- temporarily bundling the krb5-appl package (split upstream as of 1.8)
until its package review is complete
- profile.d scriptlets are now only needed by -workstation-clients
- adjust paths in init scripts
- drop upstreamed fix for KDC denial of service (CVE-2010-0283)
- drop patch to check the user's password correctly using crypt(), which
isn't a code path we hit when we're using PAM
would happen if ftpd was given the name of a user who wasn't known to
the local system, limited to being triggerable by gssapi-authenticated
clients by the default xinetd config (Olivier Fourdan, #569472)
- scrub out references to $RPM_SOURCE_DIR (jdennis)
- include a symlink to the readme with the name LICENSE so that people can
find it more easily (jdennis)
- don't trip AD lockout on wrong password (#542687, #554351)
- incorporates fixes for CVE-2009-4212 and CVE-2009-3295
- fixes gss_krb5_copy_ccache() when SPNEGO is used
- move sim_client/sim_server, gss-client/gss-server, uuclient/uuserver to
the devel subpackage, better lining up with the expected krb5/krb5-appl
split in 1.8
- drop kvno,kadmin,k5srvutil,ktutil from -workstation-servers, as it
already depends on -workstation which also includes them
than seven days away when the KDC reports it via the last-req field,
just as we already do when it reports expiration via the key-expiration
field (#556495)
- link with libtinfo rather than libncurses, when we can, in future RHEL
port, kpropd can always bind to the krb5_prop port, and that kadmind
can always bind to the kerberos-adm port (#555279)
- correct inadvertent use of macros in the changelog (rpmlint)
function in the kadmind and kpropd init scripts, so that we get the
right error when we're dead but have a lock file - requires initscripts
8.99 (#521772)
- add patches for read overflow and null pointer dereference in the
implementation of the SPNEGO mechanism (CVE-2009-0844, CVE-2009-0845)
- add patch for attempt to free uninitialized pointer in libkrb5
(CVE-2009-0846)
- add patch to fix length validation bug in libkrb5 (CVE-2009-0847)
when v4 compatibility is enabled on the KDC (CVE-2008-0062,
CVE-2008-0063, #432620, #432621)
- add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when
high-numbered descriptors are used (CVE-2008-0947, #433596)
- add backport bug fix for an attempt to free non-heap memory in
libgssapi_krb5 (CVE-2007-5901, #415321)
- add backport bug fix for a double-free in out-of-memory situations in
libgssapi_krb5 (CVE-2007-5971, #415351)
authenticated
- in login, signal PAM when we're changing an expired password that it's an
expired password, so that when cracklib flags a password as being weak
it's treated as an error even if we're running as root
- kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that
the DISALLOW_ALL_TIX flag is set on an entry, for better interop with
Fedora, Netscape, Red Hat Directory Server (Simo Sorce)
- enable patch to make kpasswd fall back to TCP if UDP fails
- enable patch to make kpasswd use the right sequence number on retransmit
- enable patch to allow mech-specific creds delegated under spnego to be
found when searching for creds
- drop unquoted check and silent exit for "$NETWORKING" (#426852, #242500)
- krb524: don't barf on missing database if it looks like we're using
kldap, same as for kadmin
- return non-zero status for missing files which cause startup to fail
CVE-2007-4000 (the new pkinit module is built conditionally and goes
into the -pkinit-openssl package, at least for now, to make a buildreq
loop with openssl avoidable)
- drop old, incomplete SELinux patch
- add patch from Greg Hudson to make srvtab routines report missing-file
errors at same point that keytab routines do (#241805)
there if it looks like we might be using the kldap plugin
- kadmind.init: attempt to extract the key for the host-specific kadmin
service when we try to create the keytab
shared libraries (no more static libraries) makes them unnecessary and
they're not part of the libkrb5 interface (patch by Rex Dieter,
#240220) (strips out libkeyutils, libresolv, libdl)
(#229782, CVE-2007-0956)
- add patch to fix buffer overflow in krb5kdc and kadmind (#231528,
CVE-2007-0957)
- add patch to fix double-free in kadmind (#231537, CVE-2007-1216)
- move workstation daemons to a new subpackage (#81836, #216356, #217301),
and make the new subpackage require xinetd (#211885)
We don't get static libraries any more. Holding off on build until
verification that this doesn't kill other things, or until we get them
building in a semi-useful way.
