rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity
1,090 Commits 9 Branches 46 Tags 7.8 MiB
da1e8dbb3f
Commit Graph

876 Commits

Author SHA1 Message Date
Robbie Harwood
a387becbf5 Add PKINIT KDC support for freshness token 
Also, fix securid_sam2 preauth for non-default salt
 2018-03-19 22:16:46 +00:00
Robbie Harwood
ed142b51b1 Exit with status 0 from kadmind 2018-03-14 14:44:04 -04:00
Robbie Harwood
5f3f6ef19b Fix hex conversion of PKINIT certid strings 2018-03-13 17:45:47 -04:00
Robbie Harwood
4b5cd8c1f8 Fix capaths "." values on client 
Resolves: 1551099
 2018-03-07 17:41:04 +00:00
Igor Gnatenko
03afcfa42c
Remove %clean section 
None of currently supported distributions need that.
Last one was EL5 which is EOL for a while.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
 2018-02-14 09:55:56 +01:00
Igor Gnatenko
307e1c3fab Remove BuildRoot definition 
None of currently supported distributions need that.
It was needed last for EL5 which is EOL now

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
 2018-02-13 23:36:56 +01:00
Robbie Harwood
392309c493 Fix flaws in LDAP DN checking 
CVE-2018-5729, CVE-2018-5730
 2018-02-13 11:09:41 -05:00
Robbie Harwood
c4848e3332 Fix a leak in the previous commit 
Also, restore dist macro that was accidentally removed

Resolves: #1540939
 2018-02-12 17:40:48 +00:00
Fedora Release Engineering
bfe3c598b5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
 2018-02-07 20:27:38 +00:00
Igor Gnatenko
caf02999e0
Switch to %ldconfig_scriptlets 
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
 2018-02-03 17:31:01 +01:00
Robbie Harwood
85d9f736b5 Process included directories in alphabetical order 2018-01-29 17:48:17 +01:00
Robbie Harwood
30d56290b3 Fix network service dependencies 
Resolves: #1525230
 2017-12-12 21:45:17 +00:00
Robbie Harwood
e714c57927 Fix copr rule sop that the spec file builds 2017-12-06 18:10:36 +00:00
Robbie Harwood
9869daa1e8 New upstream release (1.16) 
- No changes from beta2
- Add spec file support for COPR
 2017-12-06 18:07:52 +00:00
Robbie Harwood
6f4f842e5f New upstream prerelease (1.16-beta2) 2017-11-27 22:15:31 +00:00
Robbie Harwood
23141c22b1 Fix CVE-2017-15088 (Buffer overflow in get_matching_data()) 2017-10-24 16:10:22 -04:00
Robbie Harwood
6e83fb6a5e Drop dependency on python2-pyrad (dead upstream, broken with new python) 2017-10-23 16:28:55 +00:00
Robbie Harwood
e02d5c1dac Actually bump kdbversion like I was supposed to 2017-10-09 15:24:04 +00:00
Robbie Harwood
533a73fdd1 New upstream prerelease (1.16-beta1) 2017-10-05 20:29:13 +00:00
Robbie Harwood
0c7302b5bc Add German translation 2017-09-28 21:50:19 +00:00
Robbie Harwood
f1e535bb81 New upstream release - krb5-1.15.2 
Adjust patches as appropriate
 2017-09-25 19:24:33 +00:00
Robbie Harwood
11b90e9e6e Save other programs from worrying about CVE-2017-11462 
Resolves: #1488873
Resolves: #1488874
 2017-09-06 16:43:59 +00:00
Robbie Harwood
f6b653fac2 Add hostname-based ccselect module 
Also update certauth EKU stuff

Resolves: #1463665
 2017-09-05 18:16:58 +00:00
Robbie Harwood
8f0349dc3e Backport certauth eku security fix 2017-08-25 16:43:43 +00:00
Robbie Harwood
95b80fb0b9 Backport kdc policy plugin, but this time with dependencies 2017-08-22 19:11:06 +00:00
Robbie Harwood
48ad53c66e Backport kdcpolicy interface 2017-08-21 17:23:54 +00:00
Robbie Harwood
2674e01b27 * Mon Aug 07 2017 Robbie Harwood <rharwood@redhat.com> 1.15.1-21 
Display an error message if ocsp pkinit is requested
