Commit Graph

842 Commits

Author SHA1 Message Date
Robbie Harwood
96d71f74f7 Backport my interposer fixes from upstream
Supersedes krb5-mechglue_inqure_attrs.patch
2016-02-19 20:11:26 +00:00
Robbie Harwood
5d016a51a3 Clean up bad merge 2016-02-16 17:08:51 +00:00
Robbie Harwood
9707484326 Adjust dependency on crypto-polices to be just the file we want
Patch courtesy of lslebodn.

Resolves: #1308984
2016-02-16 17:07:34 +00:00
Dennis Gilmore
04850893e4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild 2016-02-04 02:24:34 +00:00
Robbie Harwood
f525729cee Replace _kadmin/_kprop with systemd macros
Remove traces of upstart from fedora package per policy

Resolves: #1290185
2016-01-28 19:44:10 +00:00
Robbie Harwood
c52f5baf4b Fix CVE-2015-8629, CVE-2015-8630, CVE-2015-8631 2016-01-27 23:17:07 +00:00
Robbie Harwood
93772ec156 Make krb5kdc.log not world-readable by default
Resolves: #1276484
2016-01-21 19:05:45 +00:00
Robbie Harwood
892fe9b7b5 Allow verification of attributes on krb5.conf 2016-01-21 18:05:08 +00:00
Robbie Harwood
ce63dad07e Use "new" systemd macros for service handling. (Thanks vpavlin!)
Resolves: #850399
2016-01-20 22:11:00 +00:00
Robbie Harwood
21a49ad7c7 Simplify spec file by removing some dead code paths
This includes removal of the following macros:
- WITH_NSS (always false)
- WITH_SYSTEMD (always true)
- WITH_LDAP (always true)
- WITH_OPENSSL (always true)
2016-01-20 21:15:02 +00:00
Robbie Harwood
b653d26d53 Backport fix for chrome crash in spnego_gss_inquire_context
Resolves: #1295893
2016-01-08 18:38:57 +00:00
Robbie Harwood
07d6f2cd01 Backport patch to fix mechglue for gss_inqure_attrs_for_mech() 2015-12-17 02:12:51 +00:00
Robbie Harwood (frozencemetery)
1560d2b3cc Backport interposer fix from master
Drop workaround pwsize initialization patch (gcc has been fixed)

Resolves: rhbz#1284985
2015-12-03 22:02:09 +00:00
Robbie Harwood (frozencemetery)
bf282deaf1 Fix FTBFS by no longer working around bug in nss_wrapper 2015-11-24 16:39:15 +00:00
Robbie Harwood (frozencemetery)
89ae1a3c67 Upstream release. No actual change from beta, just version bump
Also clean up unused parts of spec file.
2015-11-23 22:56:02 +00:00
Robbie Harwood (frozencemetery)
806928902d Release 1.14-beta2 2015-11-16 18:11:20 +00:00
Robbie Harwood (frozencemetery)
b81fddfea1 Patch CVE-2015-2698 2015-11-04 20:26:21 +00:00
Robbie Harwood (frozencemetery)
def8c582bb Patch CVE-2015-2697, CVE-2015-2696, CVE-2015-2695 2015-10-27 17:31:54 +00:00
Robbie Harwood (frozencemetery)
255e769785 Ensure pwsize is initialized in chpass_util.c 2015-10-22 18:30:26 +00:00
Robbie Harwood (frozencemetery)
5eb94ecfab Fix typo of crypto-policies file in previous version 2015-10-22 15:14:45 +00:00
Robbie Harwood (frozencemetery)
9baef8fa8f Start using crypto-policies 2015-10-19 23:01:44 +00:00
Robbie Harwood (frozencemetery)
582b087130 TEMPORARILY disable usage of OFD locks as a workaround for x86 2015-10-19 17:38:34 +00:00
Robbie Harwood (frozencemetery)
98128c4038 New upstream beta version 2015-10-15 20:51:57 +00:00
Robbie Harwood (frozencemetery)
4529758a74 Work around KDC client prinicipal in referrals issue
Resolves: rhbz#1259844
2015-10-08 19:24:20 +00:00
Robbie Harwood (frozencemetery)
a89bdde4da Revert "New upstream version: krb5-1.14-alpha1"
This reverts commit 1138991893.
2015-10-01 18:33:34 +00:00
Robbie Harwood
5ccfdd171d Bring back krb5.conf.d and allow building with bad krb5.conf 2015-09-29 14:47:06 -04:00
Robbie Harwood (frozencemetery)
1138991893 New upstream version: krb5-1.14-alpha1
Drop patches that have since been applied.  Create new patches as
needed.
2015-09-24 17:57:53 +00:00
Robbie Harwood (frozencemetery)
a328acab1b Drop dependency on pax&ksh and remove support for fedora < 20 2015-09-23 18:42:40 +00:00
Robbie Harwood (frozencemetery)
a9af3c8817 Nix /usr/share/krb5.conf.d to reduce complexity 2015-09-23 15:11:53 +00:00
Robbie Harwood (frozencemetery)
65ce267be1 Depend on crypto-policies which provides /etc/krb5.conf.d
Resolves: rhbz#1225792
2015-09-23 14:02:37 +00:00
Robbie Harwood (frozencemetery)
5ec8cb89e0 Miscalaneous spec fixes.
Remove dependency on systemd-sysv which is no longer needed for fedora
> 20.  Other fixes as needed to resolve a fail-to-build issue.
2015-09-11 17:02:31 +00:00
Robbie Harwood (frozencemetery)
2e058adfc5 Bump minor release 2015-09-10 19:55:53 +00:00
Robbie Harwood (frozencemetery)
6cb6b69409 Support config snippets in /etc/krb5.conf.d/ and /usr/share/krb5.conf.d/
Resolves: rhbz#1225792, rhbz#1146370, rhbz#1145808
2015-09-10 19:45:12 +00:00
Roland Mainz
580aefb618 * Thu Jun 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-6
- Use system nss_wrapper and socket_wrapper for testing.
