File krb5-mini.changes of Package krb5
1793
1
-------------------------------------------------------------------2
Mon Nov 9 10:59:26 UTC 2020 - Samuel Cabrero <scabrero@suse.de>3
4
- Add recursion limit for ASN.1 indefinite lengths; (CVE-2020-28196);5
(bsc#1178512);6
- Added patches:7
* 0012-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch8
9
-------------------------------------------------------------------10
Mon Aug 5 15:26:39 UTC 2019 - Samuel Cabrero <scabrero@suse.de>11
12
- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947);13
(bsc#1144047);14
15
-------------------------------------------------------------------16
Fri Jan 18 16:36:16 UTC 2019 - Samuel Cabrero <scabrero@suse.de>17
18
- Fix flaws in LDAP DN checking; (CVE-2018-5729); (CVE-2018-5730);19
(bsc#1083926); (bsc#1083927)20
- Added patches:21
* 0011-Fix-flaws-in-LDAP-DN-checking.patch22
23
-------------------------------------------------------------------24
Tue Jan 8 10:19:13 UTC 2019 - Samuel Cabrero <scabrero@suse.de>25
26
- Remove incorrect KDC assertion; (CVE-2018-20217); (bsc#1120489);27
- Added patches:28
* 0010-Remove-incorrect-KDC-assertion.patch29
30
-------------------------------------------------------------------31
Thu Nov 23 13:38:33 UTC 2017 - rbrown@suse.com32
33
- Replace references to /var/adm/fillup-templates with new 34
%_fillupdir macro (boo#1069468)35
36
-------------------------------------------------------------------37
Mon Oct 2 22:53:28 UTC 2017 - jengelh@inai.de38
39
- Update package descriptions.40
41
-------------------------------------------------------------------42
Mon Sep 25 19:45:05 UTC 2017 - michael@stroeder.com43
44
- Upgrade to 1.15.245
* Fix a KDC denial of service vulnerability caused by unset status46
strings [CVE-2017-11368]47
* Preserve GSS contexts on init/accept failure [CVE-2017-11462]48
* Fix kadm5 setkey operation with LDAP KDB module49
* Use a ten-second timeout after successful connection for HTTPS KDC50
requests, as we do for TCP requests51
* Fix client null dereference when KDC offers encrypted challenge52
without FAST53
* Ignore dotfiles when processing profile includedir directive54
* Improve documentation55
56
-------------------------------------------------------------------57
Fri Aug 18 08:27:26 UTC 2017 - hguo@suse.com58
59
- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf60
in order to improve client security in handling service principle61
names. (bsc#1054028)62
63
-------------------------------------------------------------------64
Tue Jun 6 13:36:34 UTC 2017 - hguo@suse.com65
66
- There is no change made about the package itself, this is only67
copying over some changelog texts from SLE package:68
- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-535569
krb5: denial of service in krb5_read_message70
- bug#912002 owned by varkoly@suse.com: VUL-071
CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423:72
krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token73
- bug#910458 owned by varkoly@suse.com: VUL-174
CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries75
- bug#928978 owned by varkoly@suse.com: VUL-076
CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading77
to requires_preauth bypass78
- bug#910457 owned by varkoly@suse.com: VUL-179
CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy80
name as a password policy name81
- bug#991088 owned by hguo@suse.com: VUL-182
CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted83
- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires84
- [fate#320326](https://fate.suse.com/320326)85
- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference86
from \cite87
88
-------------------------------------------------------------------89
Thu Apr 6 13:00:26 CEST 2017 - kukuk@suse.de90
91
- Remove wrong PreRequires92
93
-------------------------------------------------------------------94
Thu Mar 9 20:58:42 UTC 2017 - michael@stroeder.com95
96
- use HTTPS project and source URLs97
98
-------------------------------------------------------------------99
Thu Mar 9 16:31:41 UTC 2017 - meissner@suse.com100
101
- use source urls.102
- krb5.keyring: Added Greg Hudson103
104
-------------------------------------------------------------------105
Sat Mar 4 21:29:34 UTC 2017 - michael@stroeder.com106
107
- removed obsolete krb5-1.15-fix_kdb_free_principal_e_data.patch108
- Upgrade to 1.15.1109
* Allow KDB modules to determine how the e_data field of principal110
fields is freed111
* Fix udp_preference_limit when the KDC location is configured with112
SRV records113
* Fix KDC and kadmind startup on some IPv4-only systems114
* Fix the processing of PKINIT certificate matching rules which have115
two components and no explicit relation116
* Improve documentation117
118
-------------------------------------------------------------------119
Thu Jan 19 16:01:27 UTC 2017 - asn@cryptomilk.org120
121
- Introduce patch122
krb5-1.15-fix_kdb_free_principal_e_data.patch123
to fix freeing of e_data in the kdb principal124
125
-------------------------------------------------------------------126
Sat Dec 3 13:04:11 UTC 2016 - michael@stroeder.com127
128
- Upgrade to 1.15129
- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2130
- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since131
file is not available in upstream source anymore132
- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15133
- doc/CHANGES not available in 1.15 source anymore134
135
- Upgrade from 1.14.4 to 1.15 - major changes:136
Administrator experience:137
* Add support to kadmin for remote extraction of current keys without138
changing them (requires a special kadmin permission that is excluded139
from the wildcard permission), with the exception of highly140
protected keys.141
* Add a lockdown_keys principal attribute to prevent retrieval of the142
principal's keys (old or new) via the kadmin protocol. In newly143
created databases, this attribute is set on the krbtgt and kadmin144
principals.145
* Restore recursive dump capability for DB2 back end, so sites can146
more easily recover from database corruption resulting from power147
failure events.148
* Add DNS auto-discovery of KDC and kpasswd servers from URI records,149
in addition to SRV records. URI records can convey TCP and UDP150
servers and master KDC status in a single DNS lookup, and can also151
point to HTTPS proxy servers.152
* Add support for password history to the LDAP back end.153
* Add support for principal renaming to the LDAP back end.154
* Use the getrandom system call on supported Linux kernels to avoid155
blocking problems when getting entropy from the operating system.156
* In the PKINIT client, use the correct DigestInfo encoding for PKCS157
#1 signatures, so that some especially strict smart cards will work.158
Code quality:159
* Clean up numerous compilation warnings.160
* Remove various infrequently built modules, including some preauth161
modules that were not built by default.162
Developer experience:163
* Add support for building with OpenSSL 1.1.164
* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of165
authenticators in the replay cache. This helps sites that must166
build with FIPS 140 conformant libraries that lack MD5.167
Protocol evolution:168
* Add support for the AES-SHA2 enctypes, which allows sites to conform169
to Suite B crypto requirements.170
171
- Upgrade from 1.14.3 to 1.14.4 - major changes:172
* Fix some rare btree data corruption bugs173
* Fix numerous minor memory leaks174
* Improve portability (Linux-ppc64el, FreeBSD)175
* Improve some error messages176
* Improve documentation177
178
-------------------------------------------------------------------179
Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com180
181
- Upgrade from 1.14.2 to 1.14.3:182
* Improve some error messages183
* Improve documentation184
* Allow a principal with nonexistent policy to bypass the minimum185
password lifetime check, consistent with other aspects of186
nonexistent policies187
* Fix a rare KDC denial of service vulnerability when anonymous client188
principals are restricted to obtaining TGTs only [CVE-2016-3120]189
190
------------------------------------------------------------------191
Tue May 10 12:41:14 UTC 2016 - hguo@suse.com192
193
- Remove source file ccapi/common/win/OldCC/autolock.hxx194
that is not needed and does not carry an acceptable license.195
(bsc#968111)196
197
-------------------------------------------------------------------198
Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com199
200
- removed obsolete patches:201
* 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch202
* krb5-mechglue_inqure_attrs.patch203
- Upgrade from 1.14.1 to 1.14.2:204
* Fix a moderate-severity vulnerability in the LDAP KDC back end that205
could be exploited by a privileged kadmin user [CVE-2016-3119]206
* Improve documentation207
* Fix some interactions with GSSAPI interposer mechanisms208
209
