Commit Graph

814 Commits

Author SHA1 Message Date
Nalin Dahyabhai
38e22af414 undo file-move fixes on Fedora 17
- go back to not messing with library file paths on Fedora 17: it breaks
  file path dependencies in other packages, and since Fedora 17 is already
  released, breaking that is our fault
2012-08-02 11:15:21 -04:00
Nalin Dahyabhai
899e166076 update bug numbers for this update 2012-07-31 14:34:09 -04:00
Nalin Dahyabhai
718a1573e1 fixes for MITKRB5-SA-2012-001 and .so symlinks
- add upstream patch to fix freeing an uninitialized pointer and dereferencing
  another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014
  and CVE-2012-1015, #838012)
- fix a thinko in whether or not we mess around with devel .so symlinks on
  systems without a separate /usr (sbose)
2012-07-31 14:14:12 -04:00
Dennis Gilmore
a020fb0304 Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-27 00:46:48 -05:00
Nalin Dahyabhai
f60e9ef28c backport RT#7183
- backport a fix to allow a PKINIT client to handle SignedData from a KDC
  that's signed with a certificate that isn't in the SignedData, but which
  is available as an anchor or intermediate on the client (RT#7183)
2012-06-22 14:07:46 -04:00
Nalin Dahyabhai
16a5c7affc back out the recent labeling change, per dwalsh
- back out this labeling change (dwalsh):
  - when building the new label for a file we're about to create, also mix
    in the current range, in addition to the current user
2012-06-05 16:24:15 -04:00
Nalin Dahyabhai
6e8c2c396c add explicit buildrequires: on 'hostname' and 'net-tools'
- add explicit buildrequires: on 'hostname', for the tests, on systems where
  it's in its own package, and require net-tools, which used to provide the
  command, everywhere
2012-06-01 16:31:50 -04:00
Nalin Dahyabhai
f06298144d no-separate-/usr means we don't have to move shlibs
- don't shuffle around any shared libraries on releases with
  no-separate-/usr, since /lib and /usr/lib are the same anyway
2012-06-01 15:41:01 -04:00
Nalin Dahyabhai
037ab925da backport a fix for keytabs which don't have keys for all enctypes
- add a backport of Stef's patch to set the client's list of supported
  enctypes to match the types of keys that we have when we are using a
  keytab to try to get initial credentials, so that a KDC won't send us
  an AS reply that we can't encrypt (RT#2131, #748528)
2012-06-01 15:24:41 -04:00
Nalin Dahyabhai
b8b71859bb update to 1.10.2
- when building the new label for a file we're about to create, also mix
  in the current range, in addition to the current user
- also package the PDF format admin, user, and install guides
- drop some PDFs that no longer get built right
2012-06-01 14:05:55 -04:00
Nalin Dahyabhai
cd92a2cbb4 - skip the setfscreatecon() if fopen() is passed "rb" as the open mode (part of #819115) 2012-05-07 17:28:51 -04:00
Nalin Dahyabhai
2057747130 - have -server require /usr/share/dict/words, which we set as the default dict_file in kdc.conf (#817089) 2012-05-01 11:44:13 -04:00
Nalin Dahyabhai
f2a7c1df57 - comment out example.com examples in default krb5.conf (Stef Walter, #805320) 2012-03-20 18:21:01 -04:00
Nalin Dahyabhai
f8503cf35b - changelog that last change 2012-03-20 18:20:08 -04:00
Stef Walter
2da8874065 Change back dns_lookup_kdc to the default
The specifications recommend against using TXT records to mapping
hostnames to realms. However they do not recommend against using
SRV records to lookup the KDC.

Change back to the MIT default of enabling DNS for KDC lookup.
This allows automatic configuration and failover.