  Patch by Andreas Schneider <asn@redhat.com>
2015-06-26 02:47:13 +02:00
Roland Mainz
d4aa04d87c * Thu Jun 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-5
- Remove Zanata test glue and related workarounds
  - Bug #1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind")
  - Bug #1234326 ("krb5-server introduces new rpm dependency on ksh")
2015-06-25 14:23:31 +02:00
Roland Mainz
168ec0c9e7 * Thu Jun 18 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-4
- Fix dependicy on binfmt.service
2015-06-19 18:22:15 +02:00
Dennis Gilmore
57f951a0e2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild 2015-06-17 13:38:13 +00:00
Roland Mainz
7029c6670c * Tue Jun 2 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-2
- Add patch to fix Redhat Bug #1227542 ("[SELinux] AVC denials may appear
  when kadmind starts"). The issue was caused by an unneeded |htons()|
  which triggered SELinux AVC denials due to the "random" port usage.
2015-06-03 02:57:20 +02:00
Roland Mainz
8c2cea93bb * Thu May 21 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-1
- Add fix for RedHat Bug #1164304 ("Upstream unit tests loads
  the installed shared libraries instead the ones from the build")
2015-05-22 16:28:26 +02:00
Roland Mainz
3ae7a21305 * Thu May 14 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-0
- Update to krb5-1.13.2
  - drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2
  - drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2
- Add script processing for upcoming Zanata l10n support
- Minor spec cleanup
2015-05-15 01:02:21 +02:00
Roland Mainz
1171aa60d0 * Mon May 4 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-4
- fix for CVE-2015-2694 (#1216133) "requires_preauth bypass
  in PKINIT-enabled KDC".
  In MIT krb5 1.12 and later, when the KDC is configured with
  PKINIT support, an unauthenticated remote attacker can
  bypass the requires_preauth flag on a client principal and
  obtain a ciphertext encrypted in the principal's long-term
  key.  This ciphertext could be used to conduct an off-line
  dictionary attack against the user's password.
resolves: #1216134
2015-05-06 01:15:00 +02:00
Roland Mainz
14a63ce373 * Wed Mar 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-3
- Add temporay workaround for RH bug #1204646 ("krb5-config
  returns wrong -specs path") which modifies krb5-config post
  build so that development of krb5 dependicies gets unstuck.
  This MUST be removed before rawhide becomes F23 ...
2015-03-25 16:06:10 +01:00
Roland Mainz
1984e0ee1d * Thu Mar 19 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-2
- fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated
  denial of service in recvauth_common() and others"
2015-03-20 13:24:47 +01:00
Roland Mainz
54e60b1162 * Thu Mar 19 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-2
- fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated
  denial of service in recvauth_common() and others"
2015-03-20 13:23:20 +01:00
Roland Mainz
03981c354e * Fri Feb 13 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-1
- Update to krb5-1.13.1
  - drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1
  - drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1
  - drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1
- Minor spec cleanup
2015-02-13 17:35:10 +01:00
Roland Mainz
c74e97faa9 * Wed Feb 4 2015 Roland Mainz <rmainz@redhat.com> - 1.13-8
- fix for CVE-2014-5352 (#1179856) "gss_process_context_token()
  incorrectly frees context (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9421 (#1179857) "kadmind doubly frees partial
  deserialization results (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9422 (#1179861) "kadmind incorrectly
  validates server principal name (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9423 (#1179863) "libgssrpc server applications
  leak uninitialized bytes (MITKRB5-SA-2015-001)"
2015-02-04 12:02:36 +01:00
Roland Mainz
aad351ad29 * Wed Feb 4 2015 Roland Mainz <rmainz@redhat.com> - 1.13-7
- Remove "python-sphinx-latex" and "tar" from the build requirements
  to fix build failures on F22 machines.
- Minor spec cleanup
2015-02-04 11:47:44 +01:00
Nathaniel McCallum
7188a346bd Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (RT#8063) 2015-02-03 17:48:30 +01:00
Roland Mainz
fb520967f9 * Mon Jan 26 2015 Roland Mainz <rmainz@redhat.com> - 1.13-5
- fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not
  loop on principal unknown errors").
- Added "python-sphinx-latex" to the build requirements
  to fix build failures on F22 machines.
2015-01-26 18:38:55 +01:00
Roland Mainz
6baee3e656 * Thu Dec 19 2014 Roland Mainz <rmainz@redhat.com> - 1.13-4
- fix for CVE-2014-5354 (#1174546) "krb5: NULL pointer
  dereference when using keyless entries"
2014-12-18 17:57:19 +01:00
Roland Mainz
8545575f69 * Wed Dec 17 2014 Roland Mainz <rmainz@redhat.com> - 1.13-3
- fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy
  name crash"
2014-12-17 12:06:33 +01:00
Roland Mainz
a54d1f9ac9 * Wed Oct 29 2014 Roland Mainz <rmainz@redhat.com> - 1.13-0
- Bump 1%%{?dist} to 2%%{?dist} to workaround RPM sort issue
  which would lead yum updates to treat the last alpha as newer
  than the final version.
2014-10-29 22:25:13 +01:00
Roland Mainz
eca7fd3d15 * Wed Oct 29 2014 Roland Mainz <rmainz@redhat.com> - 1.13-0
- Update from krb5-1.13-alpha1 to final krb5-1.13
- Removed patch for CVE-2014-5351 (#1145425) "krb5: current
  keys returned when randomizing the keys for a service principal" -
  now part of upstream sources
- Use patch for glibc |eventfd()| prototype mismatch (#1147887) only
  for Fedora > 20
2014-10-29 21:55:10 +01:00
Roland Mainz
210ae0a2c1 * Tue Sep 30 2014 Roland Mainz <rmainz@redhat.com> - 1.13-0.alpha1.3
- fix build failure caused by change of prototype for glibc
  |eventfd()| (#1147887)
2014-09-30 12:19:07 +02:00
Roland Mainz
c5c716d7e4 - fix for CVE-2014-5351 (#1145425) "krb5: current keys returned when
randomizing the keys for a service principal" (fix rpm spec file)
2014-09-29 23:04:48 +02:00
Nalin Dahyabhai
67988a74d0 Keep the license from being a dangling symlink
Processing of %license puts the named file in a directory other than the
docs directory, and doesn't rewrite relative symlinks to be correct.  So
we can't use a symlink to one of them as the license.