-------------------------------------------------------------------210
Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com211
212
- Upgrade from 1.14 to 1.14.1:213
* Remove expired patches:214
0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch215
0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch216
0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch217
krbdev.mit.edu-8301.patch218
* Replace source archives:219
krb5-1.14.tar.gz ->220
krb5-1.14.1.tar.gz221
krb5-1.14.tar.gz.asc ->222
krb5-1.14.1.tar.gz.asc223
* Adjust line numbers in:224
krb5-fix_interposer.patch225
226
-------------------------------------------------------------------227
Thu Feb 11 15:07:26 UTC 2016 - hguo@suse.com228
229
- Remove krb5 pieces from spec file.230
Hence remove pre_checkin.sh231
- Remove expired macros and other minor clena-ups in spec file.232
- Change package description to explain what "mini" means.233
234
-------------------------------------------------------------------235
Mon Jan 11 12:33:54 UTC 2016 - idonmez@suse.com236
237
- Add two patches from Fedora, fixing two crashes:238
* krb5-fix_interposer.patch239
* krb5-mechglue_inqure_attrs.patch240
241
-------------------------------------------------------------------242
Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com243
244
- Update to 1.14245
- dropped krb5-kvno-230379.patch246
- added krbdev.mit.edu-8301.patch fixing wrong function call247
248
Major changes in 1.14 (2015-11-20)249
==================================250
251
Administrator experience:252
253
* Add a new kdb5_util tabdump command to provide reporting-friendly254
tabular dump formats (tab-separated or CSV) for the KDC database.255
Unlike the normal dump format, each output table has a fixed number256
of fields. Some tables include human-readable forms of data that257
are opaque in ordinary dump files. This format is also suitable for258
importing into relational databases for complex queries.259
* Add support to kadmin and kadmin.local for specifying a single260
command line following any global options, where the command261
arguments are split by the shell--for example, "kadmin getprinc262
principalname". Commands issued this way do not prompt for263
confirmation or display warning messages, and exit with non-zero264
status if the operation fails.265
* Accept the same principal flag names in kadmin as we do for the266
default_principal_flags kdc.conf variable, and vice versa. Also267
accept flag specifiers in the form that kadmin prints, as well as268
hexadecimal numbers.269
* Remove the triple-DES and RC4 encryption types from the default270
value of supported_enctypes, which determines the default key and271
salt types for new password-derived keys. By default, keys will272
only created only for AES128 and AES256. This mitigates some types273
of password guessing attacks.274
* Add support for directory names in the KRB5_CONFIG and275
KRB5_KDC_PROFILE environment variables.276
* Add support for authentication indicators, which are ticket277
annotations to indicate the strength of the initial authentication.278
Add support for the "require_auth" string attribute, which can be279
set on server principal entries to require an indicator when280
authenticating to the server.281
* Add support for key version numbers larger than 255 in keytab files,282
and for version numbers up to 65535 in KDC databases.283
* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC284
during pre-authentication, corresponding to the client's most285
preferred encryption type.286
* Add support for server name identification (SNI) when proxying KDC287
requests over HTTPS.288
* Add support for the err_fmt profile parameter, which can be used to289
generate custom-formatted error messages.290
291
Code quality:292
293
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that294
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]295
[CVE-2015-2698]296
* Fix build_principal memory bug that could cause a KDC297
crash. [CVE-2015-2697]298
299
Developer experience:300
301
* Change gss_acquire_cred_with_password() to acquire credentials into302
a private memory credential cache. Applications can use303
gss_store_cred() to make the resulting credentials visible to other304
processes.305
* Change gss_acquire_cred() and SPNEGO not to acquire credentials for306
IAKERB or for non-standard variants of the krb5 mechanism OID unless307
explicitly requested. (SPNEGO will still accept the Microsoft308
variant of the krb5 mechanism OID during negotiation.)309
* Change gss_accept_sec_context() not to accept tokens for IAKERB or310
for non-standard variants of the krb5 mechanism OID unless an311
acceptor credential is acquired for those mechanisms.312
* Change gss_acquire_cred() to immediately resolve credentials if the313
time_rec parameter is not NULL, so that a correct expiration time314
can be returned. Normally credential resolution is delayed until315
the target name is known.316
* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,317
which can be used by plugin modules or applications to add prefixes318
to existing detailed error messages.319
* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which320
implement the RFC 6113 PRF+ operation and key derivation using PRF+.321
* Add support for pre-authentication mechanisms which use multiple322
round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error323
code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth324
interface; these callbacks can be used to save marshalled state325
information in an encrypted cookie for the next request.326
* Add a client_key() callback to the kdcpreauth interface to retrieve327
the chosen client key, corresponding to the ETYPE-INFO2 entry sent328
by the KDC.329
* Add an add_auth_indicator() callback to the kdcpreauth interface,330
allowing pre-authentication modules to assert authentication331
indicators.332
* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to333
suppress sending the confidentiality and integrity flags in GSS334
initiator tokens unless they are requested by the caller. These335
flags control the negotiated SASL security layer for the Microsoft336
GSS-SPNEGO SASL mechanism.337
* Make the FILE credential cache implementation less prone to338
corruption issues in multi-threaded programs, especially on339
platforms with support for open file description locks.340
341
Performance:342
343
* On slave KDCs, poll the master KDC immediately after processing a344
full resync, and do not require two full resyncs after the master345
KDC's log file is reset.346
347
User experience:348
349
* Make gss_accept_sec_context() accept tickets near their expiration350
but within clock skew tolerances, rather than rejecting them351
immediately after the server's view of the ticket expiration time.352
353
-------------------------------------------------------------------354
Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com355
356
- Update to 1.13.3357
- removed patches for security fixes now in upstream source:358
0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch359
0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch360
0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch361
0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch362
363
Major changes in 1.13.3 (2015-12-04)364
====================================365
366
This is a bug fix release. The krb5-1.13 release series is in367
maintenance, and for new deployments, installers should prefer the368
krb5-1.14 release series or later.369
370
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that371
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]372
[CVE-2015-2698]373
* Fix build_principal memory bug that could cause a KDC374
crash. [CVE-2015-2697]375
* Allow an iprop slave to receive full resyncs from KDCs running376
krb5-1.10 or earlier.377
378
-------------------------------------------------------------------379
Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com380
381
- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch382
to fix a memory corruption regression introduced by resolution of383
CVE-2015-2698. bsc#954204384
385
-------------------------------------------------------------------386
Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com387
388
- Make kadmin.local man page available without having to install krb5-client. bsc#948011389
- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch390
to fix build_principal memory bug [CVE-2015-2697] bsc#952190391
- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch392
to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189393
- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch394
to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188395
396
-------------------------------------------------------------------397
Mon Jun 1 07:31:52 UTC 2015 - hguo@suse.com398
399
- Let server depend on libev (module of libverto). This was the400
preferred implementation before the seperation of libverto from krb.401