 2017-08-16 20:07:07 +00:00
Robbie Harwood
0d402dae7f Display an error message if ocsp pkinit is requested 2017-08-07 20:42:47 +00:00
Robbie Harwood
ccd78d8ee9 Disable dns_canonicalize_hostname. This may break some setups. 2017-08-02 17:02:48 +00:00
Robbie Harwood
0f2af40d1e Re-enable test suite on ppc64le (no other changes) 2017-08-02 14:42:30 +00:00
Fedora Release Engineering
e2a7f10a2f - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-26 17:59:47 +00:00
Robbie Harwood
45c6f63563 Fix CVE-2017-11368 (remote triggerable assertion failure) 2017-07-20 15:31:44 +00:00
Robbie Harwood
bb9cd0748a Explicitly require python2 packages 2017-07-19 20:08:14 +00:00
Robbie Harwood
dd3f3e78a4 Add support to query the SSF of a context 2017-07-19 18:24:50 +00:00
Petr Písař
887df81921 perl dependency renamed to perl-interpreter <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules> 2017-07-12 14:04:40 +02:00
Robbie Harwood
ff9e66e349 Fix leaks in gss_inquire_cred_by_oid() 2017-07-06 17:06:13 +00:00
Robbie Harwood
b3eef12e9a Fix arch name (ppc64le, not ppc64el) 
Related-to: #1464381
 2017-06-26 19:49:21 +00:00
Robbie Harwood
a51673420f Skip test suite on ppc64el 
Related-to: #1464381
 2017-06-26 19:45:34 +00:00
Robbie Harwood
db0f9d981a Include more test suite changes from upstream 
Resolves: #1464381
 2017-06-23 20:45:16 +00:00
Robbie Harwood
58aed41605 Fix custom build with -DDEBUG 2017-06-07 15:18:05 +00:00
Robbie Harwood
d322a08712 Use standard trigger logic for krb5 snippet 2017-05-24 19:04:22 +00:00
Robbie Harwood
3cae6ae5c3 Add kprop service env config file 2017-04-28 20:14:01 +00:00
Robbie Harwood
21848ec3e1 Update backports of certauth and corresponding test 2017-04-19 17:49:45 +00:00
Robbie Harwood
291b968871 Include fixes for previous commit 
Resolves: #1433083
 2017-04-13 20:00:14 +00:00
Robbie Harwood
3d952fc6c0 Automatically add includedir where not present 
Also try removing sleep statement to see if it is still needed

Resolves: #1433083
 2017-04-13 19:57:23 +00:00
Robbie Harwood
82cabae196 Fix use of enterprise principals with forwarding 2017-04-07 16:13:00 +00:00
Robbie Harwood
0dc40d929f Backport certauth plugin and related pkinit changes 2017-03-22 18:09:06 +00:00
Robbie Harwood
fd8a9e22c4 Remove duplication between subpackages 
Resolves: #1250228
 2017-03-07 19:41:05 +00:00
Robbie Harwood
2a20da0e2a New upstream release - 1.15.1 2017-03-04 00:34:47 +00:00
Robbie Harwood
9ce824b289 Patch build by disabling failing test; will fix properly soon 2017-03-01 22:58:53 +00:00
Robbie Harwood
ae83ec3024 Hammer refresh around transient rawhide issue 2017-02-17 23:45:56 +00:00
Robbie Harwood
beaf0637a0 Backport fix for GSSAPI fallback realm 2017-02-17 22:47:38 +00:00
Robbie Harwood
0d08e37340 Move krb5-kdb-version provides from -libs to -devel 2017-02-07 18:25:18 +00:00
Robbie Harwood
621f3cf2e6 Add free hook to KDB; increments KDB version 
Add KDB version flag.

All patches are touched because git made the hash lengths in patches longer.
 2017-01-20 18:07:42 -05:00
Robbie Harwood
be80cb9861 New upstream release 2016-12-05 20:52:58 +00:00
Robbie Harwood
f68ddd3a8e Comment how betas work 2016-11-17 09:00:11 -05:00
Robbie Harwood
c3f7090334 New upstream release 2016-11-16 21:22:01 +00:00
Robbie Harwood
442bc9dfe4 Ensure we can build with the new CFLAGS 
Also remove the git versioning in patches.
 2016-11-10 20:32:41 +00:00
Robbie Harwood
821dac42ed Upstream release 1.15-beta1 
Also update selinux with RHEL hygene.