2014-09-08 18:57:52 -04:00
Nalin Dahyabhai
56cd96f9bd Remove the -S flag from kprop.service
- kpropd hasn't bothered with -S since 1.11; stop trying to use that
  flag in the systemd unit file and change its type from "forking" to
  "simple"
2014-08-28 14:05:37 -04:00
Nalin Dahyabhai
8563ebea46 Updating to 1.13 alpha1 2014-08-22 16:14:20 -04:00
Nalin Dahyabhai
c48fd0f0bc Pull in upstream fix for an mischecked strdup()
- pull in upstream fix for an incorrect check on the value returned by a
  strdup() call (#1132062)
2014-08-20 17:36:44 -04:00
Peter Robinson
9c7c7781c4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild 2014-08-17 00:48:14 +00:00
Nalin Dahyabhai
4f7f51121b drop patch for CVE-2014-4345, included in 1.12.2 2014-08-15 15:04:26 -04:00
Nalin Dahyabhai
7880fca0ad drop patch for CVE-2014-4344, included in 1.12.2 2014-08-15 15:02:04 -04:00
Nalin Dahyabhai
b234a3d334 drop patch for CVE-2014-4343, included in 1.12.2 2014-08-15 15:01:01 -04:00
Nalin Dahyabhai
56235f0463 drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2 2014-08-15 14:59:36 -04:00
Nalin Dahyabhai
2184fad363 drop patch for RT#7926, fixed in 1.12.2 2014-08-15 14:56:39 -04:00
Nalin Dahyabhai
7041f914bd drop patch for RT#7924, fixed in 1.12.2 2014-08-15 14:52:23 -04:00
Nalin Dahyabhai
0bd95b4771 drop patch for RT#7858, fixed in 1.12.2 2014-08-15 14:50:08 -04:00
Nalin Dahyabhai
d41320b7c1 drop patch for RT#7836, fixed in 1.12.2 2014-08-15 14:37:24 -04:00
Nalin Dahyabhai
1d44a8f927 drop patch for RT#7818, fixed in 1.12.2 2014-08-15 14:35:45 -04:00
Nalin Dahyabhai
f543a683b0 Drop patch for #231147, fixed in 1.12.2 2014-08-15 14:13:21 -04:00
Nalin Dahyabhai
e5a4698cf5 drop patch for RT#7820, merged in 1.12.2 2014-08-15 14:02:13 -04:00
Nalin Dahyabhai
c042f71c80 Update collection cache patch set for ksu
- replace older proposed changes for ksu with backports of the changes
  after review and merging upstream (#1015559, #1026099, #1118347)
2014-08-15 14:00:14 -04:00
Nalin Dahyabhai
b324000e34 fix MITKRB5-SA-2014-001 (CVE-2014-4345)
- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345)
2014-08-07 19:25:49 -04:00
Nalin Dahyabhai
38595f5338 Add patch for CVE-2014-4344
- gssapi: pull in upstream fix for a possible NULL dereference
  in spnego (CVE-2014-4344)
2014-07-21 17:51:10 -04:00
Nalin Dahyabhai
24f7f1a446 Update to upstream patch
Update to the as-committed version of this patch, which affects the
comments it includes.
2014-07-21 17:19:42 -04:00
Nalin Dahyabhai
9594be4f3a Add proposed fix for a double-free in gss clients
- gssapi: pull in proposed fix for a double free in initiators (David
  Woodhouse, #1117963)
2014-07-16 15:14:38 -04:00
Tom Callaway
79897b3c5d fix license handling 2014-07-12 18:45:11 -04:00
Nalin Dahyabhai
e2bc024559 Pull in fix for CVE-2014-4341/CVE-2014-4342
- pull in fix for denial of service by injection of malformed GSSAPI
  tokens (CVE-2014-4341, CVE-2014-4342, #1116181)
2014-07-07 17:56:12 -04:00
Nalin Dahyabhai
40e2189ede Backport support for scanning /etc/gss/mech.d/*.conf
- pull in changes from upstream which add processing of the contents of
  /etc/gss/mech.d/*.conf when loading GSS modules (#1102839)
2014-06-24 16:47:17 -04:00
Nalin Dahyabhai
47d56d9162 Fix FTBFS #1107061 using a patch from upstream
- pull in fix for building against tcl 8.6 (#1107061)
2014-06-12 16:23:15 -04:00
Nalin Dahyabhai
790a56ba59 Add a buildrequires: on texlive-pdftex
We were having trouble building the PDFs due to a missing pdfcolor.tex
after the latest update to python-sphinx, but an even newer
texlive-pdftex provides that, so add it as a BuildRequires:
2014-06-12 12:04:06 -04:00
Dennis Gilmore
dd2e1e4398 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild 2014-06-07 22:22:03 -05:00
Nathaniel McCallum
44d0e80df0 Backport fix for change password requests when using FAST (RT#7868) 2014-03-04 11:22:42 -05:00
Nalin Dahyabhai
2550f0f56b Backport fix for RT#7858
- spnego: pull in patch from master to restore preserving the OID of the
  mechanism the initiator requested when we have multiple OIDs for the
  same mechanism, so that we reply using the same mechanism OID and the
  initiator doesn't get confused (#1066000, RT#7858)
2014-02-17 21:06:07 -05:00
Nalin Dahyabhai
c0d64aa79f Note that "runstatedir" changes are also #1040056 2014-02-10 14:17:15 -05:00
Nalin Dahyabhai
bdb8c58c53 Move the default directory for OTP sockets to /var/run/krb5kdc
- pull in patch from master to move the default directory which the KDC
  uses when computing the socket path for a local OTP daemon from the
  database directory (/var/kerberos/krb5kdc) to the newly-added run
  directory (/run/krb5kdc), in line with what we're expecting in 1.13
  (RT#7859)
- add a tmpfiles.d configuration file to have /run/krb5kdc created at
  boot-time
- own /var/run/krb5kdc
2014-02-07 16:13:29 -05:00
Nalin Dahyabhai
419c14d6ac Pull from the right wrapper branches
... and add our local patch to fix the bind-then-connect case.
