From e438a6ddbdc37459cee6fedaa2e6cf3a15cb0e8b Mon Sep 17 00:00:00 2001 From: cvsdist Date: Thu, 9 Sep 2004 07:11:54 +0000 Subject: [PATCH] auto-import krb5-1.2.4-11 from krb5-1.2.4-11.src.rpm --- .cvsignore | 1 + krb5-1.2.7-reject-bad-transited.patch | 18 +++++++++ krb5.spec | 58 ++++++++++++++++++++++++++- sources | 1 + 4 files changed, 76 insertions(+), 2 deletions(-) create mode 100644 krb5-1.2.7-reject-bad-transited.patch diff --git a/.cvsignore b/.cvsignore index d1d3343..0c0dfa0 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1,2 @@ +2003-004-krb4_patchkit.tar.gz krb5-1.2.4.tar.gz diff --git a/krb5-1.2.7-reject-bad-transited.patch b/krb5-1.2.7-reject-bad-transited.patch new file mode 100644 index 0000000..b4c26b0 --- /dev/null +++ b/krb5-1.2.7-reject-bad-transited.patch @@ -0,0 +1,18 @@ +--- krb5-1.2.7/src/config-files/kdc.conf.M 2003-02-04 13:04:21.000000000 -0500 ++++ krb5-1.2.7/src/config-files/kdc.conf.M 2003-02-04 13:04:11.000000000 -0500 +@@ -138,6 +138,15 @@ + strings specifies the default key/salt combinations of principals for this + realm. + ++.IP reject_bad_transit ++This ++.B boolean string ++specifies whether or not the KDC should reject cross-realm TGS requests if the ++request's list of transited realms names realms which would not be included ++in the transit path if the path were to be computed using the KDC's krb5.conf ++file, or if the client requests that the KDC not perform such a check. The ++default is for this option to be enabled. ++ + .SH FILES + /usr/local/lib/krb5kdc/kdc.conf + diff --git a/krb5.spec b/krb5.spec index 33ff9f8..3da098a 100644 --- a/krb5.spec +++ b/krb5.spec @@ -4,7 +4,7 @@ Summary: The Kerberos network authentication system. Name: krb5 Version: 1.2.4 -Release: 4 +Release: 11 Source0: krb5-%{version}.tar.gz Source1: kpropd.init Source2: krb524d.init @@ -24,6 +24,8 @@ Source15: kshell.xinetd Source16: krb5-telnet.xinetd Source17: gssftp.xinetd Source19: statglue.c +Source20: http://web.mit.edu/kerberos/www/advisories/2003-004-krb4_patchkit.tar.gz +Source21: http://web.mit.edu/kerberos/www/advisories/2003-004-krb4_patchkit.sig Patch0: krb5-1.1-db.patch Patch1: krb5-1.1.1-tiocgltc.patch Patch2: krb5-1.1.1-libpty.patch @@ -52,6 +54,14 @@ Patch25: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.tx Patch26: gssftp-patch Patch27: krb5-1.2.6-dnsparse.patch Patch28: krb5-1.2.7-errno.patch +Patch29: krb5-SA-2003-001-1.patch +Patch30: krb5-SA-2003-001-4.patch +Patch32: krb5-1.2.7-reject-bad-transited.patch +Patch33: krb5-crawford.patch +Patch34: krb5-1.2.4-princ_size.patch +Patch35: krb5-1.2.7-underrun.patch +Patch36: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-003-xdr.txt +Patch37: krb5-1.2.2-krb524-double-free.patch License: MIT, freely distributable. URL: http://web.mit.edu/kerberos/www/ Group: System Environment/Libraries @@ -113,6 +123,38 @@ network uses Kerberos, this package should be installed on every workstation. %changelog +* Fri Mar 21 2003 Nalin Dahyabhai 1.2.4-11 +- fix double-free of enc_part2 in krb524d +- update to latest patch kit for MITKRB5-SA-2003-004 + +* Wed Mar 19 2003 Nalin Dahyabhai 1.2.4-10 +- add patch included in MITKRB5-SA-2003-003 (CAN-2003-0028) + +* Mon Mar 17 2003 Nalin Dahyabhai 1.2.4-9 +- add patches from patchkit from MITKRB5-SA-2003-004 (CAN-2003-0138 and + CAN-2003-0139) + +* Thu Mar 6 2003 Nalin Dahyabhai 1.2.4-8 +- fix buffer underrun in unparsing certain principals (CAN-2003-0082) + +* Wed Feb 26 2003 Nalin Dahyabhai 1.2.4-7 +- add patch to fix server-side crashes when principals have no + components (CAN-2003-0072) + +* Mon Feb 24 2003 Nalin Dahyabhai 1.2.4-6 +- add patch from Matt Crawford for encoding transited realms properly + +* Wed Feb 5 2003 Nalin Dahyabhai 1.2.4-5 +- sync compiler flags for configure and make with other versions + +* Tue Feb 4 2003 Nalin Dahyabhai +- add patch to document the reject-bad-transited option in kdc.conf + +* Thu Jan 30 2003 Nalin Dahyabhai +- add candidate backport for MITKRB5-SA-2003-001 parts 1,4 +- add candidate backports for CAN-2002-0036, CAN-2002-059 + (CAN-2002-058 was fixed in 1.2.3, CAN-2002-060 was fixed in 1.1.1-7 or so) + * Thu Jan 23 2003 Nalin Dahyabhai 1.2.4-4 - add patch from Mark Cox for exploitable bugs in ftp client - add patch to avoid buffer read overruns when configuring via DNS @@ -469,7 +511,7 @@ workstation. - added --force to makeinfo commands to skip errors during build %prep -%setup -q +%setup -q -a 20 %patch0 -p0 -b .db %patch1 -p0 -b .tciogltc %patch2 -p0 -b .libpty @@ -504,6 +546,18 @@ popd %patch26 -p1 -b .gssftp-patch %patch27 -p1 -b .dnsparse %patch28 -p1 -b .errno +%patch29 -p1 -b .krb5-SA-2003-001-1 +%patch30 -p1 -b .krb5-SA-2003-001-4 +%patch32 -p1 -b .reject-bad-transited +%patch33 -p1 -b .crawford +%patch34 -p1 -b .princ_size +%patch35 -p1 -b .underrun +patch -sp0 -b -z .2003-004-krb4 < 2003-004-krb4_patchkit/patch.1.2.0 +pushd src/lib/rpc +%patch36 -p0 -b .2003-003 +popd +%patch37 -p1 -b .double-free + %if %{statglue} cp $RPM_SOURCE_DIR/statglue.c src/util/profile/statglue.c %endif diff --git a/sources b/sources index eb2a426..d511114 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ +88d770f2de2c1bd842b511f47002a807 2003-004-krb4_patchkit.tar.gz 663add9b5942be74a86fa860a3fa4167 krb5-1.2.4.tar.gz