File krb5.changes of Package krb5
1850
1
-------------------------------------------------------------------2
Mon Nov 9 10:58:51 UTC 2020 - Samuel Cabrero <scabrero@suse.de>3
4
- Add recursion limit for ASN.1 indefinite lengths; (CVE-2020-28196);5
(bsc#1178512);6
- Added patches:7
* 0012-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch8
9
-------------------------------------------------------------------10
Mon Aug 5 15:26:39 UTC 2019 - Samuel Cabrero <scabrero@suse.de>11
12
- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947);13
(bsc#1144047);14
15
-------------------------------------------------------------------16
Fri Jan 18 16:36:16 UTC 2019 - Samuel Cabrero <scabrero@suse.de>17
18
- Fix flaws in LDAP DN checking; (CVE-2018-5729); (CVE-2018-5730);19
(bsc#1083926); (bsc#1083927)20
- Added patches:21
* 0011-Fix-flaws-in-LDAP-DN-checking.patch22
23
-------------------------------------------------------------------24
Tue Jan 8 10:19:13 UTC 2019 - Samuel Cabrero <scabrero@suse.de>25
26
- Remove incorrect KDC assertion; (CVE-2018-20217); (bsc#1120489);27
- Added patches:28
* 0010-Remove-incorrect-KDC-assertion.patch29
30
-------------------------------------------------------------------31
Thu Nov 23 13:38:38 UTC 2017 - rbrown@suse.com32
33
- Replace references to /var/adm/fillup-templates with new 34
%_fillupdir macro (boo#1069468)35
36
-------------------------------------------------------------------37
Mon Nov 6 10:23:00 UTC 2017 - hguo@suse.com38
39
- Remove build dependency doxygen, python-Cheetah, python-Sphinx,40
python-libxml2, python-lxml, most of which are python 2 programs.41
Consequently remove -doc subpackage. Users are encouraged to use42
online documentation. (bsc#1066461)43
44
-------------------------------------------------------------------45
Mon Oct 2 22:53:28 UTC 2017 - jengelh@inai.de46
47
- Update package descriptions.48
49
-------------------------------------------------------------------50
Mon Sep 25 19:45:05 UTC 2017 - michael@stroeder.com51
52
- Upgrade to 1.15.253
* Fix a KDC denial of service vulnerability caused by unset status54
strings [CVE-2017-11368]55
* Preserve GSS contexts on init/accept failure [CVE-2017-11462]56
* Fix kadm5 setkey operation with LDAP KDB module57
* Use a ten-second timeout after successful connection for HTTPS KDC58
requests, as we do for TCP requests59
* Fix client null dereference when KDC offers encrypted challenge60
without FAST61
* Ignore dotfiles when processing profile includedir directive62
* Improve documentation63
64
-------------------------------------------------------------------65
Fri Aug 18 08:27:26 UTC 2017 - hguo@suse.com66
67
- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf68
in order to improve client security in handling service principle69
names. (bsc#1054028)70
71
-------------------------------------------------------------------72
Fri Aug 11 09:08:58 UTC 2017 - hguo@suse.com73
74
- Prevent kadmind.service startup failure caused by absence of75
LDAP service. (bsc#903543)76
77
-------------------------------------------------------------------78
Tue Jun 6 13:36:34 UTC 2017 - hguo@suse.com79
80
- There is no change made about the package itself, this is only81
copying over some changelog texts from SLE package:82
- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-535583
krb5: denial of service in krb5_read_message84
- bug#912002 owned by varkoly@suse.com: VUL-085
CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423:86
krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token87
- bug#910458 owned by varkoly@suse.com: VUL-188
CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries89
- bug#928978 owned by varkoly@suse.com: VUL-090
CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading91
to requires_preauth bypass92
- bug#910457 owned by varkoly@suse.com: VUL-193
CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy94
name as a password policy name95
- bug#991088 owned by hguo@suse.com: VUL-196
CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted97
- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires98
- [fate#320326](https://fate.suse.com/320326)99
- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference100
from \cite101
102
-------------------------------------------------------------------103
Thu Apr 6 12:58:53 CEST 2017 - kukuk@suse.de104
105
- Remove wrong PreRequires from krb5106
107
-------------------------------------------------------------------108
Thu Mar 9 20:58:42 UTC 2017 - michael@stroeder.com109
110
- use HTTPS project and source URLs111
112
-------------------------------------------------------------------113
Thu Mar 9 16:31:41 UTC 2017 - meissner@suse.com114
115
- use source urls.116
- krb5.keyring: Added Greg Hudson117
118
-------------------------------------------------------------------119
Sat Mar 4 21:29:34 UTC 2017 - michael@stroeder.com120
121
- removed obsolete krb5-1.15-fix_kdb_free_principal_e_data.patch122
- Upgrade to 1.15.1123
* Allow KDB modules to determine how the e_data field of principal124
fields is freed125
* Fix udp_preference_limit when the KDC location is configured with126
SRV records127
* Fix KDC and kadmind startup on some IPv4-only systems128
* Fix the processing of PKINIT certificate matching rules which have129
two components and no explicit relation130
* Improve documentation131
132
-------------------------------------------------------------------133
Fri Jan 27 14:50:39 UTC 2017 - bwiedemann@suse.com134
135
- remove useless environment.pickle to make build-compare happy136
137
-------------------------------------------------------------------138
Thu Jan 19 15:59:38 UTC 2017 - asn@cryptomilk.org139
140
- Introduce patch141
krb5-1.15-fix_kdb_free_principal_e_data.patch142
to fix freeing of e_data in the kdb principal143
144
-------------------------------------------------------------------145
Sat Dec 3 13:04:11 UTC 2016 - michael@stroeder.com146
147
- Upgrade to 1.15148
- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2149
- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since150
file is not available in upstream source anymore151
- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15152
153
- Upgrade from 1.14.4 to 1.15 - major changes:154
Administrator experience:155
* Add support to kadmin for remote extraction of current keys without156
changing them (requires a special kadmin permission that is excluded157
from the wildcard permission), with the exception of highly158
protected keys.159
* Add a lockdown_keys principal attribute to prevent retrieval of the160
principal's keys (old or new) via the kadmin protocol. In newly161
created databases, this attribute is set on the krbtgt and kadmin162
principals.163
* Restore recursive dump capability for DB2 back end, so sites can164
more easily recover from database corruption resulting from power165
failure events.166
* Add DNS auto-discovery of KDC and kpasswd servers from URI records,167
in addition to SRV records. URI records can convey TCP and UDP168
servers and master KDC status in a single DNS lookup, and can also169
point to HTTPS proxy servers.170
* Add support for password history to the LDAP back end.171
* Add support for principal renaming to the LDAP back end.172
* Use the getrandom system call on supported Linux kernels to avoid173
blocking problems when getting entropy from the operating system.174
* In the PKINIT client, use the correct DigestInfo encoding for PKCS175
#1 signatures, so that some especially strict smart cards will work.176
Code quality:177
* Clean up numerous compilation warnings.178
* Remove various infrequently built modules, including some preauth179
modules that were not built by default.180
Developer experience:181
* Add support for building with OpenSSL 1.1.182
* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of183
authenticators in the replay cache. This helps sites that must184
build with FIPS 140 conformant libraries that lack MD5.185
Protocol evolution:186
* Add support for the AES-SHA2 enctypes, which allows sites to conform187
to Suite B crypto requirements.188
189
- Upgrade from 1.14.3 to 1.14.4 - major changes:190
* Fix some rare btree data corruption bugs191
* Fix numerous minor memory leaks192
* Improve portability (Linux-ppc64el, FreeBSD)193
* Improve some error messages194
* Improve documentation195
196
-------------------------------------------------------------------197
Mon Nov 14 08:36:06 UTC 2016 - christof.hanke@rzg.mpg.de198
199
- add pam configuration file required for ksu 200
just use a copy of "su" one from Tumbleweed 201
202
-------------------------------------------------------------------203
Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com204
205
- Upgrade from 1.14.2 to 1.14.3:206
* Improve some error messages207
* Improve documentation208
* Allow a principal with nonexistent policy to bypass the minimum209
password lifetime check, consistent with other aspects of210
nonexistent policies211
* Fix a rare KDC denial of service vulnerability when anonymous client212
principals are restricted to obtaining TGTs only [CVE-2016-3120]213
214
-------------------------------------------------------------------215
Sat Jul 2 11:38:54 UTC 2016 - idonmez@suse.com216
217
