File krb5.changes of Package krb5-mini
1983
1
-------------------------------------------------------------------2
Mon Jul 1 09:12:55 UTC 2024 - Samuel Cabrero <scabrero@suse.de>3
4
- Fix vulnerabilities in GSS message token handling, add patch5
0016-Fix-vulnerabilities-in-GSS-message-token-handling.patch6
* CVE-2024-37370, bsc#12271867
* CVE-2024-37371, bsc#12271878
9
-------------------------------------------------------------------10
Fri Mar 22 09:19:41 UTC 2024 - Samuel Cabrero <scabrero@suse.de>11
12
- Fix memory leaks, add patch 0015-Fix-two-unlikely-memory-leaks.patch13
* CVE-2024-26458, bsc#122077014
* CVE-2024-26461, bsc#122077115
16
-------------------------------------------------------------------17
Tue Aug 8 11:17:33 UTC 2023 - Samuel Cabrero <scabrero@suse.de>18
19
- Ensure array count consistency in kadm5 RPC; (bsc#1214054);20
(CVE-2023-36054);21
- Added patches:22
* 0014-Ensure-array-count-consistency-in-kadm5-RPC.patch23
24
-------------------------------------------------------------------25
Mon Nov 7 14:35:42 UTC 2022 - Samuel Cabrero <scabrero@suse.de>26
27
- Fix integer overflows in PAC parsing; (CVE-2022-42898);28
(bsc#1205126);29
- Added patches:30
* 0013-Fix-integer-overflows-in-PAC-parsing.patch31
32
-------------------------------------------------------------------33
Mon Aug 30 12:39:02 UTC 2021 - Samuel Cabrero <scabrero@suse.de>34
35
- Fix KDC null pointer dereference via a FAST inner body that36
lacks a server field; (CVE-2021-37750); (bsc#1189929);37
- Added patches:38
* 0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch39
40
-------------------------------------------------------------------41
Mon Jul 26 11:25:45 UTC 2021 - Samuel Cabrero <scabrero@suse.de>42
43
- Fix KDC null deref on bad encrypted challenge; (CVE-2021-36222);44
(bsc#1188571);45
- Added patches:46
* 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch47
48
-------------------------------------------------------------------49
Thu Apr 22 15:29:29 UTC 2021 - Samuel Cabrero <scabrero@suse.de>50
51
- Use /run instead of /var/run for daemon PID files; (bsc#1185163);52
53
-------------------------------------------------------------------54
Mon Nov 9 11:04:57 UTC 2020 - Samuel Cabrero <scabrero@suse.de>55
56
- Add recursion limit for ASN.1 indefinite lengths; (CVE-2020-28196);57
(bsc#1178512);58
- Added patches:59
* 0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch60
61
-------------------------------------------------------------------62
Mon Jul 27 12:15:31 UTC 2020 - Samuel Cabrero <scabrero@suse.de>63
64
- Fix prefix reported by krb5-config, libraries and headers are not65
installed under /usr/lib/mit prefix. (bsc#1174079)66
67
-------------------------------------------------------------------68
Mon Jun 8 10:01:09 UTC 2020 - Samuel Cabrero <scabrero@suse.de>69
70
- Update logrotate script, call systemd to reload the services71
instead of init-scripts. (boo#1169357)72
73
-------------------------------------------------------------------74
Mon Aug 5 15:26:39 UTC 2019 - Samuel Cabrero <scabrero@suse.de>75
76
- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947);77
(bsc#1144047);78
79
-------------------------------------------------------------------80
Tue May 7 09:34:24 UTC 2019 - Samuel Cabrero <scabrero@suse.de>81
82
- Move LDAP schema files from /usr/share/doc/packages/krb5 to83
/usr/share/kerberos/ldap; (bsc#1134217);84
85
-------------------------------------------------------------------86
Wed Jan 30 12:32:33 UTC 2019 - Samuel Cabrero <scabrero@suse.de>87
88
- Upgrade to 1.16.389
* Fix a regression in the MEMORY credential cache type which could cause90
client programs to crash.91
* MEMORY credential caches will not be listed in the global collection,92
with the exception of the default credential cache if it is of type MEMORY.93
* Remove an incorrect assertion in the KDC which could be used to cause94
a crash [CVE-2018-20217].95
* Fix bugs with concurrent use of MEMORY ccache handles.96
* Fix a KDC crash when falling back between multiple OTP tokens configured97
for a principal entry.98
* Fix memory bugs when gss_add_cred() is used to create a new credential,99
and fix a bug where it ignores the desired_name.100
* Fix the behavior of gss_inquire_cred_by_mech() when the credential does101
not contain an element of the requested mechanism.102
* Make cross-realm S4U2Self requests work on the client when no103
default_realm is configured.104
* Add a kerberos(7) man page containing documentation of the environment105
variables that affect Kerberos programs.106
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required107
by transactional updates; (bsc#1100126);108
- Rename patches:109
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch110
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch111
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch112
* krb5-1.6.3-gssapi_improve_errormessages.dif to113
0004-krb5-1.6.3-gssapi_improve_errormessages.patch114
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch115
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch116
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch117
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch118
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch119
120
-------------------------------------------------------------------121
Tue Oct 9 20:00:21 UTC 2018 - James McDonough <jmcdonough@suse.com>122
123
- Upgrade to 1.16.1124
* kdc client cert matching on client principal entry125
* Allow ktutil addent command to ignore key version and use126
non-default salt string.127
* add kpropd pidfile support128
* enable "encrypted_challenge_indicator" realm option on tickets129
obtained using FAST encrypted challenge pre-authentication.130
* dates through 2106 accepted131
* KDC support for trivially renewable tickets132
* stop caching referral and alternate cross-realm TGTs to prevent133
duplicate credential cache entries134
135
-------------------------------------------------------------------136
Mon Jun 18 11:02:57 UTC 2018 - mcepl@suse.com137
138
- BSC#1021402 move %{_libdir}/krb5/plugins/tls/k5tls.so to krb5 package139
so it is avaiable for krb5-client as well.140
141
-------------------------------------------------------------------142
Fri May 4 09:48:36 UTC 2018 - michael@stroeder.com143
144
- Upgrade to 1.15.3145
* Fix flaws in LDAP DN checking, including a null dereference KDC146
crash which could be triggered by kadmin clients with administrative147
privileges [CVE-2018-5729, CVE-2018-5730].148
* Fix a KDC PKINIT memory leak.149
* Fix a small KDC memory leak on transited or authdata errors when150
processing TGS requests.151
* Fix a null dereference when the KDC sends a large TGS reply.152
* Fix "kdestroy -A" with the KCM credential cache type.153
* Fix the handling of capaths "." values.154
* Fix handling of repeated subsection specifications in profile files155
(such as when multiple included files specify relations in the same156
subsection).157
158
-------------------------------------------------------------------159
Wed Apr 25 21:54:39 UTC 2018 - luizluca@gmail.com160
161
- Added support for /etc/krb5.conf.d/ for configuration snippets162
163
-------------------------------------------------------------------164
Thu Nov 23 13:38:38 UTC 2017 - rbrown@suse.com165
166
- Replace references to /var/adm/fillup-templates with new 167
%_fillupdir macro (boo#1069468)168
169
-------------------------------------------------------------------170
Mon Nov 6 10:23:00 UTC 2017 - hguo@suse.com171
172
- Remove build dependency doxygen, python-Cheetah, python-Sphinx,173
python-libxml2, python-lxml, most of which are python 2 programs.174
Consequently remove -doc subpackage. Users are encouraged to use175
online documentation. (bsc#1066461)176
177
-------------------------------------------------------------------178
Mon Oct 2 22:53:28 UTC 2017 - jengelh@inai.de179
180
- Update package descriptions.181
182
-------------------------------------------------------------------183
Mon Sep 25 19:45:05 UTC 2017 - michael@stroeder.com184
185
- Upgrade to 1.15.2186
* Fix a KDC denial of service vulnerability caused by unset status187
strings [CVE-2017-11368]188
* Preserve GSS contexts on init/accept failure [CVE-2017-11462]189
* Fix kadm5 setkey operation with LDAP KDB module190
* Use a ten-second timeout after successful connection for HTTPS KDC191
requests, as we do for TCP requests192
* Fix client null dereference when KDC offers encrypted challenge193
without FAST194
* Ignore dotfiles when processing profile includedir directive195
* Improve documentation196
197
-------------------------------------------------------------------198
Fri Aug 18 08:27:26 UTC 2017 - hguo@suse.com199
200
- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf201
in order to improve client security in handling service principle202
names. (bsc#1054028)203
204
-------------------------------------------------------------------205
Fri Aug 11 09:08:58 UTC 2017 - hguo@suse.com206
207
- Prevent kadmind.service startup failure caused by absence of208
LDAP service. (bsc#903543)209
210
-------------------------------------------------------------------211
Tue Jun 6 13:36:34 UTC 2017 - hguo@suse.com212
213
- There is no change made about the package itself, this is only214
copying over some changelog texts from SLE package:215
- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355216
krb5: denial of service in krb5_read_message217
- bug#912002 owned by varkoly@suse.com: VUL-0218
CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423:219
krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token220
- bug#910458 owned by varkoly@suse.com: VUL-1221
CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries222
- bug#928978 owned by varkoly@suse.com: VUL-0223
CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading224
to requires_preauth bypass225
- bug#910457 owned by varkoly@suse.com: VUL-1226
CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy227
name as a password policy name228