- first cut at making RPM scriptlets failproof for install-info
- pull up pre-generated PDF docs so that we don't have multiarch
differences due to document IDs, timestamps, and compressed data,
- pull up the script to make sure that the PDF matches its source to guard
against the package maintainer forgetting to update when we move to a
new release
a different location than the default (fenlason)
- remove the [kdc] section from the default krb5.conf -- doesn't seem to
have been applicable for a while
64-bit architectures, to avoid multilib conflicts; other changes will
conspire to strip out the -L flag which uses this, so it should be
harmless (#192692)
krb5-config which is okay in multilib environments (#190118)
- make the name-of-the-tempfile comment which compile_et adds to error code
headers always list the same file to avoid conflicts on multilib
installations
- strip SIZEOF_LONG out of krb5.h so that it doesn't conflict on multilib
boxes
- strip GSS_SIZEOF_LONG out of gssapi.h so that it doesn't conflict on
mulitlib boxes
(CAN-2005-0469)
- add draft fix from Tom Yu for env_opt_add() buffer overflow
(CAN-2005-0468)
will need to re-roll if the draft fix isn't the same as the final one *
- v1.4 kadmin client requires a v1.4 kadmind on the server, or use the "-O"
flag to specify that it should communicate with the server using the
older protocol
- new libkrb5support library
- v5passwdd and kadmind4 are gone
- versioned symbols
- pick up $KRB5KDC_ARGS from /etc/sysconfig/krb5kdc, if it exists, and pass
it on to krb5kdc
- pick up $KADMIND_ARGS from /etc/sysconfig/kadmin, if it exists, and pass
it on to kadmind
- pick up $KRB524D_ARGS from /etc/sysconfig/krb524, if it exists, and pass
it on to krb524d *instead of* "-m"
- set "forwardable" in [libdefaults] in the default krb5.conf to match the
default setting which we supply for pam_krb5
- set a default of 24h for "ticket_lifetime" in [libdefaults], reflecting
the compiled-in default
#140036)
- silence compiler warning in kprop by using an in-memory ccache with a
fixed name instead of an on-disk ccache with a name generated by
tmpnam()
Wed May 12 2004 Thomas Woerner <twoerner@redhat.com> 1.3.3-3
- removed rpath
Thu Apr 15 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.3-2
- re-enable large file support, fell out in 1.3-1
- patch rcp to use long long and %lld format specifiers when reporting file
sizes on large files
Wed Mar 10 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.2-1
- update to 1.3.2
Mon Mar 08 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-12
- rebuild
Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com> 1.3.1-11.1
- rebuilt
Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com> 1.3.1-11
- rebuilt
Mon Feb 09 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-10
- catch krb4 send_to_kdc cases in kdc preference patch
Mon Feb 02 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-9
- remove patch to set TERM in klogind which, combined with the upstream fix
in
1.3.1, actually produces the bug now (#114762)
Mon Jan 19 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-8
- when iterating over lists of interfaces which are "up" from getifaddrs(),
skip over those which have no address (#113347)
Mon Jan 12 2004 Nalin Dahyabhai <nalin@redhat.com>
- prefer the kdc which last replied to a request when sending requests to
kdcs
Mon Nov 24 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-7
- fix combination of --with-netlib and --enable-dns
Tue Nov 18 2003 Nalin Dahyabhai <nalin@redhat.com>
- remove libdefault ticket_lifetime option from the default krb5.conf, it
is ignored by libkrb5
Thu Sep 25 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-6
- fix bug in patch to make rlogind start login with a clean environment a
la netkit rlogin, spotted and fixed by Scott McClung
Tue Sep 23 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-5
- include profile.d scriptlets in krb5-devel so that krb5-config will be in
the path, reported by Kir Kolyshkin
Mon Sep 08 2003 Nalin Dahyabhai <nalin@redhat.com>
- add more etypes (arcfour) to the default enctype list in kdc.conf
- don't apply previous patch, refused upstream
Fri Sep 05 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-4
- fix 32/64-bit bug storing and retrieving the issue_date in v4 credentials
Wed Sep 03 2003 Dan Walsh <dwalsh@redhat.com> 1.3.1-3
- Don't check for write access on /etc/krb5.conf if SELinux
Tue Aug 26 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-2
- fixup some int/pointer varargs wackiness
Tue Aug 05 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-1
- rebuild
Mon Aug 04 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-0
- update to 1.3.1
Thu Jul 24 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3-2
- pull fix for non-compliant encoding of salt field in etype-info2 preauth
data from 1.3.1 beta 1, until 1.3.1 is released.
Mon Jul 21 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3-1
- update to 1.3
Mon Jul 07 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.8-4
- correctly use stdargs
Wed Jun 18 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3-0.beta.4
- test update to 1.3 beta 4
- ditch statglue build option
- krb5-devel requires e2fsprogs-devel, which now provides libss and
libcom_err
Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
- rebuilt
Wed May 21 2003 Jeremy Katz <katzj@redhat.com> 1.2.8-2
- gcc 3.3 doesn't implement varargs.h, include stdarg.h instead
Wed Apr 09 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.8-1
- update to 1.2.8
Fri Mar 21 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-24
- fix double-free of enc_part2 in krb524d
- update to latest patch kit for MITKRB5-SA-2003-004
Thu Mar 20 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-23
- make the default kdc.conf list the same enctypes we use for 1.2.7
Wed Mar 19 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-22
- add patch included in MITKRB5-SA-2003-003 (CAN-2003-0028)
Mon Mar 17 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-21
- add patches from patchkit from MITKRB5-SA-2003-004 (CAN-2003-0138 and
CAN-2003-0139)
Thu Mar 06 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-20
- fix buffer underrun in unparsing certain principals (CAN-2003-0082)
Wed Feb 26 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-19
- add patch to fix server-side crashes when principals have no components
(CAN-2003-0072)
Mon Feb 24 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-18
- add patch from Matt Crawford for encoding transited realms properly
Wed Feb 05 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-17
- sync compiler flags for configure and make with other versions
Tue Feb 04 2003 Nalin Dahyabhai <nalin@redhat.com>
- add patch to document the reject-bad-transited option in kdc.conf
- add backported symbol namespacing fix from 1.2.3 to clear up clashes with
glib
- add backported fix for hangs in kadmin client when principal contains an
escaped @ symbol
Thu Jan 30 2003 Nalin Dahyabhai <nalin@redhat.com>
- add candidate backports for CAN-2002-0036, CAN-2002-058, CAN-2002-059
(CAN-2002-060 was fixed in 1.1.1-7 or so)
Thu Jan 23 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-16
- add patch from Mark Cox for exploitable bugs in ftp client
- add patch to avoid buffer read overruns when configuring via DNS
- add patch to properly include <errno.h>