402
-------------------------------------------------------------------403
Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org404
405
- Drop libverto and libverto-libev Requires from the -server406
package: those package names don't exist and the shared libs407
are pulled in automatically.408
409
-------------------------------------------------------------------410
Wed May 27 10:59:13 UTC 2015 - dimstar@opensuse.org411
412
- Unconditionally buildrequire libverto-devel: krb5-mini also413
depends on it.414
415
-------------------------------------------------------------------416
Fri May 22 09:27:11 UTC 2015 - meissner@suse.com417
418
- pre_checkin.sh aligned changes between krb5/krb5-mini419
- added krb5.keyring420
421
-------------------------------------------------------------------422
Tue May 12 07:48:18 UTC 2015 - michael@stroeder.com423
424
- update to krb5 1.13.2425
426
- DES transition427
==============428
429
The Data Encryption Standard (DES) is widely recognized as weak. The430
krb5-1.7 release contains measures to encourage sites to migrate away431
- From using single-DES cryptosystems. Among these is a configuration432
variable that enables "weak" enctypes, which defaults to "false"433
beginning with krb5-1.8.434
435
436
Major changes in 1.13.2 (2015-05-08)437
====================================438
439
This is a bug fix release.440
441
* Fix a minor vulnerability in krb5_read_message, which is primarily442
used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]443
444
* Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.445
[CVE-2015-2694]446
447
* Fix some issues with the LDAP KDC database back end.448
449
* Fix an iteration-related memory leak in the DB2 KDC database back450
end.451
452
* Fix issues with some less-used kadm5.acl functionality.453
454
* Improve documentation.455
456
-------------------------------------------------------------------457
Thu Apr 23 14:13:03 UTC 2015 - hguo@suse.com458
459
- Use externally built libverto460
461
-------------------------------------------------------------------462
Wed Feb 18 11:48:46 UTC 2015 - michael@stroeder.com463
464
- update to krb5 1.13.1465
466
Major changes in 1.13.1 (2015-02-11)467
====================================468
469
This is a bug fix release.470
471
* Fix multiple vulnerabilities in the LDAP KDC back end.472
[CVE-2014-5354] [CVE-2014-5353]473
474
* Fix multiple kadmind vulnerabilities, some of which are based in the475
gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421476
CVE-2014-9422 CVE-2014-9423]477
478
-------------------------------------------------------------------479
Tue Jan 6 07:12:29 UTC 2015 - mlin@suse.com480
481
- Update to krb5 1.13482
* Add support for accessing KDCs via an HTTPS proxy server using the483
MS-KKDCP protocol.484
* Add support for hierarchical incremental propagation, where slaves485
can act as intermediates between an upstream master and other downstream486
slaves.487
* Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf488
files in addition to /etc/gss/mech.489
* Add support to the LDAP KDB module for binding to the LDAP server using490
SASL.491
* The KDC listens for TCP connections by default.492
* Fix a minor key disclosure vulnerability where using the "keepold" option493
to the kadmin randkey operation could return the old keys. [CVE-2014-5351]494
* Add client support for the Kerberos Cache Manager protocol. If the host495
is running a Heimdal kcm daemon, caches served by the daemon can be496
accessed with the KCM: cache type.497
* When built on OS X 10.7 and higher, use "KCM:" as the default cache type,498
unless overridden by command-line options or krb5-config values.499
* Add support for doing unlocked database dumps for the DB2 KDC back end,500
which would allow the KDC and kadmind to continue accessing the database501
during lengthy database dumps.502
- Removed patches, useless or upstreamed503
* krb5-1.9-kprop-mktemp.patch504
* krb5-1.10-ksu-access.patch505
* krb5-1.12-doxygen.patch506
* bnc#897874-CVE-2014-5351.diff507
* krb5-1.13-work-around-replay-cache-creation-race.patch508
* krb5-1.10-kpasswd_tcp.patch509
- Refreshed patches510
* krb5-1.12-pam.patch511
* krb5-1.12-selinux-label.patch512
* krb5-1.7-doublelog.patch513
514
-------------------------------------------------------------------515
Thu Sep 25 12:48:32 UTC 2014 - ddiss@suse.com516
517
- Work around replay cache creation race; (bnc#898439).518
krb5-1.13-work-around-replay-cache-creation-race.patch519
520
-------------------------------------------------------------------521
Tue Sep 23 13:25:33 UTC 2014 - varkoly@suse.com522
523
- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal 524
- added patches:525
* bnc#897874-CVE-2014-5351.diff526
-------------------------------------------------------------------527
Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de528
529
- krb5 5.12.2:530
* Work around a gcc optimizer bug that could cause DB2 KDC531
database operations to spin in an infinite loop532
* Fix a backward compatibility problem with the LDAP KDB schema533
that could prevent krb5-1.11 and later from decoding entries534
created by krb5-1.6.535
* Avoid an infinite loop under some circumstances when the GSS536
mechglue loads a dynamic mechanism.537
* Fix krb5kdc argument parsing so "-w" and "-r" options work538
togetherreliably.539
- Vulnerability fixes previously fixed in package via patches:540
* Handle certain invalid RFC 1964 GSS tokens correctly to avoid541
invalid memory reference vulnerabilities. [CVE-2014-4341542
CVE-2014-4342]543
* Fix memory management vulnerabilities in GSSAPI SPNEGO.544
[CVE-2014-4343 CVE-2014-4344]545
* Fix buffer overflow vulnerability in LDAP KDB back end.546
[CVE-2014-4345]547
- updated patches:548
* krb5-1.7-doublelog.patch for context change549
* krb5-1.6.3-ktutil-manpage.dif, same550
- removed patches, in upstream:551
* krb5-master-keyring-kdcsync.patch552
* krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch553
* krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch554
* krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch555
* krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch556
- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch557
from upstream558
559
-------------------------------------------------------------------560
Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com561
562
- buffer overrun in kadmind with LDAP backend563
CVE-2014-4345 (bnc#891082)564
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch 565
566
-------------------------------------------------------------------567
Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com568
569
- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)570
krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch571
Fix null deref in SPNEGO acceptor [CVE-2014-4344]572
krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch573
574
-------------------------------------------------------------------575
Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com576
577
- Do not depend of insserv if systemd is used 578
579
-------------------------------------------------------------------580
Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com581
582
- denial of service flaws when handling RFC 1964 tokens (bnc#886016)583
krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch584
- start krb5kdc after slapd (bnc#886102)585
586
-------------------------------------------------------------------587
Fri Jun 6 11:08:08 UTC 2014 - ckornacker@suse.com588
589
- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)590
similar functionality is provided by krb5-plugin-preauth-pkinit591
592
-------------------------------------------------------------------593
Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com594
595
- don't deliver SysV init files to systemd distributions596
597
-------------------------------------------------------------------598
Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com599
600
- update to version 1.12.1601
* Make KDC log service principal names more consistently during602
some error conditions, instead of "<unknown server>"603
* Fix several bugs related to building AES-NI support on less604
common configurations605
* Fix several bugs related to keyring credential caches606
- upstream obsoletes:607
krb5-1.12-copy_context.patch608
krb5-1.12-enable-NX.patch609
krb5-1.12-pic-aes-ni.patch610
krb5-master-no-malloc0.patch611
krb5-master-ignore-empty-unnecessary-final-token.patch612
krb5-master-gss_oid_leak.patch613
krb5-master-keytab_close.patch614
krb5-master-spnego_error_messages.patch615
- Fix Get time offsets for all keyring ccaches616
krb5-master-keyring-kdcsync.patch (RT#7820)617
618
-------------------------------------------------------------------619
Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com620
621
- update to version 1.12622
* Add GSSAPI extensions for constructing MIC tokens using IOV lists623
