diff --git a/.cvsignore b/.cvsignore
index 6d90815..7de173a 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -36,3 +36,6 @@ krb5-1.8.tar.gz.asc
 krb5-appl-1.0.tar.gz
 krb5-appl-1.0.tar.gz.asc
 krb5-1.8-pdf.tar.gz
+krb5-1.8.1.tar.gz
+krb5-1.8.1.tar.gz.asc
+krb5-1.8.1-pdf.tar.gz
diff --git a/2010-002-patch.txt b/2010-002-patch.txt
deleted file mode 100644
index 325ba93..0000000
--- a/2010-002-patch.txt
+++ /dev/null
@@ -1,73 +0,0 @@ -Index: src/lib/gssapi/spnego/spnego_mech.c -=================================================================== ---- src/lib/gssapi/spnego/spnego_mech.c (revision 23717) -+++ src/lib/gssapi/spnego/spnego_mech.c (working copy) -@@ -1570,7 +1570,7 @@ - spnego_gss_ctx_id_t sc = NULL; - spnego_gss_cred_id_t spcred = NULL; - OM_uint32 mechstat = GSS_S_FAILURE; -- int sendTokenInit = 0; -+ int sendTokenInit = 0, tmpret; - - mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER; - -@@ -1603,7 +1603,6 @@ - if (delegated_cred_handle != NULL) - *delegated_cred_handle = GSS_C_NO_CREDENTIAL; - if (input_token->length == 0) { -- sendTokenInit = 1; - ret = acc_ctx_hints(minor_status, - context_handle, spcred, - &mic_out, -@@ -1611,6 +1610,7 @@ - &return_token); - if (ret != GSS_S_COMPLETE) - goto cleanup; -+ sendTokenInit = 1; - ret = GSS_S_CONTINUE_NEEDED; - } else { - /* Can set negState to REQUEST_MIC */ -@@ -1658,29 +1658,23 @@ - &negState, &return_token); - } - cleanup: -- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { -- /* For acceptor-sends-first send a tokenInit */ -- int tmpret; -- -+ if (return_token == INIT_TOKEN_SEND && sendTokenInit) { - assert(sc != NULL); -- -- if (sendTokenInit) { -- tmpret = make_spnego_tokenInit_msg(sc, -- 1, -- mic_out, -- 0, -- GSS_C_NO_BUFFER, -- return_token, -- output_token); -- } else { -- tmpret = make_spnego_tokenTarg_msg(negState, -- sc ? sc->internal_mech : GSS_C_NO_OID, -- &mechtok_out, mic_out, -- return_token, -- output_token); -- } -+ tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0, -+ GSS_C_NO_BUFFER, -+ return_token, output_token); - if (tmpret < 0) - ret = GSS_S_FAILURE; -+ } else if (return_token != NO_TOKEN_SEND && -+ return_token != CHECK_MIC) { -+ tmpret = make_spnego_tokenTarg_msg(negState, -+ sc ? 
sc->internal_mech : -+ GSS_C_NO_OID, -+ &mechtok_out, mic_out, -+ return_token, -+ output_token); -+ if (tmpret < 0) -+ ret = GSS_S_FAILURE; - } - if (ret == GSS_S_COMPLETE) { - *context_handle = (gss_ctx_id_t)sc->ctx_handle; diff --git a/krb5-1.8-kpasswd_ccache.patch b/krb5-1.8-kpasswd_ccache.patch deleted file mode 100644 index 6dc8ce6..0000000 --- a/krb5-1.8-kpasswd_ccache.patch +++ /dev/null @@ -1,50 +0,0 @@ -If we encounter any errors reading the user's principal name from the default -ccache, fall back to the default of using the current user's name. RT#6683 - -Index: src/clients/kpasswd/kpasswd.c -=================================================================== ---- src/clients/kpasswd/kpasswd.c (revision 23818) -+++ src/clients/kpasswd/kpasswd.c (revision 23819) -@@ -47,7 +47,7 @@ - { - krb5_error_code ret; - krb5_context context; -- krb5_principal princ; -+ krb5_principal princ = NULL; - char *pname; - krb5_ccache ccache; - krb5_get_init_creds_opt *opts = NULL; -@@ -84,23 +84,27 @@ - com_err(argv[0], ret, "parsing client name"); - exit(1); - } -- } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) { -- if (ret) { -+ } else { -+ ret = krb5_cc_default(context, &ccache); -+ if (ret != 0) { - com_err(argv[0], ret, "opening default ccache"); - exit(1); - } - -- if ((ret = krb5_cc_get_principal(context, ccache, &princ))) { -+ ret = krb5_cc_get_principal(context, ccache, &princ); -+ if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) { - com_err(argv[0], ret, "getting principal from ccache"); - exit(1); - } - -- if ((ret = krb5_cc_close(context, ccache))) { -+ ret = krb5_cc_close(context, ccache); -+ if (ret != 0) { - com_err(argv[0], ret, "closing ccache"); - exit(1); - } -- } else { -- get_name_from_passwd_file(argv[0], context, &princ); -+ -+ if (princ == NULL) -+ get_name_from_passwd_file(argv[0], context, &princ); - } - - if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) { 
diff --git a/krb5-1.8-opte.patch b/krb5-1.8-opte.patch deleted file mode 100644 index f3c0f53..0000000 --- a/krb5-1.8-opte.patch +++ /dev/null @@ -1,33 +0,0 @@ -Fall back to the library default for whether or not to prompt for a password- -change during authentication, if we weren't passed any options. RT#6681 - -diff -up krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte krb5-1.8/src/lib/krb5/krb/gic_pwd.c ---- krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte 2009-12-23 11:00:05.000000000 -0500 -+++ krb5-1.8/src/lib/krb5/krb/gic_pwd.c 2010-03-05 11:03:42.000000000 -0500 -@@ -123,6 +123,7 @@ krb5_get_init_creds_password(krb5_contex - int tries; - krb5_creds chpw_creds; - krb5_get_init_creds_opt *chpw_opts = NULL; -+ krb5_gic_opt_ext *opte = NULL; - krb5_data pw0, pw1; - char banner[1024], pw0array[1024], pw1array[1024]; - krb5_prompt prompt[2]; -@@ -218,7 +219,8 @@ krb5_get_init_creds_password(krb5_contex - * to prompt. Prompting is only disabled if the option has been set - * and the value has been set to false. - */ -- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) -+ krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL); -+ if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) - goto cleanup; - - /* ok, we have an expired password. Give the user a few chances -@@ -332,6 +334,8 @@ krb5_get_init_creds_password(krb5_contex - &use_master, &as_reply); - - cleanup: -+ if (opte != options) -+ krb5_get_init_creds_opt_free(context, opte); - krb5int_set_prompt_types(context, 0); - /* if getting the password was successful, then check to see if the - password is about to expire, and warn if so */ diff --git a/krb5-trunk-kpasswd_ipv6.patch b/krb5-trunk-kpasswd_ipv6.patch deleted file mode 100644 index 4923142..0000000 --- a/krb5-trunk-kpasswd_ipv6.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -Get the client libraries to correctly attempt password changes when using -IPv6. Sumit Bose, RT#6661 - -Index: src/lib/krb5/os/changepw.c -=================================================================== ---- src/lib/krb5/os/changepw.c (revision 23766) -+++ src/lib/krb5/os/changepw.c (revision 23767) -@@ -65,20 +65,23 @@ - int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM); - - code = krb5int_locate_server (context, realm, addrlist, -- locate_service_kpasswd, sockType, AF_INET); -+ locate_service_kpasswd, sockType, AF_UNSPEC); - - if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) { - code = krb5int_locate_server (context, realm, addrlist, - locate_service_kadmin, SOCK_STREAM, -- AF_INET); -+ AF_UNSPEC); - if (!code) { - /* Success with admin_server but now we need to change the - port number to use DEFAULT_KPASSWD_PORT and the socktype. */ - size_t i; - for (i=0; inaddrs; i++) { - struct addrinfo *a = addrlist->addrs[i].ai; -+ krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT); - if (a->ai_family == AF_INET) -- sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT); -+ sa2sin (a->ai_addr)->sin_port = kpasswd_port; -+ if (a->ai_family == AF_INET6) -+ sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port; - if (sockType != SOCK_STREAM) - a->ai_socktype = sockType; - } -@@ -131,10 +134,16 @@ - /* some brain-dead OS's don't return useful information from - * the getsockname call. Namely, windows and solaris. 
*/ - -- if (ss2sin(&local_addr)->sin_addr.s_addr != 0) { -+ if (local_addr.ss_family == AF_INET && -+ ss2sin(&local_addr)->sin_addr.s_addr != 0) { - local_kaddr.addrtype = ADDRTYPE_INET; - local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr); - local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr; -+ } else if (local_addr.ss_family == AF_INET6 && -+ ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) { -+ local_kaddr.addrtype = ADDRTYPE_INET6; -+ local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr); -+ local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr; - } else { - krb5_address **addrs; - -@@ -278,9 +287,19 @@ - break; - } - -- remote_kaddr.addrtype = ADDRTYPE_INET; -- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); -- remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; -+ if (remote_addr.ss_family == AF_INET) { -+ remote_kaddr.addrtype = ADDRTYPE_INET; -+ remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); -+ remote_kaddr.contents = -+ (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; -+ } else if (remote_addr.ss_family == AF_INET6) { -+ remote_kaddr.addrtype = ADDRTYPE_INET6; -+ remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr); -+ remote_kaddr.contents = -+ (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr; -+ } else { -+ break; -+ } - - if ((code = krb5_auth_con_setaddrs(callback_ctx.context, - callback_ctx.auth_context, diff --git a/krb5-trunk-tktlifetime.patch b/krb5-trunk-tktlifetime.patch deleted file mode 100644 index ce4d072..0000000 --- a/krb5-trunk-tktlifetime.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -The 'ticket_lifetime' option isn't documented. RT#6680 - -Index: doc/admin.texinfo -=================================================================== ---- doc/admin.texinfo (revision 23799) -+++ doc/admin.texinfo (working copy) -@@ -583,6 +583,11 @@ - fail if the client machine does not have a keytab. The default for the - flag is @value{DefaultVerifyApReqNofail}. - -+@itemx ticket_lifetime -+The value of this tag is the default lifetime for -+initial tickets. The default value for the tag is -+@value{DefaultTktLifetime}. -+ - @itemx renew_lifetime - The value of this tag is the default renewable lifetime for - initial tickets. The default value for the tag is -Index: src/config-files/krb5.conf.M -=================================================================== ---- src/config-files/krb5.conf.M (revision 23799) -+++ src/config-files/krb5.conf.M (working copy) -@@ -220,6 +220,10 @@ - fail if the client machine does not have a keytab. The default for the - flag is false. - -+.IP ticket_lifetime -+The value of this tag is the default lifetime for initial tickets. The -+default value for the tag is 1 day (1d). -+ - .IP renew_lifetime - The value of this tag is the default renewable lifetime for initial - tickets. The default value for the tag is 0. diff --git a/krb5.spec b/krb5.spec index 5f8a115..498f3ed 100644 --- a/krb5.spec +++ b/krb5.spec @@ -4,10 +4,10 @@ Summary: The Kerberos network authentication system Name: krb5 -Version: 1.8 -Release: 5%{?dist} +Version: 1.8.1 +Release: 1%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? -# http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar +# http://web.mit.edu/kerberos/dist/krb5/1.8/krb5-1.8.1-signed.tar Source0: krb5-%{version}.tar.gz Source1: krb5-%{version}.tar.gz.asc Source2: kpropd.init 
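Review bot: Nothing visible in this diff checks the new 1.8.1 tarball against its signature: this hunk keeps `Source1: krb5-%{version}.tar.gz.asc` next to `Source0`, but the `%prep` lines shown in the -184 hunk only apply patches, and the `sources` entries are bare 32-hex-digit digests. If the spec does not verify the signature somewhere outside these hunks, a step early in `%prep` such as `gpgv --keyring <KEYRING_PLACEHOLDER> %{SOURCE1} %{SOURCE0}` would tie the build to the upstream release key rather than to the lookaside digest alone. The rest of `%prep` is outside the diff, so this is a question to confirm rather than a confirmed gap.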
@@ -45,11 +45,6 @@ Patch61: krb5-1.8-manpaths.patch Patch63: krb5-1.8-selinux-label.patch Patch70: krb5-trunk-kpasswd_tcp2.patch Patch71: krb5-1.8-dirsrv-accountlock.patch -Patch95: krb5-1.8-opte.patch -Patch98: krb5-1.8-kpasswd_ccache.patch -Patch99: krb5-trunk-kpasswd_ipv6.patch -Patch100: krb5-trunk-tktlifetime.patch -Patch101: http://web.mit.edu/kerberos/advisories/2010-002-patch.txt License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -60,7 +55,7 @@ BuildRequires: autoconf, bison, flex, gawk BuildRequires: libcom_err-devel, libss-devel %endif BuildRequires: gzip, ncurses-devel, rsh, texinfo, texinfo-tex, tar -BuildRequires: tetex-latex +BuildRequires: texlive-latex BuildRequires: keyutils-libs-devel BuildRequires: libselinux-devel BuildRequires: pam-devel @@ -184,11 +179,6 @@ ln -s NOTICE LICENSE %patch59 -p1 -b .kpasswd_tcp #%patch70 -p0 -b .kpasswd_tcp2 %patch71 -p1 -b .dirsrv-accountlock -%patch95 -p1 -b .opte -%patch98 -p0 -b .kpasswd-ccache -%patch99 -p0 -b .kpasswd-ipv6 -%patch100 -p0 -b .tktlifetime -%patch101 -p0 -b .2010-002 gzip doc/*.ps sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex @@ -622,6 +612,12 @@ exit 0 %{_sbindir}/uuserver %changelog +* Fri Apr 9 2010 Nalin Dahyabhai 1.8.1-1 +- update to 1.8.1 + - no longer need patches for #555875, #561174, #563431, RT#6661, CVE-2010-0628 +- replace buildrequires on tetex-latex with one on texlive-latex, which is + the package that provides it now + * Thu Apr 8 2010 Nalin Dahyabhai - kdc.conf: no more need to suggest a v4 mode, or listening on the v4 port diff --git a/sources b/sources index e9b1063..bf372ac 100644 --- a/sources +++ b/sources 
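Review bot: The new `%changelog` entry in the -622 hunk does not let a reader match the dropped patches to their fixes: it cites #555875, #561174, #563431, RT#6661 and CVE-2010-0628, while the five removed `Patch95`–`Patch101` lines and their deleted files are identified by name and by RT#6681, RT#6683, RT#6661 and RT#6680. Because one of them is the 2010-002 advisory patch, an explicit list would make a later audit of the security fix straightforward, for example an extra line `  - dropped, now upstream: opte (RT#6681), kpasswd_ccache (RT#6683), kpasswd_ipv6 (RT#6661), tktlifetime (RT#6680), 2010-002-patch (CVE-2010-0628)`. Whether the 1.8.1 tarball actually contains each of these changes cannot be confirmed from this diff.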
@@ -1,3 +1,3 @@
-a3391a739009efa9734db720d34f4c07 krb5-1.8.tar.gz
-f923ec08f24df9e5a284be74895a6daa krb5-1.8.tar.gz.asc
-32f8238d4553c44ecdc41205c3cb0333 krb5-1.8-pdf.tar.gz
+275409c607933d81db69922e68bfab2d krb5-1.8.1.tar.gz
+787e4f86775bcfbb90ee8c6e7cb53fc9 krb5-1.8.1.tar.gz.asc
+afdfd2e81345e6cd978dd37d76c3b0a2 krb5-1.8.1-pdf.tar.gz