A theoretical attack involving SRV records could be similarly
accomplished by a similar attack involving the A records for
the KDC hosts.
2012-03-20 18:16:59 -04:00
Nalin Dahyabhai
7d6fe6def6 update sources 2012-03-09 18:48:50 -05:00
Nalin Dahyabhai
70240d81c8 - update to 1.10.1
- drop the KDC crash fix
  - drop the KDC lookaside cache fix
  - drop the fix for kadmind RPC ACLs (CVE-2012-1012)
2012-03-09 18:37:47 -05:00
Nalin Dahyabhai
df8a03bc2b - note the RT number 2012-03-08 16:21:52 -05:00
Nalin Dahyabhai
4093154587 - when removing -workstation, remove our files from the info index while the file is still there, in %%preun, rather than %%postun, and use the compressed file's name (#801035) 2012-03-07 12:04:24 -05:00
Nathaniel McCallum
b44189a932 Fix string RPC ACLs (RT#7093); CVE-2012-1012 2012-02-21 15:40:50 -05:00
Nathaniel McCallum
1b8eb90a4f add upstream lookaside cache fix RT#7082 2012-01-31 13:42:23 -05:00
Nalin Dahyabhai
9e5f5995cd - add patch to accept keytab entries with vno==0 as matches when we're searching for an entry with a specific name/kvno (#230382/#782211,RT#3349) 2012-01-30 19:49:10 -05:00
Nalin Dahyabhai
6ac0d24fa5 - note the RT number 2012-01-30 12:51:02 -05:00
Nalin Dahyabhai
fbe4130509 - update to 1.10 final 2012-01-30 10:28:53 -05:00
Nathaniel McCallum
767944b7d8 fix release number 2012-01-26 12:17:35 -05:00
Nathaniel McCallum
a134a66915 add upstream crashfix patch 2012-01-26 11:58:18 -05:00
Nalin Dahyabhai
a04da4baa4 - note the RT number 2012-01-23 18:21:02 -05:00
Nalin Dahyabhai
0ce26f54ef - update to beta 1 2012-01-12 18:47:26 -05:00
Nalin Dahyabhai
cf65017ae3 - update to beta 1 2012-01-12 18:47:18 -05:00
Nalin Dahyabhai
fd2308c2b8 - update to beta 1 2012-01-12 18:43:25 -05:00
Nalin Dahyabhai
3e2b8913b0 - add missing changelog item 2012-01-12 16:11:04 -05:00
Peter Robinson
c5fead3d7e mktemp was long obsoleted by coreutils 2012-01-11 10:36:49 +00:00
Nalin Dahyabhai
620baf13cd - modify the deltat grammar to also tell gcc (4.7) to suppress "maybe-uninitialized" warnings in addition to the "uninitialized" warnings it's already being told to suppress 2012-01-04 13:52:34 -05:00
Nalin Dahyabhai
2496d7a5c9 - update to alpha 2
- drop a couple of patches which were integrated for alpha 2
2011-12-20 13:18:27 -05:00
Nalin Dahyabhai
e0a60dd473 - don't need this any more 2011-12-20 11:49:22 -05:00
Nalin Dahyabhai
298c87aab9 - don't need this any more 2011-12-20 11:48:50 -05:00
Nalin Dahyabhai
f28b57af20 - pull in patch for RT#7048: allow PAC verification to only bother trying to
verify the signature with keys that it's given (still more of #761317)
2011-12-13 10:50:02 -05:00
Nalin Dahyabhai
6d68d342c9 - pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached
(more of #761317)
2011-12-13 10:48:28 -05:00
Nalin Dahyabhai
fb7c02faff - pull in patch for RT#7046: tag a ccache containing credentials obtained via
S4U2Proxy with the principal name of the proxying principal (part of #761317)
2011-12-13 10:47:31 -05:00
Nalin Dahyabhai
03e76d7832 - apply upstream patch to fix a null pointer dereference when processing TGS requests (CVE-2011-1530, #753748) 2011-12-06 14:12:15 -05:00
Nalin Dahyabhai
4584a88e40 correct the release to match the changelog 2011-11-30 15:13:54 -05:00
Nalin Dahyabhai
635a422817 - correct a bug in the fix for #754001 so that the file creation context is consistently reset 2011-11-30 15:03:45 -05:00
Nalin Dahyabhai
a45a82724d - require libverto-module-base at build- and runtime so that tests which
use verto can work properly
2011-11-15 13:32:43 -05:00
Nalin Dahyabhai
1110ccd873 - bump to 1.10 alpha 1 2011-11-15 12:45:44 -05:00
Nalin Dahyabhai
a8e279c6ee - get the 'make check' target to build in the gss-kernel-lib subdir 2011-11-14 16:41:13 -05:00
Nalin Dahyabhai
efdfc3a244 update for 1.10 2011-11-09 18:44:22 -05:00
Nalin Dahyabhai
6d42ba9cb1 update for 1.10 2011-11-09 18:44:01 -05:00
Nalin Dahyabhai
be0f417bc2 we shouldn't need this any more, per RT#6893 2011-11-09 18:25:44 -05:00
Nalin Dahyabhai
18b089b01f update for 1.10 2011-11-09 18:20:14 -05:00
Nalin Dahyabhai
74f66f3e49 dependency libs aren't output any more 2011-11-09 17:15:32 -05:00