* Add a FAST OTP preauthentication module for the KDC which uses624
RADIUS to validate OTP token values.625
* The AES-based encryption types will use AES-NI instructions626
when possible for improved performance.627
- revert dependency on libcom_err-mini-devel since it's not yet628
available629
- update and rebase patches630
* krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch631
* krb5-1.11-pam.patch -> krb5-1.12-pam.patch632
* krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch633
* krb5-1.8-api.patch -> krb5-1.12-api.patch634
* krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch635
* krb5-1.9-debuginfo.patch636
* krb5-1.9-kprop-mktemp.patch637
* krb5-kvno-230379.patch638
- added upstream patches639
- Fix krb5_copy_context640
* krb5-1.12-copy_context.patch641
- Mark AESNI files as not needing executable stacks642
* krb5-1.12-enable-NX.patch643
* krb5-1.12-pic-aes-ni.patch644
- Fix memory leak in SPNEGO initiator645
* krb5-master-gss_oid_leak.patch646
- Fix SPNEGO one-hop interop against old IIS647
* krb5-master-ignore-empty-unnecessary-final-token.patch648
- Fix GSS krb5 acceptor acquire_cred error handling 649
* krb5-master-keytab_close.patch650
- Avoid malloc(0) in SPNEGO get_input_token651
* krb5-master-no-malloc0.patch652
- Test SPNEGO error message in t_s4u.py653
* krb5-master-spnego_error_messages.patch654
655
-------------------------------------------------------------------656
Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com657
658
- Reduce build dependencies for krb5-mini by removing659
doxygen and changing libcom_err-devel to660
libcom_err-mini-devel661
- Small fix to pre_checkin.sh so krb5-mini.spec is correct.662
663
-------------------------------------------------------------------664
Fri Nov 15 13:33:53 UTC 2013 - ckornacker@suse.com665
666
- update to version 1.11.4667
- Fix a KDC null pointer dereference [CVE-2013-1417] that could668
affect realms with an uncommon configuration.669
- Fix a KDC null pointer dereference [CVE-2013-1418] that could670
affect KDCs that serve multiple realms.671
- Fix a number of bugs related to KDC master key rollover.672
673
-------------------------------------------------------------------674
Mon Jun 24 16:21:07 UTC 2013 - mc@suse.com675
676
- install and enable systemd service files also in -mini package677
678
-------------------------------------------------------------------679
Fri Jun 21 02:12:03 UTC 2013 - crrodriguez@opensuse.org680
681
- remove fstack-protector-all from CFLAGS, just use the 682
lighter/fast version already present in %optflags683
684
- Use LFS_CFLAGS to build in 32 bit archs.685
686
-------------------------------------------------------------------687
Sun Jun 9 14:14:48 UTC 2013 - mc@suse.com688
689
- update to version 1.11.3690
- Fix a UDP ping-pong vulnerability in the kpasswd691
(password changing) service. [CVE-2002-2443]692
- Improve interoperability with some Windows native PKINIT clients.693
- install translation files694
- remove outdated configure options695
696
-------------------------------------------------------------------697
Tue May 28 17:08:01 UTC 2013 - mc@suse.com698
699
- cleanup systemd files (remove syslog.target)700
701
-------------------------------------------------------------------702
Fri May 3 09:43:47 CEST 2013 - mc@suse.de703
704
- let krb5-mini conflict with all main packages705
706
-------------------------------------------------------------------707
Thu May 2 16:43:16 CEST 2013 - mc@suse.de708
709
- add conflicts between krb5-mini and krb5-server710
711
-------------------------------------------------------------------712
Sun Apr 28 17:14:36 CEST 2013 - mc@suse.de713
714
- update to version 1.11.2715
* Incremental propagation could erroneously act as if a slave's716
database were current after the slave received a full dump717
that failed to load.718
* gss_import_sec_context incorrectly set internal state that719
identifies whether an imported context is from an interposer720
mechanism or from the underlying mechanism. 721
- upstream fix obsolete krb5-lookup_etypes-leak.patch722
723
-------------------------------------------------------------------724
Thu Apr 4 15:10:19 CEST 2013 - mc@suse.de725
726
- add conflicts between krb5-mini-devel and krb5-devel727
728
-------------------------------------------------------------------729
Tue Apr 2 17:32:08 CEST 2013 - mc@suse.de730
731
- add conflicts between krb5-mini and krb5 and krb5-client732
733
-------------------------------------------------------------------734
Wed Mar 27 11:36:00 CET 2013 - mc@suse.de735
736
- enable selinux and set openssl as crypto implementation737
738
-------------------------------------------------------------------739
Fri Mar 22 10:34:55 CET 2013 - mc@suse.de740
741
- fix path to executables in service files742
(bnc#810926)743
744
-------------------------------------------------------------------745
Fri Mar 15 11:14:21 CET 2013 - mc@suse.de746
747
- update to version 1.11.1748
* Improve ASN.1 support code, making it table-driven for749
decoding as well as encoding750
* Refactor parts of KDC751
* Documentation consolidation752
* build docs in the main package753
* bugfixing754
- changes of patches:755
* bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif:756
upstream757
* bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif:758
upstream759
* krb5-1.10-gcc47.patch: upstream760
* krb5-1.10-selinux-label.patch replaced by761
krb5-1.11-selinux-label.patch762
* krb5-1.10-spin-loop.patch: upstream763
* krb5-1.3.5-perlfix.dif: the tool was removed from upstream764
* krb5-1.8-pam.patch replaced by765
krb5-1.11-pam.patch766
767
-------------------------------------------------------------------768
Wed Mar 6 12:01:32 CET 2013 - mc@suse.de769
770
- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()771
CVE-2012-1016 (bnc#807556)772
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif773
774
-------------------------------------------------------------------775
Mon Mar 4 11:23:10 CET 2013 - mc@suse.de776
777
- fix PKINIT null pointer deref778
CVE-2013-1415 (bnc#806715)779
bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif780
781
-------------------------------------------------------------------782
Fri Jan 25 15:29:37 CET 2013 - mc@suse.de783
784
- package missing file (bnc#794784)785
786
-------------------------------------------------------------------787
Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com788
789
- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc790
(bnc#793336)791
792
-------------------------------------------------------------------793
Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com794
795
- revert the -p usage in %postun to fix SLE build796
797
-------------------------------------------------------------------798
Tue Oct 16 12:05:00 UTC 2012 - coolo@suse.com799
800
- buildrequire systemd by pkgconfig provide to get systemd-mini801
802
-------------------------------------------------------------------803
Sat Oct 13 16:50:59 UTC 2012 - coolo@suse.com804
805
- do not require systemd in krb5-mini806
807
-------------------------------------------------------------------808
Fri Oct 5 15:50:38 CEST 2012 - mc@suse.de809
810
- add systemd service files for kadmind, krb5kdc and kpropd811
- add sysconfig templates for kadmind and krb5kdc812
813
-------------------------------------------------------------------814
Wed Jun 13 08:40:56 UTC 2012 - coolo@suse.com815
816
- fix %files section for krb5-mini817
818
-------------------------------------------------------------------819
Thu Jun 7 11:39:18 UTC 2012 - mc@suse.de820
821
- fix gcc47 issues822
823
-------------------------------------------------------------------824
Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de825
826
- update to version 1.10.2827
obsolte patches:828
* krb5-1.7-nodeplibs.patch829
* krb5-1.9.1-ai_addrconfig.patch830
* krb5-1.9.1-ai_addrconfig2.patch831
* krb5-1.9.1-sendto_poll.patch832
* krb5-1.9-canonicalize-fallback.patch833
* krb5-1.9-paren.patch834
* krb5-klist_s.patch835
* krb5-pkinit-cms2.patch836
* krb5-trunk-chpw-err.patch837
* krb5-trunk-gss_delete_sec.patch838
* krb5-trunk-kadmin-oldproto.patch839
* krb5-1.9-MITKRB5-SA-2011-006.dif840
* krb5-1.9-gss_display_status-iakerb.patch841
* krb5-1.9.1-sendto_poll2.patch842
* krb5-1.9.1-sendto_poll3.patch843
* krb5-1.9-MITKRB5-SA-2011-007.dif844
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain845
Controllers.846
- Update a workaround for a glibc bug that would cause DNS PTR queries847
to occur even when rdns = false.848
- Fix a kadmind denial of service issue (null pointer dereference),849
which could only be triggered by an administrator with the "create"850
privilege. [CVE-2012-1013]851
- Fix access controls for KDB string attributes [CVE-2012-1012]852
- Make the ASN.1 encoding of key version numbers interoperate with853
Windows Read-Only Domain Controllers854
- Avoid generating spurious password expiry warnings in cases where855
