Commit Graph

587 Commits

Author SHA1 Message Date
Nalin Dahyabhai
bfdc4351bf Point to the RT for the patch for the right branch 2013-11-05 13:43:32 -05:00
Nalin Dahyabhai
a244d8f93c Incorporate patch for RT#7755 (CVE-2013-1418)
- incorporate upstream patch for remote crash of KDCs which serve multiple
  realms simultaneously (RT#7755, CVE-2013-1418)
2013-11-04 16:11:59 -05:00
Nalin Dahyabhai
a00c810e4e Drop call-access()-more patch for ksu
- drop patch to add additional access() checks to ksu - they add to breakage
  when non-FILE: caches are in use (#1026099), shouldn't be resulting in any
  benefit, and clash with proposed changes to fix its cache handling
2013-11-04 10:26:41 -05:00
Nalin Dahyabhai
433fcb1772 Expand on comments in the daemon wrapper scripts
- add some minimal description to the top of the wrapper scripts we use
  when starting krb5kdc and kadmind to describe why they exist (tooling)
2013-10-22 17:48:49 -04:00
Nalin Dahyabhai
31e8e33c43 Create and own /etc/gss (#1019937) 2013-10-16 18:12:24 -04:00
Nalin Dahyabhai
16e749771f Pull up fix for reimporting ccaches in gssapi
- pull up fix for importing previously-exported credential caches in the
  gssapi library (RT# 7706, #1019420)
2013-10-15 14:40:24 -04:00
Nalin Dahyabhai
84fe7d69da Finish fixing the don't-call-NULL-prompters bug
- extract the rest of the fix #965721/#1016690 from the changes for RT#7680
2013-10-14 14:07:56 -04:00
Nalin Dahyabhai
822059250e Use the prompter callback for PEM files
- backport the callback to use the libkrb5 prompter when we can't load
  PEM files for PKINIT (RT#7590, includes part of #965721/#1016690)
2013-10-14 14:07:19 -04:00
Nalin Dahyabhai
37f8b28f7d fix trigger's invocation of sed (#1016945)
- fix trigger scriptlet's invocation of sed (#1016945)
2013-10-14 12:42:56 -04:00
Nalin Dahyabhai
52b6b401df - rebuild with keyutils 1.5.8 (part of #1012043)
Rebuild against a keyutils which tags the new symbols we're using with a
newer symbol version, so that RPM can tell the difference between
versions of the package which contain a shared library that doesn't
include them and versions of the package which contain a shared library
which does.
2013-10-04 09:47:38 -04:00
Nalin Dahyabhai
494e7adbb0 Updated persistent-keyring changes, set as default
- switch to the version of persistent-keyring that was just merged to
  master (RT#7711), along with related changes to kinit (RT#7689)
- go back to setting default_ccache_name to a KEYRING type
2013-10-02 14:46:20 -04:00
Nalin Dahyabhai
682dc07d28 pull up fix to call kdb check-transited-path first
- pull up fix for not calling a kdb plugin's check-transited-path
  method before calling the library's default version, which only knows
  how to read what's in the configuration file (RT#7709, #1013664)
2013-09-30 11:26:50 -04:00
Nalin Dahyabhai
43d2548f26 configure --without-krb5-config
- configure --without-krb5-config so that we don't pull in the old default
  ccache name when we want to stop setting a default ccache name at configure-
  time
2013-09-26 14:38:01 -04:00
Nalin Dahyabhai
e43f75f274 - fix broken dependency on awk (rdieter)
- fix broken dependency on awk (should be gawk, rdieter)
2013-09-25 12:34:03 -04:00
Nalin Dahyabhai
a375099fe1 add missing dependency on newer keyutils-libs
- add missing dependency on newer keyutils-libs (#1012034)
2013-09-25 11:26:19 -04:00
Nalin Dahyabhai
3bc9a0ec21 Back to DIR: caches by default, for now
- back out setting default_ccache_name to the new default for now, resetting
  it to the old default while the kernel/keyutils bits get sorted (sgallagh)
2013-09-24 17:10:48 -04:00
Nalin Dahyabhai
ee7be3f07f buildrequire the newest keyutils
- add explicit build-time dependency on a version of keyutils that's new
  enough to include keyctl_get_persistent() (more of #991148)
2013-09-23 13:32:21 -04:00
Nalin Dahyabhai
df24e0aeda pull in an updated persistent_keyring.patch
- incorporate Simo's updated backport of his updated persistent-keyring
  changes (more of #991148)
2013-09-19 16:29:52 -04:00
Nalin Dahyabhai
00da3519ec Don't break during %%check with revoked keyrings
If the session keyring is revoked, we'll to walk the ccache collections.