2014-02-04 15:31:21 -05:00
Nalin Dahyabhai
956ccfdfb4 refresh nss_wrapper, add socket_wrapper 2014-01-31 16:56:05 -05:00
Nalin Dahyabhai
5c7bab5883 Take x bit off of an html doc file, fix whitespace 2014-01-31 16:55:11 -05:00
Nalin Dahyabhai
9b18d26ce3 Add proposed ksu KEYRING+default_ccache_name patch
- add currently-proposed changes to teach ksu about credential cache
  collections and the default_ccache_name setting (#1015559,#1026099)
2014-01-31 16:55:05 -05:00
Nalin Dahyabhai
2eb0567065 Backport changes to allow "rcache" credstores
- pull in multiple changes to allow replay caches to be added to a GSS
  credential store as "rcache"-type credentials (RT#7818/#7819/#7836,
  #1056078/#1056080)
2014-01-21 18:52:57 -05:00
Nalin Dahyabhai
792d78fa47 Backport fixes for timesync with keyring caches
add patch to always retrieve the KDC time offsets from keyring caches,
so that we don't mistakenly interpret creds as expired before their
time when our clock is ahead of the KDC's (RT#7820, #1030607)
2014-01-17 10:58:19 -05:00
Nalin Dahyabhai
4dec248a05 Drop obsolete patches 2014-01-17 10:55:16 -05:00
Nalin Dahyabhai
8ae5258eb3 Drop obsolete patch 2014-01-17 10:48:08 -05:00
Nalin Dahyabhai
29afef6c24 Drop obsolete patch 2014-01-17 10:47:01 -05:00
Nalin Dahyabhai
007e77a2b3 Drop obsolete patch 2014-01-17 10:17:19 -05:00
Nalin Dahyabhai
6a8573e3af Drop obsolete patch 2014-01-17 10:08:58 -05:00
Nalin Dahyabhai
0b6ebaab00 Drop obsolete patch 2014-01-17 09:59:39 -05:00
Nalin Dahyabhai
6265fcabf5 Drop obsolete patch 2014-01-17 09:58:40 -05:00
Nalin Dahyabhai
aef7c262b1 Update the textrel patch for x86
- update the PIC patch for iaesx86.s to not use ELF relocations
  (RT#7815, #1045699) to the version that landed upstream
2014-01-13 11:41:47 -05:00
Nalin Dahyabhai
8fe7e82068 Note why we started saving ebx 2014-01-09 13:20:22 -05:00
Nalin Dahyabhai
6e03c5ada1 Link shared libs using -Wl,--warn-shared-textrel
- pass -Wl,--warn-shared-textrel to the compiler when we're creating shared
  libraries
2014-01-09 13:13:30 -05:00
Nalin Dahyabhai
5de1fa728f bump release for a new build 2014-01-09 11:03:45 -05:00
Nalin Dahyabhai
8a1df153c6 Save/restore ebx in functions where we modify it
- amend the PIC patch for iaesx86.s to also save/restore ebx in the
  functions where we modify it
2014-01-09 11:02:26 -05:00
Nalin Dahyabhai
75edc7c7ca Try to remove execmod from 32-bit AES-NI k5crypto
- make a guess at making the 32-bit AES-NI implementation sufficiently
  position-independent to not require execmod permissions for libk5crypto
  (more of #1045699)
2014-01-06 18:53:03 -05:00
Nalin Dahyabhai
05c4140d32 Switch to as-committed version
- grab a more-commented version of the most recent patch from upstream
  master
2014-01-06 15:58:20 -05:00
Nalin Dahyabhai
480b9efaa3 Add Dhiru Kholia's patch to restore noexecstack
- add patch from Dhiru Kholia for the AES-NI implementations to allow
  libk5crypto to be properly marked as not needing an executable stack
  on arches where they're used (#1045699, and so many others)
2014-01-02 23:46:42 -05:00
Nalin Dahyabhai
13df2d5386 Remove the BuildRequires: on yasm for now
Go back to not using AES-NI, until we sort out execstack (#1045699).
2014-01-02 17:08:52 -05:00
Nalin Dahyabhai
911b9e932d Add the buildrequires: for AES-NI support
- add yasm as a build requirement for AES-NI support, on arches that have
  yasm and AES-NI
2013-12-19 13:07:54 -05:00
Nalin Dahyabhai
e1cb527238 Pull in fix to improve SPNEGO error messages
- pull in fix from master to make reporting of errors encountered by the
  SPNEGO mechanism work better (RT#7045, part of #1043962)
2013-12-19 11:52:30 -05:00
Nalin Dahyabhai
45d93c6d1c Enable pyrad-based tests
- update a test wrapper to properly handle things that the new libkrad does,
  and add python-pyrad as a build requirement so that we can run its tests
2013-12-19 11:17:28 -05:00
Nalin Dahyabhai
9f2cb9776b For completeness, also initialize an unused field 2013-12-18 18:01:30 -05:00
Nalin Dahyabhai
82c5b9f9b2 Backport fixes for krb5_copy_context
- backport fixes to krb5_copy_context (RT#7807, #1044735/#1044739)
2013-12-18 17:38:54 -05:00
Nalin Dahyabhai
2550a37b4f Pull in a fix for a mem leak from master (RT#7805)
- pull in fix from master to avoid a memory leak in a couple of error
  cases which could occur while obtaining acceptor credentials (RT#7805, part
  of #1043962)
2013-12-18 14:33:23 -05:00
Nalin Dahyabhai
460d74d224 Pull in a fix for a mem leak from master (RT#7803)
- pull in fix from master to avoid a memory leak when a mechanism's
  init_sec_context function fails (RT#7803, part of #1043962)
2013-12-18 14:23:21 -05:00
Nalin Dahyabhai
39888b7c42 Pick up another interop fix from master (RT#7797)
- pull in fix from master to ignore an empty token from an acceptor if
  we've already finished authenticating (RT#7797, part of #1043962)
2013-12-18 14:22:24 -05:00
Nalin Dahyabhai
735b73ebbb Pick up an interop fix from master (RT#7794)
- pull in fix from master to return a NULL pointer rather than allocating
  zero bytes of memory if we read a zero-length input token (RT#7794, part of
  #1043962)
2013-12-18 14:20:57 -05:00
Nalin Dahyabhai
3a1e355f38 Update to 1.12 final 2013-12-11 10:52:40 -05:00
Nalin Dahyabhai
93ae18a6c5 Whoops, grab the beta 2 PDFs 2013-12-02 11:58:32 -05:00
Nalin Dahyabhai
f002059e62 Update to 1.12 beta2
- drop obsolete backports for storing KDC time offsets and expiration times
  in keyring credential caches
2013-12-02 11:47:40 -05:00
Nalin Dahyabhai
88c0c528bd Update to 1.12 beta 2013-11-19 18:08:43 -05:00
Nalin Dahyabhai
3c08a1616e BuildRequire: pkgconfig and package pkgconfig data 2013-11-19 17:40:02 -05:00
Nalin Dahyabhai
f8f559ef32 Drop backports for RT#7656 and RT#7657 2013-11-19 17:39:59 -05:00
Nalin Dahyabhai
