- New upstream version (1.21.3)
- CVE-2024-37370 CVE-2024-37371
Fix vulnerabilities in GSS message token handling
Resolves: RHEL-45387 RHEL-45378
- Fix memory leak in GSSAPI interface
Resolves: RHEL-47284
- Fix memory leak in PMAP RPC interface
Resolves: RHEL-47287
- Fix memory leak in failing UTF-8 to UTF-16 re-encoding for PAC
Resolves: RHEL-47285
- Make TCP waiting time configurable
Resolves: RHEL-47278
- Do not include files with "~" termination in krb5-tests
Resolves: RHEL-45995
Signed-off-by: Julien Rische <jrische@redhat.com>
- Add missing SPDX license identifiers
Resolves: RHEL-44383
Some MIT krb5 licenses where not registered by the SPDX project. They
were recently added to the official list. The SPDX expression is
complete at this point.
Signed-off-by: Julien Rische <jrische@redhat.com>
By default, dnf5 does not download the filelists repository metadata
required to resolve file dependencies outside of /usr/(s)bin or /etc.
This causes the krb5-server file to become uninstallable.
$ dnf5 install krb5-server
Repositories loaded.
Failed to resolve the transaction:
Problem: conflicting requests
- nothing provides /usr/share/dict/words needed by krb5-server-1.21-1.fc39.x86_64
This change aligns with the Fedora packaging guidelines, as stated here:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_file_and_directory_dependencies
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2216903
Do not disable PKINIT if some of the well-known DH groups are unavailable
Resolves: rhbz#2214297
Make PKINIT CMS SHA-1 signature verification available in FIPS mode
Resolves: rhbz#2214300
Allow to set PAC ticket signature as optional
Resolves: rhbz#2181311
Add support for MS-PAC extended KDC signature (CVE-2022-37967)
Resolves: rhbz#2166001
Fix syntax error in aclocal.m4
Resolves: rhbz#2143306
Signed-off-by: Julien Rische <jrische@redhat.com>
Bypass OpenSSL's restrictions to use KRB5KDF in FIPS mode in case at
least one of AES SHA-1 HMAC encryption types are used.
Use OpenSSL 3.0 library context to access MD4 and MD5 lazily from
legacy provider if RADIUS is being used or RC4 encryption type is
enabled, without affecting global context.
Such exceptions should not be allowed by the default FIPS crypto
policy.
Signed-off-by: Julien Rische <jrische@redhat.com>
Also set "supportedCMSTypes" to SHA-512/256 with RSA encryption
Resolves: rhbz#2124463
Resolves: rhbz#2114766
Signed-off-by: Julien Rische <jrische@redhat.com>
There is at least one case (with flatpaks) where configuration files
in the special read-only /etc all have an mtime of 0. Using an
initial last modified time of 0 in g_initialize.c causes these files
to never be read.
Change the initial high value to the be the "invalid" value
(time_t)-1. Since the C and POSIX standards do not require time_t to
be signed, special-case the checks in load_if_changed() and
updateMechList() to treat all mod times as newer than -1.
Signed-off-by: Julien Rische <jrische@redhat.com>
libkrad allows to establish connections only to UNIX socket in FIPS
mode, because MD5 digest is not considered safe enough to be used for
network communication. However, FreeRadius requires connection on TCP or
UDP ports.
This commit allows TCP or UDP connections in FIPS mode if destination is
localhost.
Resolves: rhbz#2082189
Signed-off-by: Julien Rische <jrische@redhat.com>
change_set_password() was changed to prefer TCP. However, because
UDP_LAST falls back to UDP after one second, we can still get a replay
error due to a dropped packet, before the TCP layer has a chance to
retry.
Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
TCP fails completely without reaching a server. In sendto_kdc.c,
implement an ONLY_UDP transport strategy to allow the UDP fallback.
Resolves: rhbz#2076965
Signed-off-by: Julien Rische <jrische@redhat.com>