Nalin Dahyabhai
909ac318c3
Use %%{?_isa} when hard-coding deps on krb5-libs
- specify dependencies on the same arch of krb5-libs by using the %%{?_isa}
suffix, to avoid dragging 32-bit libraries onto 64-bit systems (#980155)
2013-07-01 11:48:17 -04:00
Nalin Dahyabhai
d00d276a47
Bring back "Back out the krb5-1.11-run_user_0.patch"
This reverts commit 8a5a8d492c.
Special-case /run/user/0, attempting to create it when resolving a
directory cache below it fails due to ENOENT and we find that it doesn't
already exist, either, before attempting to create the directory cache
(maybe helping, maybe just making things more confusing for #961235).
2013-06-13 13:23:54 -04:00
Nalin Dahyabhai
7b66f600ef
update to 1.11.3
- update to 1.11.3
- drop patch for RT#7605, fixed in this release
- drop patch for CVE-2002-2443, fixed in this release
- drop patch for RT#7369, fixed in this release
- pull upstream fix for breaking t_skew.py by adding the patch for #961221
2013-06-04 11:13:25 -04:00
Nalin Dahyabhai
ff0ee94342
Respin with updated version of patch for RT#7650
Respin with updated version of patch for RT#7650, and don't forget to
keep track of the bug ID (#969331).
2013-05-31 14:29:57 -04:00
Nalin Dahyabhai
8a5a8d492c
Back out the krb5-1.11-run_user_0.patch
It's not a complete fix, and it may only muddy things further on systems
that are having the kind of trouble it's trying to avoid, so hold off.
For now, at least.
2013-05-30 15:10:35 -04:00
Nalin Dahyabhai
202006a85f
Pull a fix for kinit going on an only-masters path
- pull in proposed fix for attempts to get initial creds, which end up
following referrals, incorrectly trying to always use master KDCs if
they talked to a master at any point (should fix RT#7650)
2013-05-30 12:32:10 -04:00
Nalin Dahyabhai
dc293b3d84
Add a hackish attempt at a workaround for #961235
Add a patch to create /run/user/0 if we're trying to resolve a
DIR: ccache somewhere below it and neither the target location
nor /run/user/0 exist yet.
The better workaround is to set the location's owner to "linger"
via logind, since even after we do what we're doing here, if
the user logs in and logs back out, our location is still removed.
2013-05-30 12:26:42 -04:00
Nalin Dahyabhai
559c78a30a
Label DIR: ccache directories when we create them
- don't forget to set the SELinux label when creating the directory for
a DIR: ccache
2013-05-30 09:18:15 -04:00
Nalin Dahyabhai
11a4bca1fa
Turn off some tests that master stopped doing
- pull in patches from master to not test GSSRPC-over-UDP and to not
depend on the portmapper, which are areas where our build systems
often give us trouble, too
2013-05-30 08:53:30 -04:00
Nalin Dahyabhai
bafcf02fa5
Actually bump the release number
2013-05-28 18:18:55 -04:00
Nalin Dahyabhai
e98d94d2bc
Add proposed fix for handling AS client clock skew
In addition to basing the contents of an encrypted-timestamp preauth
data item on the server's idea of the current time, go ahead and do the
same for the times in the request.
2013-05-28 18:18:23 -04:00
Nalin Dahyabhai
827a48f7cc
Fix handling of empty passwords in get-init-creds
2013-05-28 17:21:45 -04:00
Nalin Dahyabhai
2fdc61e398
Fix transited realm checks in GSSAPI servers
- backport fix for not being able to verify the list of transited realms
in GSS acceptors (RT#7639, #959685)
2013-05-28 17:16:52 -04:00
Nalin Dahyabhai
325dca9ce4
Note the corresponding EL6 bug ID for reference
2013-05-28 17:13:23 -04:00
Nalin Dahyabhai
ee36e9e6b4
fix to make some use of DIR::... KRB5CCNAME values
- pull in upstream fix to start treating a KRB5CCNAME value that begins
with DIR:: the same as it would a DIR: value with just one ccache file
in it (RT#7172, #965574)
2013-05-21 13:51:51 -04:00
Nalin Dahyabhai
fbd06d348b
pull up fix for kpasswd service ping-pong attack
- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443,
#962531,#962534)
2013-05-13 18:32:51 -04:00
Nathaniel McCallum
c0d2f3b96d
Update otp patch; add keycheck patch
2013-05-03 17:04:40 -04:00
Nalin Dahyabhai
fcc98d5403
make the default ccname change affect f19, too
- pull the changing of the compiled-in default ccache location to
DIR:/run/user/%%{uid}/krb5cc back into F19, in line with SSSD and
the most recent pam_krb5 build
2013-04-23 17:39:34 -04:00
Nalin Dahyabhai
d54b8d87c6
correct some configuration file paths
Correct some configuration file paths which the KDC_DIR patch
inadvertently changed.