- bug#991088 owned by hguo@suse.com: VUL-1229
CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted230
- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires231
- [fate#320326](https://fate.suse.com/320326)232
- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference233
from \cite234
235
-------------------------------------------------------------------236
Thu Apr 6 12:58:53 CEST 2017 - kukuk@suse.de237
238
- Remove wrong PreRequires from krb5239
240
-------------------------------------------------------------------241
Thu Mar 9 20:58:42 UTC 2017 - michael@stroeder.com242
243
- use HTTPS project and source URLs244
245
-------------------------------------------------------------------246
Thu Mar 9 16:31:41 UTC 2017 - meissner@suse.com247
248
- use source urls.249
- krb5.keyring: Added Greg Hudson250
251
-------------------------------------------------------------------252
Sat Mar 4 21:29:34 UTC 2017 - michael@stroeder.com253
254
- removed obsolete krb5-1.15-fix_kdb_free_principal_e_data.patch255
- Upgrade to 1.15.1256
* Allow KDB modules to determine how the e_data field of principal257
fields is freed258
* Fix udp_preference_limit when the KDC location is configured with259
SRV records260
* Fix KDC and kadmind startup on some IPv4-only systems261
* Fix the processing of PKINIT certificate matching rules which have262
two components and no explicit relation263
* Improve documentation264
265
-------------------------------------------------------------------266
Fri Jan 27 14:50:39 UTC 2017 - bwiedemann@suse.com267
268
- remove useless environment.pickle to make build-compare happy269
270
-------------------------------------------------------------------271
Thu Jan 19 15:59:38 UTC 2017 - asn@cryptomilk.org272
273
- Introduce patch274
krb5-1.15-fix_kdb_free_principal_e_data.patch275
to fix freeing of e_data in the kdb principal276
277
-------------------------------------------------------------------278
Sat Dec 3 13:04:11 UTC 2016 - michael@stroeder.com279
280
- Upgrade to 1.15281
- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2282
- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since283
file is not available in upstream source anymore284
- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15285
286
- Upgrade from 1.14.4 to 1.15 - major changes:287
Administrator experience:288
* Add support to kadmin for remote extraction of current keys without289
changing them (requires a special kadmin permission that is excluded290
from the wildcard permission), with the exception of highly291
protected keys.292
* Add a lockdown_keys principal attribute to prevent retrieval of the293
principal's keys (old or new) via the kadmin protocol. In newly294
created databases, this attribute is set on the krbtgt and kadmin295
principals.296
* Restore recursive dump capability for DB2 back end, so sites can297
more easily recover from database corruption resulting from power298
failure events.299
* Add DNS auto-discovery of KDC and kpasswd servers from URI records,300
in addition to SRV records. URI records can convey TCP and UDP301
servers and master KDC status in a single DNS lookup, and can also302
point to HTTPS proxy servers.303
* Add support for password history to the LDAP back end.304
* Add support for principal renaming to the LDAP back end.305
* Use the getrandom system call on supported Linux kernels to avoid306
blocking problems when getting entropy from the operating system.307
* In the PKINIT client, use the correct DigestInfo encoding for PKCS308
#1 signatures, so that some especially strict smart cards will work.309
Code quality:310
* Clean up numerous compilation warnings.311
* Remove various infrequently built modules, including some preauth312
modules that were not built by default.313
Developer experience:314
* Add support for building with OpenSSL 1.1.315
* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of316
authenticators in the replay cache. This helps sites that must317
build with FIPS 140 conformant libraries that lack MD5.318
Protocol evolution:319
* Add support for the AES-SHA2 enctypes, which allows sites to conform320
to Suite B crypto requirements.321
322
- Upgrade from 1.14.3 to 1.14.4 - major changes:323
* Fix some rare btree data corruption bugs324
* Fix numerous minor memory leaks325
* Improve portability (Linux-ppc64el, FreeBSD)326
* Improve some error messages327
* Improve documentation328
329
-------------------------------------------------------------------330
Mon Nov 14 08:36:06 UTC 2016 - christof.hanke@rzg.mpg.de331
332
- add pam configuration file required for ksu 333
just use a copy of "su" one from Tumbleweed 334
335
-------------------------------------------------------------------336
Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com337
338
- Upgrade from 1.14.2 to 1.14.3:339
* Improve some error messages340
* Improve documentation341
* Allow a principal with nonexistent policy to bypass the minimum342
password lifetime check, consistent with other aspects of343
nonexistent policies344
* Fix a rare KDC denial of service vulnerability when anonymous client345
principals are restricted to obtaining TGTs only [CVE-2016-3120]346
347
-------------------------------------------------------------------348
Sat Jul 2 11:38:54 UTC 2016 - idonmez@suse.com349
350
- Remove comments breaking post scripts. 351
352
-------------------------------------------------------------------353
Thu Jun 30 13:34:29 UTC 2016 - fcrozat@suse.com354
355
- Do no use systemd_requires macros in main package, it adds356
unneeded dependencies which pulls systemd into minimal chroot.357
- Only call %insserv_prereq when building for pre-systemd358
distributions.359
- Optimise some %post/%postun when only /sbin/ldconfig is called.360
361
------------------------------------------------------------------362
Tue May 10 12:41:14 UTC 2016 - hguo@suse.com363
364
- Remove source file ccapi/common/win/OldCC/autolock.hxx365
that is not needed and does not carry an acceptable license.366
(bsc#968111)367
368
-------------------------------------------------------------------369
Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com370
371
- removed obsolete patches:372
* 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch373
* krb5-mechglue_inqure_attrs.patch374
- Upgrade from 1.14.1 to 1.14.2:375
* Fix a moderate-severity vulnerability in the LDAP KDC back end that376
could be exploited by a privileged kadmin user [CVE-2016-3119]377
* Improve documentation378
* Fix some interactions with GSSAPI interposer mechanisms379
380
-------------------------------------------------------------------381
Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com382
383
- Upgrade from 1.14 to 1.14.1:384
* Remove expired patches:385
0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch386
0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch387
0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch388
krbdev.mit.edu-8301.patch389
* Replace source archives:390
krb5-1.14.tar.gz ->391
krb5-1.14.1.tar.gz392
krb5-1.14.tar.gz.asc ->393
krb5-1.14.1.tar.gz.asc394
* Adjust line numbers in:395
krb5-fix_interposer.patch396
397
-------------------------------------------------------------------398
Wed Mar 23 13:02:48 UTC 2016 - hguo@suse.com399
400
- Introduce patch401
0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch402
to fix CVE-2016-3119 (bsc#971942)403
404
-------------------------------------------------------------------405
Thu Feb 11 15:06:31 UTC 2016 - hguo@suse.com406
407
- Remove krb5-mini pieces from spec file.408
Hence remove pre_checkin.sh409
- Remove expired macros and other minor clean-ups in spec file.410
411
-------------------------------------------------------------------412
Tue Feb 2 08:41:13 UTC 2016 - hguo@suse.com413
414
- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character415
with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch416
(bsc#963968)417
- Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request418
with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch419
(bsc#963975)420
- Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask421
with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch422
(bsc#963964)423
424
-------------------------------------------------------------------425
Mon Jan 11 12:33:54 UTC 2016 - idonmez@suse.com426
427
- Add two patches from Fedora, fixing two crashes:428
* krb5-fix_interposer.patch429
* krb5-mechglue_inqure_attrs.patch430
431
-------------------------------------------------------------------432
Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com433
434
- Update to 1.14435
- dropped krb5-kvno-230379.patch436
- added krbdev.mit.edu-8301.patch fixing wrong function call437
438
Major changes in 1.14 (2015-11-20)439
==================================440
441
Administrator experience:442
443
* Add a new kdb5_util tabdump command to provide reporting-friendly444
tabular dump formats (tab-separated or CSV) for the KDC database.445
Unlike the normal dump format, each output table has a fixed number446
of fields. Some tables include human-readable forms of data that447
are opaque in ordinary dump files. This format is also suitable for448
importing into relational databases for complex queries.449
* Add support to kadmin and kadmin.local for specifying a single450
command line following any global options, where the command451
arguments are split by the shell--for example, "kadmin getprinc452
principalname". Commands issued this way do not prompt for453
confirmation or display warning messages, and exit with non-zero454
status if the operation fails.455
* Accept the same principal flag names in kadmin as we do for the456
default_principal_flags kdc.conf variable, and vice versa. Also457
accept flag specifiers in the form that kadmin prints, as well as458
hexadecimal numbers.459
* Remove the triple-DES and RC4 encryption types from the default460
value of supported_enctypes, which determines the default key and461
