- add a backport of more patches to set the client's list of supported enctypes
when using a keytab to be the list of types of keys in the keytab, plus the
list of other types the client supports but for which it doesn't have keys,
in that order, so that KDCs have a better chance of being able to issue
tickets with session keys of types that the client can use (#837855)
- pull up patch for RT#7063, in which not noticing a prompt for a long
time throws the client library's idea of the time difference between it
and the KDC really far out of whack (#773496)
- undo rename from krb5-pkinit-openssl to krb5-pkinit on EL6
- version the Obsoletes: on the krb5-pkinit-openssl to krb5-pkinit rename
- reintroduce the init scripts for non-systemd releases
- forward-port %%{_?rawbuild} annotations from EL6 packaging
- selinux: hang on to the list of selinux contexts, freeing and reloading
it only when the file we read it from is modified, freeing it when the
shared library is being unloaded (#845125)
- go back to not messing with library file paths on Fedora 17: it breaks
file path dependencies in other packages, and since Fedora 17 is already
released, breaking that is our fault
- add upstream patch to fix freeing an uninitialized pointer and dereferencing
another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014
and CVE-2012-1015, #838012)
- fix a thinko in whether or not we mess around with devel .so symlinks on
systems without a separate /usr (sbose)
- backport a fix to allow a PKINIT client to handle SignedData from a KDC
that's signed with a certificate that isn't in the SignedData, but which
is available as an anchor or intermediate on the client (RT#7183)
- back out this labeling change (dwalsh):
- when building the new label for a file we're about to create, also mix
in the current range, in addition to the current user
- add explicit buildrequires: on 'hostname', for the tests, on systems where
it's in its own package, and require net-tools, which used to provide the
command, everywhere
- add a backport of Stef's patch to set the client's list of supported
enctypes to match the types of keys that we have when we are using a
keytab to try to get initial credentials, so that a KDC won't send us
an AS reply that we can't encrypt (RT#2131, #748528)
- when building the new label for a file we're about to create, also mix
in the current range, in addition to the current user
- also package the PDF format admin, user, and install guides
- drop some PDFs that no longer get built right
- kadmin.service,krb5kdc.service: remove optional use of $KRB5REALM in command
lines, because systemd parsing doesn't handle alternate value shell variable
syntax
- kprop.service: add missing Type=forking so that systemd doesn't assume simple
- kprop.service: expect the ACL configuration to be there, not absent