- Remove comments breaking post scripts. 218
219
-------------------------------------------------------------------220
Thu Jun 30 13:34:29 UTC 2016 - fcrozat@suse.com221
222
- Do no use systemd_requires macros in main package, it adds223
unneeded dependencies which pulls systemd into minimal chroot.224
- Only call %insserv_prereq when building for pre-systemd225
distributions.226
- Optimise some %post/%postun when only /sbin/ldconfig is called.227
228
------------------------------------------------------------------229
Tue May 10 12:41:14 UTC 2016 - hguo@suse.com230
231
- Remove source file ccapi/common/win/OldCC/autolock.hxx232
that is not needed and does not carry an acceptable license.233
(bsc#968111)234
235
-------------------------------------------------------------------236
Thu Apr 28 20:27:37 UTC 2016 - michael@stroeder.com237
238
- removed obsolete patches:239
* 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch240
* krb5-mechglue_inqure_attrs.patch241
- Upgrade from 1.14.1 to 1.14.2:242
* Fix a moderate-severity vulnerability in the LDAP KDC back end that243
could be exploited by a privileged kadmin user [CVE-2016-3119]244
* Improve documentation245
* Fix some interactions with GSSAPI interposer mechanisms246
247
-------------------------------------------------------------------248
Fri Apr 1 07:45:13 UTC 2016 - hguo@suse.com249
250
- Upgrade from 1.14 to 1.14.1:251
* Remove expired patches:252
0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch253
0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch254
0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch255
krbdev.mit.edu-8301.patch256
* Replace source archives:257
krb5-1.14.tar.gz ->258
krb5-1.14.1.tar.gz259
krb5-1.14.tar.gz.asc ->260
krb5-1.14.1.tar.gz.asc261
* Adjust line numbers in:262
krb5-fix_interposer.patch263
264
-------------------------------------------------------------------265
Wed Mar 23 13:02:48 UTC 2016 - hguo@suse.com266
267
- Introduce patch268
0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch269
to fix CVE-2016-3119 (bsc#971942)270
271
-------------------------------------------------------------------272
Thu Feb 11 15:06:31 UTC 2016 - hguo@suse.com273
274
- Remove krb5-mini pieces from spec file.275
Hence remove pre_checkin.sh276
- Remove expired macros and other minor clean-ups in spec file.277
278
-------------------------------------------------------------------279
Tue Feb 2 08:41:13 UTC 2016 - hguo@suse.com280
281
- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character282
with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch283
(bsc#963968)284
- Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request285
with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch286
(bsc#963975)287
- Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask288
with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch289
(bsc#963964)290
291
-------------------------------------------------------------------292
Mon Jan 11 12:33:54 UTC 2016 - idonmez@suse.com293
294
- Add two patches from Fedora, fixing two crashes:295
* krb5-fix_interposer.patch296
* krb5-mechglue_inqure_attrs.patch297
298
-------------------------------------------------------------------299
Tue Dec 8 20:40:26 UTC 2015 - michael@stroeder.com300
301
- Update to 1.14302
- dropped krb5-kvno-230379.patch303
- added krbdev.mit.edu-8301.patch fixing wrong function call304
305
Major changes in 1.14 (2015-11-20)306
==================================307
308
Administrator experience:309
310
* Add a new kdb5_util tabdump command to provide reporting-friendly311
tabular dump formats (tab-separated or CSV) for the KDC database.312
Unlike the normal dump format, each output table has a fixed number313
of fields. Some tables include human-readable forms of data that314
are opaque in ordinary dump files. This format is also suitable for315
importing into relational databases for complex queries.316
* Add support to kadmin and kadmin.local for specifying a single317
command line following any global options, where the command318
arguments are split by the shell--for example, "kadmin getprinc319
principalname". Commands issued this way do not prompt for320
confirmation or display warning messages, and exit with non-zero321
status if the operation fails.322
* Accept the same principal flag names in kadmin as we do for the323
default_principal_flags kdc.conf variable, and vice versa. Also324
accept flag specifiers in the form that kadmin prints, as well as325
hexadecimal numbers.326
* Remove the triple-DES and RC4 encryption types from the default327
value of supported_enctypes, which determines the default key and328
salt types for new password-derived keys. By default, keys will329
only created only for AES128 and AES256. This mitigates some types330
of password guessing attacks.331
* Add support for directory names in the KRB5_CONFIG and332
KRB5_KDC_PROFILE environment variables.333
* Add support for authentication indicators, which are ticket334
annotations to indicate the strength of the initial authentication.335
Add support for the "require_auth" string attribute, which can be336
set on server principal entries to require an indicator when337
authenticating to the server.338
* Add support for key version numbers larger than 255 in keytab files,339
and for version numbers up to 65535 in KDC databases.340
* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC341
during pre-authentication, corresponding to the client's most342
preferred encryption type.343
* Add support for server name identification (SNI) when proxying KDC344
requests over HTTPS.345
* Add support for the err_fmt profile parameter, which can be used to346
generate custom-formatted error messages.347
348
Code quality:349
350
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that351
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]352
[CVE-2015-2698]353
* Fix build_principal memory bug that could cause a KDC354
crash. [CVE-2015-2697]355
356
Developer experience:357
358
* Change gss_acquire_cred_with_password() to acquire credentials into359
a private memory credential cache. Applications can use360
gss_store_cred() to make the resulting credentials visible to other361
processes.362
* Change gss_acquire_cred() and SPNEGO not to acquire credentials for363
IAKERB or for non-standard variants of the krb5 mechanism OID unless364
explicitly requested. (SPNEGO will still accept the Microsoft365
variant of the krb5 mechanism OID during negotiation.)366
* Change gss_accept_sec_context() not to accept tokens for IAKERB or367
for non-standard variants of the krb5 mechanism OID unless an368
acceptor credential is acquired for those mechanisms.369
* Change gss_acquire_cred() to immediately resolve credentials if the370
time_rec parameter is not NULL, so that a correct expiration time371
can be returned. Normally credential resolution is delayed until372
the target name is known.373
* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,374
which can be used by plugin modules or applications to add prefixes375
to existing detailed error messages.376
* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which377
implement the RFC 6113 PRF+ operation and key derivation using PRF+.378
* Add support for pre-authentication mechanisms which use multiple379
round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error380
code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth381
interface; these callbacks can be used to save marshalled state382
information in an encrypted cookie for the next request.383
* Add a client_key() callback to the kdcpreauth interface to retrieve384
the chosen client key, corresponding to the ETYPE-INFO2 entry sent385
by the KDC.386
* Add an add_auth_indicator() callback to the kdcpreauth interface,387
allowing pre-authentication modules to assert authentication388
indicators.389
* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to390
suppress sending the confidentiality and integrity flags in GSS391
initiator tokens unless they are requested by the caller. These392
flags control the negotiated SASL security layer for the Microsoft393
GSS-SPNEGO SASL mechanism.394
* Make the FILE credential cache implementation less prone to395
corruption issues in multi-threaded programs, especially on396
platforms with support for open file description locks.397
398
Performance:399
400
* On slave KDCs, poll the master KDC immediately after processing a401
full resync, and do not require two full resyncs after the master402
KDC's log file is reset.403
404
User experience:405
406
* Make gss_accept_sec_context() accept tickets near their expiration407
but within clock skew tolerances, rather than rejecting them408
immediately after the server's view of the ticket expiration time.409
410
-------------------------------------------------------------------411
Mon Dec 7 08:04:45 UTC 2015 - michael@stroeder.com412
413
- Update to 1.13.3414
- removed patches for security fixes now in upstream source:415
0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch416
0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch417
0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch418
0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch419
420