Resolves: #1314096
 2016-10-20 23:34:55 +00:00
Tomas Mraz
895d0bdfea rebuild with OpenSSL 1.1.0, added backported upstream patch 2016-10-11 14:04:59 +02:00
Robbie Harwood
76843c3ef0 Properly close krad sockets 
Resolves: #1380836
 2016-09-30 17:38:09 +00:00
Robbie Harwood
5a1a649bda Fix backward check in kprop.service 2016-09-30 16:40:22 +00:00
Robbie Harwood
bbb54d328c Switch to using autosetup macro 
Patches come from git, so it is easiest to just make a git repo
 2016-09-30 16:40:14 +00:00
Robbie Harwood
32ef372877 Backport getrandom() support and remove patch numbering 2016-09-22 19:39:24 +00:00
Robbie Harwood
14f028579d New upstream release and integrate with external git 2016-09-19 23:49:31 +00:00
Robbie Harwood
4f5955da72 Add krb5_db_register_keytab 
Resolves: #1376812
 2016-09-19 16:18:42 +00:00
Robbie Harwood
3e13029eb0 Use responder for non-preauth AS requests 
Resolves: #1370622
 2016-08-29 17:58:02 +00:00
Robbie Harwood
10d34c1413 Guess Samba client mutual flag using ap_option 
Resolves: #1370980
 2016-08-29 17:44:23 +00:00
Robbie Harwood
1dd613afe8 Fix KDC return code and set prompt types for OTP client preauth 
Resolves: #1370072
 2016-08-25 14:05:05 +00:00
Robbie Harwood
136cc25087 Turn OFD locks back on with glibc workaround 
Resolves: #1274922
 2016-08-15 17:33:33 +00:00
Robbie Harwood
766ee8e989 Fix use of KKDCPP with SNI 
Resolves: #1365027
 2016-08-10 17:21:41 +00:00
Robbie Harwood
da7614606c Make krb5-devel depend on libkadm5 
Resolves: #1364487
 2016-08-05 17:02:52 +00:00
Robbie Harwood
480d266a1d Up-port a bunch of stuff from the el-7.3 cycle 
Resolves: #1255450
ResolveS: #1314989
 2016-08-03 21:15:16 +00:00
Robbie Harwood
482c8e1687 New upstream version 1.14.3 2016-08-01 20:44:35 +00:00
Robbie Harwood
528404bbf5 Fix CVE-2016-3120 
Resolves: #1361051
 2016-07-28 21:56:33 +00:00
Robbie Harwood
e165eeccda Fix incorrect recv() size calculation in libkrad 2016-06-23 16:07:51 +00:00
Robbie Harwood
802e825d17 Separate out the kadm5 libs 2016-06-16 16:34:18 +00:00
Robbie Harwood
db300d8761 Fix setting of AS key in OTP preauth failure 2016-05-27 21:19:24 +00:00
Robbie Harwood
0429334fa0 Use the correct patches this time. 
Resolves: #1321135
 2016-04-05 20:14:05 +00:00
Robbie Harwood
2f3f20f718 Add send/receive sendto_kdc hooks and corresponding tests 
Resolves: #1321135
 2016-04-04 18:38:02 +00:00
Robbie Harwood
f0b5fc56f2 Fix CVE-2016-3119 (NULL deref in LDAP module) 2016-03-18 21:02:15 +00:00
Robbie Harwood
7b4e88e425 Backport OID mech fix 
Resolves: #1317609
 2016-03-17 17:17:30 +00:00
Robbie Harwood
f1cb770b53 New rawhide, new upstream version 
- Drop CVE patches
- Rename fix_interposer.patch to acquire_cred_interposer.patch
- Update acquire_cred_interposer.patch to apply to new source
 2016-02-29 23:45:38 +00:00
Robbie Harwood
8bddc884ac Fix log file permissions patch with our selinux 
Resolves: #1309421
 2016-02-22 22:06:57 +00:00
Robbie Harwood
96d71f74f7 Backport my interposer fixes from upstream 
Supersedes krb5-mechglue_inqure_attrs.patch
 2016-02-19 20:11:26 +00:00
Robbie Harwood
5d016a51a3 Clean up bad merge 2016-02-16 17:08:51 +00:00
Robbie Harwood
9707484326 Adjust dependency on crypto-polices to be just the file we want 
Patch courtesy of lslebodn.

Resolves: #1308984
 2016-02-16 17:07:34 +00:00
Dennis Gilmore
04850893e4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild 2016-02-04 02:24:34 +00:00
Robbie Harwood
f525729cee Replace _kadmin/_kprop with systemd macros 
Remove traces of upstart from fedora package per policy

Resolves: #1290185
 2016-01-28 19:44:10 +00:00
Robbie Harwood
c52f5baf4b Fix CVE-2015-8629, CVE-2015-8630, CVE-2015-8631 2016-01-27 23:17:07 +00:00
Robbie Harwood
93772ec156 Make krb5kdc.log not world-readable by default 
Resolves: #1276484
 2016-01-21 19:05:45 +00:00
Robbie Harwood
892fe9b7b5 Allow verification of attributes on krb5.conf 2016-01-21 18:05:08 +00:00
Robbie Harwood
ce63dad07e Use "new" systemd macros for service handling. (Thanks vpavlin!) 