Work around that so that we don't have to go and disable more tests.
2013-09-13 18:21:09 -04:00
Nalin Dahyabhai
21b73fcc00 pull the newer F21 defaults back to F20 (sgallagh) 2013-09-13 09:13:37 -04:00
Nalin Dahyabhai
5128324677 Only create /run/user/0 on releases where we use it
- only apply the patch to autocreate /run/user/0 when we're hard-wiring the
  default ccache location to be under it; otherwise it's unnecessary
2013-09-09 13:15:18 -04:00
Nalin Dahyabhai
b81045ccea Don't pass a "script" to ldconfig
- don't let comments intended for one scriptlet become part of the "script"
  that gets passed to ldconfig as part of another one (Mattias Ellert, #1005675)
2013-09-09 09:43:05 -04:00
Nalin Dahyabhai
4404e63e31 Conditional triggerun to set default_ccache_name
- on releases where we expect krb5.conf to be configured with a
  default_ccache_name, add it whenever we upgrade from an older version of
  the package that wouldn't have included it in its default configuration
  file (#991148)
2013-09-06 17:32:20 -04:00
Nalin Dahyabhai
16afa92610 Set the default ccname via config, not at build
- restore build-time default DEFCCNAME on Fedora 21 and later and EL, and
  instead set it in the default krb5.conf's [libdefaults] section (#991148)
2013-09-06 16:05:14 -04:00
Nalin Dahyabhai
b0c672125e - restore build-time default DEFCCNAME on F21, EL
- restore build-time default DEFCCNAME on Fedora 21 and later and EL (#991148)
2013-09-06 14:13:31 -04:00
Nalin Dahyabhai
bf2b6cb4e7 - incorporate backported persistent-keyring (Simo)
- incorporate Simo's backport of his persistent-keyring changes (#991148)
2013-09-06 14:12:24 -04:00
Nalin Dahyabhai
e6591a5194 ship an nss_wrappers snapshot, not a git repo
- switch to just the snapshot of nss_wrapper we were using, since we
  no longer need to carry anything that isn't in the cwrap.org repository
  (ssorce)
2013-08-23 14:21:20 -04:00
Nalin Dahyabhai
c3f5bd1fb8 UnversionedDocdirs, take two
- take another stab at accounting for UnversionedDocdirs for the -libs
  subpackage (spotted by ssorce)
2013-08-23 14:08:59 -04:00
Nalin Dahyabhai
6c46043c16 Do the horrible hostname check _before_ faking it 2013-08-15 01:50:42 -04:00
Nalin Dahyabhai
ee18500d9b Fix error detection when starting kpropd/kadmind
- drop a patch we're not applying
- wrap kadmind and kpropd in scripts which check for the presence/absence
  of files which dictate particular exit codes before exec'ing the actual
  binaries, instead of trying to use ConditionPathExists in the unit files
  to accomplish that, so that we exit with failure properly when what we
  expect isn't actually in effect on the system (#800343)
2013-08-15 00:10:24 -04:00
Nalin Dahyabhai
272aaeef17 Assume 32 when __isa_bits isn't defined 2013-07-29 17:47:21 -04:00
Nalin Dahyabhai
d6a5b8b7d7 fixup for UnversionedDocdirs
- attempt to account for UnversionedDocdirs for the -libs subpackage
2013-07-29 17:00:25 -04:00
Nalin Dahyabhai
4c8469c258 tweak configs used by tests
- tweak configuration files used during tests to try to reduce the number
  of conflicts encountered when builds for multiple arches land on the same
  builder
2013-07-26 18:47:03 -04:00
Nalin Dahyabhai
66d9928651 Backport from RT#7682
- pull up changes to allow GSSAPI modules to provide more functions (RT#7682, #986564/#986565)
2013-07-22 14:23:24 -04:00
Nalin Dahyabhai
36dbacb706 Use LD_PRELOAD to be able to run more self-tests
Use nss_wrapper (from cwrap.org) to be able to run more of the
self-tests during %%check.  Help it along a little bit by being
more emphatic about cutting off access to DNS.