Major changes in 1.13.3 (2015-12-04)421
====================================422
423
This is a bug fix release. The krb5-1.13 release series is in424
maintenance, and for new deployments, installers should prefer the425
krb5-1.14 release series or later.426
427
* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that428
could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]429
[CVE-2015-2698]430
* Fix build_principal memory bug that could cause a KDC431
crash. [CVE-2015-2697]432
* Allow an iprop slave to receive full resyncs from KDCs running433
krb5-1.10 or earlier.434
435
-------------------------------------------------------------------436
Tue Nov 10 14:57:01 UTC 2015 - hguo@suse.com437
438
- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch439
to fix a memory corruption regression introduced by resolution of440
CVE-2015-2698. bsc#954204441
442
-------------------------------------------------------------------443
Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com444
445
- Make kadmin.local man page available without having to install krb5-client. bsc#948011446
- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch447
to fix build_principal memory bug [CVE-2015-2697] bsc#952190448
- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch449
to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189450
- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch451
to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188452
453
-------------------------------------------------------------------454
Mon Jun 1 07:31:52 UTC 2015 - hguo@suse.com455
456
- Let server depend on libev (module of libverto). This was the457
preferred implementation before the seperation of libverto from krb.458
459
-------------------------------------------------------------------460
Thu May 28 08:01:00 UTC 2015 - dimstar@opensuse.org461
462
- Drop libverto and libverto-libev Requires from the -server463
package: those package names don't exist and the shared libs464
are pulled in automatically.465
466
-------------------------------------------------------------------467
Wed May 27 10:59:13 UTC 2015 - dimstar@opensuse.org468
469
- Unconditionally buildrequire libverto-devel: krb5-mini also470
depends on it.471
472
-------------------------------------------------------------------473
Fri May 22 09:27:11 UTC 2015 - meissner@suse.com474
475
- pre_checkin.sh aligned changes between krb5/krb5-mini476
- added krb5.keyring477
478
-------------------------------------------------------------------479
Tue May 12 07:48:18 UTC 2015 - michael@stroeder.com480
481
- update to krb5 1.13.2482
483
- DES transition484
==============485
486
The Data Encryption Standard (DES) is widely recognized as weak. The487
krb5-1.7 release contains measures to encourage sites to migrate away488
- From using single-DES cryptosystems. Among these is a configuration489
variable that enables "weak" enctypes, which defaults to "false"490
beginning with krb5-1.8.491
492
493
Major changes in 1.13.2 (2015-05-08)494
====================================495
496
This is a bug fix release.497
498
* Fix a minor vulnerability in krb5_read_message, which is primarily499
used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]500
501
* Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.502
[CVE-2015-2694]503
504
* Fix some issues with the LDAP KDC database back end.505
506
* Fix an iteration-related memory leak in the DB2 KDC database back507
end.508
509
* Fix issues with some less-used kadm5.acl functionality.510
511
* Improve documentation.512
513
-------------------------------------------------------------------514
Thu Apr 23 14:13:03 UTC 2015 - hguo@suse.com515
516
- Use externally built libverto517
518
-------------------------------------------------------------------519
Wed Feb 18 11:48:46 UTC 2015 - michael@stroeder.com520
521
- update to krb5 1.13.1522
523
Major changes in 1.13.1 (2015-02-11)524
====================================525
526
This is a bug fix release.527
528
* Fix multiple vulnerabilities in the LDAP KDC back end.529
[CVE-2014-5354] [CVE-2014-5353]530
531
* Fix multiple kadmind vulnerabilities, some of which are based in the532
gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421533
CVE-2014-9422 CVE-2014-9423]534
535
-------------------------------------------------------------------536
Tue Jan 6 07:12:29 UTC 2015 - mlin@suse.com537
538
- Update to krb5 1.13539
* Add support for accessing KDCs via an HTTPS proxy server using the540
MS-KKDCP protocol.541
* Add support for hierarchical incremental propagation, where slaves542
can act as intermediates between an upstream master and other downstream543
slaves.544
* Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf545
files in addition to /etc/gss/mech.546
* Add support to the LDAP KDB module for binding to the LDAP server using547
SASL.548
* The KDC listens for TCP connections by default.549
* Fix a minor key disclosure vulnerability where using the "keepold" option550
to the kadmin randkey operation could return the old keys. [CVE-2014-5351]551
* Add client support for the Kerberos Cache Manager protocol. If the host552
is running a Heimdal kcm daemon, caches served by the daemon can be553
accessed with the KCM: cache type.554
* When built on OS X 10.7 and higher, use "KCM:" as the default cache type,555
unless overridden by command-line options or krb5-config values.556
* Add support for doing unlocked database dumps for the DB2 KDC back end,557
which would allow the KDC and kadmind to continue accessing the database558
during lengthy database dumps.559
- Removed patches, useless or upstreamed560
* krb5-1.9-kprop-mktemp.patch561
* krb5-1.10-ksu-access.patch562
* krb5-1.12-doxygen.patch563
* bnc#897874-CVE-2014-5351.diff564
* krb5-1.13-work-around-replay-cache-creation-race.patch565
* krb5-1.10-kpasswd_tcp.patch566
- Refreshed patches567
* krb5-1.12-pam.patch568
* krb5-1.12-selinux-label.patch569
* krb5-1.7-doublelog.patch570
571
-------------------------------------------------------------------572
Thu Sep 25 12:48:32 UTC 2014 - ddiss@suse.com573
574
- Work around replay cache creation race; (bnc#898439).575
krb5-1.13-work-around-replay-cache-creation-race.patch576
577
-------------------------------------------------------------------578
Tue Sep 23 13:25:33 UTC 2014 - varkoly@suse.com579
580
- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal 581
- added patches:582
* bnc#897874-CVE-2014-5351.diff583
-------------------------------------------------------------------584
Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de585
586
- krb5 5.12.2:587
* Work around a gcc optimizer bug that could cause DB2 KDC588
database operations to spin in an infinite loop589
* Fix a backward compatibility problem with the LDAP KDB schema590
that could prevent krb5-1.11 and later from decoding entries591
created by krb5-1.6.592
* Avoid an infinite loop under some circumstances when the GSS593
mechglue loads a dynamic mechanism.594
* Fix krb5kdc argument parsing so "-w" and "-r" options work595
togetherreliably.596
- Vulnerability fixes previously fixed in package via patches:597
* Handle certain invalid RFC 1964 GSS tokens correctly to avoid598
invalid memory reference vulnerabilities. [CVE-2014-4341599
CVE-2014-4342]600
* Fix memory management vulnerabilities in GSSAPI SPNEGO.601
[CVE-2014-4343 CVE-2014-4344]602
* Fix buffer overflow vulnerability in LDAP KDB back end.603
[CVE-2014-4345]604
- updated patches:605
* krb5-1.7-doublelog.patch for context change606
* krb5-1.6.3-ktutil-manpage.dif, same607
- removed patches, in upstream:608
* krb5-master-keyring-kdcsync.patch609
* krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch610
* krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch611
* krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch612
* krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch613
- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch614
from upstream615
616
-------------------------------------------------------------------617
Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com618
619
- buffer overrun in kadmind with LDAP backend620
CVE-2014-4345 (bnc#891082)621
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch 622
623
-------------------------------------------------------------------624
Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com625
626
- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)627
krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch628
Fix null deref in SPNEGO acceptor [CVE-2014-4344]629
krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch630
631
-------------------------------------------------------------------632
Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com633
634
- Do not depend of insserv if systemd is used 635
636
-------------------------------------------------------------------637
Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com638
639
- denial of service flaws when handling RFC 1964 tokens (bnc#886016)640
krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch641
- start krb5kdc after slapd (bnc#886102)642
643
-------------------------------------------------------------------644
Fri Jun 6 11:08:08 UTC 2014 - ckornacker@suse.com645
646
- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)647
similar functionality is provided by krb5-plugin-preauth-pkinit648
649
-------------------------------------------------------------------650
Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com651
652
- don't deliver SysV init files to systemd distributions653
654
-------------------------------------------------------------------655
Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com656
657
- update to version 1.12.1658
* Make KDC log service principal names more consistently during659
some error conditions, instead of "<unknown server>"660
* Fix several bugs related to building AES-NI support on less661
common configurations662
* Fix several bugs related to keyring credential caches663
- upstream obsoletes:664
krb5-1.12-copy_context.patch665
krb5-1.12-enable-NX.patch666
krb5-1.12-pic-aes-ni.patch667
krb5-master-no-malloc0.patch668
krb5-master-ignore-empty-unnecessary-final-token.patch669
krb5-master-gss_oid_leak.patch670
krb5-master-keytab_close.patch671
krb5-master-spnego_error_messages.patch672
- Fix Get time offsets for all keyring ccaches673
krb5-master-keyring-kdcsync.patch (RT#7820)674
675
-------------------------------------------------------------------676
Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com677
678
- update to version 1.12679
* Add GSSAPI extensions for constructing MIC tokens using IOV lists680
* Add a FAST OTP preauthentication module for the KDC which uses681
RADIUS to validate OTP token values.682
* The AES-based encryption types will use AES-NI instructions683
when possible for improved performance.684
- revert dependency on libcom_err-mini-devel since it's not yet685
available686
- update and rebase patches687
* krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch688
* krb5-1.11-pam.patch -> krb5-1.12-pam.patch689
* krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch690
* krb5-1.8-api.patch -> krb5-1.12-api.patch691
* krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch692
* krb5-1.9-debuginfo.patch693
* krb5-1.9-kprop-mktemp.patch694
* krb5-kvno-230379.patch695
- added upstream patches696
- Fix krb5_copy_context697
* krb5-1.12-copy_context.patch698
- Mark AESNI files as not needing executable stacks699
* krb5-1.12-enable-NX.patch700
* krb5-1.12-pic-aes-ni.patch701
- Fix memory leak in SPNEGO initiator702
* krb5-master-gss_oid_leak.patch703
- Fix SPNEGO one-hop interop against old IIS704
* krb5-master-ignore-empty-unnecessary-final-token.patch705
- Fix GSS krb5 acceptor acquire_cred error handling 706
* krb5-master-keytab_close.patch707
- Avoid malloc(0) in SPNEGO get_input_token708
* krb5-master-no-malloc0.patch709
- Test SPNEGO error message in t_s4u.py710
* krb5-master-spnego_error_messages.patch711
712
-------------------------------------------------------------------713
Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com714
715
- Reduce build dependencies for krb5-mini by removing716
doxygen and changing libcom_err-devel to717
libcom_err-mini-devel718
- Small fix to pre_checkin.sh so krb5-mini.spec is correct.719
720
-------------------------------------------------------------------721
Fri Nov 15 13:33:53 UTC 2013 - ckornacker@suse.com722
723
- update to version 1.11.4724
- Fix a KDC null pointer dereference [CVE-2013-1417] that could725
affect realms with an uncommon configuration.726
- Fix a KDC null pointer dereference [CVE-2013-1418] that could727
affect KDCs that serve multiple realms.728
- Fix a number of bugs related to KDC master key rollover.729
730
-------------------------------------------------------------------731
Mon Jun 24 16:21:07 UTC 2013 - mc@suse.com732
733
- install and enable systemd service files also in -mini package734
735
-------------------------------------------------------------------736
Fri Jun 21 02:12:03 UTC 2013 - crrodriguez@opensuse.org737
738
- remove fstack-protector-all from CFLAGS, just use the 739
lighter/fast version already present in %optflags740
741
- Use LFS_CFLAGS to build in 32 bit archs.742
743
-------------------------------------------------------------------744
Sun Jun 9 14:14:48 UTC 2013 - mc@suse.com745
746
- update to version 1.11.3747
- Fix a UDP ping-pong vulnerability in the kpasswd748
(password changing) service. [CVE-2002-2443]749
- Improve interoperability with some Windows native PKINIT clients.750
- install translation files751
- remove outdated configure options752
753
-------------------------------------------------------------------754
Tue May 28 17:08:01 UTC 2013 - mc@suse.com755
756
- cleanup systemd files (remove syslog.target)757
758
-------------------------------------------------------------------759
Fri May 3 09:43:47 CEST 2013 - mc@suse.de760
761
- let krb5-mini conflict with all main packages762
763
-------------------------------------------------------------------764
Thu May 2 16:43:16 CEST 2013 - mc@suse.de765
766
- add conflicts between krb5-mini and krb5-server767
768
-------------------------------------------------------------------769
Sun Apr 28 17:14:36 CEST 2013 - mc@suse.de770
771
- update to version 1.11.2772
* Incremental propagation could erroneously act as if a slave's773
database were current after the slave received a full dump774
that failed to load.775
* gss_import_sec_context incorrectly set internal state that776
identifies whether an imported context is from an interposer777
mechanism or from the underlying mechanism. 778
- upstream fix obsolete krb5-lookup_etypes-leak.patch779
780
-------------------------------------------------------------------781
Thu Apr 4 15:10:19 CEST 2013 - mc@suse.de782
783
- add conflicts between krb5-mini-devel and krb5-devel784
785
-------------------------------------------------------------------786
Tue Apr 2 17:32:08 CEST 2013 - mc@suse.de787
788
- add conflicts between krb5-mini and krb5 and krb5-client789
790
-------------------------------------------------------------------791
Wed Mar 27 11:36:00 CET 2013 - mc@suse.de792
793
- enable selinux and set openssl as crypto implementation794
795
-------------------------------------------------------------------796
Fri Mar 22 10:34:55 CET 2013 - mc@suse.de797
798
- fix path to executables in service files799
(bnc#810926)800
801
-------------------------------------------------------------------802
Fri Mar 15 11:14:21 CET 2013 - mc@suse.de803
804
- update to version 1.11.1805
* Improve ASN.1 support code, making it table-driven for806
decoding as well as encoding807
* Refactor parts of KDC808
* Documentation consolidation809
* build docs in the main package810
* bugfixing811
- changes of patches:812
* bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif:813
upstream814
* bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif:815
upstream816
* krb5-1.10-gcc47.patch: upstream817
* krb5-1.10-selinux-label.patch replaced by818
krb5-1.11-selinux-label.patch819
* krb5-1.10-spin-loop.patch: upstream820
* krb5-1.3.5-perlfix.dif: the tool was removed from upstream821
* krb5-1.8-pam.patch replaced by822
krb5-1.11-pam.patch823
824
-------------------------------------------------------------------825
Wed Mar 6 12:01:32 CET 2013 - mc@suse.de826
827
- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()828
CVE-2012-1016 (bnc#807556)829
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif830
831
-------------------------------------------------------------------832
Mon Mar 4 11:23:10 CET 2013 - mc@suse.de833
834
- fix PKINIT null pointer deref835
CVE-2013-1415 (bnc#806715)836
bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif837
838
-------------------------------------------------------------------839
Fri Jan 25 15:29:37 CET 2013 - mc@suse.de840
841
- package missing file (bnc#794784)842
843
-------------------------------------------------------------------844
Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com845
846
- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc847
(bnc#793336)848
849
-------------------------------------------------------------------850
Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com851
852
- revert the -p usage in %postun to fix SLE build853
854
-------------------------------------------------------------------855
Tue Oct 16 12:05:00 UTC 2012 - coolo@suse.com856
857
- buildrequire systemd by pkgconfig provide to get systemd-mini858
859
-------------------------------------------------------------------860
Sat Oct 13 16:50:59 UTC 2012 - coolo@suse.com861
862
- do not require systemd in krb5-mini863
864
-------------------------------------------------------------------865
Fri Oct 5 15:50:38 CEST 2012 - mc@suse.de866
867
- add systemd service files for kadmind, krb5kdc and kpropd868
- add sysconfig templates for kadmind and krb5kdc869
870
-------------------------------------------------------------------871
Wed Jun 13 08:40:56 UTC 2012 - coolo@suse.com872
873
- fix %files section for krb5-mini874
875
-------------------------------------------------------------------876
Thu Jun 7 11:39:18 UTC 2012 - mc@suse.de877
878
- fix gcc47 issues879
880
-------------------------------------------------------------------881
Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de882
883
- update to version 1.10.2884
obsolte patches:885
* krb5-1.7-nodeplibs.patch886