salt types for new password-derived keys. By default, keys will462
only created only for AES128 and AES256. This mitigates some types463
of password guessing attacks.464
* Add support for directory names in the KRB5_CONFIG and465
KRB5_KDC_PROFILE environment variables.466
* Add support for authentication indicators, which are ticket467
annotations to indicate the strength of the initial authentication.468
Add support for the "require_auth" string attribute, which can be469
set on server principal entries to require an indicator when470
authenticating to the server.471
* Add support for key version numbers larger than 255 in keytab files,472
and for version numbers up to 65535 in KDC databases.473
* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC474
during pre-authentication, corresponding to the client's most475
preferred encryption type.476
* Add support for server name identification (SNI) when proxying KDC477
requests over HTTPS.478
* Add support for the err_fmt profile parameter, which can be used to479
generate custom-formatted error messages.480
481
Code quality:482
483
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that484
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]485
[CVE-2015-2698]486
* Fix build_principal memory bug that could cause a KDC487
crash. [CVE-2015-2697]488
489
Developer experience:490
491
* Change gss_acquire_cred_with_password() to acquire credentials into492
a private memory credential cache. Applications can use493
gss_store_cred() to make the resulting credentials visible to other494
processes.495
* Change gss_acquire_cred() and SPNEGO not to acquire credentials for496
IAKERB or for non-standard variants of the krb5 mechanism OID unless497
explicitly requested. (SPNEGO will still accept the Microsoft498
variant of the krb5 mechanism OID during negotiation.)499
* Change gss_accept_sec_context() not to accept tokens for IAKERB or500
for non-standard variants of the krb5 mechanism OID unless an501
acceptor credential is acquired for those mechanisms.502
* Change gss_acquire_cred() to immediately resolve credentials if the503
time_rec parameter is not NULL, so that a correct expiration time504
can be returned. Normally credential resolution is delayed until505
the target name is known.506
* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,507
which can be used by plugin modules or applications to add prefixes508
to existing detailed error messages.509
* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which510
implement the RFC 6113 PRF+ operation and key derivation using PRF+.511
* Add support for pre-authentication mechanisms which use multiple512
round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error513
code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth514
interface; these callbacks can be used to save marshalled state515
information in an encrypted cookie for the next request.516
* Add a client_key() callback to the kdcpreauth interface to retrieve517
the chosen client key, corresponding to the ETYPE-INFO2 entry sent518
by the KDC.519
* Add an add_auth_indicator() callback to the kdcpreauth interface,520
allowing pre-authentication modules to assert authentication521
indicators.522
* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to523
suppress sending the confidentiality and integrity flags in GSS524
initiator tokens unless they are requested by the caller. These525
flags control the negotiated SASL security layer for the Microsoft526
GSS-SPNEGO SASL mechanism.527
* Make the FILE credential cache implementation less prone to528
corruption issues in multi-threaded programs, especially on529
platforms with support for open file description locks.530
531
Performance:532
533
* On slave KDCs, poll the master KDC immediately after processing a534
full resync, and do not require two full resyncs after the master535
KDC's log file is reset.536
537
User experience:538
539
* Make gss_accept_sec_context() accept tickets near their expiration540
but within clock skew tolerances, rather than rejecting them541
immediately after the server's view of the ticket expiration time.542
543
-------------------------------------------------------------------544
Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com545
546
- Update to 1.13.3547
- removed patches for security fixes now in upstream source:548
0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch549
0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch550
0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch551
0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch552
553
Major changes in 1.13.3 (2015-12-04)554
====================================555
556
This is a bug fix release. The krb5-1.13 release series is in557
maintenance, and for new deployments, installers should prefer the558
krb5-1.14 release series or later.559
560
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that561
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]562
[CVE-2015-2698]563
* Fix build_principal memory bug that could cause a KDC564
crash. [CVE-2015-2697]565
* Allow an iprop slave to receive full resyncs from KDCs running566
krb5-1.10 or earlier.567
568
-------------------------------------------------------------------569
Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com570
571
- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch572
to fix a memory corruption regression introduced by resolution of573
CVE-2015-2698. bsc#954204574
575
-------------------------------------------------------------------576
Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com577
578
- Make kadmin.local man page available without having to install krb5-client. bsc#948011579
- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch580
to fix build_principal memory bug [CVE-2015-2697] bsc#952190581
- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch582
to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189583
- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch584
to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188585
586
-------------------------------------------------------------------587
Mon Jun 1 07:31:52 UTC 2015 - hguo@suse.com588
589
- Let server depend on libev (module of libverto). This was the590
preferred implementation before the seperation of libverto from krb.591
592
-------------------------------------------------------------------593
Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org594
595
- Drop libverto and libverto-libev Requires from the -server596
package: those package names don't exist and the shared libs597
are pulled in automatically.598
599
-------------------------------------------------------------------600
Wed May 27 10:59:13 UTC 2015 - dimstar@opensuse.org601
602
- Unconditionally buildrequire libverto-devel: krb5-mini also603
depends on it.604
605
-------------------------------------------------------------------606
Fri May 22 09:27:11 UTC 2015 - meissner@suse.com607
608
- pre_checkin.sh aligned changes between krb5/krb5-mini609
- added krb5.keyring610
611
-------------------------------------------------------------------612
Tue May 12 07:48:18 UTC 2015 - michael@stroeder.com613
614
- update to krb5 1.13.2615
616
- DES transition617
==============618
619
The Data Encryption Standard (DES) is widely recognized as weak. The620
krb5-1.7 release contains measures to encourage sites to migrate away621
- From using single-DES cryptosystems. Among these is a configuration622
variable that enables "weak" enctypes, which defaults to "false"623
beginning with krb5-1.8.624
625
626
Major changes in 1.13.2 (2015-05-08)627
====================================628
629
This is a bug fix release.630
631
* Fix a minor vulnerability in krb5_read_message, which is primarily632
used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]633
634
* Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.635
[CVE-2015-2694]636
637
* Fix some issues with the LDAP KDC database back end.638
639
* Fix an iteration-related memory leak in the DB2 KDC database back640
end.641
642
* Fix issues with some less-used kadm5.acl functionality.643
644
* Improve documentation.645
646
-------------------------------------------------------------------647
Thu Apr 23 14:13:03 UTC 2015 - hguo@suse.com648
649
- Use externally built libverto650
651
-------------------------------------------------------------------652
Wed Feb 18 11:48:46 UTC 2015 - michael@stroeder.com653
654
- update to krb5 1.13.1655
656
Major changes in 1.13.1 (2015-02-11)657
====================================658
659
This is a bug fix release.660
661
* Fix multiple vulnerabilities in the LDAP KDC back end.662
[CVE-2014-5354] [CVE-2014-5353]663
664
* Fix multiple kadmind vulnerabilities, some of which are based in the665
gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421666
CVE-2014-9422 CVE-2014-9423]667
668
-------------------------------------------------------------------669
Tue Jan 6 07:12:29 UTC 2015 - mlin@suse.com670
671
- Update to krb5 1.13672
* Add support for accessing KDCs via an HTTPS proxy server using the673
MS-KKDCP protocol.674
* Add support for hierarchical incremental propagation, where slaves675
can act as intermediates between an upstream master and other downstream676
slaves.677
* Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf678
files in addition to /etc/gss/mech.679
* Add support to the LDAP KDB module for binding to the LDAP server using680
SASL.681
* The KDC listens for TCP connections by default.682
* Fix a minor key disclosure vulnerability where using the "keepold" option683
to the kadmin randkey operation could return the old keys. [CVE-2014-5351]684
* Add client support for the Kerberos Cache Manager protocol. If the host685
is running a Heimdal kcm daemon, caches served by the daemon can be686
accessed with the KCM: cache type.687
* When built on OS X 10.7 and higher, use "KCM:" as the default cache type,688
unless overridden by command-line options or krb5-config values.689
* Add support for doing unlocked database dumps for the DB2 KDC back end,690
