- New upstream version (1.21.3)
- CVE-2024-37370 CVE-2024-37371
Fix vulnerabilities in GSS message token handling
Resolves: RHEL-45387 RHEL-45378
- Fix memory leak in GSSAPI interface
Resolves: RHEL-47284
- Fix memory leak in PMAP RPC interface
Resolves: RHEL-47287
- Fix memory leak in failing UTF-8 to UTF-16 re-encoding for PAC
Resolves: RHEL-47285
- Make TCP waiting time configurable
Resolves: RHEL-47278
- Do not include files with "~" termination in krb5-tests
Resolves: RHEL-45995
Signed-off-by: Julien Rische <jrische@redhat.com>
- Add missing SPDX license identifiers
Resolves: RHEL-44383
Some MIT krb5 licenses were not registered by the SPDX project. They
were recently added to the official list. The SPDX expression is
complete at this point.
Signed-off-by: Julien Rische <jrische@redhat.com>
By default, dnf5 does not download the filelists repository metadata
required to resolve file dependencies outside of /usr/(s)bin or /etc.
This causes the krb5-server file to become uninstallable.
$ dnf5 install krb5-server
Repositories loaded.
Failed to resolve the transaction:
Problem: conflicting requests
- nothing provides /usr/share/dict/words needed by krb5-server-1.21-1.fc39.x86_64
This change aligns with the Fedora packaging guidelines, as stated here:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_file_and_directory_dependencies
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2216903
Do not disable PKINIT if some of the well-known DH groups are unavailable
Resolves: rhbz#2214297
Make PKINIT CMS SHA-1 signature verification available in FIPS mode
Resolves: rhbz#2214300
Allow setting the PAC ticket signature as optional
Resolves: rhbz#2181311
Add support for MS-PAC extended KDC signature (CVE-2022-37967)
Resolves: rhbz#2166001
Fix syntax error in aclocal.m4
Resolves: rhbz#2143306
Signed-off-by: Julien Rische <jrische@redhat.com>
Bypass OpenSSL's restrictions to use KRB5KDF in FIPS mode in case at
least one of the AES SHA-1 HMAC encryption types is used.
Use OpenSSL 3.0 library context to access MD4 and MD5 lazily from
legacy provider if RADIUS is being used or RC4 encryption type is
enabled, without affecting global context.
Such exceptions should not be allowed by the default FIPS crypto
policy.
Signed-off-by: Julien Rische <jrische@redhat.com>
Also set "supportedCMSTypes" to SHA-512/256 with RSA encryption
Resolves: rhbz#2124463
Resolves: rhbz#2114766
Signed-off-by: Julien Rische <jrische@redhat.com>
There is at least one case (with flatpaks) where configuration files
in the special read-only /etc all have an mtime of 0. Using an
initial last modified time of 0 in g_initialize.c causes these files
to never be read.
Change the initial high value to be the "invalid" value
(time_t)-1. Since the C and POSIX standards do not require time_t to
be signed, special-case the checks in load_if_changed() and
updateMechList() to treat all mod times as newer than -1.
Signed-off-by: Julien Rische <jrische@redhat.com>
libkrad allows establishing connections only to a UNIX socket in FIPS
mode, because the MD5 digest is not considered safe enough to be used for
network communication. However, FreeRADIUS requires connections on TCP or
UDP ports.
This commit allows TCP or UDP connections in FIPS mode if the destination is
localhost.
Resolves: rhbz#2082189
Signed-off-by: Julien Rische <jrische@redhat.com>
change_set_password() was changed to prefer TCP. However, because
UDP_LAST falls back to UDP after one second, we can still get a replay
error due to a dropped packet, before the TCP layer has a chance to
retry.
Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
TCP fails completely without reaching a server. In sendto_kdc.c,
implement an ONLY_UDP transport strategy to allow the UDP fallback.
Resolves: rhbz#2076965
Signed-off-by: Julien Rische <jrische@redhat.com>
In kr_attrset_decode(), explicitly treat the length byte as unsigned.
Otherwise attributes longer than 125 characters will be rejected with
EBADMSG.
Add a 253-character-long NAS-Identifier attribute to the tests to make
sure that attributes with the maximal number of characters are working
as expected.
[ghudson@mit.edu: used uint8_t cast per current practices; edited
commit message]
ticket: 9036 (new)
From upstream, needed in preparation for OAuth2 support for FreeIPA and
SSSD.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
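As an added illustration of the length-byte bug described above (constructed for this changelog, not libkrad's own code), a minimal RADIUS attribute decoder reading the length byte both ways. It assumes the RFC 2865 attribute layout (type byte, length byte covering the 2-byte header plus the value, then the value); the function names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ATTR_HDR 2      /* type byte + length byte */
#define ATTR_NAS_ID 32  /* RADIUS NAS-Identifier attribute type (RFC 2865) */

/* Decode the attribute at buf[off]. The length byte counts the two header
 * bytes plus the value, so a value is at most 253 bytes. Returns the value
 * length, or -EBADMSG for a malformed length. With use_signed set, the
 * length byte is read through a signed char, reproducing the bug on
 * platforms where plain char is signed: 0x80..0xFF become negative. */
static int
attr_value_len(const unsigned char *buf, size_t len, size_t off, int use_signed)
{
    int alen;

    if (off + ATTR_HDR > len)
        return -EBADMSG;
    alen = use_signed ? (signed char)buf[off + 1] : (uint8_t)buf[off + 1];
    if (alen < ATTR_HDR || off + (size_t)alen > len)
        return -EBADMSG;          /* negative or out-of-range lengths end here */
    return alen - ATTR_HDR;
}

/* Build one NAS-Identifier attribute whose value is vlen 'A' bytes
 * (constructed sample input). Returns the encoded size, or 0 if vlen
 * does not fit in the one-byte length field. */
static size_t
build_nas_id(unsigned char *out, size_t outsz, size_t vlen)
{
    if (vlen > 255 - ATTR_HDR || outsz < vlen + ATTR_HDR)
        return 0;
    out[0] = ATTR_NAS_ID;
    out[1] = (unsigned char)(vlen + ATTR_HDR);
    memset(out + ATTR_HDR, 'A', vlen);
    return vlen + ATTR_HDR;
}

/* Encode a vlen-byte NAS-Identifier and decode it back with either reading.
 * 125 bytes works both ways; 126..253 only survives the unsigned reading. */
static int
roundtrip(size_t vlen, int use_signed)
{
    unsigned char pkt[256];
    size_t n = build_nas_id(pkt, sizeof(pkt), vlen);

    if (n == 0)
        return -EBADMSG;
    return attr_value_len(pkt, n, 0, use_signed);
}
```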
The CMS digest and signature algorithm for anonymous PKINIT is changed
from SHA-1 to SHA-256. SHA-1 has not been considered secure for this
kind of purpose for some years now.
Resolves: rhbz#2067121
Signed-off-by: Julien Rische <jrische@redhat.com>
1.15.1 was ~2017, so there is no need to support upgrades from such old
systemd. This allows the dependency on grep to be dropped. grep pulls
in pcre, but most other programs in the core group depend on the newer
pcre2, so it's nicer to avoid pulling in pcre in minimal installations.