New upstream version (1.17)

2019-01-08 19:15:01 +00:00 · 2019-01-08 19:15:01 +00:00 · 658f28f754
commit 658f28f754
parent 7e29fac83e
20 changed files with 32 additions and 88 deletions
--- a/.gitignore
+++ b/.gitignore
@ -172,3 +172,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.17-beta2.tar.gz
 /krb5-1.17-beta2.tar.gz.asc
 /krb5-1.17-beta2-pdfs.tar
+/krb5-1.17-pdfs.tar
+/krb5-1.17.tar.gz
+/krb5-1.17.tar.gz.asc
--- a/Add-tests-for-KCM-ccache-type.patch
+++ b/Add-tests-for-KCM-ccache-type.patch
@ -1,4 +1,4 @@
-From b361f6bbc2873bd54963076738dc3ae6224261a0 Mon Sep 17 00:00:00 2001
+From 528f9ef3842ef5caba0990568e3cd7104e640c52 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 22 Nov 2018 00:27:35 -0500
 Subject: [PATCH] Add tests for KCM ccache type
--- a/Address-some-optimized-out-memset-calls.patch
+++ b/Address-some-optimized-out-memset-calls.patch
@ -1,4 +1,4 @@
-From 0d83197140d2040d47ca79f006126e503680f661 Mon Sep 17 00:00:00 2001
+From 028ed9cee24159b25ecb8f62e8d171b850ed0a41 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Sun, 30 Dec 2018 16:40:28 -0500
 Subject: [PATCH] Address some optimized-out memset() calls
--- a/Become-FIPS-aware.patch
+++ b/Become-FIPS-aware.patch
@ -1,4 +1,4 @@
-From 6e1f7b50b36e0036838c91841c83360fdd567ec5 Mon Sep 17 00:00:00 2001
+From ebcee0c8dc5f3055597e0b574d98cbe65f55319e Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 9 Nov 2018 15:12:21 -0500
 Subject: [PATCH] Become FIPS-aware
--- a/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
+++ b/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
@ -1,4 +1,4 @@
-From 2bd85da058d2d73eb2818a8e64656fec9b21b3c3 Mon Sep 17 00:00:00 2001
+From 1caf8246184211e06708e01a106632e26d9a84a8 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 31 Jul 2018 13:47:26 -0400
 Subject: [PATCH] In FIPS mode, add plaintext fallback for RC4 usages and taint
--- a/Remove-incorrect-KDC-assertion.patch
+++ b/Remove-incorrect-KDC-assertion.patch
@ -1,61 +0,0 @@
-From 5ab44ff3ecdf362a792f193cf18df42866b70f80 Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Sat, 15 Dec 2018 11:56:36 +0200
-Subject: [PATCH] Remove incorrect KDC assertion
-
-The assertion in return_enc_padata() is reachable because
-kdc_make_s4u2self_rep() may have previously added encrypted padata.
-It is no longer necessary because the code uses add_pa_data_element()
-instead of allocating a new list.
-
-CVE-2018-20217:
-
-In MIT krb5 1.8 or later, an authenticated user who can obtain a TGT
-using an older encryption type (DES, DES3, or RC4) can cause an
-assertion failure in the KDC by sending an S4U2Self request.
-
-[ghudson@mit.edu: rewrote commit message with CVE description]
-
-ticket: 8767 (new)
-tags: pullup
-target_version: 1.17
-target_version: 1.16-next
-target_version: 1.15-next
-
-(cherry picked from commit 94e5eda5bb94d1d44733a49c3d9b6d1e42c74def)
---
- src/kdc/kdc_preauth.c     | 1 -
- src/tests/gssapi/t_s4u.py | 8 ++++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
-index 74953c99f..caf133c14 100644
--- a/src/kdc/kdc_preauth.c
-+++ b/src/kdc/kdc_preauth.c
-@@ -1683,7 +1683,6 @@ return_enc_padata(krb5_context context, krb5_data *req_pkt,
-     krb5_error_code code = 0;
-     /* This should be initialized and only used for Win2K compat and other
-      * specific standardized uses such as FAST negotiation. */
-    assert(reply_encpart->enc_padata == NULL);
-     if (is_referral) {
-         code = return_referral_enc_padata(context, reply_encpart, server);
-         if (code)
-diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
-index fd29e1a27..f02c2fd13 100755
--- a/src/tests/gssapi/t_s4u.py
-+++ b/src/tests/gssapi/t_s4u.py
-@@ -139,6 +139,14 @@ if 'auth1: user@' not in out or 'auth2: user@' not in out:
- 
- realm.stop()
- 
-+mark('S4U2Self with various enctypes')
-+for realm in multipass_realms(create_host=False, get_creds=False):
-+    service1 = 'service/1@%s' % realm.realm
-+    realm.addprinc(service1)
-+    realm.extract_keytab(service1, realm.keytab)
-+    realm.kinit(service1, None, ['-k'])
-+    realm.run(['./t_s4u', 'e:user', '-'])
-+
- # Test cross realm S4U2Self using server referrals.
- mark('cross-realm S4U2Self')
- testprincs = {'krbtgt/SREALM': {'keys': 'aes128-cts'},
--- a/Use-openssl-s-PRNG-in-FIPS-mode.patch
+++ b/Use-openssl-s-PRNG-in-FIPS-mode.patch
@ -1,4 +1,4 @@
-From 643b5e486624989acddf66ac7ce2cf71b3816fda Mon Sep 17 00:00:00 2001
+From a81c558f4fc75ef988a283729fd9c7e79e9df70f Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 4 Jan 2019 17:00:15 -0500
 Subject: [PATCH] Use openssl's PRNG in FIPS mode
--- a/krb5-1.11-kpasswdtest.patch
+++ b/krb5-1.11-kpasswdtest.patch
@ -1,4 +1,4 @@
-From 6e8f8054396459c1f53c838801b0a75d235fdabb Mon Sep 17 00:00:00 2001
+From d4035585df4b3132d1897067d6c452cc06aa16dd Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:52:01 -0400
 Subject: [PATCH] krb5-1.11-kpasswdtest.patch
--- a/krb5-1.11-run_user_0.patch
+++ b/krb5-1.11-run_user_0.patch
@ -1,4 +1,4 @@
-From ac7370914ab1646ac79475399ff5e9ca4ec58737 Mon Sep 17 00:00:00 2001
+From 3d09297c65f27033cce8abbab2e50716abdae48f Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:49:57 -0400
 Subject: [PATCH] krb5-1.11-run_user_0.patch
--- a/krb5-1.12-api.patch
+++ b/krb5-1.12-api.patch
@ -1,4 +1,4 @@
-From eaaca3b6e9eb279ba7c50af95f0c84068927da16 Mon Sep 17 00:00:00 2001
+From f267d34d0dea6778c700036b89156fc17ca506e9 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:47:00 -0400
 Subject: [PATCH] krb5-1.12-api.patch
--- a/krb5-1.12-ksu-path.patch
+++ b/krb5-1.12-ksu-path.patch
@ -1,4 +1,4 @@
-From b4804625f0b778ceaabdcc4fb448e7b5ba1523a5 Mon Sep 17 00:00:00 2001
+From e62b5022c129229e86f40f97d2e1c71a01d7227b Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:32:09 -0400
 Subject: [PATCH] krb5-1.12-ksu-path.patch
--- a/krb5-1.12-ktany.patch
+++ b/krb5-1.12-ktany.patch
@ -1,4 +1,4 @@
-From 001a4204b41823b939ca7f6ff82cc55c084e69d9 Mon Sep 17 00:00:00 2001
+From c93c099e3d3e0a78393e7445fe17d58cf1abc666 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:33:53 -0400
 Subject: [PATCH] krb5-1.12-ktany.patch
--- a/krb5-1.12.1-pam.patch
+++ b/krb5-1.12.1-pam.patch
@ -1,4 +1,4 @@
-From c734e307fb5cf75d2a54147ffe9b14b0c8a0558b Mon Sep 17 00:00:00 2001
+From c8f2e321b2d8471feee69bbca3179e675228bd8a Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:29:58 -0400
 Subject: [PATCH] krb5-1.12.1-pam.patch
@ -756,10 +756,10 @@ index 000000000..0ab76569c
 +void appl_pam_cleanup(void);
 +#endif
 diff --git a/src/configure.in b/src/configure.in
-index 84529c120..5d5f148ca 100644
+index 61ef738dc..e9a12ac16 100644
 --- a/src/configure.in
 +++ b/src/configure.in
-@@ -1348,6 +1348,8 @@ AC_SUBST([VERTO_VERSION])
+@@ -1352,6 +1352,8 @@ AC_SUBST([VERTO_VERSION])
 