which would allow the KDC and kadmind to continue accessing the database691
during lengthy database dumps.692
- Removed patches, useless or upstreamed693
* krb5-1.9-kprop-mktemp.patch694
* krb5-1.10-ksu-access.patch695
* krb5-1.12-doxygen.patch696
* bnc#897874-CVE-2014-5351.diff697
* krb5-1.13-work-around-replay-cache-creation-race.patch698
* krb5-1.10-kpasswd_tcp.patch699
- Refreshed patches700
* krb5-1.12-pam.patch701
* krb5-1.12-selinux-label.patch702
* krb5-1.7-doublelog.patch703
704
-------------------------------------------------------------------705
Thu Sep 25 12:48:32 UTC 2014 - ddiss@suse.com706
707
- Work around replay cache creation race; (bnc#898439).708
krb5-1.13-work-around-replay-cache-creation-race.patch709
710
-------------------------------------------------------------------711
Tue Sep 23 13:25:33 UTC 2014 - varkoly@suse.com712
713
- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal 714
- added patches:715
* bnc#897874-CVE-2014-5351.diff716
-------------------------------------------------------------------717
Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de718
719
- krb5 5.12.2:720
* Work around a gcc optimizer bug that could cause DB2 KDC721
database operations to spin in an infinite loop722
* Fix a backward compatibility problem with the LDAP KDB schema723
that could prevent krb5-1.11 and later from decoding entries724
created by krb5-1.6.725
* Avoid an infinite loop under some circumstances when the GSS726
mechglue loads a dynamic mechanism.727
* Fix krb5kdc argument parsing so "-w" and "-r" options work728
togetherreliably.729
- Vulnerability fixes previously fixed in package via patches:730
* Handle certain invalid RFC 1964 GSS tokens correctly to avoid731
invalid memory reference vulnerabilities. [CVE-2014-4341732
CVE-2014-4342]733
* Fix memory management vulnerabilities in GSSAPI SPNEGO.734
[CVE-2014-4343 CVE-2014-4344]735
* Fix buffer overflow vulnerability in LDAP KDB back end.736
[CVE-2014-4345]737
- updated patches:738
* krb5-1.7-doublelog.patch for context change739
* krb5-1.6.3-ktutil-manpage.dif, same740
- removed patches, in upstream:741
* krb5-master-keyring-kdcsync.patch742
* krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch743
* krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch744
* krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch745
* krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch746
- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch747
from upstream748
749
-------------------------------------------------------------------750
Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com751
752
- buffer overrun in kadmind with LDAP backend753
CVE-2014-4345 (bnc#891082)754
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch 755
756
-------------------------------------------------------------------757
Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com758
759
- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)760
krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch761
Fix null deref in SPNEGO acceptor [CVE-2014-4344]762
krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch763
764
-------------------------------------------------------------------765
Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com766
767
- Do not depend of insserv if systemd is used 768
769
-------------------------------------------------------------------770
Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com771
772
- denial of service flaws when handling RFC 1964 tokens (bnc#886016)773
krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch774
- start krb5kdc after slapd (bnc#886102)775
776
-------------------------------------------------------------------777
Fri Jun 6 11:08:08 UTC 2014 - ckornacker@suse.com778
779
- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)780
similar functionality is provided by krb5-plugin-preauth-pkinit781
782
-------------------------------------------------------------------783
Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com784
785
- don't deliver SysV init files to systemd distributions786
787
-------------------------------------------------------------------788
Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com789
790
- update to version 1.12.1791
* Make KDC log service principal names more consistently during792
some error conditions, instead of "<unknown server>"793
* Fix several bugs related to building AES-NI support on less794
common configurations795
* Fix several bugs related to keyring credential caches796
- upstream obsoletes:797
krb5-1.12-copy_context.patch798
krb5-1.12-enable-NX.patch799
krb5-1.12-pic-aes-ni.patch800
krb5-master-no-malloc0.patch801
krb5-master-ignore-empty-unnecessary-final-token.patch802
krb5-master-gss_oid_leak.patch803
krb5-master-keytab_close.patch804
krb5-master-spnego_error_messages.patch805
- Fix Get time offsets for all keyring ccaches806
krb5-master-keyring-kdcsync.patch (RT#7820)807
808
-------------------------------------------------------------------809
Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com810
811
- update to version 1.12812
* Add GSSAPI extensions for constructing MIC tokens using IOV lists813
* Add a FAST OTP preauthentication module for the KDC which uses814
RADIUS to validate OTP token values.815
* The AES-based encryption types will use AES-NI instructions816
when possible for improved performance.817
- revert dependency on libcom_err-mini-devel since it's not yet818
available819
- update and rebase patches820
* krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch821
* krb5-1.11-pam.patch -> krb5-1.12-pam.patch822
* krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch823
* krb5-1.8-api.patch -> krb5-1.12-api.patch824
* krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch825
* krb5-1.9-debuginfo.patch826
* krb5-1.9-kprop-mktemp.patch827
* krb5-kvno-230379.patch828
- added upstream patches829
- Fix krb5_copy_context830
* krb5-1.12-copy_context.patch831
- Mark AESNI files as not needing executable stacks832
* krb5-1.12-enable-NX.patch833
* krb5-1.12-pic-aes-ni.patch834
- Fix memory leak in SPNEGO initiator835
* krb5-master-gss_oid_leak.patch836
- Fix SPNEGO one-hop interop against old IIS837
* krb5-master-ignore-empty-unnecessary-final-token.patch838
- Fix GSS krb5 acceptor acquire_cred error handling 839
* krb5-master-keytab_close.patch840
- Avoid malloc(0) in SPNEGO get_input_token841
* krb5-master-no-malloc0.patch842
- Test SPNEGO error message in t_s4u.py843
* krb5-master-spnego_error_messages.patch844
845
-------------------------------------------------------------------846
Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com847
848
- Reduce build dependencies for krb5-mini by removing849
doxygen and changing libcom_err-devel to850
libcom_err-mini-devel851
- Small fix to pre_checkin.sh so krb5-mini.spec is correct.852
853
-------------------------------------------------------------------854
Fri Nov 15 13:33:53 UTC 2013 - ckornacker@suse.com855
856
- update to version 1.11.4857
- Fix a KDC null pointer dereference [CVE-2013-1417] that could858
affect realms with an uncommon configuration.859
- Fix a KDC null pointer dereference [CVE-2013-1418] that could860
affect KDCs that serve multiple realms.861
- Fix a number of bugs related to KDC master key rollover.862
863
-------------------------------------------------------------------864
Mon Jun 24 16:21:07 UTC 2013 - mc@suse.com865
866
- install and enable systemd service files also in -mini package867
868
-------------------------------------------------------------------869
Fri Jun 21 02:12:03 UTC 2013 - crrodriguez@opensuse.org870
871
- remove fstack-protector-all from CFLAGS, just use the 872
lighter/fast version already present in %optflags873
874
- Use LFS_CFLAGS to build in 32 bit archs.875
876
-------------------------------------------------------------------877
Sun Jun 9 14:14:48 UTC 2013 - mc@suse.com878
879
- update to version 1.11.3880
- Fix a UDP ping-pong vulnerability in the kpasswd881
(password changing) service. [CVE-2002-2443]882
- Improve interoperability with some Windows native PKINIT clients.883
- install translation files884
- remove outdated configure options885
886
-------------------------------------------------------------------887
Tue May 28 17:08:01 UTC 2013 - mc@suse.com888
889
- cleanup systemd files (remove syslog.target)890
891
-------------------------------------------------------------------892
Fri May 3 09:43:47 CEST 2013 - mc@suse.de893
894
- let krb5-mini conflict with all main packages895
896
-------------------------------------------------------------------897
Thu May 2 16:43:16 CEST 2013 - mc@suse.de898
899
- add conflicts between krb5-mini and krb5-server900
901
-------------------------------------------------------------------902
Sun Apr 28 17:14:36 CEST 2013 - mc@suse.de903
904
- update to version 1.11.2905
* Incremental propagation could erroneously act as if a slave's906
database were current after the slave received a full dump907
that failed to load.908
* gss_import_sec_context incorrectly set internal state that909
identifies whether an imported context is from an interposer910
mechanism or from the underlying mechanism. 911
- upstream fix obsolete krb5-lookup_etypes-leak.patch912
913
-------------------------------------------------------------------914
Thu Apr 4 15:10:19 CEST 2013 - mc@suse.de915
916
- add conflicts between krb5-mini-devel and krb5-devel917
918
-------------------------------------------------------------------919
Tue Apr 2 17:32:08 CEST 2013 - mc@suse.de920
921
- add conflicts between krb5-mini and krb5 and krb5-client922
923
-------------------------------------------------------------------924
Wed Mar 27 11:36:00 CET 2013 - mc@suse.de925
926
- enable selinux and set openssl as crypto implementation927
928
-------------------------------------------------------------------929
Fri Mar 22 10:34:55 CET 2013 - mc@suse.de930
931
- fix path to executables in service files932
(bnc#810926)933
934