* krb5-1.9.1-ai_addrconfig.patch887
* krb5-1.9.1-ai_addrconfig2.patch888
* krb5-1.9.1-sendto_poll.patch889
* krb5-1.9-canonicalize-fallback.patch890
* krb5-1.9-paren.patch891
* krb5-klist_s.patch892
* krb5-pkinit-cms2.patch893
* krb5-trunk-chpw-err.patch894
* krb5-trunk-gss_delete_sec.patch895
* krb5-trunk-kadmin-oldproto.patch896
* krb5-1.9-MITKRB5-SA-2011-006.dif897
* krb5-1.9-gss_display_status-iakerb.patch898
* krb5-1.9.1-sendto_poll2.patch899
* krb5-1.9.1-sendto_poll3.patch900
* krb5-1.9-MITKRB5-SA-2011-007.dif901
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain902
Controllers.903
- Update a workaround for a glibc bug that would cause DNS PTR queries904
to occur even when rdns = false.905
- Fix a kadmind denial of service issue (null pointer dereference),906
which could only be triggered by an administrator with the "create"907
privilege. [CVE-2012-1013]908
- Fix access controls for KDB string attributes [CVE-2012-1012]909
- Make the ASN.1 encoding of key version numbers interoperate with910
Windows Read-Only Domain Controllers911
- Avoid generating spurious password expiry warnings in cases where912
the KDC sends an account expiry time without a password expiry time913
- Make PKINIT work with FAST in the client library.914
- Add the DIR credential cache type, which can hold a collection of915
credential caches.916
- Enhance kinit, klist, and kdestroy to support credential cache917
collections if the cache type supports it.918
- Add the kswitch command, which changes the selected default cache919
within a collection.920
- Add heuristic support for choosing client credentials based on921
the service realm.922
- Add support for $HOME/.k5identity, which allows credential923
choice based on configured rules.924
925
-------------------------------------------------------------------926
Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de927
928
- add autoconf macro to devel subpackage929
930
-------------------------------------------------------------------931
Tue Jan 31 15:33:05 CET 2012 - meissner@suse.de932
933
- fix license in krb5-mini934
935
-------------------------------------------------------------------936
Tue Dec 20 20:57:26 UTC 2011 - coolo@suse.com937
938
- add autoconf as buildrequire to avoid implicit dependency939
940
-------------------------------------------------------------------941
Tue Dec 20 11:01:39 UTC 2011 - coolo@suse.com942
943
- remove call to suse_update_config, very old work around944
945
-------------------------------------------------------------------946
Mon Nov 21 11:24:12 CET 2011 - mc@suse.de947
948
- fix KDC null pointer dereference in TGS handling949
(MITKRB5-SA-2011-007, bnc#730393)950
CVE-2011-1530951
952
-------------------------------------------------------------------953
Mon Nov 21 11:11:54 CET 2011 - mc@suse.de954
955
- fix KDC HA feature introduced with implementing KDC poll956
(RT#6951, bnc#731648)957
958
-------------------------------------------------------------------959
Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de960
961
- fix minor error messages for the IAKERB GSSAPI mechanism962
(see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)963
964
-------------------------------------------------------------------965
Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de966
967
- fix kdc remote denial of service968
(MITKRB5-SA-2011-006, bnc#719393)969
CVE-2011-1527, CVE-2011-1528, CVE-2011-1529970
971
-------------------------------------------------------------------972
Tue Aug 23 13:52:03 CEST 2011 - mc@suse.de973
974
- use --without-pam to build krb5-mini975
976
-------------------------------------------------------------------977
Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com978
979
- add patches from Fedora and upstream 980
- fix init scripts (bnc#689006)981
982
-------------------------------------------------------------------983
Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com984
985
- update to version 1.9.1986
* obsolete patches:987
MITKRB5-SA-2010-007-1.8.dif988
krb5-1.8-MITKRB5-SA-2010-006.dif989
krb5-1.8-MITKRB5-SA-2011-001.dif990
krb5-1.8-MITKRB5-SA-2011-002.dif991
krb5-1.8-MITKRB5-SA-2011-003.dif992
krb5-1.8-MITKRB5-SA-2011-004.dif993
krb5-1.4.3-enospc.dif994
* replace krb5-1.6.1-compile_pie.dif995
-------------------------------------------------------------------996
Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de997
998
- fix kadmind invalid pointer free()999
(MITKRB5-SA-2011-004, bnc#687469)1000
CVE-2011-02851001
1002
-------------------------------------------------------------------1003
Tue Mar 1 12:43:22 CET 2011 - mc@suse.de1004
1005
- Fix vulnerability to a double-free condition in KDC daemon1006
(MITKRB5-SA-2011-003, bnc#671717)1007
CVE-2011-02841008
1009
-------------------------------------------------------------------1010
Wed Jan 19 14:42:27 CET 2011 - mc@suse.de1011
1012
- Fix kpropd denial of service1013
(MITKRB5-SA-2011-001, bnc#662665)1014
CVE-2010-40221015
- Fix KDC denial of service attacks with LDAP back end1016
(MITKRB5-SA-2011-002, bnc#663619)1017
CVE-2011-0281, CVE-2011-0282 1018
1019
-------------------------------------------------------------------1020
Wed Dec 1 11:44:15 CET 2010 - mc@suse.de1021
1022
- Fix multiple checksum handling vulnerabilities 1023
(MITKRB5-SA-2010-007, bnc#650650)1024
CVE-2010-13241025
* krb5 GSS-API applications may accept unkeyed checksums1026
* krb5 application services may accept unkeyed PAC checksums1027
* krb5 KDC may accept low-entropy KrbFastArmoredReq checksums1028
CVE-2010-13231029
* krb5 clients may accept unkeyed SAM-2 challenge checksums1030
* krb5 may accept KRB-SAFE checksums with low-entropy derived keys1031
CVE-2010-40201032
* krb5 may accept authdata checksums with low-entropy derived keys1033
CVE-2010-40211034
* krb5 KDC may issue unrequested tickets due to KrbFastReq forgery 1035
1036
-------------------------------------------------------------------1037
Thu Oct 28 12:53:13 CEST 2010 - mc@suse.de1038
1039
- fix csh profile (bnc#649856) 1040
1041
-------------------------------------------------------------------1042
Fri Oct 22 11:15:43 CEST 2010 - mc@suse.de1043
1044
- update to krb5-1.8.31045
* remove patches which are now upstrem1046
- krb5-1.7-MITKRB5-SA-2010-004.dif 1047
- krb5-1.8.1-gssapi-error-table.dif 1048
- krb5-MITKRB5-SA-2010-005.dif 1049
1050
-------------------------------------------------------------------1051
Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de1052
1053
- change environment variable PATH directly for csh1054
(bnc#642080)1055
1056
-------------------------------------------------------------------1057
Mon Sep 27 11:42:43 CEST 2010 - mc@suse.de1058
1059
- fix a dereference of an uninitialized pointer while processing1060
authorization data. 1061
CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)1062
1063
-------------------------------------------------------------------1064
Mon Jun 21 21:31:53 UTC 2010 - lchiquitto@novell.com1065
1066
- add correct error table when initializing gss-krb5 (bnc#606584,1067
bnc#608295)1068
1069
-------------------------------------------------------------------1070
Wed May 19 14:27:19 CEST 2010 - mc@suse.de1071
1072
- fix GSS-API library null pointer dereference1073
CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826) 1074
1075
-------------------------------------------------------------------1076
Wed Apr 14 11:36:32 CEST 2010 - mc@suse.de1077
1078
- fix a double free vulnerability in the KDC 1079
CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)1080
1081
-------------------------------------------------------------------1082
Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de1083
1084
- update to version 1.8.11085
* include krb5-1.8-POST.dif1086
* include MITKRB5-SA-2010-002 1087
1088
-------------------------------------------------------------------1089
Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de1090
1091
- update krb5-1.8-POST.dif 1092
1093
-------------------------------------------------------------------1094
Tue Mar 23 14:32:41 CET 2010 - mc@suse.de1095
1096
- fix a bug where an unauthenticated remote attacker could cause1097
a GSS-API application including the Kerberos administration1098
daemon (kadmind) to crash.1099
CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) 1100
1101
-------------------------------------------------------------------1102
Tue Mar 23 12:33:26 CET 2010 - mc@suse.de1103
1104
- add post 1.8 fixes1105
* Add IPv6 support to changepw.c1106
* fix two problems in kadm5_get_principal mask handling 1107
* Ignore improperly encoded signedpath AD elements1108
* handle NT_SRV_INST in service principal referrals1109
* dereference options while checking 1110
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT1111
* Fix the kpasswd fallback from the ccache principal name1112
* Document the ticket_lifetime libdefaults setting1113
* Change KRB5_AUTHDATA_SIGNTICKET from 142 to 5121114
1115
-------------------------------------------------------------------1116
Thu Mar 4 10:42:29 CET 2010 - mc@suse.de1117
1118
- update to version 1.81119
* Increase code quality 1120
* Move toward improved KDB interface1121
* Investigate and remedy repeatedly-reported performance 1122