Resolves: #850399
 2016-01-20 22:11:00 +00:00
Robbie Harwood
21a49ad7c7 Simplify spec file by removing some dead code paths 
This includes removal of the following macros:
- WITH_NSS (always false)
- WITH_SYSTEMD (always true)
- WITH_LDAP (always true)
- WITH_OPENSSL (always true)
 2016-01-20 21:15:02 +00:00
Robbie Harwood
b653d26d53 Backport fix for chrome crash in spnego_gss_inquire_context 
Resolves: #1295893
 2016-01-08 18:38:57 +00:00
Robbie Harwood
07d6f2cd01 Backport patch to fix mechglue for gss_inqure_attrs_for_mech() 2015-12-17 02:12:51 +00:00
Robbie Harwood (frozencemetery)
1560d2b3cc Backport interposer fix from master 
Drop workaround pwsize initialization patch (gcc has been fixed)

Resolves: rhbz#1284985
 2015-12-03 22:02:09 +00:00
Robbie Harwood (frozencemetery)
bf282deaf1 Fix FTBFS by no longer working around bug in nss_wrapper 2015-11-24 16:39:15 +00:00
Robbie Harwood (frozencemetery)
89ae1a3c67 Upstream release. No actual change from beta, just version bump 
Also clean up unused parts of spec file.
 2015-11-23 22:56:02 +00:00
Robbie Harwood (frozencemetery)
806928902d Release 1.14-beta2 2015-11-16 18:11:20 +00:00
Robbie Harwood (frozencemetery)
b81fddfea1 Patch CVE-2015-2698 2015-11-04 20:26:21 +00:00
Robbie Harwood (frozencemetery)
def8c582bb Patch CVE-2015-2697, CVE-2015-2696, CVE-2015-2695 2015-10-27 17:31:54 +00:00
Robbie Harwood (frozencemetery)
255e769785 Ensure pwsize is initialized in chpass_util.c 2015-10-22 18:30:26 +00:00
Robbie Harwood (frozencemetery)
5eb94ecfab Fix typo of crypto-policies file in previous version 2015-10-22 15:14:45 +00:00
Robbie Harwood (frozencemetery)
9baef8fa8f Start using crypto-policies 2015-10-19 23:01:44 +00:00
Robbie Harwood (frozencemetery)
582b087130 TEMPORARILY disable usage of OFD locks as a workaround for x86 2015-10-19 17:38:34 +00:00
Robbie Harwood (frozencemetery)
98128c4038 New upstream beta version 2015-10-15 20:51:57 +00:00
Robbie Harwood (frozencemetery)
4529758a74 Work around KDC client prinicipal in referrals issue 
Resolves: rhbz#1259844
 2015-10-08 19:24:20 +00:00
Robbie Harwood (frozencemetery)
a89bdde4da Revert "New upstream version: krb5-1.14-alpha1" 
This reverts commit 1138991893.
 2015-10-01 18:33:34 +00:00
Robbie Harwood
5ccfdd171d Bring back krb5.conf.d and allow building with bad krb5.conf 2015-09-29 14:47:06 -04:00
Robbie Harwood (frozencemetery)
1138991893 New upstream version: krb5-1.14-alpha1 
Drop patches that have since been applied.  Create new patches as
needed.
 2015-09-24 17:57:53 +00:00
Robbie Harwood (frozencemetery)
a328acab1b Drop dependency on pax&ksh and remove support for fedora < 20 2015-09-23 18:42:40 +00:00
Robbie Harwood (frozencemetery)
a9af3c8817 Nix /usr/share/krb5.conf.d to reduce complexity 2015-09-23 15:11:53 +00:00
Robbie Harwood (frozencemetery)
65ce267be1 Depend on crypto-policies which provides /etc/krb5.conf.d 
Resolves: rhbz#1225792
 2015-09-23 14:02:37 +00:00
Robbie Harwood (frozencemetery)
5ec8cb89e0 Miscalaneous spec fixes. 
Remove dependency on systemd-sysv which is no longer needed for fedora
> 20.  Other fixes as needed to resolve a fail-to-build issue.
 2015-09-11 17:02:31 +00:00
Robbie Harwood (frozencemetery)
2e058adfc5 Bump minor release 2015-09-10 19:55:53 +00:00
Robbie Harwood (frozencemetery)
6cb6b69409 Support config snippets in /etc/krb5.conf.d/ and /usr/share/krb5.conf.d/ 
Resolves: rhbz#1225792, rhbz#1146370, rhbz#1145808
 2015-09-10 19:45:12 +00:00
Roland Mainz
580aefb618 * Thu Jun 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-6 
- Use system nss_wrapper and socket_wrapper for testing.