-------------------------------------------------------------------935
Fri Mar 15 11:14:21 CET 2013 - mc@suse.de936
937
- update to version 1.11.1938
* Improve ASN.1 support code, making it table-driven for939
decoding as well as encoding940
* Refactor parts of KDC941
* Documentation consolidation942
* build docs in the main package943
* bugfixing944
- changes of patches:945
* bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif:946
upstream947
* bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif:948
upstream949
* krb5-1.10-gcc47.patch: upstream950
* krb5-1.10-selinux-label.patch replaced by951
krb5-1.11-selinux-label.patch952
* krb5-1.10-spin-loop.patch: upstream953
* krb5-1.3.5-perlfix.dif: the tool was removed from upstream954
* krb5-1.8-pam.patch replaced by955
krb5-1.11-pam.patch956
957
-------------------------------------------------------------------958
Wed Mar 6 12:01:32 CET 2013 - mc@suse.de959
960
- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()961
CVE-2012-1016 (bnc#807556)962
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif963
964
-------------------------------------------------------------------965
Mon Mar 4 11:23:10 CET 2013 - mc@suse.de966
967
- fix PKINIT null pointer deref968
CVE-2013-1415 (bnc#806715)969
bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif970
971
-------------------------------------------------------------------972
Fri Jan 25 15:29:37 CET 2013 - mc@suse.de973
974
- package missing file (bnc#794784)975
976
-------------------------------------------------------------------977
Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com978
979
- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc980
(bnc#793336)981
982
-------------------------------------------------------------------983
Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com984
985
- revert the -p usage in %postun to fix SLE build986
987
-------------------------------------------------------------------988
Tue Oct 16 12:05:00 UTC 2012 - coolo@suse.com989
990
- buildrequire systemd by pkgconfig provide to get systemd-mini991
992
-------------------------------------------------------------------993
Sat Oct 13 16:50:59 UTC 2012 - coolo@suse.com994
995
- do not require systemd in krb5-mini996
997
-------------------------------------------------------------------998
Fri Oct 5 15:50:38 CEST 2012 - mc@suse.de999
1000
- add systemd service files for kadmind, krb5kdc and kpropd1001
- add sysconfig templates for kadmind and krb5kdc1002
1003
-------------------------------------------------------------------1004
Wed Jun 13 08:40:56 UTC 2012 - coolo@suse.com1005
1006
- fix %files section for krb5-mini1007
1008
-------------------------------------------------------------------1009
Thu Jun 7 11:39:18 UTC 2012 - mc@suse.de1010
1011
- fix gcc47 issues1012
1013
-------------------------------------------------------------------1014
Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de1015
1016
- update to version 1.10.21017
obsolte patches:1018
* krb5-1.7-nodeplibs.patch1019
* krb5-1.9.1-ai_addrconfig.patch1020
* krb5-1.9.1-ai_addrconfig2.patch1021
* krb5-1.9.1-sendto_poll.patch1022
* krb5-1.9-canonicalize-fallback.patch1023
* krb5-1.9-paren.patch1024
* krb5-klist_s.patch1025
* krb5-pkinit-cms2.patch1026
* krb5-trunk-chpw-err.patch1027
* krb5-trunk-gss_delete_sec.patch1028
* krb5-trunk-kadmin-oldproto.patch1029
* krb5-1.9-MITKRB5-SA-2011-006.dif1030
* krb5-1.9-gss_display_status-iakerb.patch1031
* krb5-1.9.1-sendto_poll2.patch1032
* krb5-1.9.1-sendto_poll3.patch1033
* krb5-1.9-MITKRB5-SA-2011-007.dif1034
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain1035
Controllers.1036
- Update a workaround for a glibc bug that would cause DNS PTR queries1037
to occur even when rdns = false.1038
- Fix a kadmind denial of service issue (null pointer dereference),1039
which could only be triggered by an administrator with the "create"1040
privilege. [CVE-2012-1013]1041
- Fix access controls for KDB string attributes [CVE-2012-1012]1042
- Make the ASN.1 encoding of key version numbers interoperate with1043
Windows Read-Only Domain Controllers1044
- Avoid generating spurious password expiry warnings in cases where1045
the KDC sends an account expiry time without a password expiry time1046
- Make PKINIT work with FAST in the client library.1047
- Add the DIR credential cache type, which can hold a collection of1048
credential caches.1049
- Enhance kinit, klist, and kdestroy to support credential cache1050
collections if the cache type supports it.1051
- Add the kswitch command, which changes the selected default cache1052
within a collection.1053
- Add heuristic support for choosing client credentials based on1054
the service realm.1055
- Add support for $HOME/.k5identity, which allows credential1056
choice based on configured rules.1057
1058
-------------------------------------------------------------------1059
Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de1060
1061
- add autoconf macro to devel subpackage1062
1063
-------------------------------------------------------------------1064
Tue Jan 31 15:33:05 CET 2012 - meissner@suse.de1065
1066
- fix license in krb5-mini1067
1068
-------------------------------------------------------------------1069
Tue Dec 20 20:57:26 UTC 2011 - coolo@suse.com1070
1071
- add autoconf as buildrequire to avoid implicit dependency1072
1073
-------------------------------------------------------------------1074
Tue Dec 20 11:01:39 UTC 2011 - coolo@suse.com1075
1076
- remove call to suse_update_config, very old work around1077
1078
-------------------------------------------------------------------1079
Mon Nov 21 11:24:12 CET 2011 - mc@suse.de1080
1081
- fix KDC null pointer dereference in TGS handling1082
(MITKRB5-SA-2011-007, bnc#730393)1083
CVE-2011-15301084
1085
-------------------------------------------------------------------1086
Mon Nov 21 11:11:54 CET 2011 - mc@suse.de1087
1088
- fix KDC HA feature introduced with implementing KDC poll1089
(RT#6951, bnc#731648)1090
1091
-------------------------------------------------------------------1092
Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de1093
1094
- fix minor error messages for the IAKERB GSSAPI mechanism1095
(see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)1096
1097
-------------------------------------------------------------------1098
Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de1099
1100
- fix kdc remote denial of service1101
(MITKRB5-SA-2011-006, bnc#719393)1102
CVE-2011-1527, CVE-2011-1528, CVE-2011-15291103
1104
-------------------------------------------------------------------1105
Tue Aug 23 13:52:03 CEST 2011 - mc@suse.de1106
1107
- use --without-pam to build krb5-mini1108
1109
-------------------------------------------------------------------1110
Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com1111
1112
- add patches from Fedora and upstream 1113
- fix init scripts (bnc#689006)1114
1115
-------------------------------------------------------------------1116
Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com1117
1118
- update to version 1.9.11119
* obsolete patches:1120
MITKRB5-SA-2010-007-1.8.dif1121
krb5-1.8-MITKRB5-SA-2010-006.dif1122
krb5-1.8-MITKRB5-SA-2011-001.dif1123
krb5-1.8-MITKRB5-SA-2011-002.dif1124
krb5-1.8-MITKRB5-SA-2011-003.dif1125
krb5-1.8-MITKRB5-SA-2011-004.dif1126
krb5-1.4.3-enospc.dif1127
* replace krb5-1.6.1-compile_pie.dif1128
-------------------------------------------------------------------1129
Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de1130
1131
- fix kadmind invalid pointer free()1132
(MITKRB5-SA-2011-004, bnc#687469)1133
CVE-2011-02851134
1135
-------------------------------------------------------------------1136
Tue Mar 1 12:43:22 CET 2011 - mc@suse.de1137
1138
- Fix vulnerability to a double-free condition in KDC daemon1139
(MITKRB5-SA-2011-003, bnc#671717)1140
CVE-2011-02841141
1142
-------------------------------------------------------------------1143
Wed Jan 19 14:42:27 CET 2011 - mc@suse.de1144
1145
- Fix kpropd denial of service1146
(MITKRB5-SA-2011-001, bnc#662665)1147
CVE-2010-40221148
- Fix KDC denial of service attacks with LDAP back end1149
(MITKRB5-SA-2011-002, bnc#663619)1150
CVE-2011-0281, CVE-2011-0282 1151
1152
-------------------------------------------------------------------1153
Wed Dec 1 11:44:15 CET 2010 - mc@suse.de1154
1155
- Fix multiple checksum handling vulnerabilities 1156
(MITKRB5-SA-2010-007, bnc#650650)1157
CVE-2010-13241158
* krb5 GSS-API applications may accept unkeyed checksums1159
* krb5 application services may accept unkeyed PAC checksums1160
* krb5 KDC may accept low-entropy KrbFastArmoredReq checksums1161
CVE-2010-13231162
* krb5 clients may accept unkeyed SAM-2 challenge checksums1163
* krb5 may accept KRB-SAFE checksums with low-entropy derived keys1164
CVE-2010-40201165
* krb5 may accept authdata checksums with low-entropy derived keys1166
CVE-2010-40211167
* krb5 KDC may issue unrequested tickets due to KrbFastReq forgery 1168
1169
-------------------------------------------------------------------1170
Thu Oct 28 12:53:13 CEST 2010 - mc@suse.de1171
1172
- fix csh profile (bnc#649856) 1173
1174
-------------------------------------------------------------------1175
Fri Oct 22 11:15:43 CEST 2010 - mc@suse.de1176
1177
- update to krb5-1.8.31178
* remove patches which are now upstrem1179
- krb5-1.7-MITKRB5-SA-2010-004.dif 1180
- krb5-1.8.1-gssapi-error-table.dif 1181
- krb5-MITKRB5-SA-2010-005.dif 1182
1183
-------------------------------------------------------------------1184
Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de1185
1186
- change environment variable PATH directly for csh1187
(bnc#642080)1188
1189
-------------------------------------------------------------------1190
Mon Sep 27 11:42:43 CEST 2010 - mc@suse.de1191
1192
- fix a dereference of an uninitialized pointer while processing1193
authorization data. 1194
CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)1195
1196