bottlenecks.1123
* Reduce DNS dependence by implementing an interface that allows1124
client library to track whether a KDC supports service 1125
principal referrals.1126
* Disable DES by default 1127
* Account lockout for repeated login failures1128
* Bridge layer to allow Heimdal HDB modules to act as KDB 1129
backend modules1130
* FAST enhancements1131
* Microsoft Services for User (S4U) compatibility1132
* Anonymous PKINIT1133
- fix KDC denial of service1134
CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)1135
- fix KDC denial of service in cross-realm referral processing1136
CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)1137
- fix integer underflow in AES and RC4 decryption1138
CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)1139
- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl1140
1141
-------------------------------------------------------------------1142
Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de1143
1144
- add baselibs.conf as a source1145
1146
-------------------------------------------------------------------1147
Fri Nov 13 16:51:37 CET 2009 - mc@suse.de1148
1149
- enhance '$PATH' only if the directories are available1150
and not empty (bnc#544949)1151
1152
-------------------------------------------------------------------1153
Sun Jul 12 21:36:17 CEST 2009 - coolo@novell.com1154
1155
- readd lost baselibs.conf1156
1157
-------------------------------------------------------------------1158
Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de1159
1160
- update to final 1.7 release 1161
1162
-------------------------------------------------------------------1163
Wed May 13 11:30:42 CEST 2009 - mc@suse.de1164
1165
- update to version 1.7 Beta2 1166
* Incremental propagation support for the KDC database.1167
* Flexible Authentication Secure Tunneling (FAST), a preauthentiation1168
framework that can protect the AS exchange from dictionary attack.1169
* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which1170
allows a GSS application to request credential delegation only if1171
permitted by KDC policy.1172
* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --1173
various vulnerabilities in SPNEGO and ASN.1 code.1174
1175
-------------------------------------------------------------------1176
Mon Feb 16 13:04:26 CET 2009 - mc@suse.de1177
1178
- update to pre 1.7 version 1179
* Remove support for version 4 of the Kerberos protocol (krb4).1180
* New libdefaults configuration variable "allow_weak_crypto".1181
* Client library now follows client principal referrals, for1182
compatibility with Windows.1183
* KDC can issue realm referrals for service principals based on domain1184
names.1185
* Encryption algorithm negotiation (RFC 4537).1186
* In the replay cache, use a hash over the complete ciphertext to1187
avoid false-positive replay indications.1188
* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is1189
similar to the equivalent SSPI functionality.1190
* DCE RPC, including three-leg GSS context setup and unencapsulated1191
GSS tokens.1192
* NTLM recognition support in GSS-API, to facilitate dropping in an1193
NTLM implementation.1194
* KDC support for principal aliases, if the back end supports them.1195
* Microsoft set/change password (RFC 3244) protocol in kadmind.1196
* Master key rollover support.1197
1198
-------------------------------------------------------------------1199
Wed Jan 14 09:21:36 CET 2009 - olh@suse.de1200
1201
- obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit1202
1203
-------------------------------------------------------------------1204
Thu Dec 11 14:12:57 CET 2008 - mc@suse.de1205
1206
- do not query IPv6 addresses if no IPv6 address exists on this host1207
[bnc#449143] 1208
1209
-------------------------------------------------------------------1210
Wed Dec 10 12:34:56 CET 2008 - olh@suse.de1211
1212
- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade1213
(bnc#437293)1214
1215
-------------------------------------------------------------------1216
Thu Oct 30 12:34:56 CET 2008 - olh@suse.de1217
1218
- obsolete old -XXbit packages (bnc#437293)1219
1220
-------------------------------------------------------------------1221
Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de1222
1223
- in case we use ldap as database backend, ldap should be1224
started before krb5kdc 1225
1226
-------------------------------------------------------------------1227
Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de1228
1229
- add new fixes to post 1.6.3 patch1230
* fix mem leak in krb5_gss_accept_sec_context()1231
* keep minor_status1232
* kadm5_decrypt_key: A ktype of -1 is documented as meaning 1233
"to be ignored" 1234
* Reject socket fds > FD_SETSIZE1235
1236
-------------------------------------------------------------------1237
Fri Jul 25 12:13:24 CEST 2008 - mc@suse.de1238
1239
- add patches from SVN post 1.6.31240
* krb5_string_to_keysalts: Fix an infinite loop1241
* fix some mutex issues1242
* better recovery from corrupt rcache files1243
* some more small fixes1244
1245
-------------------------------------------------------------------1246
Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de1247
1248
- add case-insensitive.dif (FATE#300771)1249
- minor fixes for ktutil man page1250
- reduce rpmlint warnings 1251
1252
-------------------------------------------------------------------1253
Wed May 14 17:44:59 CEST 2008 - mc@suse.de1254
1255
- Fall back to TCP on kdc-unresolvable/unreachable errors.1256
- restore valid sequence number before generating requests1257
(fix changing passwords in mixed ipv4/ipv6 enviroments) 1258
1259
-------------------------------------------------------------------1260
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de1261
1262
- added baselibs.conf file to build xxbit packages1263
for multilib support1264
1265
-------------------------------------------------------------------1266
Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de1267
1268
- modify krb5-config to not output rpath and cflags in --libs 1269
(bnc#378270)1270
1271
-------------------------------------------------------------------1272
Fri Mar 14 11:27:55 CET 2008 - mc@suse.de1273
1274
- fix two security bugs:1275
* MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063)1276
fix double free [bnc#361373]1277
* MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)1278
Memory corruption while too many open file descriptors1279
[bnc#363151]1280
- change default config file. Comment out the examples. 1281
1282
-------------------------------------------------------------------1283
Fri Dec 14 10:48:52 CET 2007 - mc@suse.de1284
1285
- fix several security bugs:1286
* CVE-2007-5894 apparent uninit length1287
* CVE-2007-5902 integer overflow1288
* CVE-2007-5971 free of non-heap pointer and double-free1289
* CVE-2007-5972 double fclose()1290
[#346745, #346748, #346746, #346749, #346747]1291
1292
-------------------------------------------------------------------1293
Tue Dec 4 16:36:07 CET 2007 - mc@suse.de1294
1295
- improve GSSAPI error messages 1296
1297
-------------------------------------------------------------------1298
Tue Nov 6 13:53:17 CET 2007 - mc@suse.de1299
1300
- add coreutils to PreReq 1301
1302
-------------------------------------------------------------------1303
Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de1304
1305
- update to krb5 version 1.6.31306
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow1307
* fix CVE-2007-4000 modify_policy vulnerability1308
* Add PKINIT support1309
- remove patches which are upstream now1310
- enhance init scripts and xinetd profiles1311
1312
-------------------------------------------------------------------1313
Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de1314
1315
- update krb5-1.6.2-post.dif1316
* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that 1317
that the client library will not failover to the next KDC. 1318
[#310540]1319
1320
-------------------------------------------------------------------1321
Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de1322
1323
- update krb5-1.6.2-post.dif1324
* new -S sname option for kvno1325
* read_entropy_from_device on partial read will not fill buffer1326
* Bail out if encoded "ticket" doesn't decode correctly.1327
* patch for referrals loop 1328
1329
-------------------------------------------------------------------1330
Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de1331
1332
- fix a problem with the originally published patch1333
for MITKRB5-SA-2007-006 - CVE-2007-39991334
[#302377]1335
1336
-------------------------------------------------------------------1337
Wed Sep 5 12:18:21 CEST 2007 - mc@suse.de1338
1339
- fix execute arbitrary code1340
(MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)1341
[#302377]1342
1343
-------------------------------------------------------------------1344
Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de1345
1346
- add krb5-1.6.2-post.dif1347
* during the referrals loop, check to see if the1348
session key enctype of a returned credential for the final 1349
service is among the enctypes explicitly selected by the 1350
application, and retry with old_use_conf_ktypes if it is not. 1351