2013-04-17 10:42:46 -04:00
Nalin Dahyabhai
3ba00c4edc
keep track of the message type of FAST requests
- pull in fix for keeping track of the message type when parsing FAST requests
in the KDC (RT#7605, #951843)
2013-04-15 11:06:55 -04:00
Nalin Dahyabhai
61043181c7
update to 1.11.2
- update to 1.11.2
- drop pulled in patch for RT#7586, included in this release
- drop pulled in patch for RT#7592, included in this release
2013-04-15 11:06:15 -04:00
Nalin Dahyabhai
fd7717242f
set DEFCCNAME to DIR:/run/user/%{uid}/krb5cc
- move the compiled-in default ccache location from the previous default of
FILE:/tmp/krb5cc_%{uid} to DIR:/run/user/%{uid}/krb5cc (part of #949588)
2013-04-12 09:24:16 -04:00
Nathaniel McCallum
8d291c8c0a
Update otp plugin backport patches
2013-04-09 14:06:33 -04:00
Nalin Dahyabhai
ffcebd6c2b
trying to get more of the tests to run on builders
- when testing the RPC library, treat denials from the local portmapper the
same as a portmapper-not-running situation, to allow other library tests
to be run while building the package
2013-04-03 17:23:58 -04:00
Nalin Dahyabhai
46d5c735d6
add RT number for most recent patch
2013-04-01 10:23:20 -04:00
Nalin Dahyabhai
7b92138ee8
teach gss_acquire_cred_from() about "client_keytab"
- pull in Simo's patch to recognize "client_keytab" as a key type which can
be passed in to gss_acquire_cred_from()
2013-03-28 16:13:41 -04:00
Nalin Dahyabhai
30e39857ae
package the right client keytab directory
- create and own /var/kerberos/krb5/user instead of /var/kerberos/kdc/user,
since that's what the libraries actually look for
- add buildrequires on nss-myhostname, in an attempt to get more of the tests
to run properly during builds
2013-03-28 16:12:30 -04:00
Nalin Dahyabhai
e7b662f81f
pull in arm 64 (aarch64) build tweaks
- go back to using reconf to run autoconf and autoheader (part of #925640)
- add temporary patch to use newer config.guess/config.sub (more of #925640)
2013-03-26 16:48:29 -04:00
Nalin Dahyabhai
9d52c1d370
specify backup suffixes, like we do
2013-03-26 16:34:37 -04:00
Nalin Dahyabhai
c761eb0da7
pull up patch to mark imported gss contexts right
- pull up Simo's patch to mark the correct mechanism on imported GSSAPI
contexts (RT#7592)
2013-03-26 16:32:29 -04:00
Nalin Dahyabhai
557835fdb3
tweak buildrequires conditionals for el7 builds
- fix a version comparison to expect newer texlive build requirements when
%%{_rhel} > 6 rather than when it's > 7
2013-03-18 10:28:51 -04:00
Nathaniel McCallum
0efba32c47
first round of the otp plugin
2013-03-11 16:26:50 -04:00
Nalin Dahyabhai
6fdbb463fc
fix a memory leak when obtaining creds via keytabs
- fix a memory leak when acquiring credentials using a keytab (RT#7586, #911110)
2013-02-28 16:37:33 -05:00
Nalin Dahyabhai
abff2e5117
escape uses of macros in comments (more of 884065)
escape uses of macros in comments (more of #884065)
2013-02-27 18:16:30 -05:00
Nalin Dahyabhai
a47a2acb30
drop the kerberos-iv portreserve file
drop the kerberos-iv portreserve file (long overdue), and drop the rest
on systemd systems, since we don't currently poke portreserve when we're
starting a service
2013-02-27 18:15:26 -05:00
Nalin Dahyabhai
460c5ab8b7
prebuild PDF docs to reduce multilib differences
prebuild PDF docs to reduce multilib differences (internal tooling, #884065)
2013-02-27 14:59:35 -05:00
Nalin Dahyabhai
0c2dcfe3ef
update to 1.11.1
update to 1.11.1
- drop patch for noticing negative timeouts being passed to the poll()
wrapper in the client transmit functions
2013-02-25 12:44:43 -05:00
Nalin Dahyabhai
977a60b72c
set "rdns = false" in the default krb5.conf
set "rdns = false" in the default krb5.conf (#908323)
2013-02-08 10:29:14 -05:00
Nalin Dahyabhai
0597014fa8
update to 1.11 release
- update to the 1.11 final release
- drop the rawbuild tag from a couple of patches which we don't actually
need to apply to get things to compile the way the package expects
2012-12-18 10:37:36 -05:00
Nalin Dahyabhai
9e98fec59e
update to 1.11 beta 2
2012-12-13 10:57:00 -05:00
Nalin Dahyabhai
38b95e7b3e
move a non-system libverto to the -libs subpackage
- when building with our bundled copy of libverto, package it in with -libs
rather than with -server (#886049)
2012-12-13 10:27:19 -05:00
Nalin Dahyabhai
78b3a524da
update to 1.11 beta 1
2012-11-21 15:56:57 -05:00
Nalin Dahyabhai
282fb3c1e0
packaging tweaks
- handle releases where texlive packaging wasn't yet as complicated as it
is in Fedora 18
- fix an uninitialized-variable error building one of the test programs
2012-11-16 17:19:59 -05:00
Nalin Dahyabhai
8cf49572ea
more tweaks to try to get doc building working
2012-11-16 15:58:51 -05:00
Nalin Dahyabhai
d97833d1ef
just drop package-level deps on tex altogether
2012-11-16 14:56:42 -05:00
Nalin Dahyabhai
b1e19fe613
sure, okay.