-------------------------------------------------------------------1197
Mon Jun 21 21:31:53 UTC 2010 - lchiquitto@novell.com1198
1199
- add correct error table when initializing gss-krb5 (bnc#606584,1200
bnc#608295)1201
1202
-------------------------------------------------------------------1203
Wed May 19 14:27:19 CEST 2010 - mc@suse.de1204
1205
- fix GSS-API library null pointer dereference1206
CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826) 1207
1208
-------------------------------------------------------------------1209
Wed Apr 14 11:36:32 CEST 2010 - mc@suse.de1210
1211
- fix a double free vulnerability in the KDC 1212
CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)1213
1214
-------------------------------------------------------------------1215
Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de1216
1217
- update to version 1.8.11218
* include krb5-1.8-POST.dif1219
* include MITKRB5-SA-2010-002 1220
1221
-------------------------------------------------------------------1222
Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de1223
1224
- update krb5-1.8-POST.dif 1225
1226
-------------------------------------------------------------------1227
Tue Mar 23 14:32:41 CET 2010 - mc@suse.de1228
1229
- fix a bug where an unauthenticated remote attacker could cause1230
a GSS-API application including the Kerberos administration1231
daemon (kadmind) to crash.1232
CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) 1233
1234
-------------------------------------------------------------------1235
Tue Mar 23 12:33:26 CET 2010 - mc@suse.de1236
1237
- add post 1.8 fixes1238
* Add IPv6 support to changepw.c1239
* fix two problems in kadm5_get_principal mask handling 1240
* Ignore improperly encoded signedpath AD elements1241
* handle NT_SRV_INST in service principal referrals1242
* dereference options while checking 1243
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT1244
* Fix the kpasswd fallback from the ccache principal name1245
* Document the ticket_lifetime libdefaults setting1246
* Change KRB5_AUTHDATA_SIGNTICKET from 142 to 5121247
1248
-------------------------------------------------------------------1249
Thu Mar 4 10:42:29 CET 2010 - mc@suse.de1250
1251
- update to version 1.81252
* Increase code quality 1253
* Move toward improved KDB interface1254
* Investigate and remedy repeatedly-reported performance 1255
bottlenecks.1256
* Reduce DNS dependence by implementing an interface that allows1257
client library to track whether a KDC supports service 1258
principal referrals.1259
* Disable DES by default 1260
* Account lockout for repeated login failures1261
* Bridge layer to allow Heimdal HDB modules to act as KDB 1262
backend modules1263
* FAST enhancements1264
* Microsoft Services for User (S4U) compatibility1265
* Anonymous PKINIT1266
- fix KDC denial of service1267
CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)1268
- fix KDC denial of service in cross-realm referral processing1269
CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)1270
- fix integer underflow in AES and RC4 decryption1271
CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)1272
- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl1273
1274
-------------------------------------------------------------------1275
Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de1276
1277
- add baselibs.conf as a source1278
1279
-------------------------------------------------------------------1280
Fri Nov 13 16:51:37 CET 2009 - mc@suse.de1281
1282
- enhance '$PATH' only if the directories are available1283
and not empty (bnc#544949)1284
1285
-------------------------------------------------------------------1286
Sun Jul 12 21:36:17 CEST 2009 - coolo@novell.com1287
1288
- readd lost baselibs.conf1289
1290
-------------------------------------------------------------------1291
Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de1292
1293
- update to final 1.7 release 1294
1295
-------------------------------------------------------------------1296
Wed May 13 11:30:42 CEST 2009 - mc@suse.de1297
1298
- update to version 1.7 Beta2 1299
* Incremental propagation support for the KDC database.1300
* Flexible Authentication Secure Tunneling (FAST), a preauthentiation1301
framework that can protect the AS exchange from dictionary attack.1302
* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which1303
allows a GSS application to request credential delegation only if1304
permitted by KDC policy.1305
* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --1306
various vulnerabilities in SPNEGO and ASN.1 code.1307
1308
-------------------------------------------------------------------1309
Mon Feb 16 13:04:26 CET 2009 - mc@suse.de1310
1311
- update to pre 1.7 version 1312
* Remove support for version 4 of the Kerberos protocol (krb4).1313
* New libdefaults configuration variable "allow_weak_crypto".1314
* Client library now follows client principal referrals, for1315
compatibility with Windows.1316
* KDC can issue realm referrals for service principals based on domain1317
names.1318
* Encryption algorithm negotiation (RFC 4537).1319
* In the replay cache, use a hash over the complete ciphertext to1320
avoid false-positive replay indications.1321
* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is1322
similar to the equivalent SSPI functionality.1323
* DCE RPC, including three-leg GSS context setup and unencapsulated1324
GSS tokens.1325
* NTLM recognition support in GSS-API, to facilitate dropping in an1326
NTLM implementation.1327
* KDC support for principal aliases, if the back end supports them.1328
* Microsoft set/change password (RFC 3244) protocol in kadmind.1329
* Master key rollover support.1330
1331
-------------------------------------------------------------------1332
Wed Jan 14 09:21:36 CET 2009 - olh@suse.de1333
1334
- obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit1335
1336
-------------------------------------------------------------------1337
Thu Dec 11 14:12:57 CET 2008 - mc@suse.de1338
1339
- do not query IPv6 addresses if no IPv6 address exists on this host1340
[bnc#449143] 1341
1342
-------------------------------------------------------------------1343
Wed Dec 10 12:34:56 CET 2008 - olh@suse.de1344
1345
- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade1346
(bnc#437293)1347
1348
-------------------------------------------------------------------1349
Thu Oct 30 12:34:56 CET 2008 - olh@suse.de1350
1351
- obsolete old -XXbit packages (bnc#437293)1352
1353
-------------------------------------------------------------------1354
Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de1355
1356
- in case we use ldap as database backend, ldap should be1357
started before krb5kdc 1358
1359
-------------------------------------------------------------------1360
Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de1361
1362
- add new fixes to post 1.6.3 patch1363
* fix mem leak in krb5_gss_accept_sec_context()1364
* keep minor_status1365
* kadm5_decrypt_key: A ktype of -1 is documented as meaning 1366
"to be ignored" 1367
* Reject socket fds > FD_SETSIZE1368
1369
-------------------------------------------------------------------1370
Fri Jul 25 12:13:24 CEST 2008 - mc@suse.de1371
1372
- add patches from SVN post 1.6.31373
* krb5_string_to_keysalts: Fix an infinite loop1374
* fix some mutex issues1375
* better recovery from corrupt rcache files1376
* some more small fixes1377
1378
-------------------------------------------------------------------1379
Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de1380
1381
- add case-insensitive.dif (FATE#300771)1382
- minor fixes for ktutil man page1383
- reduce rpmlint warnings 1384
1385
-------------------------------------------------------------------1386
Wed May 14 17:44:59 CEST 2008 - mc@suse.de1387
1388
- Fall back to TCP on kdc-unresolvable/unreachable errors.1389
- restore valid sequence number before generating requests1390
(fix changing passwords in mixed ipv4/ipv6 enviroments) 1391
1392
-------------------------------------------------------------------1393
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de1394
1395
- added baselibs.conf file to build xxbit packages1396
for multilib support1397
1398
-------------------------------------------------------------------1399
Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de1400
1401
- modify krb5-config to not output rpath and cflags in --libs 1402
(bnc#378270)1403
1404
-------------------------------------------------------------------1405
Fri Mar 14 11:27:55 CET 2008 - mc@suse.de1406
1407
- fix two security bugs:1408
* MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063)1409
fix double free [bnc#361373]1410
* MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)1411
Memory corruption while too many open file descriptors1412
[bnc#363151]1413
- change default config file. Comment out the examples. 1414
1415
-------------------------------------------------------------------1416
Fri Dec 14 10:48:52 CET 2007 - mc@suse.de1417
1418
- fix several security bugs:1419
* CVE-2007-5894 apparent uninit length1420
* CVE-2007-5902 integer overflow1421
* CVE-2007-5971 free of non-heap pointer and double-free1422
* CVE-2007-5972 double fclose()1423
[#346745, #346748, #346746, #346749, #346747]1424
1425
-------------------------------------------------------------------1426
Tue Dec 4 16:36:07 CET 2007 - mc@suse.de1427
1428
- improve GSSAPI error messages 1429
1430
-------------------------------------------------------------------1431
Tue Nov 6 13:53:17 CET 2007 - mc@suse.de1432
1433
- add coreutils to PreReq 1434
1435
-------------------------------------------------------------------1436
Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de1437
1438
- update to krb5 version 1.6.31439
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow1440
* fix CVE-2007-4000 modify_policy vulnerability1441
* Add PKINIT support1442
- remove patches which are upstream now1443
- enhance init scripts and xinetd profiles1444
1445