* If mkstemp() is available, the new ccache file gets created but 1352
the subsequent open(O_CREAT|O_EXCL) call fails because the file1353
was already created by mkstemp(). Apply patch from Apple to keep1354
the file descriptor open.1355
1356
-------------------------------------------------------------------1357
Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de1358
1359
- update to version 1.6.21360
- remove krb5-1.6.1-post.dif all fixes are included in this release 1361
1362
-------------------------------------------------------------------1363
Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de1364
1365
- change requires to libcom_err-devel1366
1367
-------------------------------------------------------------------1368
Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de1369
1370
- update krb5-1.6.1-post.dif1371
* fix leak in krb5_walk_realm_tree1372
* rd_req_decoded needs to deal with referral realms 1373
* fix buffer overflow in kadmind1374
(MITKRB5-SA-2007-005 - CVE-2007-2798)1375
[#278689]1376
* fix kadmind code execution bug1377
(MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)1378
[#271191]1379
1380
-------------------------------------------------------------------1381
Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de1382
1383
- fix unstripped-binary-or-object rpmlint warning 1384
1385
-------------------------------------------------------------------1386
Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de1387
1388
- fixing rpmlint warnings and errors:1389
* merged logrotate scripts kadmin and krb5kdc into a single file1390
krb5-server. 1391
* moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl1392
from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper.1393
adapted krb5.spec and README.ConvertHeimdalMIT accordingly.1394
* added surpression filter for1395
"devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so"1396
(see [#147912]).1397
* set default runlevel of init scripts in chkconfig line to 3 and1398
51399
1400
-------------------------------------------------------------------1401
Wed May 9 15:30:53 CEST 2007 - mc@suse.de1402
1403
- fix uninitialized salt length 1404
- add extra check for keytab file1405
1406
-------------------------------------------------------------------1407
Thu May 3 12:11:29 CEST 2007 - mc@suse.de1408
1409
- adding krb5-1.6.1-post.dif1410
* fix segfault in krb5_get_init_creds_password 1411
* remove debug output in ftp client1412
* profile stores empty string values without double quotes1413
1414
-------------------------------------------------------------------1415
Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de1416
1417
- update to final 1.6.1 version 1418
1419
-------------------------------------------------------------------1420
Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de1421
1422
- add plugin directories to main package 1423
1424
-------------------------------------------------------------------1425
Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de1426
1427
- update to version 1.6.1 Beta11428
- remove obsolete patches 1429
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)1430
- rework compile_pie patch1431
1432
-------------------------------------------------------------------1433
Wed Apr 11 10:58:09 CEST 2007 - mc@suse.de1434
1435
- update krb5-1.6-post.dif1436
* fix kadmind stack overflow in krb5_klog_syslog1437
(MITKRB5-SA-2007-002 - CVE-2007-0957)1438
[#253548]1439
* fix double free attack in the RPC library1440
(MITKRB5-SA-2007-003 - CVE-2007-1216)1441
[#252487]1442
* fix krb5 telnetd login injection1443
(MIT-SA-2007-001 - CVE-2007-0956)1444
#2477651445
1446
-------------------------------------------------------------------1447
Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de1448
1449
- add ncurses-devel and bison to BuildRequires1450
- rework some patches1451
1452
-------------------------------------------------------------------1453
Mon Mar 5 11:01:20 CET 2007 - mc@suse.de1454
1455
- move SuSEFirewall service definitions to 1456
/etc/sysconfig/SuSEfirewall2.d/services 1457
1458
-------------------------------------------------------------------1459
Thu Feb 22 11:13:48 CET 2007 - mc@suse.de1460
1461
- add firewall definition to krb5-server, FATE #3006871462
1463
-------------------------------------------------------------------1464
Mon Feb 19 13:59:43 CET 2007 - mc@suse.de1465
1466
- update krb5-1.6-post.dif1467
- move some applications into the right package 1468
1469
-------------------------------------------------------------------1470
Fri Feb 9 13:31:22 CET 2007 - mc@suse.de1471
1472
- update krb5-1.6-post.dif 1473
1474
-------------------------------------------------------------------1475
Mon Jan 29 11:27:23 CET 2007 - mc@suse.de1476
1477
- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif1478
are now upstream. Remove patches.1479
- fix leak in krb5_kt_resolve and krb5_kt_wresolve1480
1481
-------------------------------------------------------------------1482
Tue Jan 23 17:21:12 CET 2007 - mc@suse.de1483
1484
- fix "local variable used before set" in ftp.c1485
[#237684]1486
1487
-------------------------------------------------------------------1488
Mon Jan 22 16:39:27 CET 2007 - mc@suse.de1489
1490
- krb5-devel should require keyutils-devel 1491
1492
-------------------------------------------------------------------1493
Mon Jan 22 12:19:49 CET 2007 - mc@suse.de1494
1495
- update to version 1.61496
* Major changes in 1.6 include 1497
* Partial client implementation to handle server name referrals. 1498
* Pre-authentication plug-in framework, donated by Red Hat. 1499
* LDAP KDB plug-in, donated by Novell. 1500
- remove obsolete patches1501
1502
-------------------------------------------------------------------1503
Wed Jan 10 11:16:30 CET 2007 - mc@suse.de1504
1505
- fix for1506
kadmind (via RPC library) calls uninitialized function pointer1507
(CVE-2006-6143)(Bug #225990)1508
krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif1509
- fix for1510
kadmind (via GSS-API mechglue) frees uninitialized pointers1511
(CVE-2006-6144)(Bug #225992)1512
krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif1513
1514
-------------------------------------------------------------------1515
Tue Jan 2 14:53:33 CET 2007 - mc@suse.de1516
1517
- Fix Requires in krb5-devel 1518
[Bug #231008]1519
1520
-------------------------------------------------------------------1521
Mon Nov 6 11:49:39 CET 2006 - mc@suse.de1522
1523
- fix "local variable used before set" [#217692]1524
- fix strncat warning 1525
1526
-------------------------------------------------------------------1527
Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de1528
1529
- add a default kadm5.dict file1530
- require $network on daemon start1531
1532
-------------------------------------------------------------------1533
Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de1534
1535
- fix function call with too few arguments [#203837] 1536
1537
-------------------------------------------------------------------1538
Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de1539
1540
- update to version 1.5.11541
- remove obsolete patches which are now included upstream1542
* krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif1543
* trunk-fix-uninitialized-vars.dif 1544
1545
-------------------------------------------------------------------1546
Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de1547
1548
- krb5 setuid return check fixes1549
krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif1550
[#182351]1551
1552
-------------------------------------------------------------------1553
Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de1554
1555
- remove update-messages 1556
1557
-------------------------------------------------------------------1558
Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de1559
1560
- add check for krb5_prop in services to kpropd init script.1561
[#192446]1562
1563
-------------------------------------------------------------------1564
Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de1565
1566
- update to version 1.51567
* KDB abstraction layer, donated by Novell. 1568
* plug-in architecture, allowing for extension modules to be 1569
loaded at run-time. 1570
* multi-mechanism GSS-API implementation ("mechglue"), 1571
donated by Sun Microsystems 1572
* Simple and Protected GSS-API negotiation mechanism ("SPNEGO") 1573
implementation, donated by Sun Microsystems 1574
- remove obsolete patches and add some new1575
1576
-------------------------------------------------------------------1577
Fri May 26 14:50:00 CEST 2006 - ro@suse.de1578
1579
- libcom is not in e2fsck-devel but in its own package now, change1580
Requires accordingly.1581
1582
-------------------------------------------------------------------1583
Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de1584
1585
- add all daemons to %stop_on_removal and %restart_on_update1586
- add reload to kpropd init script1587
- add force-reload to all init scripts 1588
1589
-------------------------------------------------------------------1590
Mon Mar 13 18:20:36 CET 2006 - mc@suse.de1591
1592
- add libgssapi_krb5.so link to main package [#147912] 1593
1594