2013-07-19 15:52:31 -04:00
Nalin Dahyabhai
909ac318c3 Use %%{?_isa} when hard-coding deps on krb5-libs
- specify dependencies on the same arch of krb5-libs by using the %%{?_isa}
  suffix, to avoid dragging 32-bit libraries onto 64-bit systems (#980155)
2013-07-01 11:48:17 -04:00
Nalin Dahyabhai
d00d276a47 Bring back "Back out the krb5-1.11-run_user_0.patch"
This reverts commit 8a5a8d492c.

Special-case /run/user/0, attempting to create it when resolving a
directory cache below it fails due to ENOENT and we find that it doesn't
already exist, either, before attempting to create the directory cache
(maybe helping, maybe just making things more confusing for #961235).
2013-06-13 13:23:54 -04:00
Nalin Dahyabhai
7b66f600ef update to 1.11.3
- update to 1.11.3
  - drop patch for RT#7605, fixed in this release
  - drop patch for CVE-2002-2443, fixed in this release
  - drop patch for RT#7369, fixed in this release
- pull upstream fix for breaking t_skew.py by adding the patch for #961221
2013-06-04 11:13:25 -04:00
Nalin Dahyabhai
ff0ee94342 Respin with updated version of patch for RT#7650
Respin with updated version of patch for RT#7650, and don't forget to
keep track of the bug ID (#969331).
2013-05-31 14:29:57 -04:00
Nalin Dahyabhai
8a5a8d492c Back out the krb5-1.11-run_user_0.patch
It's not a complete fix, and it may only muddy things further on systems
that are having the kind of trouble it's trying to avoid, so hold off.
For now, at least.
2013-05-30 15:10:35 -04:00
Nalin Dahyabhai
202006a85f Pull a fix for kinit going on an only-masters path
- pull in proposed fix for attempts to get initial creds, which end up
  following referrals, incorrectly trying to always use master KDCs if
  they talked to a master at any point (should fix RT#7650)
2013-05-30 12:32:10 -04:00
Nalin Dahyabhai
dc293b3d84 Add a hackish attempt at a workaround for #961235
Add a patch to create /run/user/0 if we're trying to resolve a
DIR: ccache somewhere below it and neither the target location
nor /run/user/0 exist yet.
The better workaround is to set the location's owner to "linger"
via logind, since even after we do what we're doing here, if
the user logs in and logs back out, our location is still removed.
2013-05-30 12:26:42 -04:00
Nalin Dahyabhai
559c78a30a Label DIR: ccache directories when we create them
- don't forget to set the SELinux label when creating the directory for
  a DIR: ccache
2013-05-30 09:18:15 -04:00
Nalin Dahyabhai
11a4bca1fa Turn off some tests that master stopped doing
- pull in patches from master to not test GSSRPC-over-UDP and to not
  depend on the portmapper, which are areas where our build systems
  often give us trouble, too
2013-05-30 08:53:30 -04:00
Nalin Dahyabhai
bafcf02fa5 Actually bump the release number 2013-05-28 18:18:55 -04:00
Nalin Dahyabhai
e98d94d2bc Add proposed fix for handling AS client clock skew
In addition to basing the contents of an encrypted-timestamp preauth
data item on the server's idea of the current time, go ahead and do the
same for the times in the request.
2013-05-28 18:18:23 -04:00
Nalin Dahyabhai
827a48f7cc Fix handling of empty passwords in get-init-creds 2013-05-28 17:21:45 -04:00
Nalin Dahyabhai
2fdc61e398 Fix transited realm checks in GSSAPI servers
- backport fix for not being able to verify the list of transited realms
  in GSS acceptors (RT#7639, #959685)
2013-05-28 17:16:52 -04:00
Nalin Dahyabhai
325dca9ce4 Note the corresponding EL6 bug ID for reference 2013-05-28 17:13:23 -04:00
Nalin Dahyabhai
ee36e9e6b4 fix to make some use of DIR::... KRB5CCNAME values
- pull in upstream fix to start treating a KRB5CCNAME value that begins
  with DIR:: the same as it would a DIR: value with just one ccache file
  in it (RT#7172, #965574)
2013-05-21 13:51:51 -04:00
Nalin Dahyabhai
fbd06d348b pull up fix for kpasswd service ping-pong attack
- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443,
  #962531,#962534)
2013-05-13 18:32:51 -04:00
Nathaniel McCallum
c0d2f3b96d Update otp patch; add keycheck patch 2013-05-03 17:04:40 -04:00
Nalin Dahyabhai
fcc98d5403 make the default ccname change affect f19, too
- pull the changing of the compiled-in default ccache location to
  DIR:/run/user/%%{uid}/krb5cc back into F19, in line with SSSD and
  the most recent pam_krb5 build
2013-04-23 17:39:34 -04:00
Nalin Dahyabhai
d54b8d87c6 correct some configuration file paths
Correct some configuration file paths which the KDC_DIR patch
inadvertently changed.
