From 102adf5edf477b0cd64bd208064b1c9680343750 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Fri, 22 May 2020 14:22:05 -0400
Subject: [PATCH] New upstream release (1.18.2)
---
 .gitignore | 2 ++
 ...finalization-safety-check-to-com_err.patch | 2 +-
 ...tauth-modules-to-set-hw-authent-flag.patch | 2 +-
 ...y-import-service-GSS-host-based-name.patch | 2 +-
 ...ion-warnings-for-all-init_creds-APIs.patch | 2 +-
 ...edundant-PKINIT-responder-invocation.patch | 2 +-
 Fix-SPNEGO-acceptor-mech-filtering.patch | 32 -------------------
 Fix-typo-in-in-in-the-ksu-man-page.patch | 4 +--
 ...ndicator-check-for-S4U2Self-requests.patch | 2 +-
 Pass-gss_localname-through-SPNEGO.patch | 4 +--
 ...ly-acquired-creds-from-client-keytab.patch | 2 +-
 downstream-Adjust-build-configuration.patch | 2 +-
 ...am-FIPS-with-PRNG-and-RADIUS-and-MD4.patch | 2 +-
 downstream-Remove-3des-support.patch | 4 +--
 downstream-SELinux-integration.patch | 2 +-
 ...ackported-version-of-OpenSSL-3-KDF-i.patch | 2 +-
 downstream-fix-debuginfo-with-y.tab.c.patch | 2 +-
 downstream-ksu-pam-integration.patch | 2 +-
 downstream-netlib-and-dns.patch | 2 +-
 krb5.spec | 8 +++--
 sources | 4 +--
 21 files changed, 29 insertions(+), 57 deletions(-)
 delete mode 100644 Fix-SPNEGO-acceptor-mech-filtering.patch
diff --git a/.gitignore b/.gitignore
index 5de4b79..ecff9ea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -185,3 +185,5 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.18.tar.gz.asc
 /krb5-1.18.1.tar.gz
 /krb5-1.18.1.tar.gz.asc
+/krb5-1.18.2.tar.gz
+/krb5-1.18.2.tar.gz.asc
diff --git a/Add-finalization-safety-check-to-com_err.patch b/Add-finalization-safety-check-to-com_err.patch
index 0dc7663..531bbf5 100644
--- a/Add-finalization-safety-check-to-com_err.patch
+++ b/Add-finalization-safety-check-to-com_err.patch
@@ -1,4 +1,4 @@
-From c7a37d3e87132864ebc44710baf1d50a69682b5c Mon Sep 17 00:00:00 2001
+From 9b28e9bbadb775cf790092bc0b0fe9f6c880d215 Mon Sep 17 00:00:00 2001
 From: Jiri Sasek
 Date: Fri, 13 Mar 2020 19:02:58 +0100
 Subject: [PATCH] Add finalization safety check to com_err
diff --git a/Allow-certauth-modules-to-set-hw-authent-flag.patch b/Allow-certauth-modules-to-set-hw-authent-flag.patch
index 6fdb430..ebadb9b 100644
--- a/Allow-certauth-modules-to-set-hw-authent-flag.patch
+++ b/Allow-certauth-modules-to-set-hw-authent-flag.patch
@@ -1,4 +1,4 @@
-From d23b2ed4f06fa77cd021814834dd1391ef6f452f Mon Sep 17 00:00:00 2001
+From 5413039348c612716fb5e33347814b7608778646 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Mon, 24 Feb 2020 15:58:59 -0500
 Subject: [PATCH] Allow certauth modules to set hw-authent flag
diff --git a/Correctly-import-service-GSS-host-based-name.patch b/Correctly-import-service-GSS-host-based-name.patch
index 523ebaf..754bc89 100644
--- a/Correctly-import-service-GSS-host-based-name.patch
+++ b/Correctly-import-service-GSS-host-based-name.patch
@@ -1,4 +1,4 @@
-From dd4364d76925ce1fe21c2ab995554d6af3a2ea12 Mon Sep 17 00:00:00 2001
+From e8c6f76079bac021e30e89e12b547cc73f71ec36 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Mon, 30 Mar 2020 15:26:02 -0400
 Subject: [PATCH] Correctly import "service@" GSS host-based name
diff --git a/Do-expiration-warnings-for-all-init_creds-APIs.patch b/Do-expiration-warnings-for-all-init_creds-APIs.patch
index 3dbe1f5..24062a0 100644
--- a/Do-expiration-warnings-for-all-init_creds-APIs.patch
+++ b/Do-expiration-warnings-for-all-init_creds-APIs.patch
@@ -1,4 +1,4 @@
-From c136cfe050d203c910624573a33247fde2889b09 Mon Sep 17 00:00:00 2001
+From 0083381a1dc008c6a1a437393045f82ec06423f8 Mon Sep 17 00:00:00 2001
 From: Sumit Bose
 Date: Fri, 28 Feb 2020 10:11:49 +0100
 Subject: [PATCH] Do expiration warnings for all init_creds APIs
diff --git a/Eliminate-redundant-PKINIT-responder-invocation.patch b/Eliminate-redundant-PKINIT-responder-invocation.patch
index 92bc1ab..4234ffd 100644
--- a/Eliminate-redundant-PKINIT-responder-invocation.patch
+++ b/Eliminate-redundant-PKINIT-responder-invocation.patch
@@ -1,4 +1,4 @@
-From 4a05805eb39ba088c07f782fb52a6538ec3f2db6 Mon Sep 17 00:00:00 2001
+From 43d09ed10d495e78c786f5468455f16a63a99532 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Mon, 23 Mar 2020 19:10:03 -0400
 Subject: [PATCH] Eliminate redundant PKINIT responder invocation
diff --git a/Fix-SPNEGO-acceptor-mech-filtering.patch b/Fix-SPNEGO-acceptor-mech-filtering.patch
deleted file mode 100644
index 3f07637..0000000
--- a/Fix-SPNEGO-acceptor-mech-filtering.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From b8a19522f0169be3b4a2f539e28c89755cd85d6f Mon Sep 17 00:00:00 2001
-From: Greg Hudson
-Date: Thu, 21 May 2020 14:15:25 -0400
-Subject: [PATCH] Fix SPNEGO acceptor mech filtering
-
-Commit c2ca2f26eaf817a6a7ed42257c380437ab802bd9 (ticket 8851)
-accidentally changed the SPNEGO acceptor code to filter mechanisms by
-the obtainability of initiator credentials rather than acceptor
-credentials, when the default acceptor credential is used.
-
-ticket: 8908 (new)
-tags: pullup
-target_version: 1.18-next
-
-(cherry picked from commit e25918cb9efd7361aa78d2d96cd097dd34fdf35d)
----
- src/lib/gssapi/spnego/spnego_mech.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
-index 8d36a05e8..255db6e30 100644
---- a/src/lib/gssapi/spnego/spnego_mech.c
-+++ b/src/lib/gssapi/spnego/spnego_mech.c
-@@ -1379,7 +1379,7 @@ acc_ctx_new(OM_uint32 *minor_status,
- goto cleanup;
- }
-
-- ret = get_negotiable_mechs(minor_status, sc, spcred, GSS_C_INITIATE);
-+ ret = get_negotiable_mechs(minor_status, sc, spcred, GSS_C_ACCEPT);
- if (ret != GSS_S_COMPLETE) {
- *return_token = NO_TOKEN_SEND;
- goto cleanup;
diff --git a/Fix-typo-in-in-in-the-ksu-man-page.patch b/Fix-typo-in-in-in-the-ksu-man-page.patch
index 2a93038..5196a90 100644
--- a/Fix-typo-in-in-in-the-ksu-man-page.patch
+++ b/Fix-typo-in-in-in-the-ksu-man-page.patch
@@ -1,4 +1,4 @@
-From 5eed1579142640363302f27e41abb354461d3030 Mon Sep 17 00:00:00 2001
+From 8de669742ae4190542741f0dc61119a6a0dad666 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 14 May 2020 15:01:18 -0400
 Subject: [PATCH] Fix typo ("in in") in the ksu man page
@@ -23,7 +23,7 @@ index 8d6c7ef79..933738229 100644
 diff --git a/src/man/ksu.man b/src/man/ksu.man
-index 6660e0937..9c8cf75ff 100644
+index 81e34815d..8d4c6a359 100644
 --- a/src/man/ksu.man
 +++ b/src/man/ksu.man
 @@ -176,7 +176,7 @@ wrong password is typed in, ksu fails.
diff --git a/Omit-KDC-indicator-check-for-S4U2Self-requests.patch b/Omit-KDC-indicator-check-for-S4U2Self-requests.patch
index b1b1908..6ca7931 100644
--- a/Omit-KDC-indicator-check-for-S4U2Self-requests.patch
+++ b/Omit-KDC-indicator-check-for-S4U2Self-requests.patch
@@ -1,4 +1,4 @@
-From 442f1fa5b2e4034954a51048414cc0863b914379 Mon Sep 17 00:00:00 2001
+From 6d132f1019b2f1b6f54bae25ed0ea9122c87a190 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Wed, 6 May 2020 16:03:13 -0400
 Subject: [PATCH] Omit KDC indicator check for S4U2Self requests
diff --git a/Pass-gss_localname-through-SPNEGO.patch b/Pass-gss_localname-through-SPNEGO.patch
index 37aef38..eff3733 100644
--- a/Pass-gss_localname-through-SPNEGO.patch
+++ b/Pass-gss_localname-through-SPNEGO.patch
@@ -1,4 +1,4 @@
-From 646212314a580a8cdffdacda9cb3c8f806471b08 Mon Sep 17 00:00:00 2001
+From dce745bbdf95ddfa733bc306c57afe5fcab74479 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Sun, 26 Apr 2020 19:55:54 -0400
 Subject: [PATCH] Pass gss_localname() through SPNEGO
@@ -30,7 +30,7 @@ index a93763314..066ec736f 100644
 (
 OM_uint32 *minor_status,
 diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
-index 8e0c3a348..8d36a05e8 100644
+index ec0bae6a4..594fc5894 100644
 --- a/src/lib/gssapi/spnego/spnego_mech.c
 +++ b/src/lib/gssapi/spnego/spnego_mech.c
 @@ -237,7 +237,7 @@ static struct gss_config spnego_mechanism =
diff --git a/Refresh-manually-acquired-creds-from-client-keytab.patch b/Refresh-manually-acquired-creds-from-client-keytab.patch
index cb20c44..d67d9b4 100644
--- a/Refresh-manually-acquired-creds-from-client-keytab.patch
+++ b/Refresh-manually-acquired-creds-from-client-keytab.patch
@@ -1,4 +1,4 @@
-From 685aada9eae420cb5156ca7b71c2c7614c0b6e2c Mon Sep 17 00:00:00 2001
+From 13e085a996ac53484fa308f3ef7a2b66c05ccdfa Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Wed, 26 Feb 2020 18:27:17 -0500
 Subject: [PATCH] Refresh manually acquired creds from client keytab
diff --git a/downstream-Adjust-build-configuration.patch b/downstream-Adjust-build-configuration.patch
index f15a4a2..47f6c31 100644
--- a/downstream-Adjust-build-configuration.patch
+++ b/downstream-Adjust-build-configuration.patch
@@ -1,4 +1,4 @@
-From 92508996ed4c69fa6f5cf855fdf10f34cfa07ec9 Mon Sep 17 00:00:00 2001
+From 30ece66508c8e10f704cd2860dfd421ebee15897 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 23 Aug 2016 16:45:26 -0400
 Subject: [PATCH] [downstream] Adjust build configuration
diff --git a/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch b/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
index e6a0a64..b304c47 100644
--- a/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
+++ b/downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
@@ -1,4 +1,4 @@
-From a721df13d09b5fdad32de15e6aa973b732727aa9 Mon Sep 17 00:00:00 2001
+From 15056939ae1e52b9c0b4e0f4ac59772b0d942647 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Fri, 9 Nov 2018 15:12:21 -0500
 Subject: [PATCH] [downstream] FIPS with PRNG and RADIUS and MD4
diff --git a/downstream-Remove-3des-support.patch b/downstream-Remove-3des-support.patch
index 01d9338..570762d 100644
--- a/downstream-Remove-3des-support.patch
+++ b/downstream-Remove-3des-support.patch
@@ -1,4 +1,4 @@
-From e9cd83237b54e2f6010a063f523217b0a442ecbf Mon Sep 17 00:00:00 2001
+From c920b585b8400ef44684c673c54264657195f3ce Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 26 Mar 2019 18:51:10 -0400
 Subject: [PATCH] [downstream] Remove 3des support
@@ -365,7 +365,7 @@ index 8a4b87de1..d7f1d076b 100644
 + supported_enctypes = aes256-cts:normal aes128-cts:normal aes256-sha2:normal aes128-sha2:normal
 }
 diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index e5898ea63..973976fd9 100644
+index ba0ce0b71..e3352f9cc 100644
 --- a/src/kdc/kdc_util.c
 +++ b/src/kdc/kdc_util.c
 @@ -1103,8 +1103,6 @@ enctype_name(krb5_enctype ktype, char *buf, size_t buflen)
diff --git a/downstream-SELinux-integration.patch b/downstream-SELinux-integration.patch
index 3d3bd08..e5322af 100644
--- a/downstream-SELinux-integration.patch
+++ b/downstream-SELinux-integration.patch
@@ -1,4 +1,4 @@
-From 0f8851a23a7b6fa0e195e01d0475e9e55707adf2 Mon Sep 17 00:00:00 2001
+From f8c70f6190a0573e2aca0b40964cf3b1a73ca8bb Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 23 Aug 2016 16:30:53 -0400
 Subject: [PATCH] [downstream] SELinux integration
diff --git a/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch b/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch
index 478fd82..56565b1 100644
--- a/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch
+++ b/downstream-Use-backported-version-of-OpenSSL-3-KDF-i.patch
@@ -1,4 +1,4 @@
-From 3f5875cf859271bca62f07aee6f663787972def9 Mon Sep 17 00:00:00 2001
+From 040dd62418b918adc993b9cc3e1e80fc232286c4 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Fri, 15 Nov 2019 20:05:16 +0000
 Subject: [PATCH] [downstream] Use backported version of OpenSSL-3 KDF
diff --git a/downstream-fix-debuginfo-with-y.tab.c.patch b/downstream-fix-debuginfo-with-y.tab.c.patch
index 167fcaf..33f61c5 100644
--- a/downstream-fix-debuginfo-with-y.tab.c.patch
+++ b/downstream-fix-debuginfo-with-y.tab.c.patch
@@ -1,4 +1,4 @@
-From f4002f246332695d8ea12ec803139fcac18fbba2 Mon Sep 17 00:00:00 2001
+From c6e103db0eb02c31a13b8cbcbae296c473074991 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 23 Aug 2016 16:49:25 -0400
 Subject: [PATCH] [downstream] fix debuginfo with y.tab.c
diff --git a/downstream-ksu-pam-integration.patch b/downstream-ksu-pam-integration.patch
index 220363b..e81f2c1 100644
--- a/downstream-ksu-pam-integration.patch
+++ b/downstream-ksu-pam-integration.patch
@@ -1,4 +1,4 @@
-From a7322a84657752c886c317a6994a9fc7a4a70ca5 Mon Sep 17 00:00:00 2001
+From 9feb7298b90d3e6a34821fce7315757c0bf81c9e Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 23 Aug 2016 16:29:58 -0400
 Subject: [PATCH] [downstream] ksu pam integration
diff --git a/downstream-netlib-and-dns.patch b/downstream-netlib-and-dns.patch
index d7ceab1..05bddc4 100644
--- a/downstream-netlib-and-dns.patch
+++ b/downstream-netlib-and-dns.patch
@@ -1,4 +1,4 @@
-From 355dd481511af4d517ee540854f95a6fb12116a9 Mon Sep 17 00:00:00 2001
+From 4254bee1b97edeb0848efce635bcf1b56306f968 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 23 Aug 2016 16:46:21 -0400
 Subject: [PATCH] [downstream] netlib and dns
diff --git a/krb5.spec b/krb5.spec
index fe42e76..eb99d26 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -16,9 +16,9 @@ Summary: The Kerberos network authentication system
 Name: krb5
-Version: 1.18.1
+Version: 1.18.2
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 6%{?dist}
+Release: 1%{?dist}
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -59,7 +59,6 @@ Patch16: Do-expiration-warnings-for-all-init_creds-APIs.patch
 Patch17: Pass-gss_localname-through-SPNEGO.patch
 Patch18: Omit-KDC-indicator-check-for-S4U2Self-requests.patch
 Patch19: Fix-typo-in-in-in-the-ksu-man-page.patch
-Patch20: Fix-SPNEGO-acceptor-mech-filtering.patch
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
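Review bot: The `Patch20:` line removed in the second krb5.spec hunk drops Fix-SPNEGO-acceptor-mech-filtering.patch, but neither the commit message nor the new %changelog entry says why. The refreshed index line in Pass-gss_localname-through-SPNEGO.patch (`ec0bae6a4..594fc5894`) suggests spnego_mech.c differs in the 1.18.2 tarball, so the GSS_C_ACCEPT fix is presumably already upstream; that is inferred from this diff, not stated in it. I would record it in the changelog, e.g. `- Drop Fix-SPNEGO-acceptor-mech-filtering.patch (included in 1.18.2)`, after confirming the acc_ctx_new() call in the new sources.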
@@ -632,6 +631,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Fri May 22 2020 Robbie Harwood - 1.18.2-1
+- New upstream release (1.18.2)
+
 * Fri May 22 2020 Robbie Harwood - 1.18.1-6
 - Fix SPNEGO acceptor mech filtering
diff --git a/sources b/sources
index a2aa017..c61d805 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (krb5-1.18.1.tar.gz) = c96c9ed676c8ccb9b65d17bb1d982c266228c75030a2d8fd5d7952ee8cdf362a22d202e93018d1011a5e7bd9a9fabe69aa1578d1d2e4839a78b9916d8b8019ce
-SHA512 (krb5-1.18.1.tar.gz.asc) = e7db98b9f053de793763af734a7b8de81702156d12dfeb7295032c2416a43406840960fb8d16efb6cad911c1cb047da1f6fe17c88289aad28983b5d531f47908
+SHA512 (krb5-1.18.2.tar.gz) = 7cbb1b28e677fea3e0794e93951f3caaa2c49bb1175dd187951e72a466cc69d96c3b833d838000fe911c1a437d96a558e550f27c53a8b332fb9dfc7cbb7ec44c
+SHA512 (krb5-1.18.2.tar.gz.asc) = 70775a06104b4d792d278da2efa92e94ddacb4ea319bfe2b253f5afcfec27f3bc5ddd12560294a265e3cf3d4fc74bcbfc3f5eeff8634d66c00d67e18dc93a74a