-------------------------------------------------------------------1595
Fri Feb 3 18:17:01 CET 2006 - mc@suse.de1596
1597
- fix logging section for kadmind in convert script 1598
1599
-------------------------------------------------------------------1600
Wed Jan 25 21:30:24 CET 2006 - mls@suse.de1601
1602
- converted neededforbuild to BuildRequires1603
1604
-------------------------------------------------------------------1605
Fri Jan 13 14:44:24 CET 2006 - mc@suse.de1606
1607
- change the logging defaults 1608
1609
-------------------------------------------------------------------1610
Wed Jan 11 12:59:08 CET 2006 - mc@suse.de1611
1612
- add tools and README for heimdal => MIT update 1613
1614
-------------------------------------------------------------------1615
Mon Jan 9 14:41:07 CET 2006 - mc@suse.de1616
1617
- fix build problems, define _GNU_SOURCE1618
(krb5-1.4.3-set_gnu_source.dif )1619
1620
-------------------------------------------------------------------1621
Tue Jan 3 16:00:13 CET 2006 - mc@suse.de1622
1623
- added "make %{?jobs:-j%jobs}" 1624
1625
-------------------------------------------------------------------1626
Fri Nov 18 12:12:01 CET 2005 - mc@suse.de1627
1628
- update to version 1.4.31629
* some memmory leaks fixed1630
* fix for "AS_REP padata has wrong enctype"1631
* fix for "AS_REP padata missing PA-ETYPE-INFO"1632
* ... and more 1633
1634
-------------------------------------------------------------------1635
Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de1636
1637
- don't build as root 1638
1639
-------------------------------------------------------------------1640
Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de1641
1642
- update to version 1.4.21643
- remove some obsolet patches 1644
1645
-------------------------------------------------------------------1646
Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de1647
1648
- build with --disable-static 1649
1650
-------------------------------------------------------------------1651
Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de1652
1653
- remove devel-static subpackage 1654
1655
-------------------------------------------------------------------1656
Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de1657
1658
- better patch for princ_comp problem 1659
1660
-------------------------------------------------------------------1661
Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de1662
1663
- update to version 1.4.11664
- remove obsolet patches1665
- krb5-1.4-gcc4.dif1666
- krb5-1.4-reduce-namespace-polution.dif1667
- krb5-1.4-VUL-0-telnet.dif1668
1669
-------------------------------------------------------------------1670
Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de1671
1672
- fixed krb5 KDC heap corruption by random free1673
[#80574, CAN-2005-1174, MITKRB5-SA-2005-002]1674
- fixed krb5 double free()1675
[#86768, CAN-2005-1689, MITKRB5-SA-2005-003]1676
- fix krb5 NULL pointer reference while comparing principals1677
[#91600] 1678
1679
-------------------------------------------------------------------1680
Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de1681
1682
- fix uninitialized variables 1683
- compile with -fPIE/ link with -pie1684
1685
-------------------------------------------------------------------1686
Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de1687
1688
- fixed wrong xinetd files [#77149] 1689
1690
-------------------------------------------------------------------1691
Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de1692
1693
- removed krb5-1.4-fix-error_tables.dif patch obsoleted1694
by libcom_err locking patches1695
1696
-------------------------------------------------------------------1697
Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de1698
1699
- fixed missing descriptions in init files 1700
[#76164, #76165, #76166, #76169] 1701
1702
-------------------------------------------------------------------1703
Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de1704
1705
- enhance $PATH via /etc/profile.d/ [#74018]1706
- remove the "links to important programs" 1707
1708
-------------------------------------------------------------------1709
Fri Mar 18 11:09:43 CET 2005 - mc@suse.de1710
1711
- fixed not running converter script [#72854] 1712
1713
-------------------------------------------------------------------1714
Thu Mar 17 14:15:17 CET 2005 - mc@suse.de1715
1716
- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer 1717
Overflow1718
- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer 1719
Overflow1720
[#73618]1721
1722
-------------------------------------------------------------------1723
Wed Mar 16 13:10:18 CET 2005 - mc@suse.de1724
1725
- fixed wrong PreReqs [#73020]1726
1727
-------------------------------------------------------------------1728
Tue Mar 15 19:54:58 CET 2005 - mc@suse.de1729
1730
- add a simple krb5.conf converter [#72854]1731
1732
-------------------------------------------------------------------1733
Mon Mar 14 17:08:59 CET 2005 - mc@suse.de1734
1735
- fixed: rckrb5kdc restart gives wrong status with non-running service1736
[#72446] 1737
1738
-------------------------------------------------------------------1739
Thu Mar 10 10:48:07 CET 2005 - mc@suse.de1740
1741
- add requires: e2fsprogs-devel to krb5-devel package [#71732] 1742
1743
-------------------------------------------------------------------1744
Fri Feb 25 17:35:37 CET 2005 - mc@suse.de1745
1746
- fix double free [#66534]1747
krb5-1.4-fix-error_tables.dif 1748
1749
-------------------------------------------------------------------1750
Fri Feb 11 14:01:32 CET 2005 - mc@suse.de1751
1752
- change mode for shared libraries to 755 1753
1754
-------------------------------------------------------------------1755
Fri Feb 4 16:48:16 CET 2005 - mc@suse.de1756
1757
- remove spx.c from tarball because of legal risk1758
- add README.Source which tell the user about this 1759
action.1760
- add a check for spx.c in the spec-file1761
- use rich-text for update-messages [#50250] 1762
1763
-------------------------------------------------------------------1764
Tue Feb 1 12:13:45 CET 2005 - mc@suse.de1765
1766
- add krb5-1.4-reduce-namespace-polution.dif1767
reduce namespace polution in gssapi.h [#50356] 1768
1769
-------------------------------------------------------------------1770
Fri Jan 28 13:25:42 CET 2005 - mc@suse.de1771
1772
- update to version 1.41773
- Add implementation of the RPCSEC_GSS authentication flavor to the1774
RPC library.1775
- Thread safety for krb5 libraries.1776
- Merged Athena telnetd changes for creating a new option for1777
requiring encryption.1778
- The kadmind4 backwards-compatibility admin server and the v5passwdd1779
backwards-compatibility password-changing server have been removed.1780
- Yarrow code now uses AES.1781
- Merged Athena changes to allow ftpd to require encrypted passwords.1782
- Incorporate gss_krb5_set_allowable_enctypes() and1783
gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.1784
- remove obsolet patches1785
1786
-------------------------------------------------------------------1787
Mon Jan 17 11:34:52 CET 2005 - mc@suse.de1788
1789
- add proofreaded update-messages 1790
1791
-------------------------------------------------------------------1792
Fri Jan 14 14:38:25 CET 2005 - mc@suse.de1793
1794
- remove Conflicts: and add Provides: 1795
- add some insserv stuff 1796
1797
-------------------------------------------------------------------1798
Thu Jan 13 11:54:01 CET 2005 - mc@suse.de1799
1800
- move vendor files to vendor-files.tar.bz21801
- add obsoletes: heimdal1802
- add %pre and %post sections to detect update1803
from heimdal and backup invalid configuration files1804
- add update-messages for heimdal update1805
1806
-------------------------------------------------------------------1807
Mon Jan 10 12:18:02 CET 2005 - mc@suse.de1808
1809
- update to version 1.3.61810
- fix for: heap buffer overflow in libkadm5srv 1811
[CAN-2004-1189 / MITKRB5-SA-2004-004] 1812
1813
-------------------------------------------------------------------1814
Tue Dec 14 15:30:23 CET 2004 - mc@suse.de1815
1816
- build doc subpackage in an own specfile 1817
- removed unnecessary neededforbuild requirements1818
1819
-------------------------------------------------------------------1820
Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de1821
1822
- fix build with gcc 41823
1824
-------------------------------------------------------------------1825
Mon Nov 15 17:25:56 CET 2004 - mc@suse.de1826
1827
- added Conflicts with heimdal*1828
- rename some manpages to avoid conflicts 1829
1830
-------------------------------------------------------------------1831
Thu Nov 4 18:03:11 CET 2004 - mc@suse.de1832
1833
- new init scripts1834
- fix logrotate scripts1835
- add some 64Bit fixes1836
- add default krb5.conf, kdc.conf and kadm5.acl1837
1838
-------------------------------------------------------------------1839
Wed Nov 3 18:52:07 CET 2004 - mc@suse.de1840
1841
- add e2fsprogs to NFB1842
- use system-et and system-ss 1843
- fix includes of com_err.h 1844
1845
-------------------------------------------------------------------1846
Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de1847
1848
- Initital checkin 1849
1850