 AC_PATH_PROG(GROFF, groff)
 
--- a/krb5-1.13-dirsrv-accountlock.patch
+++ b/krb5-1.13-dirsrv-accountlock.patch
@ -1,4 +1,4 @@
-From 6ac22c213525b704183106053e7a49d7a18f3903 Mon Sep 17 00:00:00 2001
+From 3da19a991cce8861c092ed1341d9cd7837b2f6f7 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:47:44 -0400
 Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
--- a/krb5-1.15-beta1-buildconf.patch
+++ b/krb5-1.15-beta1-buildconf.patch
@ -1,4 +1,4 @@
-From ee22f82b9a68f39a7c02b8eb75981c978d0f6e8c Mon Sep 17 00:00:00 2001
+From 7b457b5b4130208745b8c592e53e42c10f356e27 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:45:26 -0400
 Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
--- a/krb5-1.17-beta1-selinux-label.patch
+++ b/krb5-1.17-beta1-selinux-label.patch
@ -1,4 +1,4 @@
-From 08e57eb589daa83dcbada0d1f81d5fb8dbe31fc4 Mon Sep 17 00:00:00 2001
+From e1c4f8894d22da9c157bfcf31e28f9ceaeebe39e Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:30:53 -0400
 Subject: [PATCH] krb5-1.17-beta1-selinux-label.patch
@ -172,10 +172,10 @@ index ce87e21ca..917357df9 100644
 GSS_LIBS	= $(GSS_KRB5_LIB)
 # needs fixing if ever used on macOS!
 diff --git a/src/configure.in b/src/configure.in
-index 5d5f148ca..16e785017 100644
+index e9a12ac16..93aec682e 100644
 --- a/src/configure.in
 +++ b/src/configure.in
-@@ -1350,6 +1350,8 @@ AC_PATH_PROG(GROFF, groff)
+@@ -1354,6 +1354,8 @@ AC_PATH_PROG(GROFF, groff)
 