  Patch by Andreas Schneider <asn@redhat.com>
 2015-06-26 02:47:13 +02:00
Roland Mainz
d4aa04d87c * Thu Jun 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-5 
- Remove Zanata test glue and related workarounds
  - Bug #1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind")
  - Bug #1234326 ("krb5-server introduces new rpm dependency on ksh")
 2015-06-25 14:23:31 +02:00
Roland Mainz
168ec0c9e7 * Thu Jun 18 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-4 
- Fix dependicy on binfmt.service
 2015-06-19 18:22:15 +02:00
Dennis Gilmore
57f951a0e2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild 2015-06-17 13:38:13 +00:00
Roland Mainz
7029c6670c * Tue Jun 2 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-2 
- Add patch to fix Redhat Bug #1227542 ("[SELinux] AVC denials may appear
  when kadmind starts"). The issue was caused by an unneeded |htons()|
  which triggered SELinux AVC denials due to the "random" port usage.
 2015-06-03 02:57:20 +02:00
Roland Mainz
8c2cea93bb * Thu May 21 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-1 
- Add fix for RedHat Bug #1164304 ("Upstream unit tests loads
  the installed shared libraries instead the ones from the build")
 2015-05-22 16:28:26 +02:00
Roland Mainz
3ae7a21305 * Thu May 14 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-0 
- Update to krb5-1.13.2
  - drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2
  - drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2
- Add script processing for upcoming Zanata l10n support
- Minor spec cleanup
 2015-05-15 01:02:21 +02:00
Roland Mainz
1171aa60d0 * Mon May 4 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-4 
- fix for CVE-2015-2694 (#1216133) "requires_preauth bypass
  in PKINIT-enabled KDC".
  In MIT krb5 1.12 and later, when the KDC is configured with
  PKINIT support, an unauthenticated remote attacker can
  bypass the requires_preauth flag on a client principal and
  obtain a ciphertext encrypted in the principal's long-term
  key.  This ciphertext could be used to conduct an off-line
  dictionary attack against the user's password.
resolves: #1216134
 2015-05-06 01:15:00 +02:00
Roland Mainz
14a63ce373 * Wed Mar 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-3 
- Add temporay workaround for RH bug #1204646 ("krb5-config
  returns wrong -specs path") which modifies krb5-config post
  build so that development of krb5 dependicies gets unstuck.
  This MUST be removed before rawhide becomes F23 ...
 2015-03-25 16:06:10 +01:00
Roland Mainz
1984e0ee1d * Thu Mar 19 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-2 
- fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated
  denial of service in recvauth_common() and others"
 2015-03-20 13:24:47 +01:00
Roland Mainz
54e60b1162 * Thu Mar 19 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-2 
- fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated
  denial of service in recvauth_common() and others"
 2015-03-20 13:23:20 +01:00
Roland Mainz
03981c354e * Fri Feb 13 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-1 
- Update to krb5-1.13.1
  - drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1
  - drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1
  - drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1
- Minor spec cleanup
 2015-02-13 17:35:10 +01:00
Roland Mainz
c74e97faa9 * Wed Feb 4 2015 Roland Mainz <rmainz@redhat.com> - 1.13-8 
- fix for CVE-2014-5352 (#1179856) "gss_process_context_token()
  incorrectly frees context (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9421 (#1179857) "kadmind doubly frees partial
  deserialization results (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9422 (#1179861) "kadmind incorrectly
  validates server principal name (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9423 (#1179863) "libgssrpc server applications
  leak uninitialized bytes (MITKRB5-SA-2015-001)"
 2015-02-04 12:02:36 +01:00
Roland Mainz
aad351ad29 * Wed Feb 4 2015 Roland Mainz <rmainz@redhat.com> - 1.13-7 
- Remove "python-sphinx-latex" and "tar" from the build requirements
  to fix build failures on F22 machines.
- Minor spec cleanup
 2015-02-04 11:47:44 +01:00
Nathaniel McCallum
7188a346bd Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (RT#8063) 2015-02-03 17:48:30 +01:00
Roland Mainz
fb520967f9 * Mon Jan 26 2015 Roland Mainz <rmainz@redhat.com> - 1.13-5 
- fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not
  loop on principal unknown errors").
- Added "python-sphinx-latex" to the build requirements
  to fix build failures on F22 machines.
