From 658f28f754efb14ddd0a8b2dcc54c8e7f3f3e6d5 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Tue, 8 Jan 2019 19:15:01 +0000
Subject: [PATCH] New upstream version (1.17)
---
 .gitignore | 3 +
 Add-tests-for-KCM-ccache-type.patch | 2 +-
 Address-some-optimized-out-memset-calls.patch | 2 +-
 Become-FIPS-aware.patch | 2 +-
 ...-plaintext-fallback-for-RC4-usages-a.patch | 2 +-
 Remove-incorrect-KDC-assertion.patch | 61 -------------------
 Use-openssl-s-PRNG-in-FIPS-mode.patch | 2 +-
 krb5-1.11-kpasswdtest.patch | 2 +-
 krb5-1.11-run_user_0.patch | 2 +-
 krb5-1.12-api.patch | 2 +-
 krb5-1.12-ksu-path.patch | 2 +-
 krb5-1.12-ktany.patch | 2 +-
 krb5-1.12.1-pam.patch | 6 +-
 krb5-1.13-dirsrv-accountlock.patch | 2 +-
 krb5-1.15-beta1-buildconf.patch | 2 +-
 krb5-1.17-beta1-selinux-label.patch | 8 +--
 krb5-1.3.1-dns.patch | 2 +-
 krb5-1.9-debuginfo.patch | 2 +-
 krb5.spec | 8 ++-
 sources | 6 +-
 20 files changed, 32 insertions(+), 88 deletions(-)
 delete mode 100644 Remove-incorrect-KDC-assertion.patch
diff --git a/.gitignore b/.gitignore
index 7d8ad15..523856e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -172,3 +172,6 @@ krb5-1.8.3-pdf.tar.gz
 /krb5-1.17-beta2.tar.gz
 /krb5-1.17-beta2.tar.gz.asc
 /krb5-1.17-beta2-pdfs.tar
+/krb5-1.17-pdfs.tar
+/krb5-1.17.tar.gz
+/krb5-1.17.tar.gz.asc
diff --git a/Add-tests-for-KCM-ccache-type.patch b/Add-tests-for-KCM-ccache-type.patch
index ef9b875..fac526f 100644
--- a/Add-tests-for-KCM-ccache-type.patch
+++ b/Add-tests-for-KCM-ccache-type.patch
@@ -1,4 +1,4 @@
-From b361f6bbc2873bd54963076738dc3ae6224261a0 Mon Sep 17 00:00:00 2001
+From 528f9ef3842ef5caba0990568e3cd7104e640c52 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Thu, 22 Nov 2018 00:27:35 -0500
 Subject: [PATCH] Add tests for KCM ccache type
diff --git a/Address-some-optimized-out-memset-calls.patch b/Address-some-optimized-out-memset-calls.patch
index 781d14a..099f238 100644
--- a/Address-some-optimized-out-memset-calls.patch
+++ b/Address-some-optimized-out-memset-calls.patch
@@ -1,4 +1,4 @@
-From 0d83197140d2040d47ca79f006126e503680f661 Mon Sep 17 00:00:00 2001
+From 028ed9cee24159b25ecb8f62e8d171b850ed0a41 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Sun, 30 Dec 2018 16:40:28 -0500
 Subject: [PATCH] Address some optimized-out memset() calls
diff --git a/Become-FIPS-aware.patch b/Become-FIPS-aware.patch
index 20c211d..9c4bb5f 100644
--- a/Become-FIPS-aware.patch
+++ b/Become-FIPS-aware.patch
@@ -1,4 +1,4 @@
-From 6e1f7b50b36e0036838c91841c83360fdd567ec5 Mon Sep 17 00:00:00 2001
+From ebcee0c8dc5f3055597e0b574d98cbe65f55319e Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Fri, 9 Nov 2018 15:12:21 -0500
 Subject: [PATCH] Become FIPS-aware
diff --git a/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch b/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
index 78fb0d9..b34aed1 100644
--- a/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
+++ b/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
@@ -1,4 +1,4 @@
-From 2bd85da058d2d73eb2818a8e64656fec9b21b3c3 Mon Sep 17 00:00:00 2001
+From 1caf8246184211e06708e01a106632e26d9a84a8 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 31 Jul 2018 13:47:26 -0400
 Subject: [PATCH] In FIPS mode, add plaintext fallback for RC4 usages and taint
diff --git a/Remove-incorrect-KDC-assertion.patch b/Remove-incorrect-KDC-assertion.patch
deleted file mode 100644
index f951269..0000000
--- a/Remove-incorrect-KDC-assertion.patch
+++ /dev/null
@@ -1,61 +0,0 @@ -From 5ab44ff3ecdf362a792f193cf18df42866b70f80 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 15 Dec 2018 11:56:36 +0200 -Subject: [PATCH] Remove incorrect KDC assertion - -The assertion in return_enc_padata() is reachable because -kdc_make_s4u2self_rep() may have previously added encrypted padata. -It is no longer necessary because the code uses add_pa_data_element() -instead of allocating a new list. - -CVE-2018-20217: - -In MIT krb5 1.8 or later, an authenticated user who can obtain a TGT -using an older encryption type (DES, DES3, or RC4) can cause an -assertion failure in the KDC by sending an S4U2Self request. - -[ghudson@mit.edu: rewrote commit message with CVE description] - -ticket: 8767 (new) -tags: pullup -target_version: 1.17 -target_version: 1.16-next -target_version: 1.15-next - -(cherry picked from commit 94e5eda5bb94d1d44733a49c3d9b6d1e42c74def) ---- - src/kdc/kdc_preauth.c | 1 - - src/tests/gssapi/t_s4u.py | 8 ++++++++ - 2 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c -index 74953c99f..caf133c14 100644 ---- a/src/kdc/kdc_preauth.c -+++ b/src/kdc/kdc_preauth.c -@@ -1683,7 +1683,6 @@ return_enc_padata(krb5_context context, krb5_data *req_pkt, - krb5_error_code code = 0; - /* This should be initialized and only used for Win2K compat and other - * specific standardized uses such as FAST negotiation. 
*/ -- assert(reply_encpart->enc_padata == NULL); - if (is_referral) { - code = return_referral_enc_padata(context, reply_encpart, server); - if (code) -diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py -index fd29e1a27..f02c2fd13 100755 ---- a/src/tests/gssapi/t_s4u.py -+++ b/src/tests/gssapi/t_s4u.py -@@ -139,6 +139,14 @@ if 'auth1: user@' not in out or 'auth2: user@' not in out: - - realm.stop() - -+mark('S4U2Self with various enctypes') -+for realm in multipass_realms(create_host=False, get_creds=False): -+ service1 = 'service/1@%s' % realm.realm -+ realm.addprinc(service1) -+ realm.extract_keytab(service1, realm.keytab) -+ realm.kinit(service1, None, ['-k']) -+ realm.run(['./t_s4u', 'e:user', '-']) -+ - # Test cross realm S4U2Self using server referrals. - mark('cross-realm S4U2Self') - testprincs = {'krbtgt/SREALM': {'keys': 'aes128-cts'}, diff --git a/Use-openssl-s-PRNG-in-FIPS-mode.patch b/Use-openssl-s-PRNG-in-FIPS-mode.patch index c9aa284..29cceff 100644 --- a/Use-openssl-s-PRNG-in-FIPS-mode.patch +++ b/Use-openssl-s-PRNG-in-FIPS-mode.patch @@ -1,4 +1,4 @@ -From 643b5e486624989acddf66ac7ce2cf71b3816fda Mon Sep 17 00:00:00 2001 +From a81c558f4fc75ef988a283729fd9c7e79e9df70f Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 4 Jan 2019 17:00:15 -0500 Subject: [PATCH] Use openssl's PRNG in FIPS mode diff --git a/krb5-1.11-kpasswdtest.patch b/krb5-1.11-kpasswdtest.patch index c5dc157..0a9fff6 100644 --- a/krb5-1.11-kpasswdtest.patch +++ b/krb5-1.11-kpasswdtest.patch @@ -1,4 +1,4 @@ -From 6e8f8054396459c1f53c838801b0a75d235fdabb Mon Sep 17 00:00:00 2001 +From d4035585df4b3132d1897067d6c452cc06aa16dd Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:52:01 -0400 Subject: [PATCH] krb5-1.11-kpasswdtest.patch diff --git a/krb5-1.11-run_user_0.patch b/krb5-1.11-run_user_0.patch index d8dd892..705af96 100644 --- a/krb5-1.11-run_user_0.patch +++ b/krb5-1.11-run_user_0.patch 
@@ -1,4 +1,4 @@ -From ac7370914ab1646ac79475399ff5e9ca4ec58737 Mon Sep 17 00:00:00 2001 +From 3d09297c65f27033cce8abbab2e50716abdae48f Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:57 -0400 Subject: [PATCH] krb5-1.11-run_user_0.patch diff --git a/krb5-1.12-api.patch b/krb5-1.12-api.patch index 1ec3e8c..159ad57 100644 --- a/krb5-1.12-api.patch +++ b/krb5-1.12-api.patch @@ -1,4 +1,4 @@ -From eaaca3b6e9eb279ba7c50af95f0c84068927da16 Mon Sep 17 00:00:00 2001 +From f267d34d0dea6778c700036b89156fc17ca506e9 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:47:00 -0400 Subject: [PATCH] krb5-1.12-api.patch diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch index 773b134..4b990ce 100644 --- a/krb5-1.12-ksu-path.patch +++ b/krb5-1.12-ksu-path.patch @@ -1,4 +1,4 @@ -From b4804625f0b778ceaabdcc4fb448e7b5ba1523a5 Mon Sep 17 00:00:00 2001 +From e62b5022c129229e86f40f97d2e1c71a01d7227b Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:32:09 -0400 Subject: [PATCH] krb5-1.12-ksu-path.patch diff --git a/krb5-1.12-ktany.patch b/krb5-1.12-ktany.patch index b0691dc..8049432 100644 --- a/krb5-1.12-ktany.patch +++ b/krb5-1.12-ktany.patch @@ -1,4 +1,4 @@ -From 001a4204b41823b939ca7f6ff82cc55c084e69d9 Mon Sep 17 00:00:00 2001 +From c93c099e3d3e0a78393e7445fe17d58cf1abc666 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:33:53 -0400 Subject: [PATCH] krb5-1.12-ktany.patch diff --git a/krb5-1.12.1-pam.patch b/krb5-1.12.1-pam.patch index e89f2b0..10892d4 100644 --- a/krb5-1.12.1-pam.patch +++ b/krb5-1.12.1-pam.patch @@ -1,4 +1,4 @@ -From c734e307fb5cf75d2a54147ffe9b14b0c8a0558b Mon Sep 17 00:00:00 2001 +From c8f2e321b2d8471feee69bbca3179e675228bd8a Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:29:58 -0400 Subject: [PATCH] krb5-1.12.1-pam.patch @@ -756,10 +756,10 @@ index 000000000..0ab76569c +void appl_pam_cleanup(void); +#endif 
diff --git a/src/configure.in b/src/configure.in -index 84529c120..5d5f148ca 100644 +index 61ef738dc..e9a12ac16 100644 --- a/src/configure.in +++ b/src/configure.in -@@ -1348,6 +1348,8 @@ AC_SUBST([VERTO_VERSION]) +@@ -1352,6 +1352,8 @@ AC_SUBST([VERTO_VERSION]) AC_PATH_PROG(GROFF, groff) diff --git a/krb5-1.13-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch index cfdd2d8..7faa245 100644 --- a/krb5-1.13-dirsrv-accountlock.patch +++ b/krb5-1.13-dirsrv-accountlock.patch @@ -1,4 +1,4 @@ -From 6ac22c213525b704183106053e7a49d7a18f3903 Mon Sep 17 00:00:00 2001 +From 3da19a991cce8861c092ed1341d9cd7837b2f6f7 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:47:44 -0400 Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch diff --git a/krb5-1.15-beta1-buildconf.patch b/krb5-1.15-beta1-buildconf.patch index 9dcbd9a..5725758 100644 --- a/krb5-1.15-beta1-buildconf.patch +++ b/krb5-1.15-beta1-buildconf.patch @@ -1,4 +1,4 @@ -From ee22f82b9a68f39a7c02b8eb75981c978d0f6e8c Mon Sep 17 00:00:00 2001 +From 7b457b5b4130208745b8c592e53e42c10f356e27 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:45:26 -0400 Subject: [PATCH] krb5-1.15-beta1-buildconf.patch diff --git a/krb5-1.17-beta1-selinux-label.patch b/krb5-1.17-beta1-selinux-label.patch index 4895fec..bf5d4eb 100644 --- a/krb5-1.17-beta1-selinux-label.patch +++ b/krb5-1.17-beta1-selinux-label.patch @@ -1,4 +1,4 @@ -From 08e57eb589daa83dcbada0d1f81d5fb8dbe31fc4 Mon Sep 17 00:00:00 2001 +From e1c4f8894d22da9c157bfcf31e28f9ceaeebe39e Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:30:53 -0400 Subject: [PATCH] krb5-1.17-beta1-selinux-label.patch @@ -172,10 +172,10 @@ index ce87e21ca..917357df9 100644 GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on macOS! diff --git a/src/configure.in b/src/configure.in -index 5d5f148ca..16e785017 100644 +index e9a12ac16..93aec682e 100644 --- a/src/configure.in 
+++ b/src/configure.in -@@ -1350,6 +1350,8 @@ AC_PATH_PROG(GROFF, groff) +@@ -1354,6 +1354,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM @@ -631,7 +631,7 @@ index 24e41fb80..0dcb6b543 100644 retval = errno; if (retval == 0) diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in -index b1842daf9..82d08943c 100644 +index db7b030b8..321672bcb 100644 --- a/src/util/support/Makefile.in +++ b/src/util/support/Makefile.in @@ -69,6 +69,7 @@ IPC_SYMS= \ diff --git a/krb5-1.3.1-dns.patch b/krb5-1.3.1-dns.patch index a03312f..d213d71 100644 --- a/krb5-1.3.1-dns.patch +++ b/krb5-1.3.1-dns.patch @@ -1,4 +1,4 @@ -From fdfee89c7e849d8aa9d69fb453d87d1dcf750b84 Mon Sep 17 00:00:00 2001 +From 40259729fa4fbec2b22e9ca8043202ac914cca24 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:46:21 -0400 Subject: [PATCH] krb5-1.3.1-dns.patch diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch index 7594a6c..6b1c220 100644 --- a/krb5-1.9-debuginfo.patch +++ b/krb5-1.9-debuginfo.patch @@ -1,4 +1,4 @@ -From a766fdb8929635483ae7b8f7ff13ad105571f8c1 Mon Sep 17 00:00:00 2001 +From d6758af31afecc3835043a8e599302f372fcef82 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 23 Aug 2016 16:49:25 -0400 Subject: [PATCH] krb5-1.9-debuginfo.patch diff --git a/krb5.spec b/krb5.spec index 16f2ba5..8da9d25 100644 --- a/krb5.spec +++ b/krb5.spec @@ -9,7 +9,7 @@ %global configured_default_ccache_name KEYRING:persistent:%%{uid} # leave empty or set to e.g., -beta2 -%global prerelease -beta2 +%global prerelease %{nil} # Should be in form 5.0, 6.1, etc. %global kdbversion 7.0 @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.17 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 1.beta2.6%{?dist} +Release: 2 # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz 
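Review bot: The new `Release: 2` line in the krb5.spec hunk at -18,7 carries no `%{?dist}` suffix as shown on this page, although the line it replaces and the comment directly above it both use one; without the dist tag, builds on different branches would share one NVR, so the line should read `Release: 2%{?dist}`. The unchanged `Source0:` URL in the same hunk still points at the `krb5/1.16/` directory while `Version:` is 1.17, so the recorded URL no longer identifies where the tarball hashed in `sources` came from. The path component should presumably follow the packaged version so the download and its checksum can be re-verified against upstream.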
@@ -63,7 +63,6 @@ Patch36: krb5-1.11-kpasswdtest.patch Patch88: Become-FIPS-aware.patch Patch89: In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch Patch90: Add-tests-for-KCM-ccache-type.patch -Patch91: Remove-incorrect-KDC-assertion.patch Patch92: Address-some-optimized-out-memset-calls.patch Patch93: Use-openssl-s-PRNG-in-FIPS-mode.patch @@ -713,6 +712,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue Jan 08 2019 Robbie Harwood - 1.17-2 +- New upstream version (1.17) + * Fri Jan 04 2019 Robbie Harwood - 1.17-1.beta2.6 - Use openssl's PRNG in FIPS mode diff --git a/sources b/sources index 5a03b5d..3517dec 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (krb5-1.17-beta2.tar.gz) = 4611e2091c74e6de7fe5a3e57c44c4afcc2ebd590dcc1fe99f73fac95aec64574b06bb636acb4cd694e49db76ccdee5448202ab4c653c4330b40b9e42cc1d206 -SHA512 (krb5-1.17-beta2.tar.gz.asc) = cfb826cd69701071411270b75ed8241487e2aef032ae407f866e63c7871dbb23103b02fec73ab8ee4ae085b03216c91e688ad0b77e068054e4b1d3a625fcfc8b -SHA512 (krb5-1.17-beta2-pdfs.tar) = 24140822150a32ed3efa855741da7c220c8cf5875b4517fa48591d4c90454653d70558e2a31461a2c32d21b801eac7c96c0a75a5cd6989dbabe6454a802002dd +SHA512 (krb5-1.17-pdfs.tar) = 89a5a709720ee9028e9bfbcbc808eec436c4b9c6e105888b37660e97cff48e190bc77affa9809353de9cf2f39e517e8a6ab22792263978b403a4a6317ac24a46 +SHA512 (krb5-1.17.tar.gz) = 7462a578b936bd17f155a362dbb5d388e157a80a096549028be6c55400b11361c7f8a28e424fd5674801873651df4e694d536cae66728b7ae5e840e532358c52 +SHA512 (krb5-1.17.tar.gz.asc) = 7ee81ccd05559ca1ff945619165297db251010db7c0205855f89ae66a73bc78e98f5e28ea154dcb752f5d4afb9349a293dcf8f64858d2129a869295fa8946e0f
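Review bot: Dropping `Patch91: Remove-incorrect-KDC-assertion.patch` in the krb5.spec hunk at -63,7 removes the packaged fix for CVE-2018-20217, and nothing in this commit records why that is safe. The deleted patch's own message lists `target_version: 1.17` and a cherry-picked upstream commit, so the fix is presumably part of the 1.17 tarball, but that should be confirmed against the release rather than assumed. The `%changelog` entry added in the next hunk is where security trackers will look, so it could say so, e.g. `- Drop Remove-incorrect-KDC-assertion.patch (CVE-2018-20217), included upstream`.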