 KRB5_WITH_PAM
 
@ -631,7 +631,7 @@ index 24e41fb80..0dcb6b543 100644
         retval = errno;
         if (retval == 0)
 diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
-index b1842daf9..82d08943c 100644
+index db7b030b8..321672bcb 100644
 --- a/src/util/support/Makefile.in
 +++ b/src/util/support/Makefile.in
@@ -69,6 +69,7 @@ IPC_SYMS= \
--- a/krb5-1.3.1-dns.patch
+++ b/krb5-1.3.1-dns.patch
@ -1,4 +1,4 @@
-From fdfee89c7e849d8aa9d69fb453d87d1dcf750b84 Mon Sep 17 00:00:00 2001
+From 40259729fa4fbec2b22e9ca8043202ac914cca24 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:46:21 -0400
 Subject: [PATCH] krb5-1.3.1-dns.patch
--- a/krb5-1.9-debuginfo.patch
+++ b/krb5-1.9-debuginfo.patch
@ -1,4 +1,4 @@
-From a766fdb8929635483ae7b8f7ff13ad105571f8c1 Mon Sep 17 00:00:00 2001
+From d6758af31afecc3835043a8e599302f372fcef82 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:49:25 -0400
 Subject: [PATCH] krb5-1.9-debuginfo.patch
--- a/krb5.spec
+++ b/krb5.spec
@ -9,7 +9,7 @@
 %global configured_default_ccache_name KEYRING:persistent:%%{uid}

 # leave empty or set to e.g., -beta2
-%global prerelease -beta2
+%global prerelease %{nil}

 # Should be in form 5.0, 6.1, etc.
 %global kdbversion 7.0
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.17
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 1.beta2.6%{?dist}
+Release: 2

 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@ -63,7 +63,6 @@ Patch36: krb5-1.11-kpasswdtest.patch
 Patch88: Become-FIPS-aware.patch
 Patch89: In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
 Patch90: Add-tests-for-KCM-ccache-type.patch
-Patch91: Remove-incorrect-KDC-assertion.patch
 Patch92: Address-some-optimized-out-memset-calls.patch
 Patch93: Use-openssl-s-PRNG-in-FIPS-mode.patch

@ -713,6 +712,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Tue Jan 08 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-2
+- New upstream version (1.17)
+
 * Fri Jan 04 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-1.beta2.6
 - Use openssl's PRNG in FIPS mode

--- a/6
+++ b/6
@ -1,3 +1,3 @@
-SHA512 (krb5-1.17-beta2.tar.gz) = 4611e2091c74e6de7fe5a3e57c44c4afcc2ebd590dcc1fe99f73fac95aec64574b06bb636acb4cd694e49db76ccdee5448202ab4c653c4330b40b9e42cc1d206
-SHA512 (krb5-1.17-beta2.tar.gz.asc) = cfb826cd69701071411270b75ed8241487e2aef032ae407f866e63c7871dbb23103b02fec73ab8ee4ae085b03216c91e688ad0b77e068054e4b1d3a625fcfc8b
-SHA512 (krb5-1.17-beta2-pdfs.tar) = 24140822150a32ed3efa855741da7c220c8cf5875b4517fa48591d4c90454653d70558e2a31461a2c32d21b801eac7c96c0a75a5cd6989dbabe6454a802002dd
+SHA512 (krb5-1.17-pdfs.tar) = 89a5a709720ee9028e9bfbcbc808eec436c4b9c6e105888b37660e97cff48e190bc77affa9809353de9cf2f39e517e8a6ab22792263978b403a4a6317ac24a46
+SHA512 (krb5-1.17.tar.gz) = 7462a578b936bd17f155a362dbb5d388e157a80a096549028be6c55400b11361c7f8a28e424fd5674801873651df4e694d536cae66728b7ae5e840e532358c52
+SHA512 (krb5-1.17.tar.gz.asc) = 7ee81ccd05559ca1ff945619165297db251010db7c0205855f89ae66a73bc78e98f5e28ea154dcb752f5d4afb9349a293dcf8f64858d2129a869295fa8946e0f