 2015-01-26 18:38:55 +01:00
Roland Mainz
6baee3e656 * Thu Dec 19 2014 Roland Mainz <rmainz@redhat.com> - 1.13-4 
- fix for CVE-2014-5354 (#1174546) "krb5: NULL pointer
  dereference when using keyless entries"
 2014-12-18 17:57:19 +01:00
Roland Mainz
8545575f69 * Wed Dec 17 2014 Roland Mainz <rmainz@redhat.com> - 1.13-3 
- fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy
  name crash"
 2014-12-17 12:06:33 +01:00
Roland Mainz
a54d1f9ac9 * Wed Oct 29 2014 Roland Mainz <rmainz@redhat.com> - 1.13-0 
- Bump 1%%{?dist} to 2%%{?dist} to workaround RPM sort issue
  which would lead yum updates to treat the last alpha as newer
  than the final version.
 2014-10-29 22:25:13 +01:00
Roland Mainz
eca7fd3d15 * Wed Oct 29 2014 Roland Mainz <rmainz@redhat.com> - 1.13-0 
- Update from krb5-1.13-alpha1 to final krb5-1.13
- Removed patch for CVE-2014-5351 (#1145425) "krb5: current
  keys returned when randomizing the keys for a service principal" -
  now part of upstream sources
- Use patch for glibc |eventfd()| prototype mismatch (#1147887) only
  for Fedora > 20
 2014-10-29 21:55:10 +01:00
Roland Mainz
210ae0a2c1 * Tue Sep 30 2014 Roland Mainz <rmainz@redhat.com> - 1.13-0.alpha1.3 
- fix build failure caused by change of prototype for glibc
  |eventfd()| (#1147887)
 2014-09-30 12:19:07 +02:00
Roland Mainz
c5c716d7e4 - fix for CVE-2014-5351 (#1145425) "krb5: current keys returned when 
randomizing the keys for a service principal" (fix rpm spec file)
 2014-09-29 23:04:48 +02:00
Nalin Dahyabhai
67988a74d0 Keep the license from being a dangling symlink 
Processing of %license puts the named file in a directory other than the
docs directory, and doesn't rewrite relative symlinks to be correct.  So
we can't use a symlink to one of them as the license.
 2014-09-08 18:57:52 -04:00
Nalin Dahyabhai
56cd96f9bd Remove the -S flag from kprop.service 
- kpropd hasn't bothered with -S since 1.11; stop trying to use that
  flag in the systemd unit file and change its type from "forking" to
  "simple"
 2014-08-28 14:05:37 -04:00
Nalin Dahyabhai
8563ebea46 Updating to 1.13 alpha1 2014-08-22 16:14:20 -04:00
Nalin Dahyabhai
c48fd0f0bc Pull in upstream fix for an mischecked strdup() 
- pull in upstream fix for an incorrect check on the value returned by a
  strdup() call (#1132062)
 2014-08-20 17:36:44 -04:00
Peter Robinson
9c7c7781c4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild 2014-08-17 00:48:14 +00:00
Nalin Dahyabhai
4f7f51121b drop patch for CVE-2014-4345, included in 1.12.2 2014-08-15 15:04:26 -04:00
Nalin Dahyabhai
7880fca0ad drop patch for CVE-2014-4344, included in 1.12.2 2014-08-15 15:02:04 -04:00
Nalin Dahyabhai
b234a3d334 drop patch for CVE-2014-4343, included in 1.12.2 2014-08-15 15:01:01 -04:00
Nalin Dahyabhai
56235f0463 drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2 2014-08-15 14:59:36 -04:00
Nalin Dahyabhai
2184fad363 drop patch for RT#7926, fixed in 1.12.2 2014-08-15 14:56:39 -04:00
Nalin Dahyabhai
7041f914bd drop patch for RT#7924, fixed in 1.12.2 2014-08-15 14:52:23 -04:00
Nalin Dahyabhai
0bd95b4771 drop patch for RT#7858, fixed in 1.12.2 2014-08-15 14:50:08 -04:00
Nalin Dahyabhai
d41320b7c1 drop patch for RT#7836, fixed in 1.12.2 2014-08-15 14:37:24 -04:00
Nalin Dahyabhai
1d44a8f927 drop patch for RT#7818, fixed in 1.12.2 2014-08-15 14:35:45 -04:00
Nalin Dahyabhai
f543a683b0 Drop patch for #231147, fixed in 1.12.2 2014-08-15 14:13:21 -04:00
Nalin Dahyabhai
e5a4698cf5 drop patch for RT#7820, merged in 1.12.2 2014-08-15 14:02:13 -04:00
Nalin Dahyabhai
c042f71c80 Update collection cache patch set for ksu 
- replace older proposed changes for ksu with backports of the changes
  after review and merging upstream (#1015559, #1026099, #1118347)
 2014-08-15 14:00:14 -04:00
Nalin Dahyabhai
b324000e34 fix MITKRB5-SA-2014-001 (CVE-2014-4345) 
- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345)
 2014-08-07 19:25:49 -04:00
Nalin Dahyabhai
38595f5338 Add patch for CVE-2014-4344 
- gssapi: pull in upstream fix for a possible NULL dereference
  in spnego (CVE-2014-4344)
 2014-07-21 17:51:10 -04:00
Nalin Dahyabhai
24f7f1a446 Update to upstream patch 
Update to the as-committed version of this patch, which affects the
comments it includes.