2013-04-17 10:42:46 -04:00
Nalin Dahyabhai
3ba00c4edc keep track of the message type of FAST requests
- pull in fix for keeping track of the message type when parsing FAST requests
  in the KDC (RT#7605, #951843)
2013-04-15 11:06:55 -04:00
Nalin Dahyabhai
61043181c7 update to 1.11.2
- update to 1.11.2
  - drop pulled in patch for RT#7586, included in this release
  - drop pulled in patch for RT#7592, included in this release
2013-04-15 11:06:15 -04:00
Nalin Dahyabhai
fd7717242f set DEFCCNAME to DIR:/run/user/%{uid}/krb5cc
- move the compiled-in default ccache location from the previous default of
  FILE:/tmp/krb5cc_%{uid} to DIR:/run/user/%{uid}/krb5cc (part of #949588)
2013-04-12 09:24:16 -04:00
Nathaniel McCallum
8d291c8c0a Update otp plugin backport patches 2013-04-09 14:06:33 -04:00
Nalin Dahyabhai
ffcebd6c2b trying to get more of the tests to run on builders
- when testing the RPC library, treat denials from the local portmapper the
  same as a portmapper-not-running situation, to allow other library tests
  to be run while building the package
2013-04-03 17:23:58 -04:00
Nalin Dahyabhai
46d5c735d6 add RT number for most recent patch 2013-04-01 10:23:20 -04:00
Nalin Dahyabhai
7b92138ee8 teach gss_acquire_cred_from() about "client_keytab"
- pull in Simo's patch to recognize "client_keytab" as a key type which can
  be passed in to gss_acquire_cred_from()
2013-03-28 16:13:41 -04:00
Nalin Dahyabhai
30e39857ae package the right client keytab directory
- create and own /var/kerberos/krb5/user instead of /var/kerberos/kdc/user,
  since that's what the libraries actually look for
- add buildrequires on nss-myhostname, in an attempt to get more of the tests
  to run properly during builds
2013-03-28 16:12:30 -04:00
Nalin Dahyabhai
e7b662f81f pull in arm 64 (aarch64) build tweaks
- go back to using reconf to run autoconf and autoheader (part of #925640)
- add temporary patch to use newer config.guess/config.sub (more of #925640)
2013-03-26 16:48:29 -04:00
Nalin Dahyabhai
9d52c1d370 specify backup suffixes, like we do 2013-03-26 16:34:37 -04:00
Nalin Dahyabhai
c761eb0da7 pull up patch to mark imported gss contexts right
- pull up Simo's patch to mark the correct mechanism on imported GSSAPI
  contexts (RT#7592)
2013-03-26 16:32:29 -04:00
Nalin Dahyabhai
557835fdb3 tweak buildrequires conditionals for el7 builds
- fix a version comparison to expect newer texlive build requirements when
  %%{_rhel} > 6 rather than when it's > 7
2013-03-18 10:28:51 -04:00
Nathaniel McCallum
0efba32c47 first round of the otp plugin 2013-03-11 16:26:50 -04:00
Nalin Dahyabhai
6fdbb463fc fix a memory leak when obtaining creds via keytabs
- fix a memory leak when acquiring credentials using a keytab (RT#7586, #911110)
2013-02-28 16:37:33 -05:00
Nalin Dahyabhai
abff2e5117 escape uses of macros in comments (more of 884065)
escape uses of macros in comments (more of #884065)
2013-02-27 18:16:30 -05:00
Nalin Dahyabhai
a47a2acb30 drop the kerberos-iv portreserve file
drop the kerberos-iv portreserve file (long overdue), and drop the rest
on systemd systems, since we don't currently poke portreserve when we're
starting a service
2013-02-27 18:15:26 -05:00
Nalin Dahyabhai
460c5ab8b7 prebuild PDF docs to reduce multilib differences
prebuild PDF docs to reduce multilib differences (internal tooling, #884065)
2013-02-27 14:59:35 -05:00
Nalin Dahyabhai
0c2dcfe3ef update to 1.11.1
update to 1.11.1
- drop patch for noticing negative timeouts being passed to the poll()
  wrapper in the client transmit functions
2013-02-25 12:44:43 -05:00
Nalin Dahyabhai
977a60b72c set "rdns = false" in the default krb5.conf
set "rdns = false" in the default krb5.conf (#908323)
2013-02-08 10:29:14 -05:00
Nalin Dahyabhai
0597014fa8 update to 1.11 release
- update to the 1.11 final release