the KDC sends an account expiry time without a password expiry time856
- Make PKINIT work with FAST in the client library.857
- Add the DIR credential cache type, which can hold a collection of858
credential caches.859
- Enhance kinit, klist, and kdestroy to support credential cache860
collections if the cache type supports it.861
- Add the kswitch command, which changes the selected default cache862
within a collection.863
- Add heuristic support for choosing client credentials based on864
the service realm.865
- Add support for $HOME/.k5identity, which allows credential866
choice based on configured rules.867
868
-------------------------------------------------------------------869
Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de870
871
- add autoconf macro to devel subpackage872
873
-------------------------------------------------------------------874
Tue Jan 31 15:33:05 CET 2012 - meissner@suse.de875
876
- fix license in krb5-mini877
878
-------------------------------------------------------------------879
Tue Dec 20 20:57:26 UTC 2011 - coolo@suse.com880
881
- add autoconf as buildrequire to avoid implicit dependency882
883
-------------------------------------------------------------------884
Tue Dec 20 11:01:39 UTC 2011 - coolo@suse.com885
886
- remove call to suse_update_config, very old work around887
888
-------------------------------------------------------------------889
Mon Nov 21 11:24:12 CET 2011 - mc@suse.de890
891
- fix KDC null pointer dereference in TGS handling892
(MITKRB5-SA-2011-007, bnc#730393)893
CVE-2011-1530894
895
-------------------------------------------------------------------896
Mon Nov 21 11:11:54 CET 2011 - mc@suse.de897
898
- fix KDC HA feature introduced with implementing KDC poll899
(RT#6951, bnc#731648)900
901
-------------------------------------------------------------------902
Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de903
904
- fix minor error messages for the IAKERB GSSAPI mechanism905
(see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)906
907
-------------------------------------------------------------------908
Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de909
910
- fix kdc remote denial of service911
(MITKRB5-SA-2011-006, bnc#719393)912
CVE-2011-1527, CVE-2011-1528, CVE-2011-1529913
914
-------------------------------------------------------------------915
Tue Aug 23 13:52:03 CEST 2011 - mc@suse.de916
917
- use --without-pam to build krb5-mini918
919
-------------------------------------------------------------------920
Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com921
922
- add patches from Fedora and upstream 923
- fix init scripts (bnc#689006)924
925
-------------------------------------------------------------------926
Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com927
928
- update to version 1.9.1929
* obsolete patches:930
MITKRB5-SA-2010-007-1.8.dif931
krb5-1.8-MITKRB5-SA-2010-006.dif932
krb5-1.8-MITKRB5-SA-2011-001.dif933
krb5-1.8-MITKRB5-SA-2011-002.dif934
krb5-1.8-MITKRB5-SA-2011-003.dif935
krb5-1.8-MITKRB5-SA-2011-004.dif936
krb5-1.4.3-enospc.dif937
* replace krb5-1.6.1-compile_pie.dif938
-------------------------------------------------------------------939
Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de940
941
- fix kadmind invalid pointer free()942
(MITKRB5-SA-2011-004, bnc#687469)943
CVE-2011-0285944
945
-------------------------------------------------------------------946
Tue Mar 1 12:43:22 CET 2011 - mc@suse.de947
948
- Fix vulnerability to a double-free condition in KDC daemon949
(MITKRB5-SA-2011-003, bnc#671717)950
CVE-2011-0284951
952
-------------------------------------------------------------------953
Wed Jan 19 14:42:27 CET 2011 - mc@suse.de954
955
- Fix kpropd denial of service956
(MITKRB5-SA-2011-001, bnc#662665)957
CVE-2010-4022958
- Fix KDC denial of service attacks with LDAP back end959
(MITKRB5-SA-2011-002, bnc#663619)960
CVE-2011-0281, CVE-2011-0282 961
962
-------------------------------------------------------------------963
Wed Dec 1 11:44:15 CET 2010 - mc@suse.de964
965
- Fix multiple checksum handling vulnerabilities 966
(MITKRB5-SA-2010-007, bnc#650650)967
CVE-2010-1324968
* krb5 GSS-API applications may accept unkeyed checksums969
* krb5 application services may accept unkeyed PAC checksums970
* krb5 KDC may accept low-entropy KrbFastArmoredReq checksums971
CVE-2010-1323972
* krb5 clients may accept unkeyed SAM-2 challenge checksums973
* krb5 may accept KRB-SAFE checksums with low-entropy derived keys974
CVE-2010-4020975
* krb5 may accept authdata checksums with low-entropy derived keys976
CVE-2010-4021977
* krb5 KDC may issue unrequested tickets due to KrbFastReq forgery 978
979
-------------------------------------------------------------------980
Thu Oct 28 12:53:13 CEST 2010 - mc@suse.de981
982
- fix csh profile (bnc#649856) 983
984
-------------------------------------------------------------------985
Fri Oct 22 11:15:43 CEST 2010 - mc@suse.de986
987
- update to krb5-1.8.3988
* remove patches which are now upstrem989
- krb5-1.7-MITKRB5-SA-2010-004.dif 990
- krb5-1.8.1-gssapi-error-table.dif 991
- krb5-MITKRB5-SA-2010-005.dif 992
993
-------------------------------------------------------------------994
Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de995
996
- change environment variable PATH directly for csh997
(bnc#642080)998
999
-------------------------------------------------------------------1000
Mon Sep 27 11:42:43 CEST 2010 - mc@suse.de1001
1002
- fix a dereference of an uninitialized pointer while processing1003
authorization data. 1004
CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)1005
1006
-------------------------------------------------------------------1007
Mon Jun 21 21:31:53 UTC 2010 - lchiquitto@novell.com1008
1009
- add correct error table when initializing gss-krb5 (bnc#606584,1010
bnc#608295)1011
1012
-------------------------------------------------------------------1013
Wed May 19 14:27:19 CEST 2010 - mc@suse.de1014
1015
- fix GSS-API library null pointer dereference1016
CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826) 1017
1018
-------------------------------------------------------------------1019
Wed Apr 14 11:36:32 CEST 2010 - mc@suse.de1020
1021
- fix a double free vulnerability in the KDC 1022
CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)1023
1024
-------------------------------------------------------------------1025
Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de1026
1027
- update to version 1.8.11028
* include krb5-1.8-POST.dif1029
* include MITKRB5-SA-2010-002 1030
1031
-------------------------------------------------------------------1032
Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de1033
1034
- update krb5-1.8-POST.dif 1035
1036
-------------------------------------------------------------------1037
Tue Mar 23 14:32:41 CET 2010 - mc@suse.de1038
1039
- fix a bug where an unauthenticated remote attacker could cause1040
a GSS-API application including the Kerberos administration1041
daemon (kadmind) to crash.1042
CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) 1043
1044
-------------------------------------------------------------------1045
Tue Mar 23 12:33:26 CET 2010 - mc@suse.de1046
1047
- add post 1.8 fixes1048
* Add IPv6 support to changepw.c1049
* fix two problems in kadm5_get_principal mask handling 1050
* Ignore improperly encoded signedpath AD elements1051
* handle NT_SRV_INST in service principal referrals1052
* dereference options while checking 1053
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT1054
* Fix the kpasswd fallback from the ccache principal name1055
* Document the ticket_lifetime libdefaults setting1056
* Change KRB5_AUTHDATA_SIGNTICKET from 142 to 5121057
1058
-------------------------------------------------------------------1059
Thu Mar 4 10:42:29 CET 2010 - mc@suse.de1060
1061
- update to version 1.81062
* Increase code quality 1063
* Move toward improved KDB interface1064
* Investigate and remedy repeatedly-reported performance 1065
bottlenecks.1066
* Reduce DNS dependence by implementing an interface that allows1067
client library to track whether a KDC supports service 1068
principal referrals.1069
* Disable DES by default 1070
* Account lockout for repeated login failures1071
* Bridge layer to allow Heimdal HDB modules to act as KDB 1072
backend modules1073
* FAST enhancements1074
* Microsoft Services for User (S4U) compatibility1075
* Anonymous PKINIT1076
- fix KDC denial of service1077
CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)1078
- fix KDC denial of service in cross-realm referral processing1079
CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)1080
- fix integer underflow in AES and RC4 decryption1081
CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)1082
- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl1083
1084
-------------------------------------------------------------------1085
Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de1086
1087
- add baselibs.conf as a source1088
1089
-------------------------------------------------------------------1090
Fri Nov 13 16:51:37 CET 2009 - mc@suse.de1091
1092
- enhance '$PATH' only if the directories are available1093
and not empty (bnc#544949)1094
1095
-------------------------------------------------------------------1096
Sun Jul 12 21:36:17 CEST 2009 - coolo@novell.com1097
1098
- readd lost baselibs.conf1099
1100
-------------------------------------------------------------------1101
Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de1102
1103
- update to final 1.7 release 1104
1105
-------------------------------------------------------------------1106
Wed May 13 11:30:42 CEST 2009 - mc@suse.de1107
1108
- update to version 1.7 Beta2 1109
* Incremental propagation support for the KDC database.1110
* Flexible Authentication Secure Tunneling (FAST), a preauthentiation1111
framework that can protect the AS exchange from dictionary attack.1112
* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which1113
allows a GSS application to request credential delegation only if1114
permitted by KDC policy.1115
* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --1116
various vulnerabilities in SPNEGO and ASN.1 code.1117
1118
-------------------------------------------------------------------1119
Mon Feb 16 13:04:26 CET 2009 - mc@suse.de1120
1121
- update to pre 1.7 version 1122
* Remove support for version 4 of the Kerberos protocol (krb4).1123
* New libdefaults configuration variable "allow_weak_crypto".1124
* Client library now follows client principal referrals, for1125
compatibility with Windows.1126
* KDC can issue realm referrals for service principals based on domain1127
names.1128
* Encryption algorithm negotiation (RFC 4537).1129
* In the replay cache, use a hash over the complete ciphertext to1130
avoid false-positive replay indications.1131
* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is1132
similar to the equivalent SSPI functionality.1133
* DCE RPC, including three-leg GSS context setup and unencapsulated1134
GSS tokens.1135
* NTLM recognition support in GSS-API, to facilitate dropping in an1136
NTLM implementation.1137
* KDC support for principal aliases, if the back end supports them.1138
* Microsoft set/change password (RFC 3244) protocol in kadmind.1139
* Master key rollover support.1140
1141
-------------------------------------------------------------------1142
Wed Jan 14 09:21:36 CET 2009 - olh@suse.de1143
1144
- obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit1145
1146
-------------------------------------------------------------------1147
Thu Dec 11 14:12:57 CET 2008 - mc@suse.de1148
1149
- do not query IPv6 addresses if no IPv6 address exists on this host1150
[bnc#449143] 1151
1152
-------------------------------------------------------------------1153
Wed Dec 10 12:34:56 CET 2008 - olh@suse.de1154
1155
- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade1156
(bnc#437293)1157
1158
-------------------------------------------------------------------1159
Thu Oct 30 12:34:56 CET 2008 - olh@suse.de1160
1161
- obsolete old -XXbit packages (bnc#437293)1162
1163
-------------------------------------------------------------------1164
Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de1165
1166
- in case we use ldap as database backend, ldap should be1167
started before krb5kdc 1168
1169
-------------------------------------------------------------------1170
Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de1171
1172
- add new fixes to post 1.6.3 patch1173
* fix mem leak in krb5_gss_accept_sec_context()1174
* keep minor_status1175
* kadm5_decrypt_key: A ktype of -1 is documented as meaning 1176
"to be ignored" 1177
* Reject socket fds > FD_SETSIZE1178
1179
-------------------------------------------------------------------1180
Fri Jul 25 12:13:24 CEST 2008 - mc@suse.de1181
1182
- add patches from SVN post 1.6.31183
* krb5_string_to_keysalts: Fix an infinite loop1184
* fix some mutex issues1185
* better recovery from corrupt rcache files1186
* some more small fixes1187
1188
-------------------------------------------------------------------1189
Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de1190
1191
- add case-insensitive.dif (FATE#300771)1192
- minor fixes for ktutil man page1193
- reduce rpmlint warnings 1194
1195
-------------------------------------------------------------------1196
Wed May 14 17:44:59 CEST 2008 - mc@suse.de1197
1198
- Fall back to TCP on kdc-unresolvable/unreachable errors.1199
- restore valid sequence number before generating requests1200
(fix changing passwords in mixed ipv4/ipv6 enviroments) 1201
1202
-------------------------------------------------------------------1203
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de1204
1205
- added baselibs.conf file to build xxbit packages1206
for multilib support1207
1208
-------------------------------------------------------------------1209
Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de1210
1211
- modify krb5-config to not output rpath and cflags in --libs 1212
(bnc#378270)1213
1214
-------------------------------------------------------------------1215
Fri Mar 14 11:27:55 CET 2008 - mc@suse.de1216
1217
- fix two security bugs:1218
* MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063)1219
fix double free [bnc#361373]1220
* MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)1221
Memory corruption while too many open file descriptors1222
[bnc#363151]1223
- change default config file. Comment out the examples. 1224
1225
-------------------------------------------------------------------1226
Fri Dec 14 10:48:52 CET 2007 - mc@suse.de1227
1228
- fix several security bugs:1229
* CVE-2007-5894 apparent uninit length1230
* CVE-2007-5902 integer overflow1231
* CVE-2007-5971 free of non-heap pointer and double-free1232
* CVE-2007-5972 double fclose()1233
[#346745, #346748, #346746, #346749, #346747]1234
1235
-------------------------------------------------------------------1236
Tue Dec 4 16:36:07 CET 2007 - mc@suse.de1237
1238
- improve GSSAPI error messages 1239
1240
-------------------------------------------------------------------1241
Tue Nov 6 13:53:17 CET 2007 - mc@suse.de1242
1243
- add coreutils to PreReq 1244
1245
-------------------------------------------------------------------1246
Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de1247
1248
- update to krb5 version 1.6.31249
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow1250
* fix CVE-2007-4000 modify_policy vulnerability1251
* Add PKINIT support1252
- remove patches which are upstream now1253
- enhance init scripts and xinetd profiles1254
1255
-------------------------------------------------------------------1256
Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de1257
1258
- update krb5-1.6.2-post.dif1259
* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that 1260
that the client library will not failover to the next KDC. 1261
[#310540]1262
1263
-------------------------------------------------------------------1264
Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de1265
1266
- update krb5-1.6.2-post.dif1267
* new -S sname option for kvno1268
* read_entropy_from_device on partial read will not fill buffer1269
* Bail out if encoded "ticket" doesn't decode correctly.1270
* patch for referrals loop 1271
1272
-------------------------------------------------------------------1273
Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de1274
1275
- fix a problem with the originally published patch1276
for MITKRB5-SA-2007-006 - CVE-2007-39991277
[#302377]1278
1279
-------------------------------------------------------------------1280
Wed Sep 5 12:18:21 CEST 2007 - mc@suse.de1281
1282
- fix execute arbitrary code1283
(MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)1284
[#302377]1285
1286
-------------------------------------------------------------------1287
Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de1288
1289
- add krb5-1.6.2-post.dif1290
* during the referrals loop, check to see if the1291
session key enctype of a returned credential for the final 1292
service is among the enctypes explicitly selected by the 1293
application, and retry with old_use_conf_ktypes if it is not. 1294
* If mkstemp() is available, the new ccache file gets created but 1295
the subsequent open(O_CREAT|O_EXCL) call fails because the file1296
was already created by mkstemp(). Apply patch from Apple to keep1297
the file descriptor open.1298
1299
-------------------------------------------------------------------1300
Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de1301
1302
- update to version 1.6.21303
- remove krb5-1.6.1-post.dif all fixes are included in this release 1304
1305
-------------------------------------------------------------------1306
Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de1307
1308
- change requires to libcom_err-devel1309
1310
-------------------------------------------------------------------1311
Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de1312
1313
- update krb5-1.6.1-post.dif1314
* fix leak in krb5_walk_realm_tree1315
* rd_req_decoded needs to deal with referral realms 1316
* fix buffer overflow in kadmind1317
(MITKRB5-SA-2007-005 - CVE-2007-2798)1318
[#278689]1319
* fix kadmind code execution bug1320
(MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)1321
[#271191]1322
1323
-------------------------------------------------------------------1324
Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de1325
1326
- fix unstripped-binary-or-object rpmlint warning 1327
1328
-------------------------------------------------------------------1329
Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de1330
1331
- fixing rpmlint warnings and errors:1332
* merged logrotate scripts kadmin and krb5kdc into a single file1333
krb5-server. 1334
* moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl1335
from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper.1336
adapted krb5.spec and README.ConvertHeimdalMIT accordingly.1337
* added surpression filter for1338
"devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so"1339
(see [#147912]).1340
* set default runlevel of init scripts in chkconfig line to 3 and1341
51342
1343
-------------------------------------------------------------------1344
Wed May 9 15:30:53 CEST 2007 - mc@suse.de1345
1346
- fix uninitialized salt length 1347
- add extra check for keytab file1348
1349
-------------------------------------------------------------------1350
Thu May 3 12:11:29 CEST 2007 - mc@suse.de1351
1352
- adding krb5-1.6.1-post.dif1353
* fix segfault in krb5_get_init_creds_password 1354
* remove debug output in ftp client1355
* profile stores empty string values without double quotes1356
1357
-------------------------------------------------------------------1358
Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de1359
1360
- update to final 1.6.1 version 1361
1362
-------------------------------------------------------------------1363
Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de1364
1365
- add plugin directories to main package 1366
1367
-------------------------------------------------------------------1368
Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de1369
1370
- update to version 1.6.1 Beta11371
- remove obsolete patches 1372
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)1373
- rework compile_pie patch1374
1375
-------------------------------------------------------------------1376
Wed Apr 11 10:58:09 CEST 2007 - mc@suse.de1377
1378
- update krb5-1.6-post.dif1379
* fix kadmind stack overflow in krb5_klog_syslog1380
(MITKRB5-SA-2007-002 - CVE-2007-0957)1381
[#253548]1382
* fix double free attack in the RPC library1383
(MITKRB5-SA-2007-003 - CVE-2007-1216)1384
[#252487]1385
* fix krb5 telnetd login injection1386
(MIT-SA-2007-001 - CVE-2007-0956)1387
#2477651388
1389
-------------------------------------------------------------------1390
Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de1391
1392
- add ncurses-devel and bison to BuildRequires1393
- rework some patches1394
1395
-------------------------------------------------------------------1396
Mon Mar 5 11:01:20 CET 2007 - mc@suse.de1397
1398
- move SuSEFirewall service definitions to 1399
/etc/sysconfig/SuSEfirewall2.d/services 1400
1401
-------------------------------------------------------------------1402
Thu Feb 22 11:13:48 CET 2007 - mc@suse.de1403
1404
- add firewall definition to krb5-server, FATE #3006871405
1406
-------------------------------------------------------------------1407
Mon Feb 19 13:59:43 CET 2007 - mc@suse.de1408
1409
- update krb5-1.6-post.dif1410
- move some applications into the right package 1411
1412
-------------------------------------------------------------------1413
Fri Feb 9 13:31:22 CET 2007 - mc@suse.de1414
1415
- update krb5-1.6-post.dif 1416
1417
-------------------------------------------------------------------1418
Mon Jan 29 11:27:23 CET 2007 - mc@suse.de1419
1420
- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif1421
are now upstream. Remove patches.1422
- fix leak in krb5_kt_resolve and krb5_kt_wresolve1423
1424
-------------------------------------------------------------------1425
Tue Jan 23 17:21:12 CET 2007 - mc@suse.de1426
1427
- fix "local variable used before set" in ftp.c1428
[#237684]1429
1430
-------------------------------------------------------------------1431
Mon Jan 22 16:39:27 CET 2007 - mc@suse.de1432
1433
- krb5-devel should require keyutils-devel 1434
1435
-------------------------------------------------------------------1436
Mon Jan 22 12:19:49 CET 2007 - mc@suse.de1437
1438
- update to version 1.61439
* Major changes in 1.6 include 1440
* Partial client implementation to handle server name referrals. 1441
* Pre-authentication plug-in framework, donated by Red Hat. 1442
* LDAP KDB plug-in, donated by Novell. 1443
- remove obsolete patches1444
1445
-------------------------------------------------------------------1446
Wed Jan 10 11:16:30 CET 2007 - mc@suse.de1447
1448
- fix for1449
kadmind (via RPC library) calls uninitialized function pointer1450
(CVE-2006-6143)(Bug #225990)1451
krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif1452
- fix for1453
kadmind (via GSS-API mechglue) frees uninitialized pointers1454
(CVE-2006-6144)(Bug #225992)1455
krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif1456
1457
-------------------------------------------------------------------1458
Tue Jan 2 14:53:33 CET 2007 - mc@suse.de1459
1460
- Fix Requires in krb5-devel 1461
[Bug #231008]1462
1463
-------------------------------------------------------------------1464
Mon Nov 6 11:49:39 CET 2006 - mc@suse.de1465
1466
- fix "local variable used before set" [#217692]1467
- fix strncat warning 1468
1469
-------------------------------------------------------------------1470
Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de1471
1472
- add a default kadm5.dict file1473
- require $network on daemon start1474
1475
-------------------------------------------------------------------1476
Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de1477
1478
- fix function call with too few arguments [#203837] 1479
1480
-------------------------------------------------------------------1481
Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de1482
1483
- update to version 1.5.11484
- remove obsolete patches which are now included upstream1485
* krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif1486
* trunk-fix-uninitialized-vars.dif 1487
1488
-------------------------------------------------------------------1489
Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de1490
1491
- krb5 setuid return check fixes1492
krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif1493
[#182351]1494
1495
-------------------------------------------------------------------1496
Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de1497
1498
- remove update-messages 1499
1500
-------------------------------------------------------------------1501
Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de1502
1503
- add check for krb5_prop in services to kpropd init script.1504
[#192446]1505
1506
-------------------------------------------------------------------1507
Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de1508
1509
- update to version 1.51510
* KDB abstraction layer, donated by Novell. 1511
* plug-in architecture, allowing for extension modules to be 1512
loaded at run-time. 1513
* multi-mechanism GSS-API implementation ("mechglue"), 1514
donated by Sun Microsystems 1515
* Simple and Protected GSS-API negotiation mechanism ("SPNEGO") 1516
implementation, donated by Sun Microsystems 1517
- remove obsolete patches and add some new1518
1519
-------------------------------------------------------------------1520
Fri May 26 14:50:00 CEST 2006 - ro@suse.de1521
1522
- libcom is not in e2fsck-devel but in its own package now, change1523
Requires accordingly.1524
1525
-------------------------------------------------------------------1526
Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de1527
1528
- add all daemons to %stop_on_removal and %restart_on_update1529
- add reload to kpropd init script1530
- add force-reload to all init scripts 1531
1532
-------------------------------------------------------------------1533
Mon Mar 13 18:20:36 CET 2006 - mc@suse.de1534
1535
- add libgssapi_krb5.so link to main package [#147912] 1536
1537
-------------------------------------------------------------------1538
Fri Feb 3 18:17:01 CET 2006 - mc@suse.de1539
1540
- fix logging section for kadmind in convert script 1541
1542
-------------------------------------------------------------------1543
Wed Jan 25 21:30:24 CET 2006 - mls@suse.de1544
1545
