New upstream prerelease (1.16-beta2)
parent
17620d4f26
commit
6f4f842e5f
3
.gitignore
vendored
3
.gitignore
vendored
@ -157,3 +157,6 @@ krb5-1.8.3-pdf.tar.gz
|
||||
/krb5-1.16-beta1-pdfs.tar
|
||||
/krb5-1.16-beta1.tar.gz
|
||||
/krb5-1.16-beta1.tar.gz.asc
|
||||
/krb5-1.16-beta2.tar.gz
|
||||
/krb5-1.16-beta2.tar.gz.asc
|
||||
/krb5-1.16-beta2-pdfs.tar
|
||||
|
@ -1,103 +0,0 @@
|
||||
From 82854302309e2a513908cf85ed9321113ef26a08 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 24 Oct 2017 15:09:57 -0400
|
||||
Subject: [PATCH] Fix PKINIT cert matching data construction
|
||||
|
||||
Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
|
||||
allocation and to perform proper error checking.
|
||||
|
||||
(cherry picked from commit 5a2faf2802480548ff6a7261552ee17efaed7be1)
|
||||
---
|
||||
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 61 +++++++---------------
|
||||
1 file changed, 19 insertions(+), 42 deletions(-)
|
||||
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index f7640baf1..9fa20a8b2 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -5002,33 +5002,23 @@ out:
|
||||
return retval;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * Return a string format of an X509_NAME in buf where
|
||||
- * size is an in/out parameter. On input it is the size
|
||||
- * of the buffer, and on output it is the actual length
|
||||
- * of the name.
|
||||
- * If buf is NULL, returns the length req'd to hold name
|
||||
- */
|
||||
-static char *
|
||||
-X509_NAME_oneline_ex(X509_NAME * a,
|
||||
- char *buf,
|
||||
- unsigned int *size,
|
||||
- unsigned long flag)
|
||||
+static krb5_error_code
|
||||
+rfc2253_name(X509_NAME *name, char **str_out)
|
||||
{
|
||||
- BIO *out = NULL;
|
||||
+ BIO *b = NULL;
|
||||
+ char *str;
|
||||
|
||||
- out = BIO_new(BIO_s_mem ());
|
||||
- if (X509_NAME_print_ex(out, a, 0, flag) > 0) {
|
||||
- if (buf != NULL && (*size) > (unsigned int) BIO_number_written(out)) {
|
||||
- memset(buf, 0, *size);
|
||||
- BIO_read(out, buf, (int) BIO_number_written(out));
|
||||
- }
|
||||
- else {
|
||||
- *size = BIO_number_written(out);
|
||||
- }
|
||||
- }
|
||||
- BIO_free(out);
|
||||
- return (buf);
|
||||
+ *str_out = NULL;
|
||||
+ b = BIO_new(BIO_s_mem());
|
||||
+ if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
|
||||
+ return ENOMEM;
|
||||
+ str = calloc(BIO_number_written(b) + 1, 1);
|
||||
+ if (str == NULL)
|
||||
+ return ENOMEM;
|
||||
+ BIO_read(b, str, BIO_number_written(b));
|
||||
+ BIO_free(b);
|
||||
+ *str_out = str;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -5094,8 +5084,6 @@ get_matching_data(krb5_context context,
|
||||
pkinit_cert_matching_data *md = NULL;
|
||||
krb5_principal *pkinit_sans = NULL, *upn_sans = NULL;
|
||||
size_t i, j;
|
||||
- char buf[DN_BUF_LEN];
|
||||
- unsigned int bufsize = sizeof(buf);
|
||||
|
||||
*md_out = NULL;
|
||||
|
||||
@@ -5103,23 +5091,12 @@ get_matching_data(krb5_context context,
|
||||
if (md == NULL)
|
||||
goto cleanup;
|
||||
|
||||
- /* Get the subject name (in rfc2253 format). */
|
||||
- X509_NAME_oneline_ex(X509_get_subject_name(cert), buf, &bufsize,
|
||||
- XN_FLAG_SEP_COMMA_PLUS);
|
||||
- md->subject_dn = strdup(buf);
|
||||
- if (md->subject_dn == NULL) {
|
||||
- ret = ENOMEM;
|
||||
+ ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn);
|
||||
+ if (ret)
|
||||
goto cleanup;
|
||||
- }
|
||||
-
|
||||
- /* Get the issuer name (in rfc2253 format). */
|
||||
- X509_NAME_oneline_ex(X509_get_issuer_name(cert), buf, &bufsize,
|
||||
- XN_FLAG_SEP_COMMA_PLUS);
|
||||
- md->issuer_dn = strdup(buf);
|
||||
- if (md->issuer_dn == NULL) {
|
||||
- ret = ENOMEM;
|
||||
+ ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn);
|
||||
+ if (ret)
|
||||
goto cleanup;
|
||||
- }
|
||||
|
||||
/* Get the SAN data. */
|
||||
ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,
|
@ -1,35 +0,0 @@
|
||||
From 697f19c5bfd4470c167d35c7af43c82a32660b82 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 1 Mar 2017 17:46:22 -0500
|
||||
Subject: [PATCH] Use GSSAPI fallback skiptest
|
||||
|
||||
Also-authored-by: Matt Rogers <mrogers@redhat.com>
|
||||
[rharwood@redhat.com: Adjusted patch to apply]
|
||||
---
|
||||
src/appl/gss-sample/Makefile.in | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/appl/gss-sample/Makefile.in b/src/appl/gss-sample/Makefile.in
|
||||
index 28e59f90f..9806fd327 100644
|
||||
--- a/src/appl/gss-sample/Makefile.in
|
||||
+++ b/src/appl/gss-sample/Makefile.in
|
||||
@@ -6,6 +6,8 @@ SRCS= $(srcdir)/gss-client.c $(srcdir)/gss-misc.c $(srcdir)/gss-server.c
|
||||
|
||||
OBJS= gss-client.o gss-misc.o gss-server.o
|
||||
|
||||
+LBITS = $(shell /usr/bin/getconf LONG_BIT)
|
||||
+
|
||||
all-unix: gss-server gss-client
|
||||
|
||||
##WIN32##VERSIONRC = $(BUILDTOP)\windows\version.rc
|
||||
@@ -43,7 +45,9 @@ clean-unix::
|
||||
$(RM) gss-server gss-client
|
||||
|
||||
check-pytests:
|
||||
- $(RUNPYTEST) $(srcdir)/t_gss_sample.py $(PYTESTFLAGS)
|
||||
+ if ! [ $(LBITS) -eq 32 ]; then \
|
||||
+ $(RUNPYTEST) $(srcdir)/t_gss_sample.py $(PYTESTFLAGS); \
|
||||
+ fi
|
||||
|
||||
install-unix:
|
||||
$(INSTALL_PROGRAM) gss-client $(DESTDIR)$(CLIENT_BINDIR)/gss-client
|
@ -1,8 +1,9 @@
|
||||
From 3e94cf1accf2b33bd0c8cf54eb58b4777f411cc6 Mon Sep 17 00:00:00 2001
|
||||
From f92f616e67909fe76f7628fa0fd1e28320c7e4c3 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:52:01 -0400
|
||||
Subject: [PATCH] krb5-1.11-kpasswdtest.patch
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/kadmin/testing/proto/krb5.conf.proto | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 9e7e92ae1dcd242044f2dfe3b89926ddddb6a221 Mon Sep 17 00:00:00 2001
|
||||
From 1940160be747f4c62ff00b95bc7d34301cf313d2 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:49:57 -0400
|
||||
Subject: [PATCH] krb5-1.11-run_user_0.patch
|
||||
@ -6,6 +6,8 @@ Subject: [PATCH] krb5-1.11-run_user_0.patch
|
||||
A hack: if we're looking at creating a ccache directory directly below
|
||||
the /run/user/0 directory, and /run/user/0 doesn't exist, try to create
|
||||
it, too.
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/lib/krb5/ccache/cc_dir.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 9a6cfaaecd1a37e74dba285decd03bb4a3382f9a Mon Sep 17 00:00:00 2001
|
||||
From f872d1b9d44ae48846641dab97b546665fbc1c33 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:47:00 -0400
|
||||
Subject: [PATCH] krb5-1.12-api.patch
|
||||
@ -6,6 +6,8 @@ Subject: [PATCH] krb5-1.12-api.patch
|
||||
Reference docs don't define what happens if you call krb5_realm_compare() with
|
||||
malformed krb5_principal structures. Define a behavior which keeps it from
|
||||
crashing if applications don't check ahead of time.
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/lib/krb5/krb/princ_comp.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
@ -1,9 +1,11 @@
|
||||
From 7b3bdbc0ca882325291caad391c4d328f174a614 Mon Sep 17 00:00:00 2001
|
||||
From 5bcd5fc7c793f1345d8e052c9242a93e17562ad6 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:32:09 -0400
|
||||
Subject: [PATCH] krb5-1.12-ksu-path.patch
|
||||
|
||||
Set the default PATH to the one set by login.
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/clients/ksu/Makefile.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 1ede8564105568182e3cf6f273ab820453e2f025 Mon Sep 17 00:00:00 2001
|
||||
From 690b710e3cdf40cb9b9184ed6883f26c0d5d0d39 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:33:53 -0400
|
||||
Subject: [PATCH] krb5-1.12-ktany.patch
|
||||
@ -6,6 +6,8 @@ Subject: [PATCH] krb5-1.12-ktany.patch
|
||||
Adds an "ANY" keytab type which is a list of other keytab locations to search
|
||||
when searching for a specific entry. When iterated through, it only presents
|
||||
the contents of the first keytab.
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/lib/krb5/keytab/Makefile.in | 3 +
|
||||
src/lib/krb5/keytab/kt_any.c | 292 ++++++++++++++++++++++++++++++++++++++++
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 385194db1a08c1b923f9eb75e9602b56720fd50e Mon Sep 17 00:00:00 2001
|
||||
From 42f20ac00a2f71dcef166b0cbf2db58d02f117c8 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:29:58 -0400
|
||||
Subject: [PATCH] krb5-1.12.1-pam.patch
|
||||
@ -16,6 +16,8 @@ When enabled, ksu gains a dependency on libpam.
|
||||
Originally RT#5939, though it's changed since then to perform the account
|
||||
and session management before dropping privileges, and to apply on top of
|
||||
changes we're proposing for how it handles cache collections.
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/aclocal.m4 | 67 ++++++++
|
||||
src/clients/ksu/Makefile.in | 8 +-
|
||||
|
@ -1,10 +1,12 @@
|
||||
From 850689009f9aeddc0b63051a3e2883d02b05387e Mon Sep 17 00:00:00 2001
|
||||
From fd3013f4dec1dfdfa40a8161cfdfea87aaac8e35 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:47:44 -0400
|
||||
Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
|
||||
|
||||
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from
|
||||
original version filed as RT#5891.
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/aclocal.m4 | 9 +++++++++
|
||||
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 17 +++++++++++++++++
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 285eaffa69e9c2ff7f0adf017d192b5e7afb7002 Mon Sep 17 00:00:00 2001
|
||||
From e4103ccd0ad37297c64440ce9153e3dd355e1d5a Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:45:26 -0400
|
||||
Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
|
||||
@ -8,6 +8,8 @@ and install shared libraries with the execute bit set on them. Prune out
|
||||
the -L/usr/lib* and PIE flags where they might leak out and affect
|
||||
apps which just want to link with the libraries. FIXME: needs to check and
|
||||
not just assume that the compiler supports using these flags.
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/build-tools/krb5-config.in | 7 +++++++
|
||||
src/config/pre.in | 2 +-
|
||||
|
@ -1,4 +1,4 @@
|
||||
From d38588a165302d915eb6b4da0c2755601547bcd1 Mon Sep 17 00:00:00 2001
|
||||
From 36874eb7b52ccc606f705029d6a5c83f77cea2c4 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:30:53 -0400
|
||||
Subject: [PATCH] krb5-1.15.1-selinux-label.patch
|
||||
@ -35,6 +35,8 @@ stomp all over us.
|
||||
The selabel APIs for looking up the context should be thread-safe (per
|
||||
Red Hat #273081), so switching to using them instead of matchpathcon(),
|
||||
which we used earlier, is some improvement.
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/aclocal.m4 | 49 +++
|
||||
src/build-tools/krb5-config.in | 3 +-
|
||||
|
@ -1,9 +1,11 @@
|
||||
From 4bc124bfff119d436eeb1af7b9d5726e17284d67 Mon Sep 17 00:00:00 2001
|
||||
From 5f9dccda2e9f4637732aa4071d37e76a3526fd6c Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:46:21 -0400
|
||||
Subject: [PATCH] krb5-1.3.1-dns.patch
|
||||
|
||||
We want to be able to use --with-netlib and --enable-dns at the same time.
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/aclocal.m4 | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 82f8b63ae3955423456adf15790c10eb1145ec52 Mon Sep 17 00:00:00 2001
|
||||
From 1eeb1b3e0ceb5500e5c1102d2144203352f0d00f Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:49:25 -0400
|
||||
Subject: [PATCH] krb5-1.9-debuginfo.patch
|
||||
@ -6,6 +6,8 @@ Subject: [PATCH] krb5-1.9-debuginfo.patch
|
||||
We want to keep these y.tab.c files around because the debuginfo points to
|
||||
them. It would be more elegant at the end to use symbolic links, but that
|
||||
could mess up people working in the tree on other things.
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/kadmin/cli/Makefile.in | 5 +++++
|
||||
src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-
|
||||
|
@ -9,7 +9,7 @@
|
||||
%global configured_default_ccache_name KEYRING:persistent:%%{uid}
|
||||
|
||||
# leave empty or set to e.g., -beta2
|
||||
%global prerelease -beta1
|
||||
%global prerelease -beta2
|
||||
|
||||
# Should be in form 5.0, 6.1, etc.
|
||||
%global kdbversion 7.0
|
||||
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.16
|
||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||
Release: 0.beta1.4%{?dist}
|
||||
Release: 0.beta2.1%{?dist}
|
||||
|
||||
# lookaside-cached sources; two downloads and a build artifact
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
|
||||
@ -60,8 +60,6 @@ Patch33: krb5-1.13-dirsrv-accountlock.patch
|
||||
Patch34: krb5-1.9-debuginfo.patch
|
||||
Patch35: krb5-1.11-run_user_0.patch
|
||||
Patch36: krb5-1.11-kpasswdtest.patch
|
||||
Patch43: Use-GSSAPI-fallback-skiptest.patch
|
||||
Patch44: Fix-PKINIT-cert-matching-data-construction.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -714,6 +712,9 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Mon Nov 27 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-0.beta2.1
|
||||
- New upstream prerelease (1.16-beta2)
|
||||
|
||||
* Tue Oct 24 2017 Robbie Harwood <rharwood@redhat.com> - 1.16-0.beta1.4
|
||||
- Fix CVE-2017-15088 (Buffer overflow in get_matching_data())
|
||||
|
||||
|
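Review bot: The `@ -60,8 +60,6 @@` hunk appears to drop `Patch43` and `Patch44` (its counts show two lines removed, and both patch files are deleted elsewhere in this commit), and `Patch44` is the downstream carry of the CVE-2017-15088 fix recorded in the 1.16-0.beta1.4 changelog entry, yet the new changelog entry says only "New upstream prerelease". Before merging, confirm that the krb5-1.16-beta2 tarball contains upstream commit 5a2faf2802480548ff6a7261552ee17efaed7be1, for instance by checking that `rfc2253_name()` is present in `src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`, so the fix is not silently lost on the rebase. Once confirmed, record it in the changelog, e.g. `- Drop Fix-PKINIT-cert-matching-data-construction.patch (CVE-2017-15088 fix, now in upstream tarball)`. Dropping `Patch43` presumably also means `t_gss_sample.py` runs again on 32-bit builders, which deserves a changelog line as well.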
6
sources
6
sources
@ -1,3 +1,3 @@
|
||||
SHA512 (krb5-1.16-beta1-pdfs.tar) = 79329b7978101723a5c9f55773ac69bd1986c716e6d8b4cd42cbf17a8e85cd49f13b376e0b4b0ccca485b5a5a79d6bce8ace0c22df79b6f0a47a74c387f83ffd
|
||||
SHA512 (krb5-1.16-beta1.tar.gz) = 68dba5212d2dd28ed0bc4961931af8d291bcdf2805baa4e930b0218f7749dc1e4dfe696aacca0529787f274b99fe5a8297f3e13877f724ee983483b399daf2c9
|
||||
SHA512 (krb5-1.16-beta1.tar.gz.asc) = 342272496897b4a4452d73186b7d19bbc3155e38fe39e0e852e03ce4757a3284baefbb1c49653e53d36e96ab587a7acb718e14c8281ccca85cb0de4c7d0b730e
|
||||
SHA512 (krb5-1.16-beta2.tar.gz) = 12dfbac5357e1bfa6acce4ea8ee690015136c0297c08405ed8a77ba219ed1490cbf35eaa3d7ab3cd517cdfcd697dfa6c64efd6270f5419d7e2914ed562338ea7
|
||||
SHA512 (krb5-1.16-beta2.tar.gz.asc) = c653f7babc9baf58528fde523169e971aada520a606ade2afdb22d7aa9c513a7fec2662f6ba4b344bde0ad8ebc1ebd4e7fc90960c50b3ff44867a9c547749613
|
||||
SHA512 (krb5-1.16-beta2-pdfs.tar) = f3791cbe3b6cedbc07af70b2e6c87aabe921a637e419096fa37faff40538e0575237c006ee0df56e5c728988b0677faef41f26e61501e5ab8851591ea12faa3a
|
||||
|