2012-11-16 14:51:53 -05:00
Nalin Dahyabhai
5816919080
require pdflatex and makeindex
2012-11-16 14:36:59 -05:00
Nalin Dahyabhai
d8fb585c09
don't dummy up required stylesheets, require them
2012-11-16 13:35:21 -05:00
Nalin Dahyabhai
9f497eac9f
also note the multilib impact in the docs
2012-11-16 13:14:55 -05:00
Nalin Dahyabhai
7404a3c685
more packaging fixups
- move the rather large pile of html and pdf docs to -workstation, so
that just having something that links to the libraries won't drag
them onto a system
- actually create %%{_var}/kerberos/kdc/user, so that it can be packaged
- correct the list of packaged man pages
2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
777f196e39
drop patches to fixup paths in man pages
2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
d0f6217945
own /var/kerberos/kdc/user
2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
18bdbb99e3
drop the only-weak-keys checker
2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
0efe966105
update heed-nsaccountlock patch
We lost explicit support for eDirectory per se, so just add a toggle to
enable heeding the one native attribute that 389 adds to the mix.
2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
8a943cb6b5
update selinux labeling patch
2012-11-16 13:01:55 -05:00
Nalin Dahyabhai
423d0d2f67
update the paths-in-man-pages patch
2012-11-15 18:03:30 -05:00
Nalin Dahyabhai
34c8bac7e3
drop backported fix for clock skew errors
- drop backported fix for avoiding spurious clock skew when a TGT is
decrypted long after the KDC sent it to the client which decrypts it
2012-11-15 15:23:18 -05:00
Nalin Dahyabhai
e5f60e0625
drop backports of patch for keytab-based kinit
- drop backported patches to make keytab-based authentication attempts
work better when the client tells the KDC that it supports a particular
cipher, but doesn't have a key for it in the keytab
2012-11-15 15:21:19 -05:00
Nalin Dahyabhai
b47c708afc
drop backported PKINIT fix: directly-trusted KDCs
- drop backported fix for teaching PKINIT clients which trust the KDC's
certificate directly to verify signed-data messages that are signed with
the KDC's certificate, when the blobs don't include a copy of the KDC's
certificate
2012-11-15 15:19:00 -05:00
Nalin Dahyabhai
f1f0baeb82
drop backported patch for disabling replay caches
- drop backported fix for disabling use of a replay cache when verifying
initial credentials
2012-11-15 15:18:12 -05:00
Nalin Dahyabhai
e4244fc907
drop backported build patch
2012-11-15 15:15:47 -05:00
Nalin Dahyabhai
d86f9ffaaf
the new docs system generates PDFs, so we can stop
2012-11-15 15:14:28 -05:00
Nalin Dahyabhai
03522e1559
drop backported patches for RT #7406,#7407,#7408
- drop backported patch for RT #7406
- drop backported patch for RT #7407
- drop backported patch for RT #7408
2012-11-15 15:04:38 -05:00
Nalin Dahyabhai
6baa28a80d
start moving to 1.11
2012-11-15 15:03:00 -05:00
Nalin Dahyabhai
c7b12ecdfa
tag a couple more patches for %%{?_rawbuild}
- tag a couple of other patches which we still need to be applied during
%%{?_rawbuild} builds (zmraz)
2012-10-17 17:36:50 -04:00
Nalin Dahyabhai
51b608140a
- actually pull up the patch for RT#7063, and not some other ticket (#773496)
2012-09-25 02:02:35 -04:00
Nalin Dahyabhai
3e1f3982d4
revise Filip's patch so that it more closely mimics the select() path
2012-09-10 18:47:48 -04:00
Nalin Dahyabhai
a4ad97ae22
abort the current transmit attempt if our timeout is negative
- add patch from Filip Krska to abort a transmit attempt when we've given
poll() a negative timeout (#838548)
2012-09-10 16:30:11 -04:00
Nalin Dahyabhai
4c51c8bc7e
more backported fixes for keytab-doesn't-have-all-key-types cases
- add a backport of more patches to set the client's list of supported enctypes
when using a keytab to be the list of types of keys in the keytab, plus the
list of other types the client supports but for which it doesn't have keys,
in that order, so that KDCs have a better chance of being able to issue
tickets with session keys of types that the client can use (#837855)
2012-09-07 16:10:45 -04:00
Nalin Dahyabhai
e39bc82589
pull up patch for RT#7063 - KDC/client time skew
- pull up patch for RT#7063, in which not noticing a prompt for a long