447ee6c9e6 Update for 1.12's removal of krb5_xfree() 2013-11-19 17:38:54 -05:00
Nalin Dahyabhai
f619caa9c9 Drop OTP backport 2013-11-19 17:38:54 -05:00
Nalin Dahyabhai
7448cea67e Untweak for 1.11.3 2013-11-19 17:38:54 -05:00
Nalin Dahyabhai
00cf6df3e6 Drop backport for RT#7590 and partial for RT#7680 2013-11-19 17:38:54 -05:00
Nalin Dahyabhai
19bc209a19 Drop backport for RT#7709 2013-11-19 17:38:54 -05:00
Nalin Dahyabhai
13b2f96a29 Drop backports for RT#7682 2013-11-19 17:38:46 -05:00
Nalin Dahyabhai
0b296b8b04 Drop obsolete patches to skip GSSRPC-over-UDP test
- drop patches from master to not test GSSRPC-over-UDP and to not
  depend on the portmapper, which are areas where our build systems
  often give us trouble, too; obsolete
2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
25fe69d885 Drop backport for RT#7643 2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
a2e5f1f872 Drop backport for RT#7642 2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
9e1d45535e Drop backport for RT#7172 2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
bd8c46afd2 Drop backport for RT#7598 2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
286168174b Drop patch to teach config.* about aarch64-linux 2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
11656c4fe0 Drop obsolete patch fixing a test use-before-init 2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
9c8c2d53ba Update for 1.12 2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
d2ea586766 Update for 1.12 2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
f618776e18 Update for 1.12 2013-11-19 17:32:18 -05:00
Nalin Dahyabhai
d175d043f1 Update for 1.12 2013-11-19 17:32:18 -05:00
Nalin Dahyabhai
daca172770 Update patch for 1.12 2013-11-19 17:32:18 -05:00
Nalin Dahyabhai
15dceb5da6 Drop backport for RT#7689 2013-11-19 17:32:18 -05:00
Nalin Dahyabhai
b1f558a0f5 Drop backported patch 2013-11-19 17:32:18 -05:00
Nalin Dahyabhai
8a39d5ff72 Start rebasing to 1.12 alpha1 2013-11-19 17:32:18 -05:00
Nalin Dahyabhai
a77ee55771 Pull in keyring expiration from RT#7769
- pull in fix to set expiration times on keyrings used for storing keyring
  credential caches (RT#7769, #1031724)
2013-11-18 18:02:20 -05:00
Nalin Dahyabhai
81715b1776 Pull in keyring offset storage from RT#7768
- pull in fix to store KDC time offsets in keyring credential caches
  (RT#7768, #1030607)
2013-11-18 17:14:07 -05:00
Nalin Dahyabhai
dee7ae00a4 Note where CVE-2013-6800 was fixed
CVE-2013-6800 appears to be fixed by the same patch that fixes
CVE-2013-1418, so mention the first in changelog entries that refer to
the second.
2013-11-18 16:24:33 -05:00
Nalin Dahyabhai
cac86c9df2 Bump the release to 1 2013-11-12 16:32:02 -05:00
Nalin Dahyabhai
8f876bbbeb Drop patch for CVE-2013-1418, included in 1.11.4 2013-11-12 16:25:26 -05:00
Nalin Dahyabhai
1f02b0bc49 Drop patch for RT#7706, obsoleted as RT#7723 2013-11-12 16:23:38 -05:00
Nalin Dahyabhai
0c6ad14521 Drop patch for RT#7650, included in 1.11.4 2013-11-12 16:20:49 -05:00
Nalin Dahyabhai
2b359c527a Start updating to 1.11.4 2013-11-12 16:20:31 -05:00
Nalin Dahyabhai
b3399eb8fb Switch to the upstream patch for #1029110
Switch to the simplified version of the patch for #1029110 that ended up
being committed upstream (RT#7764).
2013-11-12 13:20:50 -05:00
Nalin Dahyabhai
11d14a1e7c Fix a typo in a changelog entry 2013-11-11 14:34:29 -05:00
Nalin Dahyabhai
49c8edfa6b Catch more strtol() failures when using KEYRINGs
- check more thorougly for errors when resolving KEYRING ccache names of type
  "persistent", which should only have a numeric UID as the next part of the
  name (#1029110)
2013-11-11 14:11:29 -05:00
Nalin Dahyabhai
bfdc4351bf Point to the RT for the patch for the right branch 2013-11-05 13:43:32 -05:00
Nalin Dahyabhai
a244d8f93c Incorporate patch for RT#7755 (CVE-2013-1418)
- incorporate upstream patch for remote crash of KDCs which serve multiple
  realms simultaneously (RT#7755, CVE-2013-1418)
2013-11-04 16:11:59 -05:00
Nalin Dahyabhai
a00c810e4e Drop call-access()-more patch for ksu
- drop patch to add additional access() checks to ksu - they add to breakage
  when non-FILE: caches are in use (#1026099), shouldn't be resulting in any
  benefit, and clash with proposed changes to fix its cache handling
2013-11-04 10:26:41 -05:00
Nalin Dahyabhai
433fcb1772 Expand on comments in the daemon wrapper scripts
- add some minimal description to the top of the wrapper scripts we use
  when starting krb5kdc and kadmind to describe why they exist (tooling)
2013-10-22 17:48:49 -04:00
Nalin Dahyabhai
31e8e33c43 Create and own /etc/gss (#1019937) 2013-10-16 18:12:24 -04:00
Nalin Dahyabhai
16e749771f Pull up fix for reimporting ccaches in gssapi
- pull up fix for importing previously-exported credential caches in the
  gssapi library (RT# 7706, #1019420)
2013-10-15 14:40:24 -04:00
Nalin Dahyabhai
84fe7d69da Finish fixing the don't-call-NULL-prompters bug
- extract the rest of the fix #965721/#1016690 from the changes for RT#7680
2013-10-14 14:07:56 -04:00
Nalin Dahyabhai
822059250e Use the prompter callback for PEM files
- backport the callback to use the libkrb5 prompter when we can't load
  PEM files for PKINIT (RT#7590, includes part of #965721/#1016690)
2013-10-14 14:07:19 -04:00
Nalin Dahyabhai
37f8b28f7d fix trigger's invocation of sed (#1016945)
- fix trigger scriptlet's invocation of sed (#1016945)
2013-10-14 12:42:56 -04:00
Nalin Dahyabhai
52b6b401df - rebuild with keyutils 1.5.8 (part of #1012043)
Rebuild against a keyutils which tags the new symbols we're using with a
newer symbol version, so that RPM can tell the difference between
versions of the package which contain a shared library that doesn't
include them and versions of the package which contain a shared library
which does.