 2014-07-21 17:19:42 -04:00
Nalin Dahyabhai
9594be4f3a Add proposed fix for a double-free in gss clients 
- gssapi: pull in proposed fix for a double free in initiators (David
  Woodhouse, #1117963)
 2014-07-16 15:14:38 -04:00
Tom Callaway
79897b3c5d fix license handling 2014-07-12 18:45:11 -04:00
Nalin Dahyabhai
e2bc024559 Pull in fix for CVE-2014-4341/CVE-2014-4342 
- pull in fix for denial of service by injection of malformed GSSAPI
  tokens (CVE-2014-4341, CVE-2014-4342, #1116181)
 2014-07-07 17:56:12 -04:00
Nalin Dahyabhai
40e2189ede Backport support for scanning /etc/gss/mech.d/*.conf 
- pull in changes from upstream which add processing of the contents of
  /etc/gss/mech.d/*.conf when loading GSS modules (#1102839)
 2014-06-24 16:47:17 -04:00
Nalin Dahyabhai
47d56d9162 Fix FTBFS #1107061 using a patch from upstream 
- pull in fix for building against tcl 8.6 (#1107061)
 2014-06-12 16:23:15 -04:00
Nalin Dahyabhai
790a56ba59 Add a buildrequires: on texlive-pdftex 
We were having trouble building the PDFs due to a missing pdfcolor.tex
after the latest update to python-sphinx, but an even newer
texlive-pdftex provides that, so add it as a BuildRequires:
 2014-06-12 12:04:06 -04:00
Dennis Gilmore
dd2e1e4398 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild 2014-06-07 22:22:03 -05:00
Nathaniel McCallum
44d0e80df0 Backport fix for change password requests when using FAST (RT#7868) 2014-03-04 11:22:42 -05:00
Nalin Dahyabhai
2550f0f56b Backport fix for RT#7858 
- spnego: pull in patch from master to restore preserving the OID of the
  mechanism the initiator requested when we have multiple OIDs for the
  same mechanism, so that we reply using the same mechanism OID and the
  initiator doesn't get confused (#1066000, RT#7858)
 2014-02-17 21:06:07 -05:00
Nalin Dahyabhai
c0d64aa79f Note that "runstatedir" changes are also #1040056 2014-02-10 14:17:15 -05:00
Nalin Dahyabhai
bdb8c58c53 Move the default directory for OTP sockets to /var/run/krb5kdc 
- pull in patch from master to move the default directory which the KDC
  uses when computing the socket path for a local OTP daemon from the
  database directory (/var/kerberos/krb5kdc) to the newly-added run
  directory (/run/krb5kdc), in line with what we're expecting in 1.13
  (RT#7859)
- add a tmpfiles.d configuration file to have /run/krb5kdc created at
  boot-time
- own /var/run/krb5kdc
 2014-02-07 16:13:29 -05:00
Nalin Dahyabhai
419c14d6ac Pull from the right wrapper branches 
... and add our local patch to fix the bind-then-connect case.