time throws the client library's idea of the time difference between it
and the KDC really far out of whack (#773496)
2012-09-07 14:05:10 -04:00
Nalin Dahyabhai
9a4c3f763b
conflict with broken libsmbclient builds on EL6, so that we don't break them
- on EL6, conflict with libsmbclient before 3.5.10-124, which is when it
stopped linking with a symbol which we no longer export (#771687)
2012-09-07 12:50:09 -04:00
Nalin Dahyabhai
cf693a2998
cut out an extraneous label configuration reload
- cut down the number of times we load SELinux labeling configuration from
a minimum of two times to actually one (more of #845125)
2012-09-06 18:42:40 -04:00
Nalin Dahyabhai
7f06579f48
backport patch from RT#7229
- backport patch to disable replay detection in krb5_verify_init_creds()
while reading the AP-REQ that's generated in the same function (RT#7229)
2012-08-30 14:22:23 -04:00
Nalin Dahyabhai
ec0380bcae
merge and conditionalize some EL6isms
- undo rename from krb5-pkinit-openssl to krb5-pkinit on EL6
- version the Obsoletes: on the krb5-pkinit-openssl to krb5-pkinit rename
- reintroduce the init scripts for non-systemd releases
- forward-port %%{_?rawbuild} annotations from EL6 packaging
2012-08-30 14:06:23 -04:00
Nalin Dahyabhai
81ca63cffc
- update to 1.10.3, rolling in MITKRB5-SA-2012-001
2012-08-09 11:11:24 -04:00
Nalin Dahyabhai
5d6308abab
cache the selabel context between uses (dwalsh)
- selinux: hang on to the list of selinux contexts, freeing and reloading
it only when the file we read it from is modified, freeing it when the
shared library is being unloaded (#845125)
2012-08-02 18:50:32 -04:00
Nalin Dahyabhai
38e22af414
undo file-move fixes on Fedora 17
- go back to not messing with library file paths on Fedora 17: it breaks
file path dependencies in other packages, and since Fedora 17 is already
released, breaking that is our fault
2012-08-02 11:15:21 -04:00
Nalin Dahyabhai
899e166076
update bug numbers for this update
2012-07-31 14:34:09 -04:00
Nalin Dahyabhai
718a1573e1
fixes for MITKRB5-SA-2012-001 and .so symlinks
- add upstream patch to fix freeing an uninitialized pointer and dereferencing
another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014
and CVE-2012-1015, #838012)
- fix a thinko in whether or not we mess around with devel .so symlinks on
systems without a separate /usr (sbose)
2012-07-31 14:14:12 -04:00
Dennis Gilmore
a020fb0304
Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
2012-07-27 00:46:48 -05:00
Nalin Dahyabhai
f60e9ef28c
backport RT#7183
- backport a fix to allow a PKINIT client to handle SignedData from a KDC
that's signed with a certificate that isn't in the SignedData, but which
is available as an anchor or intermediate on the client (RT#7183)
2012-06-22 14:07:46 -04:00
Nalin Dahyabhai
16a5c7affc
back out the recent labeling change, per dwalsh
- back out this labeling change (dwalsh):
- when building the new label for a file we're about to create, also mix
in the current range, in addition to the current user
2012-06-05 16:24:15 -04:00
Nalin Dahyabhai
6e8c2c396c
add explicit buildrequires: on 'hostname' and 'net-tools'
- add explicit buildrequires: on 'hostname', for the tests, on systems where
it's in its own package, and require net-tools, which used to provide the
command, everywhere
2012-06-01 16:31:50 -04:00
Nalin Dahyabhai
f06298144d
no-separate-/usr means we don't have to move shlibs
- don't shuffle around any shared libraries on releases with
no-separate-/usr, since /lib and /usr/lib are the same anyway
2012-06-01 15:41:01 -04:00
Nalin Dahyabhai
037ab925da
backport a fix for keytabs which don't have keys for all enctypes
- add a backport of Stef's patch to set the client's list of supported
enctypes to match the types of keys that we have when we are using a
keytab to try to get initial credentials, so that a KDC won't send us
an AS reply that we can't encrypt (RT#2131, #748528)
2012-06-01 15:24:41 -04:00
Nalin Dahyabhai
b8b71859bb
update to 1.10.2
- when building the new label for a file we're about to create, also mix
in the current range, in addition to the current user
- also package the PDF format admin, user, and install guides
- drop some PDFs that no longer get built right
2012-06-01 14:05:55 -04:00
Nalin Dahyabhai
cd92a2cbb4