2013-10-04 09:47:38 -04:00
Nalin Dahyabhai
494e7adbb0 Updated persistent-keyring changes, set as default
- switch to the version of persistent-keyring that was just merged to
  master (RT#7711), along with related changes to kinit (RT#7689)
- go back to setting default_ccache_name to a KEYRING type
2013-10-02 14:46:20 -04:00
Nalin Dahyabhai
682dc07d28 pull up fix to call kdb check-transited-path first
- pull up fix for not calling a kdb plugin's check-transited-path
  method before calling the library's default version, which only knows
  how to read what's in the configuration file (RT#7709, #1013664)
2013-09-30 11:26:50 -04:00
Nalin Dahyabhai
43d2548f26 configure --without-krb5-config
- configure --without-krb5-config so that we don't pull in the old default
  ccache name when we want to stop setting a default ccache name at configure-
  time
2013-09-26 14:38:01 -04:00
Nalin Dahyabhai
e43f75f274 - fix broken dependency on awk (rdieter)
- fix broken dependency on awk (should be gawk, rdieter)
2013-09-25 12:34:03 -04:00
Nalin Dahyabhai
a375099fe1 add missing dependency on newer keyutils-libs
- add missing dependency on newer keyutils-libs (#1012034)
2013-09-25 11:26:19 -04:00
Nalin Dahyabhai
3bc9a0ec21 Back to DIR: caches by default, for now
- back out setting default_ccache_name to the new default for now, resetting
  it to the old default while the kernel/keyutils bits get sorted (sgallagh)
2013-09-24 17:10:48 -04:00
Nalin Dahyabhai
ee7be3f07f buildrequire the newest keyutils
- add explicit build-time dependency on a version of keyutils that's new
  enough to include keyctl_get_persistent() (more of #991148)
2013-09-23 13:32:21 -04:00
Nalin Dahyabhai
df24e0aeda pull in an updated persistent_keyring.patch
- incorporate Simo's updated backport of his updated persistent-keyring
  changes (more of #991148)
2013-09-19 16:29:52 -04:00
Nalin Dahyabhai
00da3519ec Don't break during %%check with revoked keyrings
If the session keyring is revoked, we'll to walk the ccache collections.
Work around that so that we don't have to go and disable more tests.
2013-09-13 18:21:09 -04:00
Nalin Dahyabhai
21b73fcc00 pull the newer F21 defaults back to F20 (sgallagh) 2013-09-13 09:13:37 -04:00
Nalin Dahyabhai
5128324677 Only create /run/user/0 on releases where we use it
- only apply the patch to autocreate /run/user/0 when we're hard-wiring the
  default ccache location to be under it; otherwise it's unnecessary
2013-09-09 13:15:18 -04:00
Nalin Dahyabhai
b81045ccea Don't pass a "script" to ldconfig
- don't let comments intended for one scriptlet become part of the "script"
  that gets passed to ldconfig as part of another one (Mattias Ellert, #1005675)
2013-09-09 09:43:05 -04:00
Nalin Dahyabhai
4404e63e31 Conditional triggerun to set default_ccache_name
- on releases where we expect krb5.conf to be configured with a
  default_ccache_name, add it whenever we upgrade from an older version of
  the package that wouldn't have included it in its default configuration
  file (#991148)
2013-09-06 17:32:20 -04:00
Nalin Dahyabhai
16afa92610 Set the default ccname via config, not at build
- restore build-time default DEFCCNAME on Fedora 21 and later and EL, and
  instead set it in the default krb5.conf's [libdefaults] section (#991148)
2013-09-06 16:05:14 -04:00
Nalin Dahyabhai
b0c672125e - restore build-time default DEFCCNAME on F21, EL
- restore build-time default DEFCCNAME on Fedora 21 and later and EL (#991148)
2013-09-06 14:13:31 -04:00
Nalin Dahyabhai
bf2b6cb4e7 - incorporate backported persistent-keyring (Simo)
- incorporate Simo's backport of his persistent-keyring changes (#991148)
2013-09-06 14:12:24 -04:00
Nalin Dahyabhai
e6591a5194 ship an nss_wrappers snapshot, not a git repo
- switch to just the snapshot of nss_wrapper we were using, since we
  no longer need to carry anything that isn't in the cwrap.org repository
  (ssorce)
2013-08-23 14:21:20 -04:00
Nalin Dahyabhai
c3f5bd1fb8 UnversionedDocdirs, take two
- take another stab at accounting for UnversionedDocdirs for the -libs
  subpackage (spotted by ssorce)
2013-08-23 14:08:59 -04:00
Nalin Dahyabhai
6c46043c16 Do the horrible hostname check _before_ faking it 2013-08-15 01:50:42 -04:00
Nalin Dahyabhai
ee18500d9b Fix error detection when starting kpropd/kadmind
- drop a patch we're not applying
- wrap kadmind and kpropd in scripts which check for the presence/absence
  of files which dictate particular exit codes before exec'ing the actual
  binaries, instead of trying to use ConditionPathExists in the unit files
  to accomplish that, so that we exit with failure properly when what we
  expect isn't actually in effect on the system (#800343)
2013-08-15 00:10:24 -04:00
Nalin Dahyabhai
272aaeef17 Assume 32 when __isa_bits isn't defined 2013-07-29 17:47:21 -04:00
Nalin Dahyabhai
d6a5b8b7d7 fixup for UnversionedDocdirs
- attempt to account for UnversionedDocdirs for the -libs subpackage
2013-07-29 17:00:25 -04:00
Nalin Dahyabhai
4c8469c258 tweak configs used by tests
- tweak configuration files used during tests to try to reduce the number
  of conflicts encountered when builds for multiple arches land on the same
  builder
2013-07-26 18:47:03 -04:00
Nalin Dahyabhai
66d9928651 Backport from RT#7682
- pull up changes to allow GSSAPI modules to provide more functions (RT#7682, #986564/#986565)
2013-07-22 14:23:24 -04:00
Nalin Dahyabhai
36dbacb706 Use LD_PRELOAD to be able to run more self-tests
Use nss_wrapper (from cwrap.org) to be able to run more of the
self-tests during %%check.  Help it along a little bit by being
more emphatic about cutting off access to DNS.
