diff --git a/0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch b/0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch index 831e195..14aa1e0 100644 --- a/0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch +++ b/0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch 
@@ -242,3 +242,69 @@ index 05d5b40..a18beff 100644 krb5_free_authdata(context, ifrel); krb5_pac_free(context, pac); +From 81aa6ef695838a4b2fb5a53e773ea379a492913d Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Fri, 9 Feb 2024 16:36:03 +0100 +Subject: [PATCH] ipd-kdb: Fix some mistakes in + ipadb_check_for_bronze_bit_attack() + +Fixes: https://pagure.io/freeipa/issue/9521 +Signed-off-by: Julien Rische +Reviewed-By: Alexander Bokovoy +--- + daemons/ipa-kdb/ipa_kdb.h | 3 ++- + daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 2 +- + daemons/ipa-kdb/ipa_kdb_mspac.c | 5 +++-- + 3 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h +index 621c23591..5de5ea7a5 100644 +--- a/daemons/ipa-kdb/ipa_kdb.h ++++ b/daemons/ipa-kdb/ipa_kdb.h +@@ -382,7 +382,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, + * status If the call fails and the pointer is not NULL, set it with a + * message describing the cause of the failure. 
*/ + krb5_error_code +-ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request, ++ipadb_check_for_bronze_bit_attack(krb5_context context, ++ const krb5_kdc_req *request, + bool *supported, bool *detected, + const char **status); + # endif +diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c +index 713e9a0c8..44959f3de 100644 +--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c ++++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c +@@ -190,7 +190,7 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata, + krb5_error_code kerr; + bool supported; + +- kerr = ipadb_check_for_bronze_bit_attack(context, request, supported, NULL, ++ kerr = ipadb_check_for_bronze_bit_attack(context, request, &supported, NULL, + status); + if (kerr) + return KRB5KDC_ERR_POLICY; +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 80350364a..886ed7785 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -3308,13 +3308,14 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, + #if KRB5_KDB_DAL_MAJOR_VERSION <= 8 + # ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT + krb5_error_code +-ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request, ++ipadb_check_for_bronze_bit_attack(krb5_context context, ++ const krb5_kdc_req *request, + bool *supported, bool *detected, + const char **status) + { + krb5_error_code kerr; + const char *st = NULL; +- size_t i, j; ++ size_t i, j = 0; + bool in_supported = true, in_detected = false; + struct ipadb_context *ipactx; + krb5_ticket *evidence_tkt; +-- +2.43.0 + diff --git a/ipa.spec b/ipa.spec index e64edad..c423c90 100644 --- a/ipa.spec +++ b/ipa.spec 
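Review bot: In the `ipa_kdcpolicy_check_tgs` hunk of the embedded patch, `bool supported;` is still declared without an initializer. Now that the call passes `&supported`, any read after the call depends on `ipadb_check_for_bronze_bit_attack()` storing to it on every path that returns 0, which the visible lines do not show. Initialising it at the declaration, e.g. `bool supported = false;` (or whichever value the caller treats as the cautious outcome), keeps the Bronze-Bit policy decision off indeterminate stack contents if a later change adds an early return in the callee. In the `ipa_kdb_mspac.c` hunk, `size_t i, j = 0;` initialises only `j`; writing `size_t i;` and `size_t j = 0;` on separate lines makes that explicit. Both function bodies continue outside the hunk, so how `supported` and `j` are used afterwards is inferred.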
@@ -1738,21 +1738,22 @@ fi %endif %changelog -* Mon Feb 12 2024 Rafael Jeffman - 4.9.13-5 +* Tue Feb 13 2024 Rafael Jeffman - 4.9.13-5 - kdb: PAC generator: do not fail if canonical principal is missing Resolves: RHEL-23630 - ipa-kdb: Fix memory leak during PAC verification Resolves: RHEL-22644 - Fix session cookie access Resolves: RHEL-23622 -- Do not ignore staged users in sidgen plugin\ +- Do not ignore staged users in sidgen plugin Resovlves: RHEL-23626 - ipa-kdb: Disable Bronze-Bit check if PAC not available Resolves: RHEL-22313 - krb5kdc: Fix start when pkinit and otp auth type are enabled Resolves: RHEL-4874 - hbactest was not collecting or returning messages - Resolvez: RHEL-12780 + Resolves: RHEL-12780 + * Tue Jan 23 2024 Rafael Jeffman - 4.9.13-4 - Improve server affinity for CA-less deployments