- skip the setfscreatecon() if fopen() is passed "rb" as the open mode (part of #819115)
2012-05-07 17:28:51 -04:00
Nalin Dahyabhai
2057747130
- have -server require /usr/share/dict/words, which we set as the default dict_file in kdc.conf (#817089)
2012-05-01 11:44:13 -04:00
Nalin Dahyabhai
f2a7c1df57
- comment out example.com examples in default krb5.conf (Stef Walter, #805320)
2012-03-20 18:21:01 -04:00
Nalin Dahyabhai
f8503cf35b
- changelog that last change
2012-03-20 18:20:08 -04:00
Nalin Dahyabhai
70240d81c8
- update to 1.10.1
- drop the KDC crash fix
- drop the KDC lookaside cache fix
- drop the fix for kadmind RPC ACLs (CVE-2012-1012)
2012-03-09 18:37:47 -05:00
Nalin Dahyabhai
4093154587
- when removing -workstation, remove our files from the info index while the file is still there, in %%preun, rather than %%postun, and use the compressed file's name (#801035)
2012-03-07 12:04:24 -05:00
Nathaniel McCallum
b44189a932
Fix string RPC ACLs (RT#7093); CVE-2012-1012
2012-02-21 15:40:50 -05:00
Nathaniel McCallum
1b8eb90a4f
add upstream lookaside cache fix RT#7082
2012-01-31 13:42:23 -05:00
Nalin Dahyabhai
9e5f5995cd
- add patch to accept keytab entries with vno==0 as matches when we're searching for an entry with a specific name/kvno (#230382/#782211,RT#3349)
2012-01-30 19:49:10 -05:00
Nalin Dahyabhai
6ac0d24fa5
- note the RT number
2012-01-30 12:51:02 -05:00
Nalin Dahyabhai
fbe4130509
- update to 1.10 final
2012-01-30 10:28:53 -05:00
Nathaniel McCallum
767944b7d8
fix release number
2012-01-26 12:17:35 -05:00
Nathaniel McCallum
a134a66915
add upstream crashfix patch
2012-01-26 11:58:18 -05:00
Nalin Dahyabhai
a04da4baa4
- note the RT number
2012-01-23 18:21:02 -05:00
Nalin Dahyabhai
cf65017ae3
- update to beta 1
2012-01-12 18:47:18 -05:00
Nalin Dahyabhai
3e2b8913b0
- add missing changelog item
2012-01-12 16:11:04 -05:00
Peter Robinson
c5fead3d7e
mktemp was long obsoleted by coreutils
2012-01-11 10:36:49 +00:00
Nalin Dahyabhai
620baf13cd
- modify the deltat grammar to also tell gcc (4.7) to suppress "maybe-uninitialized" warnings in addition to the "uninitialized" warnings it's already being told to suppress
2012-01-04 13:52:34 -05:00
Nalin Dahyabhai
2496d7a5c9
- update to alpha 2
- drop a couple of patches which were integrated for alpha 2
2011-12-20 13:18:27 -05:00
Nalin Dahyabhai
f28b57af20
- pull in patch for RT#7048: allow PAC verification to only bother trying to
verify the signature with keys that it's given (still more of #761317)
2011-12-13 10:50:02 -05:00
Nalin Dahyabhai
6d68d342c9
- pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached
(more of #761317)
2011-12-13 10:48:28 -05:00
Nalin Dahyabhai
fb7c02faff
- pull in patch for RT#7046: tag a ccache containing credentials obtained via
S4U2Proxy with the principal name of the proxying principal (part of #761317)
2011-12-13 10:47:31 -05:00
Nalin Dahyabhai
03e76d7832
- apply upstream patch to fix a null pointer dereference when processing TGS requests (CVE-2011-1530, #753748)
2011-12-06 14:12:15 -05:00
Nalin Dahyabhai
4584a88e40
correct the release to match the changelog
2011-11-30 15:13:54 -05:00
Nalin Dahyabhai
635a422817
- correct a bug in the fix for #754001 so that the file creation context is consistently reset
2011-11-30 15:03:45 -05:00
Nalin Dahyabhai
a45a82724d
- require libverto-module-base at build- and runtime so that tests which
use verto can work properly
2011-11-15 13:32:43 -05:00
Nalin Dahyabhai
1110ccd873
- bump to 1.10 alpha 1
2011-11-15 12:45:44 -05:00
Dennis Gilmore
39cc62dcc1
- Rebuilt for glibc bug#747377
2011-10-26 19:09:40 -05:00
Nalin Dahyabhai
af8b546790
- apply upstream patch to fix a null pointer dereference with the LDAP kdb backend (CVE-2011-1527, #744125), an assertion failure with multiple kdb backends (CVE-2011-1528), and a null pointer dereference with multiple kdb backends (CVE-2011-1529) (#737711)
2011-10-18 14:28:08 -04:00
Nalin Dahyabhai
73b7dd3ece
- pull in patch from trunk to rename krb5int_pac_sign() to krb5_pac_sign() and
make it public (#745533)
2011-10-13 15:31:36 -04:00
Nalin Dahyabhai
28837545d5
- handle a harder-to-trigger assertion failure that starts cropping up when we
exit the transmit loop on time (#739853)
2011-10-07 16:29:28 -04:00
Nalin Dahyabhai
098a308f7e
- kadmin.service: fix #723723 again
