diff --git a/.cvsignore b/.cvsignore
index 0c0dfa0..4a4cded 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,2 +1 @@
-2003-004-krb4_patchkit.tar.gz
-krb5-1.2.4.tar.gz
+krb5-1.2.5.tar.gz
diff --git a/kdc.conf b/kdc.conf
index e55ee00..4c0b74a 100644
--- a/kdc.conf
+++ b/kdc.conf
@@ -7,5 +7,5 @@ [realms]
 EXAMPLE.COM = {
 master_key_type = des-cbc-crc
- supported_enctypes = des3-cbc-sha1:normal des3-cbc-sha1:norealm des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
+ supported_enctypes = des3-cbc-raw:normal des3-cbc-raw:norealm des3-cbc-raw:onlyrealm des3-cbc-sha1:normal des3-cbc-sha1:norealm des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm des-cbc-raw:v4 des-cbc-raw:afs3 des-cbc-raw:normal des-cbc-raw:norealm des-cbc-raw:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
 }
diff --git a/krb5-1.2.7-reject-bad-transited.patch b/krb5-1.2.7-reject-bad-transited.patch
deleted file mode 100644
index b4c26b0..0000000
--- a/krb5-1.2.7-reject-bad-transited.patch
+++ /dev/null
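Review bot: The new `supported_enctypes` line in the kdc.conf hunk puts `des3-cbc-raw:*` and `des-cbc-raw:*` key/salt entries back into the packaged default realm block. The raw CBC enctypes carry no integrity checksum, and the changelog removed elsewhere in this same diff records "remove raw keys from the default kdc.conf" as a deliberate change, so shipping them by default looks like a regression. I would drop the eight `*-raw` entries and keep the list as it reads on the old side. The single-DES entries and `master_key_type = des-cbc-crc` are unchanged context here but deserve the same scrutiny.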
@@ -1,18 +0,0 @@
---- krb5-1.2.7/src/config-files/kdc.conf.M 2003-02-04 13:04:21.000000000 -0500
-+++ krb5-1.2.7/src/config-files/kdc.conf.M 2003-02-04 13:04:11.000000000 -0500
-@@ -138,6 +138,15 @@
- strings specifies the default key/salt combinations of principals for this
- realm.
-
-+.IP reject_bad_transit
-+This
-+.B boolean string
-+specifies whether or not the KDC should reject cross-realm TGS requests if the
-+request's list of transited realms names realms which would not be included
-+in the transit path if the path were to be computed using the KDC's krb5.conf
-+file, or if the client requests that the KDC not perform such a check. The
-+default is for this option to be enabled.
-+
- .SH FILES
- /usr/local/lib/krb5kdc/kdc.conf
-
diff --git a/krb5.csh b/krb5.csh
index 04ef510..1985c32 100755
--- a/krb5.csh
+++ b/krb5.csh
@@ -1,7 +1,7 @@
-if ( /usr/kerberos/bin !~ "${path}" ) then
+if ( "${path}" !~ */usr/kerberos/bin* ) then
 set path = ( /usr/kerberos/bin $path )
 endif
-if ( /usr/kerberos/sbin !~ "${path}" ) then
+if ( "${path}" !~ */usr/kerberos/sbin* ) then
 if ( `id -u` == 0 ) then
 set path = ( /usr/kerberos/sbin $path )
 endif
diff --git a/krb5.spec b/krb5.spec
index 3da098a..33afd23 100644
--- a/krb5.spec
+++ b/krb5.spec
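Review bot: The rewritten tests `"${path}" !~ */usr/kerberos/bin*` and `"${path}" !~ */usr/kerberos/sbin*` in krb5.csh are substring matches, so any path entry that merely contains the string (a constructed example: `/opt/usr/kerberos/bin` or `/usr/kerberos/bin-old`) makes the script skip adding the real directory. Matching whole entries would be tighter, for instance by padding the space-joined list with blanks and testing for `* /usr/kerberos/bin *`; the exact csh quoting for that needs checking before use. At minimum a comment such as `# substring match against the space-joined path list` above each test would record the limitation. The outer `if` for the sbin case closes outside this hunk.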
@@ -1,31 +1,30 @@
 %define prefix %{_prefix}/kerberos
-%define statglue 1
+%define statglue 0
 Summary: The Kerberos network authentication system.
 Name: krb5
-Version: 1.2.4
-Release: 11
+Version: 1.2.5
+Release: 5
 Source0: krb5-%{version}.tar.gz
-Source1: kpropd.init
-Source2: krb524d.init
-Source3: kadmind.init
-Source4: krb5kdc.init
-Source5: krb5.conf
-Source6: krb5.sh
-Source7: krb5.csh
-Source8: kdcrotate
-Source9: kdc.conf
-Source10: kadm5.acl
-Source11: krsh
-Source12: krlogin
-Source13: eklogin.xinetd
-Source14: klogin.xinetd
-Source15: kshell.xinetd
-Source16: krb5-telnet.xinetd
-Source17: gssftp.xinetd
+Source1: krb5-%{version}.tar.gz.asc
+Source2: kpropd.init
+Source3: krb524d.init
+Source4: kadmind.init
+Source5: krb5kdc.init
+Source6: krb5.conf
+Source7: krb5.sh
+Source8: krb5.csh
+Source9: kdcrotate
+Source10: kdc.conf
+Source11: kadm5.acl
+Source12: krsh
+Source13: krlogin
+Source14: eklogin.xinetd
+Source15: klogin.xinetd
+Source16: kshell.xinetd
+Source17: krb5-telnet.xinetd
+Source18: gssftp.xinetd
 Source19: statglue.c
-Source20: http://web.mit.edu/kerberos/www/advisories/2003-004-krb4_patchkit.tar.gz
-Source21: http://web.mit.edu/kerberos/www/advisories/2003-004-krb4_patchkit.sig
 Patch0: krb5-1.1-db.patch
 Patch1: krb5-1.1.1-tiocgltc.patch
 Patch2: krb5-1.1.1-libpty.patch
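Review bot: `Source1: krb5-%{version}.tar.gz.asc` is added, but nothing visible in this diff checks it: the `%prep` hunk goes straight from `%setup -q` to the patches, and the `sources` file pins only the tarball, with a 32-hex-digit (MD5-sized) digest. If the signature is meant to protect the upstream tarball, `%prep` should verify it before unpacking, along the lines of `gpg --verify %{SOURCE1} %{SOURCE0}` against a keyring carried with the package. Otherwise a comment next to `Source1` should say the file is shipped for reference only. The rest of `%prep` is outside the visible hunks, so a check may already exist there.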
@@ -49,19 +48,7 @@ Patch20: krb5-1.2.2-by-address.patch
 Patch21: http://lite.mit.edu/krb5-1.2.2-ktany.patch
 Patch22: krb5-1.2.2-logauth.patch
 Patch23: krb5-1.2.2-size.patch
-Patch24: http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt
-Patch25: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt
-Patch26: gssftp-patch
-Patch27: krb5-1.2.6-dnsparse.patch
-Patch28: krb5-1.2.7-errno.patch
-Patch29: krb5-SA-2003-001-1.patch
-Patch30: krb5-SA-2003-001-4.patch
-Patch32: krb5-1.2.7-reject-bad-transited.patch
-Patch33: krb5-crawford.patch
-Patch34: krb5-1.2.4-princ_size.patch
-Patch35: krb5-1.2.7-underrun.patch
-Patch36: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-003-xdr.txt
-Patch37: krb5-1.2.2-krb524-double-free.patch
+Patch24: krb5-1.2.5-db2-configure.patch
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
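Review bot: Most of the old-side Patch24 through Patch37 are security fixes according to the removed changelog (the 2002-001 xdr_array and 2002-002 kadm4 advisories, SA-2003-001, princ_size, underrun, SA-2003-003 xdr, the krb524 double-free), and the new side replaces them with a single build patch, `krb5-1.2.5-db2-configure.patch`. The matching `%patch24` to `%patch37` lines and the 2003-004 krb4 patchkit are dropped in the later `%prep` hunk. The removed changelog entries citing CAN-2003-0028, CAN-2003-0072, CAN-2003-0082, CAN-2003-0138 and CAN-2003-0139 are dated 2003, after the newest entry kept on the new side (Jul 2002). Nothing on this page shows that 1.2.5 contains those fixes, so presumably the resulting package lacks them. Each dropped patch should either be rebased onto 1.2.5 or accounted for in the changelog, e.g. `- drop krb5-1.2.7-underrun.patch (fixed upstream in <version>)`.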
@@ -123,49 +110,21 @@ network uses Kerberos, this package should be installed on every workstation. %changelog -* Fri Mar 21 2003 Nalin Dahyabhai 1.2.4-11 -- fix double-free of enc_part2 in krb524d -- update to latest patch kit for MITKRB5-SA-2003-004 +* Tue Jul 23 2002 Nalin Dahyabhai 1.2.5-5 +- fix bug in krb5.csh which would cause the path check to always succeed -* Wed Mar 19 2003 Nalin Dahyabhai 1.2.4-10 -- add patch included in MITKRB5-SA-2003-003 (CAN-2003-0028) +* Fri Jul 19 2002 Jakub Jelinek 1.2.5-4 +- build even libdb.a with -fPIC and $RPM_OPT_FLAGS. -* Mon Mar 17 2003 Nalin Dahyabhai 1.2.4-9 -- add patches from patchkit from MITKRB5-SA-2003-004 (CAN-2003-0138 and - CAN-2003-0139) +* Fri Jun 21 2002 Tim Powers +- automated rebuild -* Thu Mar 6 2003 Nalin Dahyabhai 1.2.4-8 -- fix buffer underrun in unparsing certain principals (CAN-2003-0082) +* Sun May 26 2002 Tim Powers +- automated rebuild -* Wed Feb 26 2003 Nalin Dahyabhai 1.2.4-7 -- add patch to fix server-side crashes when principals have no - components (CAN-2003-0072) - -* Mon Feb 24 2003 Nalin Dahyabhai 1.2.4-6 -- add patch from Matt Crawford for encoding transited realms properly - -* Wed Feb 5 2003 Nalin Dahyabhai 1.2.4-5 -- sync compiler flags for configure and make with other versions - -* Tue Feb 4 2003 Nalin Dahyabhai -- add patch to document the reject-bad-transited option in kdc.conf - -* Thu Jan 30 2003 Nalin Dahyabhai -- add candidate backport for MITKRB5-SA-2003-001 parts 1,4 -- add candidate backports for CAN-2002-0036, CAN-2002-059 - (CAN-2002-058 was fixed in 1.2.3, CAN-2002-060 was fixed in 1.1.1-7 or so) - -* Thu Jan 23 2003 Nalin Dahyabhai 1.2.4-4 -- add patch from Mark Cox for exploitable bugs in ftp client -- add patch to avoid buffer read overruns when configuring via DNS -- add patch to properly include - -* Wed Oct 23 2002 Nalin Dahyabhai 1.2.4-3 -- add patch from Tom Yu for exploitable bugs in kadmind4 -- remove raw keys from the default kdc.conf - -* Fri Aug 2 2002 Nalin 
Dahyabhai 1.2.4-2 -- add patch from Tom Yu for exploitable bugs in rpc code used in kadmind +* Wed May 1 2002 Nalin Dahyabhai 1.2.5-1 +- update to 1.2.5 +- disable statglue * Fri Mar 1 2002 Nalin Dahyabhai 1.2.4-1 - update to 1.2.4 @@ -511,7 +470,7 @@ workstation. - added --force to makeinfo commands to skip errors during build %prep -%setup -q -a 20 +%setup -q %patch0 -p0 -b .db %patch1 -p0 -b .tciogltc %patch2 -p0 -b .libpty @@ -537,27 +496,9 @@ workstation. %patch21 -p1 -b .ktany %patch22 -p1 -b .logauth %patch23 -p1 -b .size -pushd src/lib/rpc -%patch24 -p0 -b .xdr -popd -pushd src/kadmin/v4server -%patch25 -p0 -b .kadmind -popd -%patch26 -p1 -b .gssftp-patch -%patch27 -p1 -b .dnsparse -%patch28 -p1 -b .errno -%patch29 -p1 -b .krb5-SA-2003-001-1 -%patch30 -p1 -b .krb5-SA-2003-001-4 -%patch32 -p1 -b .reject-bad-transited -%patch33 -p1 -b .crawford -%patch34 -p1 -b .princ_size -%patch35 -p1 -b .underrun -patch -sp0 -b -z .2003-004-krb4 < 2003-004-krb4_patchkit/patch.1.2.0 -pushd src/lib/rpc -%patch36 -p0 -b .2003-003 -popd -%patch37 -p1 -b .double-free +%patch24 -p1 -b .db2-configure +(cd src/util/db2; autoconf ) %if %{statglue} cp $RPM_SOURCE_DIR/statglue.c src/util/profile/statglue.c %endif diff --git a/sources b/sources index d511114..5729676 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -88d770f2de2c1bd842b511f47002a807 2003-004-krb4_patchkit.tar.gz -663add9b5942be74a86fa860a3fa4167 krb5-1.2.4.tar.gz +980c7935b27281e65367c538366776ab krb5-1.2.5.tar.gz