-------------------------------------------------------------------1446
Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de1447
1448
- update krb5-1.6.2-post.dif1449
* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that 1450
that the client library will not failover to the next KDC. 1451
[#310540]1452
1453
-------------------------------------------------------------------1454
Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de1455
1456
- update krb5-1.6.2-post.dif1457
* new -S sname option for kvno1458
* read_entropy_from_device on partial read will not fill buffer1459
* Bail out if encoded "ticket" doesn't decode correctly.1460
* patch for referrals loop 1461
1462
-------------------------------------------------------------------1463
Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de1464
1465
- fix a problem with the originally published patch1466
for MITKRB5-SA-2007-006 - CVE-2007-39991467
[#302377]1468
1469
-------------------------------------------------------------------1470
Wed Sep 5 12:18:21 CEST 2007 - mc@suse.de1471
1472
- fix execute arbitrary code1473
(MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)1474
[#302377]1475
1476
-------------------------------------------------------------------1477
Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de1478
1479
- add krb5-1.6.2-post.dif1480
* during the referrals loop, check to see if the1481
session key enctype of a returned credential for the final 1482
service is among the enctypes explicitly selected by the 1483
application, and retry with old_use_conf_ktypes if it is not. 1484
* If mkstemp() is available, the new ccache file gets created but 1485
the subsequent open(O_CREAT|O_EXCL) call fails because the file1486
was already created by mkstemp(). Apply patch from Apple to keep1487
the file descriptor open.1488
1489
-------------------------------------------------------------------1490
Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de1491
1492
- update to version 1.6.21493
- remove krb5-1.6.1-post.dif all fixes are included in this release 1494
1495
-------------------------------------------------------------------1496
Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de1497
1498
- change requires to libcom_err-devel1499
1500
-------------------------------------------------------------------1501
Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de1502
1503
- update krb5-1.6.1-post.dif1504
* fix leak in krb5_walk_realm_tree1505
* rd_req_decoded needs to deal with referral realms 1506
* fix buffer overflow in kadmind1507
(MITKRB5-SA-2007-005 - CVE-2007-2798)1508
[#278689]1509
* fix kadmind code execution bug1510
(MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)1511
[#271191]1512
1513
-------------------------------------------------------------------1514
Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de1515
1516
- fix unstripped-binary-or-object rpmlint warning 1517
1518
-------------------------------------------------------------------1519
Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de1520
1521
- fixing rpmlint warnings and errors:1522
* merged logrotate scripts kadmin and krb5kdc into a single file1523
krb5-server. 1524
* moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl1525
from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper.1526
adapted krb5.spec and README.ConvertHeimdalMIT accordingly.1527
* added surpression filter for1528
"devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so"1529
(see [#147912]).1530
* set default runlevel of init scripts in chkconfig line to 3 and1531
51532
1533
-------------------------------------------------------------------1534
Wed May 9 15:30:53 CEST 2007 - mc@suse.de1535
1536
- fix uninitialized salt length 1537
- add extra check for keytab file1538
1539
-------------------------------------------------------------------1540
Thu May 3 12:11:29 CEST 2007 - mc@suse.de1541
1542
- adding krb5-1.6.1-post.dif1543
* fix segfault in krb5_get_init_creds_password 1544
* remove debug output in ftp client1545
* profile stores empty string values without double quotes1546
1547
-------------------------------------------------------------------1548
Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de1549
1550
- update to final 1.6.1 version 1551
1552
-------------------------------------------------------------------1553
Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de1554
1555
- add plugin directories to main package 1556
1557
-------------------------------------------------------------------1558
Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de1559
1560
- update to version 1.6.1 Beta11561
- remove obsolete patches 1562
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)1563
- rework compile_pie patch1564
1565
-------------------------------------------------------------------1566
Wed Apr 11 10:58:09 CEST 2007 - mc@suse.de1567
1568
- update krb5-1.6-post.dif1569
* fix kadmind stack overflow in krb5_klog_syslog1570
(MITKRB5-SA-2007-002 - CVE-2007-0957)1571
[#253548]1572
* fix double free attack in the RPC library1573
(MITKRB5-SA-2007-003 - CVE-2007-1216)1574
[#252487]1575
* fix krb5 telnetd login injection1576
(MIT-SA-2007-001 - CVE-2007-0956)1577
#2477651578
1579
-------------------------------------------------------------------1580
Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de1581
1582
- add ncurses-devel and bison to BuildRequires1583
- rework some patches1584
1585
-------------------------------------------------------------------1586
Mon Mar 5 11:01:20 CET 2007 - mc@suse.de1587
1588
- move SuSEFirewall service definitions to 1589
/etc/sysconfig/SuSEfirewall2.d/services 1590
1591
-------------------------------------------------------------------1592
Thu Feb 22 11:13:48 CET 2007 - mc@suse.de1593
1594
- add firewall definition to krb5-server, FATE #3006871595
1596
-------------------------------------------------------------------1597
Mon Feb 19 13:59:43 CET 2007 - mc@suse.de1598
1599
- update krb5-1.6-post.dif1600
- move some applications into the right package 1601
1602
-------------------------------------------------------------------1603
Fri Feb 9 13:31:22 CET 2007 - mc@suse.de1604
1605
- update krb5-1.6-post.dif 1606
1607
-------------------------------------------------------------------1608
Mon Jan 29 11:27:23 CET 2007 - mc@suse.de1609
1610
- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif1611
are now upstream. Remove patches.1612
- fix leak in krb5_kt_resolve and krb5_kt_wresolve1613
1614
-------------------------------------------------------------------1615
Tue Jan 23 17:21:12 CET 2007 - mc@suse.de1616
1617
- fix "local variable used before set" in ftp.c1618
[#237684]1619
1620
-------------------------------------------------------------------1621
Mon Jan 22 16:39:27 CET 2007 - mc@suse.de1622
1623
- krb5-devel should require keyutils-devel 1624
1625
-------------------------------------------------------------------1626
Mon Jan 22 12:19:49 CET 2007 - mc@suse.de1627
1628
- update to version 1.61629
* Major changes in 1.6 include 1630
* Partial client implementation to handle server name referrals. 1631
* Pre-authentication plug-in framework, donated by Red Hat. 1632
* LDAP KDB plug-in, donated by Novell. 1633
- remove obsolete patches1634
1635
-------------------------------------------------------------------1636
Wed Jan 10 11:16:30 CET 2007 - mc@suse.de1637
1638
- fix for1639
kadmind (via RPC library) calls uninitialized function pointer1640
(CVE-2006-6143)(Bug #225990)1641
krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif1642
- fix for1643
kadmind (via GSS-API mechglue) frees uninitialized pointers1644
(CVE-2006-6144)(Bug #225992)1645
krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif1646
1647
-------------------------------------------------------------------1648
Tue Jan 2 14:53:33 CET 2007 - mc@suse.de1649
1650
- Fix Requires in krb5-devel 1651
[Bug #231008]1652
1653
-------------------------------------------------------------------1654
Mon Nov 6 11:49:39 CET 2006 - mc@suse.de1655
1656
- fix "local variable used before set" [#217692]1657
- fix strncat warning 1658
1659
-------------------------------------------------------------------1660
Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de1661
1662
- add a default kadm5.dict file1663
- require $network on daemon start1664
1665
-------------------------------------------------------------------1666
Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de1667
1668
- fix function call with too few arguments [#203837] 1669
1670
-------------------------------------------------------------------1671
Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de1672
1673
- update to version 1.5.11674
- remove obsolete patches which are now included upstream1675
* krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif1676
* trunk-fix-uninitialized-vars.dif 1677
1678
-------------------------------------------------------------------1679
Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de1680
1681
- krb5 setuid return check fixes1682
krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif1683
[#182351]1684
1685
-------------------------------------------------------------------1686
Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de1687
1688
- remove update-messages 1689
1690
-------------------------------------------------------------------1691
Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de1692
1693
- add check for krb5_prop in services to kpropd init script.1694
[#192446]1695
1696
-------------------------------------------------------------------1697
Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de1698
1699
- update to version 1.51700
* KDB abstraction layer, donated by Novell. 1701
* plug-in architecture, allowing for extension modules to be 1702
loaded at run-time. 1703
* multi-mechanism GSS-API implementation ("mechglue"), 1704
donated by Sun Microsystems 1705
* Simple and Protected GSS-API negotiation mechanism ("SPNEGO") 1706
implementation, donated by Sun Microsystems 1707