- kadmin.service,krb5kdc.service: remove optional use of $KRB5REALM in command
lines, because systemd parsing doesn't handle alternate value shell variable
syntax
- kprop.service: add missing Type=forking so that systemd doesn't assume simple
- kprop.service: expect the ACL configuration to be there, not absent
2011-10-07 15:10:35 -04:00
Tom "spot" Callaway
e645180a9a
hardcode pid file path as option to krb5kdc.service
2011-10-02 15:05:51 +02:00
Tom "spot" Callaway
3545dd2571
fix typo
2011-09-30 12:20:58 +02:00
Tom "spot" Callaway
82129e3a0d
convert to systemd
2011-09-19 14:45:57 -04:00
Nalin Dahyabhai
207fa55d00
- pull in upstream patch for RT#6952, confusion following referrals for cross-realm auth (#734341)
2011-09-06 00:19:38 -04:00
Nalin Dahyabhai
a26dd7c42c
- switch to the upstream patch for #727829
2011-09-01 09:29:29 -04:00
Nalin Dahyabhai
57d5eabb48
- bump the release number
2011-08-31 13:33:23 -04:00
Nalin Dahyabhai
db0e796a50
- handle an assertion failure that starts cropping up when the patch for using poll (#701446) meets servers that aren't running KDCs or against which the connection fails for other reasons (#727829, #734172)
2011-08-31 13:31:58 -04:00
Nalin Dahyabhai
0ad36e9c38
- override the default build rules to not delete temporary y.tab.c files,
so that they can be packaged, allowing debuginfo files which point to them
do so usefully (#729044)
2011-08-08 18:39:55 -04:00
Nalin Dahyabhai
ad0dcf5042
- pull in a patch to fix losing track of the replay cache FD, from SVN by way of Kevin Coffman
2011-07-22 16:57:35 -04:00
Nalin Dahyabhai
2202e378de
- build shared libraries with partial RELRO support (#723995)
- filter out potentially multiple instances of -Wl,-z,relro from krb5-config
output, now that it's in the buildroot's default LDFLAGS
2011-07-22 16:29:06 -04:00
Nalin Dahyabhai
a0e423054a
- kadmind.init: drop the attempt to detect no-database-present errors (#723723)
2011-07-20 17:58:20 -04:00
Nalin Dahyabhai
4e66f1237b
- backport RT#6905: use poll() so that we can use higher descriptor numbers when the client is talking to a KDC
2011-07-19 14:54:29 -04:00
Nalin Dahyabhai
ba9d039a3a
- have a bug number for this now
2011-06-28 14:08:13 -04:00
Nalin Dahyabhai
da69bf39fa
- pull a fix from SVN to use AI_ADDRCONFIG more often (RT#6923)
2011-06-23 16:07:40 -04:00
Nalin Dahyabhai
4a5ca5b2d3
- pull a fix from SVN to try to avoid triggering a PTR lookup in getaddrinfo()
during krb5_sname_to_principal(), and to let getaddrinfo() decide whether or
not to ask for an IPv6 address based on the set of configured interfaces
(RT#6922)
2011-06-23 16:05:54 -04:00
Nalin Dahyabhai
23ef754340
- fix that bug ID
2011-06-21 18:38:01 -04:00
Nalin Dahyabhai
092982212a
- apply upstream patch by way of Burt Holzman to fall back to a non-referral
method in cases where we might be derailed by a KDC that rejects the
canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#713518)
2011-06-20 13:34:21 -04:00
Nalin Dahyabhai
e1fdb93038
- don't burn a release number
2011-06-14 14:44:36 -04:00
Nalin Dahyabhai
17c9104b1d
- pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating
using the old protocol over IPv4 again (RT#6920)
2011-06-14 14:25:28 -04:00
Nalin Dahyabhai
6a7a118058
- incorporate a fix to teach the file labeling bits about when replay caches are expunged (#576093)
2011-06-14 14:15:55 -04:00
Nalin Dahyabhai
20266fd9d7
switch to the upstream patch for #707145
2011-05-26 10:55:11 -04:00
Nalin Dahyabhai
e14f89fa17
klist: don't trip over referral entries when invoked with -s (#707145, RT#6915)
2011-05-25 16:55:39 -04:00
Nalin Dahyabhai
7368cf9d38
- fixup URL in a comment
- when built with NSS, require 3.12.10 rather than 3.12.9
2011-05-06 10:09:53 -04:00
Nalin Dahyabhai
ac127d5263
- update to 1.9.1:
- drop no-longer-needed patches for CVE-2010-4022, CVE-2011-0281,
CVE-2011-0282, CVE-2011-0283, CVE-2011-0284, CVE-2011-0285
2011-05-05 19:03:10 -04:00
Nalin Dahyabhai
d2ffb0c7c5
add the bug ID for that last fix
2011-04-13 17:21:33 -04:00
Nalin Dahyabhai
301c9d3ae2
- kadmind: add upstream patch to fix free() on an invalid pointer (MITKRB5-SA-2011-004, CVE-2011-0285)
2011-04-13 15:38:22 -04:00
Nalin Dahyabhai
5ad8efcad5
- don't discard the error code from an error message received in response
