------------------------------------------------1656
Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de1657
1658
- fixed krb5 KDC heap corruption by random free1659
[#80574, CAN-2005-1174, MITKRB5-SA-2005-002]1660
- fixed krb5 double free()1661
[#86768, CAN-2005-1689, MITKRB5-SA-2005-003]1662
- fix krb5 NULL pointer reference while comparing principals1663
[#91600] 1664
1665
-------------------------------------------------------------------1666
Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de1667
1668
- fix uninitialized variables 1669
- compile with -fPIE/ link with -pie1670
1671
-------------------------------------------------------------------1672
Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de1673
1674
- fixed wrong xinetd files [#77149] 1675
1676
-------------------------------------------------------------------1677
Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de1678
1679
- removed krb5-1.4-fix-error_tables.dif patch obsoleted1680
by libcom_err locking patches1681
1682
-------------------------------------------------------------------1683
Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de1684
1685
- fixed missing descriptions in init files 1686
[#76164, #76165, #76166, #76169] 1687
1688
-------------------------------------------------------------------1689
Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de1690
1691
- enhance $PATH via /etc/profile.d/ [#74018]1692
- remove the "links to important programs" 1693
1694
-------------------------------------------------------------------1695
Fri Mar 18 11:09:43 CET 2005 - mc@suse.de1696
1697
- fixed not running converter script [#72854] 1698
1699
-------------------------------------------------------------------1700
Thu Mar 17 14:15:17 CET 2005 - mc@suse.de1701
1702
- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer 1703
Overflow1704
- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer 1705
Overflow1706
[#73618]1707
1708
-------------------------------------------------------------------1709
Wed Mar 16 13:10:18 CET 2005 - mc@suse.de1710
1711
- fixed wrong PreReqs [#73020]1712
1713
-------------------------------------------------------------------1714
Tue Mar 15 19:54:58 CET 2005 - mc@suse.de1715
1716
- add a simple krb5.conf converter [#72854]1717
1718
-------------------------------------------------------------------1719
Mon Mar 14 17:08:59 CET 2005 - mc@suse.de1720
1721
- fixed: rckrb5kdc restart gives wrong status with non-running service1722
[#72446] 1723
1724
-------------------------------------------------------------------1725
Thu Mar 10 10:48:07 CET 2005 - mc@suse.de1726
1727
- add requires: e2fsprogs-devel to krb5-devel package [#71732] 1728
1729
-------------------------------------------------------------------1730
Fri Feb 25 17:35:37 CET 2005 - mc@suse.de1731
1732
- fix double free [#66534]1733
krb5-1.4-fix-error_tables.dif 1734
1735
-------------------------------------------------------------------1736
Fri Feb 11 14:01:32 CET 2005 - mc@suse.de1737
1738
- change mode for shared libraries to 755 1739
1740
-------------------------------------------------------------------1741
Fri Feb 4 16:48:16 CET 2005 - mc@suse.de1742
1743
- remove spx.c from tarball because of legal risk1744
- add README.Source which tell the user about this 1745
action.1746
- add a check for spx.c in the spec-file1747
- use rich-text for update-messages [#50250] 1748
1749
-------------------------------------------------------------------1750
Tue Feb 1 12:13:45 CET 2005 - mc@suse.de1751
1752
- add krb5-1.4-reduce-namespace-polution.dif1753
reduce namespace polution in gssapi.h [#50356] 1754
1755
-------------------------------------------------------------------1756
Fri Jan 28 13:25:42 CET 2005 - mc@suse.de1757
1758
- update to version 1.41759
- Add implementation of the RPCSEC_GSS authentication flavor to the1760
RPC library.1761
- Thread safety for krb5 libraries.1762
- Merged Athena telnetd changes for creating a new option for1763
requiring encryption.1764
- The kadmind4 backwards-compatibility admin server and the v5passwdd1765
backwards-compatibility password-changing server have been removed.1766
- Yarrow code now uses AES.1767
- Merged Athena changes to allow ftpd to require encrypted passwords.1768
- Incorporate gss_krb5_set_allowable_enctypes() and1769
gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.1770
- remove obsolet patches1771
1772
-------------------------------------------------------------------1773
Mon Jan 17 11:34:52 CET 2005 - mc@suse.de1774
1775
- add proofreaded update-messages 1776
1777
-------------------------------------------------------------------1778
Fri Jan 14 14:38:25 CET 2005 - mc@suse.de1779
1780
- remove Conflicts: and add Provides: 1781
- add some insserv stuff 1782
1783
-------------------------------------------------------------------1784
Thu Jan 13 11:54:01 CET 2005 - mc@suse.de1785
1786
- move vendor files to vendor-files.tar.bz21787
- add obsoletes: heimdal1788
- add %pre and %post sections to detect update1789
from heimdal and backup invalid configuration files1790
- add update-messages for heimdal update1791
1792
-------------------------------------------------------------------1793
Mon Jan 10 12:18:02 CET 2005 - mc@suse.de1794
1795
- update to version 1.3.61796
- fix for: heap buffer overflow in libkadm5srv 1797
[CAN-2004-1189 / MITKRB5-SA-2004-004] 1798
1799
-------------------------------------------------------------------1800
Tue Dec 14 15:30:23 CET 2004 - mc@suse.de1801
1802
- build doc subpackage in an own specfile 1803
- removed unnecessary neededforbuild requirements1804
1805
-------------------------------------------------------------------1806
Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de1807
1808
- fix build with gcc 41809
1810
-------------------------------------------------------------------1811
Mon Nov 15 17:25:56 CET 2004 - mc@suse.de1812
1813
- added Conflicts with heimdal*1814
- rename some manpages to avoid conflicts 1815
1816
-------------------------------------------------------------------1817
Thu Nov 4 18:03:11 CET 2004 - mc@suse.de1818
1819
- new init scripts1820
- fix logrotate scripts1821
- add some 64Bit fixes1822
- add default krb5.conf, kdc.conf and kadm5.acl1823
1824
-------------------------------------------------------------------1825
Wed Nov 3 18:52:07 CET 2004 - mc@suse.de1826
1827
- add e2fsprogs to NFB1828
- use system-et and system-ss 1829
- fix includes of com_err.h 1830
1831
-------------------------------------------------------------------1832
Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de1833
1834
- Initital checkin 1835
1836