 2014-02-04 15:31:21 -05:00
Nalin Dahyabhai
956ccfdfb4 refresh nss_wrapper, add socket_wrapper 2014-01-31 16:56:05 -05:00
Nalin Dahyabhai
5c7bab5883 Take x bit off of an html doc file, fix whitespace 2014-01-31 16:55:11 -05:00
Nalin Dahyabhai
9b18d26ce3 Add proposed ksu KEYRING+default_ccache_name patch 
- add currently-proposed changes to teach ksu about credential cache
  collections and the default_ccache_name setting (#1015559,#1026099)
 2014-01-31 16:55:05 -05:00
Nalin Dahyabhai
2eb0567065 Backport changes to allow "rcache" credstores 
- pull in multiple changes to allow replay caches to be added to a GSS
  credential store as "rcache"-type credentials (RT#7818/#7819/#7836,
  #1056078/#1056080)
 2014-01-21 18:52:57 -05:00
Nalin Dahyabhai
792d78fa47 Backport fixes for timesync with keyring caches 
add patch to always retrieve the KDC time offsets from keyring caches,
so that we don't mistakenly interpret creds as expired before their
time when our clock is ahead of the KDC's (RT#7820, #1030607)
 2014-01-17 10:58:19 -05:00
Nalin Dahyabhai
4dec248a05 Drop obsolete patches 2014-01-17 10:55:16 -05:00
Nalin Dahyabhai
8ae5258eb3 Drop obsolete patch 2014-01-17 10:48:08 -05:00
Nalin Dahyabhai
29afef6c24 Drop obsolete patch 2014-01-17 10:47:01 -05:00
Nalin Dahyabhai
007e77a2b3 Drop obsolete patch 2014-01-17 10:17:19 -05:00
Nalin Dahyabhai
6a8573e3af Drop obsolete patch 2014-01-17 10:08:58 -05:00
Nalin Dahyabhai
0b6ebaab00 Drop obsolete patch 2014-01-17 09:59:39 -05:00
Nalin Dahyabhai
6265fcabf5 Drop obsolete patch 2014-01-17 09:58:40 -05:00
Nalin Dahyabhai
aef7c262b1 Update the textrel patch for x86 
- update the PIC patch for iaesx86.s to not use ELF relocations
  (RT#7815, #1045699) to the version that landed upstream
 2014-01-13 11:41:47 -05:00
Nalin Dahyabhai
8fe7e82068 Note why we started saving ebx 2014-01-09 13:20:22 -05:00
Nalin Dahyabhai
6e03c5ada1 Link shared libs using -Wl,--warn-shared-textrel 
- pass -Wl,--warn-shared-textrel to the compiler when we're creating shared
  libraries
 2014-01-09 13:13:30 -05:00
Nalin Dahyabhai
5de1fa728f bump release for a new build 2014-01-09 11:03:45 -05:00
Nalin Dahyabhai
8a1df153c6 Save/restore ebx in functions where we modify it 
- amend the PIC patch for iaesx86.s to also save/restore ebx in the
  functions where we modify it
 2014-01-09 11:02:26 -05:00
Nalin Dahyabhai
75edc7c7ca Try to remove execmod from 32-bit AES-NI k5crypto 
- make a guess at making the 32-bit AES-NI implementation sufficiently
  position-independent to not require execmod permissions for libk5crypto
  (more of #1045699)
 2014-01-06 18:53:03 -05:00
Nalin Dahyabhai
05c4140d32 Switch to as-committed version 
- grab a more-commented version of the most recent patch from upstream
  master
 2014-01-06 15:58:20 -05:00
Nalin Dahyabhai
480b9efaa3 Add Dhiru Kholia's patch to restore noexecstack 
- add patch from Dhiru Kholia for the AES-NI implementations to allow
  libk5crypto to be properly marked as not needing an executable stack
  on arches where they're used (#1045699, and so many others)
 2014-01-02 23:46:42 -05:00
Nalin Dahyabhai
13df2d5386 Remove the BuildRequires: on yasm for now 
Go back to not using AES-NI, until we sort out execstack (#1045699).
 2014-01-02 17:08:52 -05:00
Nalin Dahyabhai
911b9e932d Add the buildrequires: for AES-NI support 
- add yasm as a build requirement for AES-NI support, on arches that have
  yasm and AES-NI
 2013-12-19 13:07:54 -05:00
Nalin Dahyabhai
e1cb527238 Pull in fix to improve SPNEGO error messages 
- pull in fix from master to make reporting of errors encountered by the
  SPNEGO mechanism work better (RT#7045, part of #1043962)
 2013-12-19 11:52:30 -05:00
Nalin Dahyabhai
45d93c6d1c Enable pyrad-based tests 
- update a test wrapper to properly handle things that the new libkrad does,
  and add python-pyrad as a build requirement so that we can run its tests
 2013-12-19 11:17:28 -05:00
Nalin Dahyabhai
9f2cb9776b For completeness, also initialize an unused field 2013-12-18 18:01:30 -05:00
Nalin Dahyabhai
82c5b9f9b2 Backport fixes for krb5_copy_context 
- backport fixes to krb5_copy_context (RT#7807, #1044735/#1044739)
 2013-12-18 17:38:54 -05:00
Nalin Dahyabhai
2550a37b4f Pull in a fix for a mem leak from master (RT#7805) 
- pull in fix from master to avoid a memory leak in a couple of error
  cases which could occur while obtaining acceptor credentials (RT#7805, part
  of #1043962)
 2013-12-18 14:33:23 -05:00
Nalin Dahyabhai
460d74d224 Pull in a fix for a mem leak from master (RT#7803) 
- pull in fix from master to avoid a memory leak when a mechanism's
  init_sec_context function fails (RT#7803, part of #1043962)
 2013-12-18 14:23:21 -05:00
Nalin Dahyabhai
39888b7c42 Pick up another interop fix from master (RT#7797) 
- pull in fix from master to ignore an empty token from an acceptor if
  we've already finished authenticating (RT#7797, part of #1043962)
 2013-12-18 14:22:24 -05:00