to a change-password request (#658871, RT#6893)
2011-04-04 19:04:05 -04:00
Nalin Dahyabhai
2ee39c5e61
- override INSTALL_SETUID at build-time so that ksu is installed into
the buildroot with the right permissions (part of #225974)
2011-04-01 15:52:29 -04:00
Nalin Dahyabhai
27e969332f
- backport change from SVN to fix a computed-value-not-used warning in
kpropd (#684065)
2011-03-18 13:23:22 -04:00
Nalin Dahyabhai
41bc7a0e62
- turn off NSS as the backend for libk5crypto for now to work around its
DES string2key not working (#679012)
- add revised upstream patch to fix double-free in KDC while returning
typed-data with errors (CVE-2011-0284, #674325)
2011-03-15 14:25:01 -04:00
Nalin Dahyabhai
cbdf0e37a6
- throw in a not-applied-by-default patch to try to make pkinit debugging into a run-time boolean option named "pkinit_debug"
2011-02-17 11:31:49 -05:00
Nalin Dahyabhai
b77e5a0e35
turn on NSS as the backend for libk5crypto, adding nss-devel as a build dependency when that switch is flipped
2011-02-16 19:05:39 -05:00
Nalin Dahyabhai
08f510b379
- krb5kdc init script: prototype some changes to do a quick spot-check
of the TGS and kadmind keys and warn if there aren't any non-weak keys
on file for them (to flush out parts of #651466)
2011-02-09 15:25:17 -05:00
Nalin Dahyabhai
62cb58fe6f
reference the raw hide bug ID for CVE-2011-0283 in the changelog
2011-02-08 16:38:16 -05:00
Nalin Dahyabhai
be633bbbb2
- add upstream patches to fix standalone kpropd exiting if the per-client
child process exits with an error (MITKRB5-SA-2011-001), a hang or crash
in the KDC when using the LDAP kdb backend, and an uninitialized pointer
use in the KDC (MITKRB5-SA-2011-002) (CVE-2010-4022, #664009,
CVE-2011-0281, #668719, CVE-2011-0282, #668726, CVE-2011-0283, #670567)
2011-02-08 14:37:19 -05:00
Dennis Gilmore
4fe1ed04f8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
2011-02-07 21:09:16 -06:00
Nalin Dahyabhai
9fed313d79
fix a compile error in the SELinux labeling patch when -DDEBUG is used (Sumit Bose)
2011-02-07 11:24:03 -05:00
Nalin Dahyabhai
293e1a6e51
- properly advertise that the kpropd init script now supports force-reload (Zbysek Mraz #630587)
2011-02-01 10:38:05 -05:00
Nalin Dahyabhai
3442cb8a33
- pkinit: when verifying signed data, use the CMS APIs for better interoperability (#636985, RT#6851)
2011-01-26 13:59:56 -05:00
Nalin Dahyabhai
8c3bae0303
update to 1.9 final
2010-12-22 17:22:08 -05:00
Nalin Dahyabhai
09a9ac8a63
- fix link flags and permissions on shared libraries (ausil)
2010-12-20 15:20:01 -05:00
Nalin Dahyabhai
ce5e3836b2
- update to 1.9 beta 3
2010-12-16 14:43:53 -05:00
Nalin Dahyabhai
695c21dd42
- update to beta 2
2010-12-06 16:55:35 -05:00
Nalin Dahyabhai
478f86fe1e
add tweaks for initial whitespace that cause 389-ds to choke on the schema ldif
2010-12-06 16:55:34 -05:00
Nalin Dahyabhai
eb90866aa9
- drop not-needed-since-1.8 build dependency on rsh (ssorce)
2010-12-06 16:55:34 -05:00
Nalin Dahyabhai
b9f9657a15
- if WITH_NSS is set, built with --with-crypto-impl=nss (requires NSS 3.12.9)
2010-12-06 16:55:34 -05:00
Nalin Dahyabhai
66b6f44b6c
- initial jump to 1.9 beta 1
2010-12-06 16:55:33 -05:00
Nalin Dahyabhai
5faba5957f
- right, renamed the patch
2010-11-30 14:28:42 -05:00
Nalin Dahyabhai
786702d87a
add upstream patch to fix various issues from MITKRB5-SA-2010-007
2010-11-30 12:00:23 -05:00
Nalin Dahyabhai
60f5ea8eaf
- incorporate upstream patch to fix uninitialized pointer crash in the KDC's authorization data handling (CVE-2010-1322, #636335)
2010-10-05 15:29:32 -04:00
Nalin Dahyabhai
e84327e216
- pull down patches from trunk to implement k5login_authoritative and k5login_directory settings for krb5.conf (#539423)
2010-10-04 19:01:38 -04:00
Jesse Keating
82f4c7f41e
- Rebuilt for gcc bug 634757
2010-09-29 14:34:57 -07:00
Nalin Dahyabhai
f44b554d1b
- fix reading of keyUsage extensions when attempting to select pkinit client certs (part of #629022, RT#6775)
- fix selection of pkinit client certs when one or more don't include a subjectAltName extension (part of #629022, RT#6774)
2010-09-16 19:32:06 -04:00
Nalin Dahyabhai
3f5343a0b9
- build with -fstack-protector-all instead of the default -fstack-protector,
so that we add checking to more functions (i.e., all of them) (#629950)
2010-09-03 13:50:17 -04:00