- remove obsolete patches and add some new1708
1709
-------------------------------------------------------------------1710
Fri May 26 14:50:00 CEST 2006 - ro@suse.de1711
1712
- libcom is not in e2fsck-devel but in its own package now, change1713
Requires accordingly.1714
1715
-------------------------------------------------------------------1716
Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de1717
1718
- add all daemons to %stop_on_removal and %restart_on_update1719
- add reload to kpropd init script1720
- add force-reload to all init scripts 1721
1722
-------------------------------------------------------------------1723
Mon Mar 13 18:20:36 CET 2006 - mc@suse.de1724
1725
- add libgssapi_krb5.so link to main package [#147912] 1726
1727
-------------------------------------------------------------------1728
Fri Feb 3 18:17:01 CET 2006 - mc@suse.de1729
1730
- fix logging section for kadmind in convert script 1731
1732
-------------------------------------------------------------------1733
Wed Jan 25 21:30:24 CET 2006 - mls@suse.de1734
1735
- converted neededforbuild to BuildRequires1736
1737
-------------------------------------------------------------------1738
Fri Jan 13 14:44:24 CET 2006 - mc@suse.de1739
1740
- change the logging defaults 1741
1742
-------------------------------------------------------------------1743
Wed Jan 11 12:59:08 CET 2006 - mc@suse.de1744
1745
- add tools and README for heimdal => MIT update 1746
1747
-------------------------------------------------------------------1748
Mon Jan 9 14:41:07 CET 2006 - mc@suse.de1749
1750
- fix build problems, define _GNU_SOURCE1751
(krb5-1.4.3-set_gnu_source.dif )1752
1753
-------------------------------------------------------------------1754
Tue Jan 3 16:00:13 CET 2006 - mc@suse.de1755
1756
- added "make %{?jobs:-j%jobs}" 1757
1758
-------------------------------------------------------------------1759
Fri Nov 18 12:12:01 CET 2005 - mc@suse.de1760
1761
- update to version 1.4.31762
* some memmory leaks fixed1763
* fix for "AS_REP padata has wrong enctype"1764
* fix for "AS_REP padata missing PA-ETYPE-INFO"1765
* ... and more 1766
1767
-------------------------------------------------------------------1768
Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de1769
1770
- don't build as root 1771
1772
-------------------------------------------------------------------1773
Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de1774
1775
- update to version 1.4.21776
- remove some obsolet patches 1777
1778
-------------------------------------------------------------------1779
Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de1780
1781
- build with --disable-static 1782
1783
-------------------------------------------------------------------1784
Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de1785
1786
- remove devel-static subpackage 1787
1788
-------------------------------------------------------------------1789
Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de1790
1791
- better patch for princ_comp problem 1792
1793
-------------------------------------------------------------------1794
Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de1795
1796
- update to version 1.4.11797
- remove obsolet patches1798
- krb5-1.4-gcc4.dif1799
- krb5-1.4-reduce-namespace-polution.dif1800
- krb5-1.4-VUL-0-telnet.dif1801
1802
-------------------------------------------------------------------1803
Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de1804
1805
- fixed krb5 KDC heap corruption by random free1806
[#80574, CAN-2005-1174, MITKRB5-SA-2005-002]1807
- fixed krb5 double free()1808
[#86768, CAN-2005-1689, MITKRB5-SA-2005-003]1809
- fix krb5 NULL pointer reference while comparing principals1810
[#91600] 1811
1812
-------------------------------------------------------------------1813
Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de1814
1815
- fix uninitialized variables 1816
- compile with -fPIE/ link with -pie1817
1818
-------------------------------------------------------------------1819
Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de1820
1821
- fixed wrong xinetd files [#77149] 1822
1823
-------------------------------------------------------------------1824
Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de1825
1826
- removed krb5-1.4-fix-error_tables.dif patch obsoleted1827
by libcom_err locking patches1828
1829
-------------------------------------------------------------------1830
Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de1831
1832
- fixed missing descriptions in init files 1833
[#76164, #76165, #76166, #76169] 1834
1835
-------------------------------------------------------------------1836
Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de1837
1838
- enhance $PATH via /etc/profile.d/ [#74018]1839
- remove the "links to important programs" 1840
1841
-------------------------------------------------------------------1842
Fri Mar 18 11:09:43 CET 2005 - mc@suse.de1843
1844
- fixed not running converter script [#72854] 1845
1846
-------------------------------------------------------------------1847
Thu Mar 17 14:15:17 CET 2005 - mc@suse.de1848
1849
- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer 1850
Overflow1851
- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer 1852
Overflow1853
[#73618]1854
1855
-------------------------------------------------------------------1856
Wed Mar 16 13:10:18 CET 2005 - mc@suse.de1857
1858
- fixed wrong PreReqs [#73020]1859
1860
-------------------------------------------------------------------1861
Tue Mar 15 19:54:58 CET 2005 - mc@suse.de1862
1863
- add a simple krb5.conf converter [#72854]1864
1865
-------------------------------------------------------------------1866
Mon Mar 14 17:08:59 CET 2005 - mc@suse.de1867
1868
- fixed: rckrb5kdc restart gives wrong status with non-running service1869
[#72446] 1870
1871
-------------------------------------------------------------------1872
Thu Mar 10 10:48:07 CET 2005 - mc@suse.de1873
1874
- add requires: e2fsprogs-devel to krb5-devel package [#71732] 1875
1876
-------------------------------------------------------------------1877
Fri Feb 25 17:35:37 CET 2005 - mc@suse.de1878
1879
- fix double free [#66534]1880
krb5-1.4-fix-error_tables.dif 1881
1882
-------------------------------------------------------------------1883
Fri Feb 11 14:01:32 CET 2005 - mc@suse.de1884
1885
- change mode for shared libraries to 755 1886
1887
-------------------------------------------------------------------1888
Fri Feb 4 16:48:16 CET 2005 - mc@suse.de1889
1890
- remove spx.c from tarball because of legal risk1891
- add README.Source which tell the user about this 1892
action.1893
- add a check for spx.c in the spec-file1894
- use rich-text for update-messages [#50250] 1895
1896
-------------------------------------------------------------------1897
Tue Feb 1 12:13:45 CET 2005 - mc@suse.de1898
1899
- add krb5-1.4-reduce-namespace-polution.dif1900
reduce namespace polution in gssapi.h [#50356] 1901
1902
-------------------------------------------------------------------1903
Fri Jan 28 13:25:42 CET 2005 - mc@suse.de1904
1905
- update to version 1.41906
- Add implementation of the RPCSEC_GSS authentication flavor to the1907
RPC library.1908
- Thread safety for krb5 libraries.1909
- Merged Athena telnetd changes for creating a new option for1910
requiring encryption.1911
- The kadmind4 backwards-compatibility admin server and the v5passwdd1912
backwards-compatibility password-changing server have been removed.1913
- Yarrow code now uses AES.1914
- Merged Athena changes to allow ftpd to require encrypted passwords.1915
- Incorporate gss_krb5_set_allowable_enctypes() and1916
gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.1917
- remove obsolet patches1918
1919
-------------------------------------------------------------------1920
Mon Jan 17 11:34:52 CET 2005 - mc@suse.de1921
1922
- add proofreaded update-messages 1923
1924
-------------------------------------------------------------------1925
Fri Jan 14 14:38:25 CET 2005 - mc@suse.de1926
1927
- remove Conflicts: and add Provides: 1928
- add some insserv stuff 1929
1930
-------------------------------------------------------------------1931
Thu Jan 13 11:54:01 CET 2005 - mc@suse.de1932
1933
- move vendor files to vendor-files.tar.bz21934
- add obsoletes: heimdal1935
- add %pre and %post sections to detect update1936
from heimdal and backup invalid configuration files1937
- add update-messages for heimdal update1938
1939
-------------------------------------------------------------------1940
Mon Jan 10 12:18:02 CET 2005 - mc@suse.de1941
1942
- update to version 1.3.61943
- fix for: heap buffer overflow in libkadm5srv 1944
[CAN-2004-1189 / MITKRB5-SA-2004-004] 1945
1946
-------------------------------------------------------------------1947
Tue Dec 14 15:30:23 CET 2004 - mc@suse.de1948
1949
- build doc subpackage in an own specfile 1950
- removed unnecessary neededforbuild requirements1951
1952
-------------------------------------------------------------------1953
Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de1954
1955
- fix build with gcc 41956
1957
-------------------------------------------------------------------1958
Mon Nov 15 17:25:56 CET 2004 - mc@suse.de1959
1960
- added Conflicts with heimdal*1961
- rename some manpages to avoid conflicts 1962
1963
-------------------------------------------------------------------1964
Thu Nov 4 18:03:11 CET 2004 - mc@suse.de1965
1966
- new init scripts1967
- fix logrotate scripts1968
- add some 64Bit fixes1969
- add default krb5.conf, kdc.conf and kadm5.acl1970
1971
-------------------------------------------------------------------1972
Wed Nov 3 18:52:07 CET 2004 - mc@suse.de1973
1974
- add e2fsprogs to NFB1975
- use system-et and system-ss 1976
- fix includes of com_err.h 1977
1978
-------------------------------------------------------------------1979
Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de1980
1981
- Initital checkin 1982
1983