- Add patch to fix Redhat Bug #1227542 ("[SELinux] AVC denials may appear
when kadmind starts"). The issue was caused by an unneeded |htons()|
which triggered SELinux AVC denials due to the "random" port usage.
- Update to krb5-1.13.2
- drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2
- drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2
- Add script processing for upcoming Zanata l10n support
- Minor spec cleanup
- fix for CVE-2015-2694 (#1216133) "requires_preauth bypass
in PKINIT-enabled KDC".
In MIT krb5 1.12 and later, when the KDC is configured with
PKINIT support, an unauthenticated remote attacker can
bypass the requires_preauth flag on a client principal and
obtain a ciphertext encrypted in the principal's long-term
key. This ciphertext could be used to conduct an off-line
dictionary attack against the user's password.
resolves: #1216134
- Add temporay workaround for RH bug #1204646 ("krb5-config
returns wrong -specs path") which modifies krb5-config post
build so that development of krb5 dependicies gets unstuck.
This MUST be removed before rawhide becomes F23 ...
- Update to krb5-1.13.1
- drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1
- drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1
- drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1
- Minor spec cleanup
- fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not
loop on principal unknown errors").
- Added "python-sphinx-latex" to the build requirements
to fix build failures on F22 machines.
- Update from krb5-1.13-alpha1 to final krb5-1.13
- Removed patch for CVE-2014-5351 (#1145425) "krb5: current
keys returned when randomizing the keys for a service principal" -
now part of upstream sources
- Use patch for glibc |eventfd()| prototype mismatch (#1147887) only
for Fedora > 20
Processing of %license puts the named file in a directory other than the
docs directory, and doesn't rewrite relative symlinks to be correct. So
we can't use a symlink to one of them as the license.
We were having trouble building the PDFs due to a missing pdfcolor.tex
after the latest update to python-sphinx, but an even newer
texlive-pdftex provides that, so add it as a BuildRequires:
- spnego: pull in patch from master to restore preserving the OID of the
mechanism the initiator requested when we have multiple OIDs for the
same mechanism, so that we reply using the same mechanism OID and the
initiator doesn't get confused (#1066000, RT#7858)
- pull in patch from master to move the default directory which the KDC
uses when computing the socket path for a local OTP daemon from the
database directory (/var/kerberos/krb5kdc) to the newly-added run
directory (/run/krb5kdc), in line with what we're expecting in 1.13
(RT#7859)
- add a tmpfiles.d configuration file to have /run/krb5kdc created at
boot-time
- own /var/run/krb5kdc