2013-07-19 15:52:31 -04:00
Nalin Dahyabhai
909ac318c3 Use %%{?_isa} when hard-coding deps on krb5-libs
- specify dependencies on the same arch of krb5-libs by using the %%{?_isa}
  suffix, to avoid dragging 32-bit libraries onto 64-bit systems (#980155)
2013-07-01 11:48:17 -04:00
Nalin Dahyabhai
d00d276a47 Bring back "Back out the krb5-1.11-run_user_0.patch"
This reverts commit 8a5a8d492c.

Special-case /run/user/0, attempting to create it when resolving a
directory cache below it fails due to ENOENT and we find that it doesn't
already exist, either, before attempting to create the directory cache
(maybe helping, maybe just making things more confusing for #961235).
2013-06-13 13:23:54 -04:00
Nalin Dahyabhai
7b66f600ef update to 1.11.3
- update to 1.11.3
  - drop patch for RT#7605, fixed in this release
  - drop patch for CVE-2002-2443, fixed in this release
  - drop patch for RT#7369, fixed in this release
- pull upstream fix for breaking t_skew.py by adding the patch for #961221
2013-06-04 11:13:25 -04:00
Nalin Dahyabhai
ff0ee94342 Respin with updated version of patch for RT#7650
Respin with updated version of patch for RT#7650, and don't forget to
keep track of the bug ID (#969331).
2013-05-31 14:29:57 -04:00
Nalin Dahyabhai
8a5a8d492c Back out the krb5-1.11-run_user_0.patch
It's not a complete fix, and it may only muddy things further on systems
that are having the kind of trouble it's trying to avoid, so hold off.
For now, at least.
2013-05-30 15:10:35 -04:00
Nalin Dahyabhai
202006a85f Pull a fix for kinit going on an only-masters path
- pull in proposed fix for attempts to get initial creds, which end up
  following referrals, incorrectly trying to always use master KDCs if
  they talked to a master at any point (should fix RT#7650)
2013-05-30 12:32:10 -04:00
Nalin Dahyabhai
dc293b3d84 Add a hackish attempt at a workaround for #961235
Add a patch to create /run/user/0 if we're trying to resolve a
DIR: ccache somewhere below it and neither the target location
nor /run/user/0 exist yet.
The better workaround is to set the location's owner to "linger"
via logind, since even after we do what we're doing here, if
the user logs in and logs back out, our location is still removed.
2013-05-30 12:26:42 -04:00
Nalin Dahyabhai
559c78a30a Label DIR: ccache directories when we create them
- don't forget to set the SELinux label when creating the directory for
  a DIR: ccache
2013-05-30 09:18:15 -04:00
Nalin Dahyabhai
11a4bca1fa Turn off some tests that master stopped doing
- pull in patches from master to not test GSSRPC-over-UDP and to not
  depend on the portmapper, which are areas where our build systems
  often give us trouble, too
2013-05-30 08:53:30 -04:00
Nalin Dahyabhai
bafcf02fa5 Actually bump the release number 2013-05-28 18:18:55 -04:00
Nalin Dahyabhai
e98d94d2bc Add proposed fix for handling AS client clock skew
In addition to basing the contents of an encrypted-timestamp preauth
data item on the server's idea of the current time, go ahead and do the
same for the times in the request.
2013-05-28 18:18:23 -04:00
Nalin Dahyabhai
827a48f7cc Fix handling of empty passwords in get-init-creds 2013-05-28 17:21:45 -04:00
Nalin Dahyabhai
2fdc61e398 Fix transited realm checks in GSSAPI servers
- backport fix for not being able to verify the list of transited realms
  in GSS acceptors (RT#7639, #959685)
2013-05-28 17:16:52 -04:00
Nalin Dahyabhai
325dca9ce4 Note the corresponding EL6 bug ID for reference 2013-05-28 17:13:23 -04:00
Nalin Dahyabhai
ee36e9e6b4 fix to make some use of DIR::... KRB5CCNAME values
- pull in upstream fix to start treating a KRB5CCNAME value that begins
  with DIR:: the same as it would a DIR: value with just one ccache file
  in it (RT#7172, #965574)
2013-05-21 13:51:51 -04:00
Nalin Dahyabhai
fbd06d348b pull up fix for kpasswd service ping-pong attack
- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443,
  #962531,#962534)
2013-05-13 18:32:51 -04:00
Nathaniel McCallum
c0d2f3b96d Update otp patch; add keycheck patch 2013-05-03 17:04:40 -04:00
Nalin Dahyabhai
fcc98d5403 make the default ccname change affect f19, too
- pull the changing of the compiled-in default ccache location to
  DIR:/run/user/%%{uid}/krb5cc back into F19, in line with SSSD and
  the most recent pam_krb5 build
2013-04-23 17:39:34 -04:00
Nalin Dahyabhai
d54b8d87c6 correct some configuration file paths
Correct some configuration file paths which the KDC_DIR patch
inadvertently changed.