Nalin Dahyabhai
a7376e1a41
- also link binaries with -Wl,-z,relro,-z,now (part of #629950)
2010-09-03 13:08:45 -04:00
Nalin Dahyabhai
6130f43a46
- fix a logic bug in computing key expiration times (RT#6762, #627022)
2010-08-24 18:29:42 -04:00
Nalin Dahyabhai
0c20d8744b
- update to 1.8.3
- drop backports of fixes for gss context expiration and error table
registration/deregistration mismatch
- drop patch for upstream #6750
2010-08-04 18:22:20 -04:00
Nalin Dahyabhai
eed65b02ae
- fix a typo in the changelog
2010-07-15 15:47:39 +00:00
Nalin Dahyabhai
45b591b3eb
- fix parsing of the pidfile option in the KDC (upstream #6750)
2010-07-07 20:56:07 +00:00
Nalin Dahyabhai
8b8653b9be
- add logrotate configuration files for krb5kdc and kadmind (#462658)
2010-07-07 18:09:05 +00:00
Nalin Dahyabhai
a0ca6e4d98
- tell krb5kdc and kadmind to create pid files, since they can
2010-07-07 17:41:39 +00:00
Nalin Dahyabhai
cb407c5fa1
- libgssapi: pull in patch from svn to stop returning context-expired
errors when the ticket which was used to set up the context expires
(#605366, upstream #6739)
2010-06-21 18:26:35 +00:00
Nalin Dahyabhai
da92cbb7b4
- pull up fix for upstream #6745, in which the gssapi library would add the
wrong error table but subsequently attempt to unload the right one
2010-06-21 18:11:40 +00:00
Nalin Dahyabhai
e067cf87fe
- update to 1.8.2
- drop patches for CVE-2010-1320, CVE-2010-1321
2010-06-10 22:21:43 +00:00
Nalin Dahyabhai
1313c14673
- reference the right bug -- this wasn't a problem until the revision
2010-05-27 21:10:28 +00:00
Nalin Dahyabhai
17238354c3
don't skip the PAM account check for root or the same user (more of
#477033)
2010-05-27 20:53:30 +00:00
Nalin Dahyabhai
ccdc4a4228
- ksu: move session management calls to before we drop privileges, like su
does (#596887)
2010-05-27 20:01:43 +00:00
Nalin Dahyabhai
b60e63ef2b
- that -fno-strict-aliasing change merits a rebuild
2010-05-24 22:15:15 +00:00
Nalin Dahyabhai
ab9e2985db
- go back to building without strict aliasing (compiler warnings in gssrpc)
2010-05-24 21:31:38 +00:00
Nalin Dahyabhai
5d72216a22
- drop explicit linking with libtinfo for applications that use libss, now
that readline itself links with libtinfo (as of readline-5.2-3, since
fedora 7 or so)
2010-05-24 20:42:04 +00:00
Nalin Dahyabhai
c430745262
- make krb5-server-ldap also depend on the same version-release of
krb5-libs, as the other subpackages do, if only to make it clearer than
it is when we just do it through krb5-server
2010-05-24 20:07:09 +00:00
Nalin Dahyabhai
b3e836cce9
- add patch to correct GSSAPI library null pointer dereference which could
be triggered by malformed client requests (CVE-2010-1321, #582466)
2010-05-18 18:14:30 +00:00
Nalin Dahyabhai
59f0148016
- fix output of kprop's init script's "status" and "reload" commands
(#588222)
2010-05-04 19:32:52 +00:00
Nalin Dahyabhai
98bc7d7d76
- incorporate patch to fix double-free in the KDC (CVE-2010-1320, #581922)
2010-04-20 18:26:39 +00:00
Nalin Dahyabhai
044f184f7a
- fix a typo in kerberos.ldif
2010-04-14 14:28:32 +00:00
Nalin Dahyabhai
b48f2bcb58
- update to 1.8.1
- no longer need patches for #555875, #561174, #563431, RT#6661,
CVE-2010-0628
- replace buildrequires on tetex-latex with one on texlive-latex, which is
the package that provides it now
2010-04-09 13:44:05 +00:00
Nalin Dahyabhai
6b3df78771
- kdc.conf: no more need to suggest a v4 mode, or listening on the v4 port
2010-04-08 21:27:15 +00:00
Nalin Dahyabhai
8d606a93f5
- drop patch to suppress key expiration warnings sent from the KDC in the
last-req field, as the KDC is expected to just be configured to either
send them or not as a particular key approaches expiration (#556495)
2010-04-08 19:14:31 +00:00
Nalin Dahyabhai
665fa22b0f
- add bug numbers for the fix for CVE-2010-0628
2010-03-23 22:56:35 +00:00
Nalin Dahyabhai
cac63d2dfa
- kdc.conf: no more need to suggest keeping keys with v4-compatible salting
2010-03-23 18:18:32 +00:00
Nalin Dahyabhai
4a2bf7dc5d
- add upstream fix for denial-of-service in SPNEGO (CVE-2010-0628)
2010-03-23 18:07:13 +00:00
Nalin Dahyabhai
1f83fab4c7
- remove the krb5-appl bits (the -workstation-clients and
-workstation-servers subpackages) now that krb5-appl is its own package
2010-03-19 21:15:33 +00:00