* Fri Feb 13 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-1
- Update to krb5-1.13.1 - drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1 - drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1 - drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1 - Minor spec cleanup
parent
c74e97faa9
commit
03981c354e
63
krb5.spec
63
krb5.spec
@ -42,19 +42,19 @@
|
|||||||
|
|
||||||
Summary: The Kerberos network authentication system
|
Summary: The Kerberos network authentication system
|
||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.13
|
Version: 1.13.1
|
||||||
Release: 8%{?dist}
|
Release: 1%{?dist}
|
||||||
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||||
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13-signed.tar
|
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.1-signed.tar
|
||||||
# - The sources below are stored in a lookaside cache. Upload with
|
# - The sources below are stored in a lookaside cache. Upload with
|
||||||
# $ fedpkg upload krb5-1.13.tar.gz krb5-1.13.tar.gz.asc # (and don't remove,
|
# $ fedpkg upload krb5-1.13.1.tar.gz krb5-1.13.1.tar.gz.asc # (and don't
|
||||||
# otherwise you can't go back or branch from a previous point)
|
# remove, otherwise you can't go back or branch from a previous point)
|
||||||
Source0: krb5-%{version}%{prerelease}.tar.gz
|
Source0: krb5-%{version}%{prerelease}.tar.gz
|
||||||
Source1: krb5-%{version}%{prerelease}.tar.gz.asc
|
Source1: krb5-%{version}%{prerelease}.tar.gz.asc
|
||||||
# Use a dummy krb5-%{version}-pdf.tar.xz the first time through, then
|
# Use a dummy krb5-%{version}-pdf.pax.xz the first time through, then
|
||||||
# tar cvJf $RPM_SOURCE_DIR/krb5-%%{version}-pdf.tar.xz build-pdf/*.pdf
|
# $ pax -wv -x ustar build-pdf/*.pdf | xz -9 >"krb5-%{version}-pdf.pax.xz.new" #
|
||||||
# after the build phase finishes.
|
# after the build phase finishes.
|
||||||
Source3: krb5-%{version}%{prerelease}-pdf.tar.xz
|
Source3: krb5-%{version}%{prerelease}-pdf.pax.xz
|
||||||
Source2: kprop.service
|
Source2: kprop.service
|
||||||
Source4: kadmin.service
|
Source4: kadmin.service
|
||||||
Source5: krb5kdc.service
|
Source5: krb5kdc.service
|
||||||
@ -94,11 +94,7 @@ Patch105: krb5-kvno-230379.patch
|
|||||||
Patch129: krb5-1.11-run_user_0.patch
|
Patch129: krb5-1.11-run_user_0.patch
|
||||||
Patch134: krb5-1.11-kpasswdtest.patch
|
Patch134: krb5-1.11-kpasswdtest.patch
|
||||||
Patch136: krb5-socket_wrapper_eventfd_prototype_mismatch.patch
|
Patch136: krb5-socket_wrapper_eventfd_prototype_mismatch.patch
|
||||||
Patch137: krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch
|
|
||||||
Patch138: krb5-CVE_2014_5354_support_keyless_principals_in_LDAP.patch
|
|
||||||
Patch139: krb5-1.13_kinit_C_loop_krb5bug243.patch
|
|
||||||
Patch140: krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
|
Patch140: krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
|
||||||
Patch141: krb5_cve_2014_9421_2014_9422_2014_9423_2014_5352_fixed_whitespaces.patch
|
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://web.mit.edu/kerberos/www/
|
URL: http://web.mit.edu/kerberos/www/
|
||||||
@ -320,18 +316,14 @@ ln NOTICE LICENSE
|
|||||||
%patch136 -p1
|
%patch136 -p1
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%patch137 -p1
|
|
||||||
%patch138 -p1
|
|
||||||
%patch139 -p1 -b .krb5_1_13_kinit_C_loop_krb5bug243
|
|
||||||
%patch140 -p1 -b .krb5-1.14-support-kdc_err_more_preauth_data_required
|
%patch140 -p1 -b .krb5-1.14-support-kdc_err_more_preauth_data_required
|
||||||
%patch141 -p1 -b .krb5_cve_2014_9421_2014_9422_2014_9423_2014_5352_fixed_whitespaces
|
|
||||||
|
|
||||||
# Take the execute bit off of documentation.
|
# Take the execute bit off of documentation.
|
||||||
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
||||||
|
|
||||||
# Generate an FDS-compatible LDIF file.
|
# Generate an FDS-compatible LDIF file.
|
||||||
inldif=src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
|
inldif=src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
|
||||||
cat > 60kerberos.ldif << EOF
|
cat > '60kerberos.ldif' << EOF
|
||||||
# This is a variation on kerberos.ldif which 389 Directory Server will like.
|
# This is a variation on kerberos.ldif which 389 Directory Server will like.
|
||||||
dn: cn=schema
|
dn: cn=schema
|
||||||
EOF
|
EOF
|
||||||
@ -372,15 +364,15 @@ sed -i -e s,7778,`expr "$PORT" + 1`,g $cfg
|
|||||||
|
|
||||||
%build
|
%build
|
||||||
# Go ahead and supply tcl info, because configure doesn't know how to find it.
|
# Go ahead and supply tcl info, because configure doesn't know how to find it.
|
||||||
. %{_libdir}/tclConfig.sh
|
source %{_libdir}/tclConfig.sh
|
||||||
pushd src
|
pushd src
|
||||||
# Keep the old default if the package is built against older releases.
|
# Keep the old default if the package is built against older releases.
|
||||||
%if 0%{?compile_default_ccache_name}
|
%if 0%{?compile_default_ccache_name}
|
||||||
DEFCCNAME=%{compiled_default_ccache_name}; export DEFCCNAME
|
export DEFCCNAME=%{compiled_default_ccache_name}
|
||||||
%endif
|
%endif
|
||||||
# Set this so that configure will have a value even if the current version of
|
# Set this so that configure will have a value even if the current version of
|
||||||
# autoconf doesn't set one.
|
# autoconf doesn't set one.
|
||||||
runstatedir=%{_localstatedir}/run; export runstatedir
|
export runstatedir=%{_localstatedir}/run
|
||||||
# Work out the CFLAGS and CPPFLAGS which we intend to use.
|
# Work out the CFLAGS and CPPFLAGS which we intend to use.
|
||||||
INCLUDES=-I%{_includedir}/et
|
INCLUDES=-I%{_includedir}/et
|
||||||
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC -fno-strict-aliasing -fstack-protector-all`"
|
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC -fno-strict-aliasing -fstack-protector-all`"
|
||||||
@ -452,8 +444,8 @@ sphinx-build -a -b latex -t pathsubs doc build-pdf
|
|||||||
for pdf in admin appdev basic build plugindev user ; do
|
for pdf in admin appdev basic build plugindev user ; do
|
||||||
test -s build-pdf/$pdf.pdf || make -C build-pdf
|
test -s build-pdf/$pdf.pdf || make -C build-pdf
|
||||||
done
|
done
|
||||||
# new krb5-%{version}-pdf.tar.xz, see above
|
# new krb5-%{version}-pdf.pax.xz, see above
|
||||||
pax -wv -x ustar build-pdf/*.pdf | xz -9 >"krb5-%{version}-pdf.tar.xz.new"
|
pax -wv -x ustar build-pdf/*.pdf | xz -9 >"krb5-%{version}-pdf.pax.xz.new"
|
||||||
# false
|
# false
|
||||||
|
|
||||||
# Build the test wrappers.
|
# Build the test wrappers.
|
||||||
@ -478,12 +470,12 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Set things up to use the test wrappers.
|
# Set things up to use the test wrappers.
|
||||||
NSS_WRAPPER_HOSTNAME=test.example.com ; export NSS_WRAPPER_HOSTNAME
|
export NSS_WRAPPER_HOSTNAME=test.example.com
|
||||||
NSS_WRAPPER_HOSTS="`pwd`/nss_wrapper/fakehosts" ; export NSS_WRAPPER_HOSTS
|
export NSS_WRAPPER_HOSTS="$PWD/nss_wrapper/fakehosts"
|
||||||
echo 127.0.0.1 $NSS_WRAPPER_HOSTNAME $NSS_WRAPPER_HOSTNAME localhost localhost >"$NSS_WRAPPER_HOSTS"
|
printf '127.0.0.1 %s %s %s %s\n' "$NSS_WRAPPER_HOSTNAME" "$NSS_WRAPPER_HOSTNAME" 'localhost' 'localhost' >"$NSS_WRAPPER_HOSTS"
|
||||||
NOPORT=53,111; export NOPORT
|
export NOPORT='53,111'
|
||||||
SOCKET_WRAPPER_DIR=`pwd`/sockets; mkdir -p $SOCKET_WRAPPER_DIR; export SOCKET_WRAPPER_DIR
|
export SOCKET_WRAPPER_DIR="$PWD/sockets" ; mkdir -p $SOCKET_WRAPPER_DIR
|
||||||
LD_PRELOAD=`pwd`/noport.so:`pwd`/nss_wrapper/build/src/libnss_wrapper.so:`pwd`/socket_wrapper/build/src/libsocket_wrapper.so ; export LD_PRELOAD
|
export LD_PRELOAD="$PWD/noport.so:$PWD/nss_wrapper/build/src/libnss_wrapper.so:$PWD/socket_wrapper/build/src/libsocket_wrapper.so"
|
||||||
|
|
||||||
# Run the test suite. We can't actually run the whole thing in the build
|
# Run the test suite. We can't actually run the whole thing in the build
|
||||||
# system, but we can at least run more than we used to. The build system may
|
# system, but we can at least run more than we used to. The build system may
|
||||||
@ -497,7 +489,7 @@ make -C src/clients check TMPDIR=%{_tmppath}
|
|||||||
keyctl session - make -C src/util check TMPDIR=%{_tmppath}
|
keyctl session - make -C src/util check TMPDIR=%{_tmppath}
|
||||||
|
|
||||||
%install
|
%install
|
||||||
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
|
[ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- $RPM_BUILD_ROOT
|
||||||
|
|
||||||
# Sample KDC config files (bundled kdc.conf and kadm5.acl).
|
# Sample KDC config files (bundled kdc.conf and kadm5.acl).
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc
|
mkdir -p $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc
|
||||||
@ -522,7 +514,7 @@ mkdir -m 755 -p $RPM_BUILD_ROOT/etc/gss/mech.d
|
|||||||
# If the default configuration needs to start specifying a default cache
|
# If the default configuration needs to start specifying a default cache
|
||||||
# location, add it now, then fixup the timestamp so that it looks the same.
|
# location, add it now, then fixup the timestamp so that it looks the same.
|
||||||
%if 0%{?configure_default_ccache_name}
|
%if 0%{?configure_default_ccache_name}
|
||||||
DEFCCNAME="%{configured_default_ccache_name}"; export DEFCCNAME
|
export DEFCCNAME="%{configured_default_ccache_name}"
|
||||||
awk '{print}
|
awk '{print}
|
||||||
/^# default_realm/{print " default_ccache_name =", ENVIRON["DEFCCNAME"]}' \
|
/^# default_realm/{print " default_ccache_name =", ENVIRON["DEFCCNAME"]}' \
|
||||||
%{SOURCE6} > $RPM_BUILD_ROOT/etc/krb5.conf
|
%{SOURCE6} > $RPM_BUILD_ROOT/etc/krb5.conf
|
||||||
@ -642,7 +634,7 @@ rm $RPM_BUILD_ROOT/%{_sbindir}/krb5-send-pr
|
|||||||
%find_lang %{gettext_domain}
|
%find_lang %{gettext_domain}
|
||||||
|
|
||||||
%clean
|
%clean
|
||||||
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
|
[ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- $RPM_BUILD_ROOT
|
||||||
|
|
||||||
%post libs -p /sbin/ldconfig
|
%post libs -p /sbin/ldconfig
|
||||||
|
|
||||||
@ -651,7 +643,7 @@ rm $RPM_BUILD_ROOT/%{_sbindir}/krb5-send-pr
|
|||||||
# Triggered roughly on the version where this logic was introduced.
|
# Triggered roughly on the version where this logic was introduced.
|
||||||
# Try to add a default_ccache_name to /etc/krb5.conf, removing the previous
|
# Try to add a default_ccache_name to /etc/krb5.conf, removing the previous
|
||||||
# default which we configured, if we find it.
|
# default which we configured, if we find it.
|
||||||
DEFCCNAME="%{configured_default_ccache_name}"; export DEFCCNAME
|
export DEFCCNAME="%{configured_default_ccache_name}"
|
||||||
tmpfile=`mktemp /etc/krb5.conf.XXXXXX`
|
tmpfile=`mktemp /etc/krb5.conf.XXXXXX`
|
||||||
if test -z "$tmpfile" ; then
|
if test -z "$tmpfile" ; then
|
||||||
# Give up.
|
# Give up.
|
||||||
@ -997,6 +989,13 @@ exit 0
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Feb 13 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-1
|
||||||
|
- Update to krb5-1.13.1
|
||||||
|
- drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1
|
||||||
|
- drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1
|
||||||
|
- drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1
|
||||||
|
- Minor spec cleanup
|
||||||
|
|
||||||
* Wed Feb 4 2015 Roland Mainz <rmainz@redhat.com> - 1.13-8
|
* Wed Feb 4 2015 Roland Mainz <rmainz@redhat.com> - 1.13-8
|
||||||
- fix for CVE-2014-5352 (#1179856) "gss_process_context_token()
|
- fix for CVE-2014-5352 (#1179856) "gss_process_context_token()
|
||||||
incorrectly frees context (MITKRB5-SA-2015-001)"
|
incorrectly frees context (MITKRB5-SA-2015-001)"
|
||||||
|
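Review bot: The hunks at `@ -94,11 +94,7` and `@ -320,18 +316,14` also remove `Patch138: krb5-CVE_2014_5354_support_keyless_principals_in_LDAP.patch` and its `%patch138 -p1`, but the new `%changelog` entry does not mention it. The entry lists only CVE-2014-5353, the kinit -C loop fix and CVE-2014-9421/9422/9423/2014-5352 as dropped, so anyone auditing the package history for CVE-2014-5354 coverage sees the patch disappear with no recorded reason. Nothing visible on this page confirms that the 1.13.1 tarball carries that fix, so it should be checked against the upstream release notes before merging. If it is included, add a line such as `- drop patch for CVE-2014-5354 (keyless principals in LDAP), fixed in krb5-1.13.1`; if not, keep `Patch138` and its `%patch138 -p1`.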