2013-04-17 10:42:46 -04:00
Nalin Dahyabhai
3ba00c4edc keep track of the message type of FAST requests
- pull in fix for keeping track of the message type when parsing FAST requests
  in the KDC (RT#7605, #951843)
2013-04-15 11:06:55 -04:00
Nalin Dahyabhai
61043181c7 update to 1.11.2
- update to 1.11.2
  - drop pulled in patch for RT#7586, included in this release
  - drop pulled in patch for RT#7592, included in this release
2013-04-15 11:06:15 -04:00
Nalin Dahyabhai
fd7717242f set DEFCCNAME to DIR:/run/user/%{uid}/krb5cc
- move the compiled-in default ccache location from the previous default of
  FILE:/tmp/krb5cc_%{uid} to DIR:/run/user/%{uid}/krb5cc (part of #949588)
2013-04-12 09:24:16 -04:00
Nathaniel McCallum
8d291c8c0a Update otp plugin backport patches 2013-04-09 14:06:33 -04:00
Nalin Dahyabhai
ffcebd6c2b trying to get more of the tests to run on builders
- when testing the RPC library, treat denials from the local portmapper the
  same as a portmapper-not-running situation, to allow other library tests
  to be run while building the package
2013-04-03 17:23:58 -04:00
Nalin Dahyabhai
46d5c735d6 add RT number for most recent patch 2013-04-01 10:23:20 -04:00
Nalin Dahyabhai
7b92138ee8 teach gss_acquire_cred_from() about "client_keytab"
- pull in Simo's patch to recognize "client_keytab" as a key type which can
  be passed in to gss_acquire_cred_from()
2013-03-28 16:13:41 -04:00
Nalin Dahyabhai
30e39857ae package the right client keytab directory
- create and own /var/kerberos/krb5/user instead of /var/kerberos/kdc/user,
  since that's what the libraries actually look for
- add buildrequires on nss-myhostname, in an attempt to get more of the tests
  to run properly during builds
2013-03-28 16:12:30 -04:00
Nalin Dahyabhai
e7b662f81f pull in arm 64 (aarch64) build tweaks
- go back to using reconf to run autoconf and autoheader (part of #925640)
- add temporary patch to use newer config.guess/config.sub (more of #925640)
2013-03-26 16:48:29 -04:00
Nalin Dahyabhai
9d52c1d370 specify backup suffixes, like we do 2013-03-26 16:34:37 -04:00
Nalin Dahyabhai
c761eb0da7 pull up patch to mark imported gss contexts right
- pull up Simo's patch to mark the correct mechanism on imported GSSAPI
  contexts (RT#7592)
2013-03-26 16:32:29 -04:00
Nalin Dahyabhai
557835fdb3 tweak buildrequires conditionals for el7 builds
- fix a version comparison to expect newer texlive build requirements when
  %%{_rhel} > 6 rather than when it's > 7
2013-03-18 10:28:51 -04:00
Nathaniel McCallum
0efba32c47 first round of the otp plugin 2013-03-11 16:26:50 -04:00
Nalin Dahyabhai
6fdbb463fc fix a memory leak when obtaining creds via keytabs
- fix a memory leak when acquiring credentials using a keytab (RT#7586, #911110)
2013-02-28 16:37:33 -05:00
Nalin Dahyabhai
abff2e5117 escape uses of macros in comments (more of 884065)
escape uses of macros in comments (more of #884065)
2013-02-27 18:16:30 -05:00
Nalin Dahyabhai
a47a2acb30 drop the kerberos-iv portreserve file
drop the kerberos-iv portreserve file (long overdue), and drop the rest
on systemd systems, since we don't currently poke portreserve when we're
starting a service
2013-02-27 18:15:26 -05:00
Nalin Dahyabhai
460c5ab8b7 prebuild PDF docs to reduce multilib differences
prebuild PDF docs to reduce multilib differences (internal tooling, #884065)
2013-02-27 14:59:35 -05:00
Nalin Dahyabhai
0c2dcfe3ef update to 1.11.1
update to 1.11.1
- drop patch for noticing negative timeouts being passed to the poll()
  wrapper in the client transmit functions
2013-02-25 12:44:43 -05:00
Nalin Dahyabhai
977a60b72c set "rdns = false" in the default krb5.conf
set "rdns = false" in the default krb5.conf (#908323)
2013-02-08 10:29:14 -05:00
Nalin Dahyabhai
0597014fa8 update to 1.11 release
- update to the 1.11 final release
- drop the rawbuild tag from a couple of patches which we don't actually
  need to apply to get things to compile the way the package expects
2012-12-18 10:37:36 -05:00
Nalin Dahyabhai
9e98fec59e update to 1.11 beta 2 2012-12-13 10:57:00 -05:00
Nalin Dahyabhai
38b95e7b3e move a non-system libverto to the -libs subpackage
- when building with our bundled copy of libverto, package it in with -libs
  rather than with -server (#886049)
2012-12-13 10:27:19 -05:00
Nalin Dahyabhai
78b3a524da update to 1.11 beta 1 2012-11-21 15:56:57 -05:00
Nalin Dahyabhai
282fb3c1e0 packaging tweaks
- handle releases where texlive packaging wasn't yet as complicated as it
  is in Fedora 18
- fix an uninitialized-variable error building one of the test programs
2012-11-16 17:19:59 -05:00
Nalin Dahyabhai
8cf49572ea more tweaks to try to get doc building working 2012-11-16 15:58:51 -05:00
Nalin Dahyabhai
d97833d1ef just drop package-level deps on tex altogether 2012-11-16 14:56:42 -05:00
Nalin Dahyabhai
b1e19fe613 sure, okay. 2012-11-16 14:51:53 -05:00
Nalin Dahyabhai
5816919080 require pdflatex and makeindex 2012-11-16 14:36:59 -05:00
Nalin Dahyabhai
d8fb585c09 don't dummy up required stylesheets, require them 2012-11-16 13:35:21 -05:00
Nalin Dahyabhai
9f497eac9f also note the multilib impact in the docs 2012-11-16 13:14:55 -05:00
Nalin Dahyabhai
7404a3c685 more packaging fixups
- move the rather large pile of html and pdf docs to -workstation, so
  that just having something that links to the libraries won't drag
  them onto a system
- actually create %%{_var}/kerberos/kdc/user, so that it can be packaged
- correct the list of packaged man pages
2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
777f196e39 drop patches to fixup paths in man pages 2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
d0f6217945 own /var/kerberos/kdc/user 2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
18bdbb99e3 drop the only-weak-keys checker 2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
0efe966105 update heed-nsaccountlock patch
We lost explicit support for eDirectory per se, so just add a toggle to
enable heeding the one native attribute that 389 adds to the mix.
2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
8a943cb6b5 update selinux labeling patch 2012-11-16 13:01:55 -05:00
Nalin Dahyabhai
423d0d2f67 update the paths-in-man-pages patch 2012-11-15 18:03:30 -05:00
Nalin Dahyabhai
34c8bac7e3 drop backported fix for clock skew errors
- drop backported fix for avoiding spurious clock skew when a TGT is
  decrypted long after the KDC sent it to the client which decrypts it
2012-11-15 15:23:18 -05:00
Nalin Dahyabhai
e5f60e0625 drop backports of patch for keytab-based kinit
- drop backported patches to make keytab-based authentication attempts
  work better when the client tells the KDC that it supports a particular
  cipher, but doesn't have a key for it in the keytab
2012-11-15 15:21:19 -05:00
Nalin Dahyabhai
b47c708afc drop backported PKINIT fix: directly-trusted KDCs
- drop backported fix for teaching PKINIT clients which trust the KDC's
  certificate directly to verify signed-data messages that are signed with
  the KDC's certificate, when the blobs don't include a copy of the KDC's
  certificate
2012-11-15 15:19:00 -05:00
Nalin Dahyabhai
f1f0baeb82 drop backported patch for disabling replay caches
- drop backported fix for disabling use of a replay cache when verifying
  initial credentials
2012-11-15 15:18:12 -05:00