- converted neededforbuild to BuildRequires1546
1547
-------------------------------------------------------------------1548
Fri Jan 13 14:44:24 CET 2006 - mc@suse.de1549
1550
- change the logging defaults 1551
1552
-------------------------------------------------------------------1553
Wed Jan 11 12:59:08 CET 2006 - mc@suse.de1554
1555
- add tools and README for heimdal => MIT update 1556
1557
-------------------------------------------------------------------1558
Mon Jan 9 14:41:07 CET 2006 - mc@suse.de1559
1560
- fix build problems, define _GNU_SOURCE1561
(krb5-1.4.3-set_gnu_source.dif )1562
1563
-------------------------------------------------------------------1564
Tue Jan 3 16:00:13 CET 2006 - mc@suse.de1565
1566
- added "make %{?jobs:-j%jobs}" 1567
1568
-------------------------------------------------------------------1569
Fri Nov 18 12:12:01 CET 2005 - mc@suse.de1570
1571
- update to version 1.4.31572
* some memmory leaks fixed1573
* fix for "AS_REP padata has wrong enctype"1574
* fix for "AS_REP padata missing PA-ETYPE-INFO"1575
* ... and more 1576
1577
-------------------------------------------------------------------1578
Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de1579
1580
- don't build as root 1581
1582
-------------------------------------------------------------------1583
Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de1584
1585
- update to version 1.4.21586
- remove some obsolet patches 1587
1588
-------------------------------------------------------------------1589
Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de1590
1591
- build with --disable-static 1592
1593
-------------------------------------------------------------------1594
Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de1595
1596
- remove devel-static subpackage 1597
1598
-------------------------------------------------------------------1599
Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de1600
1601
- better patch for princ_comp problem 1602
1603
-------------------------------------------------------------------1604
Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de1605
1606
- update to version 1.4.11607
- remove obsolet patches1608
- krb5-1.4-gcc4.dif1609
- krb5-1.4-reduce-namespace-polution.dif1610
- krb5-1.4-VUL-0-telnet.dif1611
1612
-------------------------------------------------------------------1613
Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de1614
1615
- fixed krb5 KDC heap corruption by random free1616
[#80574, CAN-2005-1174, MITKRB5-SA-2005-002]1617
- fixed krb5 double free()1618
[#86768, CAN-2005-1689, MITKRB5-SA-2005-003]1619
- fix krb5 NULL pointer reference while comparing principals1620
[#91600] 1621
1622
-------------------------------------------------------------------1623
Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de1624
1625
- fix uninitialized variables 1626
- compile with -fPIE/ link with -pie1627
1628
-------------------------------------------------------------------1629
Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de1630
1631
- fixed wrong xinetd files [#77149] 1632
1633
-------------------------------------------------------------------1634
Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de1635
1636
- removed krb5-1.4-fix-error_tables.dif patch obsoleted1637
by libcom_err locking patches1638
1639
-------------------------------------------------------------------1640
Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de1641
1642
- fixed missing descriptions in init files 1643
[#76164, #76165, #76166, #76169] 1644
1645
-------------------------------------------------------------------1646
Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de1647
1648
- enhance $PATH via /etc/profile.d/ [#74018]1649
- remove the "links to important programs" 1650
1651
-------------------------------------------------------------------1652
Fri Mar 18 11:09:43 CET 2005 - mc@suse.de1653
1654
- fixed not running converter script [#72854] 1655
1656
-------------------------------------------------------------------1657
Thu Mar 17 14:15:17 CET 2005 - mc@suse.de1658
1659
- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer 1660
Overflow1661
- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer 1662
Overflow1663
[#73618]1664
1665
-------------------------------------------------------------------1666
Wed Mar 16 13:10:18 CET 2005 - mc@suse.de1667
1668
- fixed wrong PreReqs [#73020]1669
1670
-------------------------------------------------------------------1671
Tue Mar 15 19:54:58 CET 2005 - mc@suse.de1672
1673
- add a simple krb5.conf converter [#72854]1674
1675
-------------------------------------------------------------------1676
Mon Mar 14 17:08:59 CET 2005 - mc@suse.de1677
1678
- fixed: rckrb5kdc restart gives wrong status with non-running service1679
[#72446] 1680
1681
-------------------------------------------------------------------1682
Thu Mar 10 10:48:07 CET 2005 - mc@suse.de1683
1684
- add requires: e2fsprogs-devel to krb5-devel package [#71732] 1685
1686
-------------------------------------------------------------------1687
Fri Feb 25 17:35:37 CET 2005 - mc@suse.de1688
1689
- fix double free [#66534]1690
krb5-1.4-fix-error_tables.dif 1691
1692
-------------------------------------------------------------------1693
Fri Feb 11 14:01:32 CET 2005 - mc@suse.de1694
1695
- change mode for shared libraries to 755 1696
1697
-------------------------------------------------------------------1698
Fri Feb 4 16:48:16 CET 2005 - mc@suse.de1699
1700
- remove spx.c from tarball because of legal risk1701
- add README.Source which tell the user about this 1702
action.1703
- add a check for spx.c in the spec-file1704
- use rich-text for update-messages [#50250] 1705
1706
-------------------------------------------------------------------1707
Tue Feb 1 12:13:45 CET 2005 - mc@suse.de1708
1709
- add krb5-1.4-reduce-namespace-polution.dif1710
reduce namespace polution in gssapi.h [#50356] 1711
1712
-------------------------------------------------------------------1713
Fri Jan 28 13:25:42 CET 2005 - mc@suse.de1714
1715
- update to version 1.41716
- Add implementation of the RPCSEC_GSS authentication flavor to the1717
RPC library.1718
- Thread safety for krb5 libraries.1719
- Merged Athena telnetd changes for creating a new option for1720
requiring encryption.1721
- The kadmind4 backwards-compatibility admin server and the v5passwdd1722
backwards-compatibility password-changing server have been removed.1723
- Yarrow code now uses AES.1724
- Merged Athena changes to allow ftpd to require encrypted passwords.1725
- Incorporate gss_krb5_set_allowable_enctypes() and1726
gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.1727
- remove obsolet patches1728
1729
-------------------------------------------------------------------1730
Mon Jan 17 11:34:52 CET 2005 - mc@suse.de1731
1732
- add proofreaded update-messages 1733
1734
-------------------------------------------------------------------1735
Fri Jan 14 14:38:25 CET 2005 - mc@suse.de1736
1737
- remove Conflicts: and add Provides: 1738
- add some insserv stuff 1739
1740
-------------------------------------------------------------------1741
Thu Jan 13 11:54:01 CET 2005 - mc@suse.de1742
1743
- move vendor files to vendor-files.tar.bz21744
- add obsoletes: heimdal1745
- add %pre and %post sections to detect update1746
from heimdal and backup invalid configuration files1747
- add update-messages for heimdal update1748
1749
-------------------------------------------------------------------1750
Mon Jan 10 12:18:02 CET 2005 - mc@suse.de1751
1752
- update to version 1.3.61753
- fix for: heap buffer overflow in libkadm5srv 1754
[CAN-2004-1189 / MITKRB5-SA-2004-004] 1755
1756
-------------------------------------------------------------------1757
Tue Dec 14 15:30:23 CET 2004 - mc@suse.de1758
1759
- build doc subpackage in an own specfile 1760
- removed unnecessary neededforbuild requirements1761
1762
-------------------------------------------------------------------1763
Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de1764
1765
- fix build with gcc 41766
1767
-------------------------------------------------------------------1768
Mon Nov 15 17:25:56 CET 2004 - mc@suse.de1769
1770
- added Conflicts with heimdal*1771
- rename some manpages to avoid conflicts 1772
1773
-------------------------------------------------------------------1774
Thu Nov 4 18:03:11 CET 2004 - mc@suse.de1775
1776
- new init scripts1777
- fix logrotate scripts1778
- add some 64Bit fixes1779
- add default krb5.conf, kdc.conf and kadm5.acl1780
1781
-------------------------------------------------------------------1782
Wed Nov 3 18:52:07 CET 2004 - mc@suse.de1783
1784
- add e2fsprogs to NFB1785
- use system-et and system-ss 1786
- fix includes of com_err.h 1787
1788
-------------------------------------------------------------------1789
Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de1790
1791
- Initital checkin 1792
1793