- drop the rawbuild tag from a couple of patches which we don't actually
  need to apply to get things to compile the way the package expects
2012-12-18 10:37:36 -05:00
Nalin Dahyabhai
9e98fec59e update to 1.11 beta 2 2012-12-13 10:57:00 -05:00
Nalin Dahyabhai
38b95e7b3e move a non-system libverto to the -libs subpackage
- when building with our bundled copy of libverto, package it in with -libs
  rather than with -server (#886049)
2012-12-13 10:27:19 -05:00
Nalin Dahyabhai
78b3a524da update to 1.11 beta 1 2012-11-21 15:56:57 -05:00
Nalin Dahyabhai
282fb3c1e0 packaging tweaks
- handle releases where texlive packaging wasn't yet as complicated as it
  is in Fedora 18
- fix an uninitialized-variable error building one of the test programs
2012-11-16 17:19:59 -05:00
Nalin Dahyabhai
8cf49572ea more tweaks to try to get doc building working 2012-11-16 15:58:51 -05:00
Nalin Dahyabhai
d97833d1ef just drop package-level deps on tex altogether 2012-11-16 14:56:42 -05:00
Nalin Dahyabhai
b1e19fe613 sure, okay. 2012-11-16 14:51:53 -05:00
Nalin Dahyabhai
5816919080 require pdflatex and makeindex 2012-11-16 14:36:59 -05:00
Nalin Dahyabhai
d8fb585c09 don't dummy up required stylesheets, require them 2012-11-16 13:35:21 -05:00
Nalin Dahyabhai
9f497eac9f also note the multilib impact in the docs 2012-11-16 13:14:55 -05:00
Nalin Dahyabhai
7404a3c685 more packaging fixups
- move the rather large pile of html and pdf docs to -workstation, so
  that just having something that links to the libraries won't drag
  them onto a system
- actually create %%{_var}/kerberos/kdc/user, so that it can be packaged
- correct the list of packaged man pages
2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
777f196e39 drop patches to fixup paths in man pages 2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
d0f6217945 own /var/kerberos/kdc/user 2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
18bdbb99e3 drop the only-weak-keys checker 2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
0efe966105 update heed-nsaccountlock patch
We lost explicit support for eDirectory per se, so just add a toggle to
enable heeding the one native attribute that 389 adds to the mix.
2012-11-16 13:01:56 -05:00
Nalin Dahyabhai
8a943cb6b5 update selinux labeling patch 2012-11-16 13:01:55 -05:00
Nalin Dahyabhai
423d0d2f67 update the paths-in-man-pages patch 2012-11-15 18:03:30 -05:00
Nalin Dahyabhai
34c8bac7e3 drop backported fix for clock skew errors
- drop backported fix for avoiding spurious clock skew when a TGT is
  decrypted long after the KDC sent it to the client which decrypts it
2012-11-15 15:23:18 -05:00
Nalin Dahyabhai
e5f60e0625 drop backports of patch for keytab-based kinit
- drop backported patches to make keytab-based authentication attempts
  work better when the client tells the KDC that it supports a particular
  cipher, but doesn't have a key for it in the keytab
2012-11-15 15:21:19 -05:00
Nalin Dahyabhai
b47c708afc drop backported PKINIT fix: directly-trusted KDCs
- drop backported fix for teaching PKINIT clients which trust the KDC's
  certificate directly to verify signed-data messages that are signed with
  the KDC's certificate, when the blobs don't include a copy of the KDC's
  certificate
2012-11-15 15:19:00 -05:00
Nalin Dahyabhai
f1f0baeb82 drop backported patch for disabling replay caches
- drop backported fix for disabling use of a replay cache when verifying
  initial credentials
2012-11-15 15:18:12 -05:00
Nalin Dahyabhai
e4244fc907 drop backported build patch 2012-11-15 15:15:47 -05:00
Nalin Dahyabhai
d86f9ffaaf the new docs system generates PDFs, so we can stop 2012-11-15 15:14:28 -05:00
Nalin Dahyabhai
03522e1559 drop backported patches for RT #7406,#7407,#7408
- drop backported patch for RT #7406
- drop backported patch for RT #7407
- drop backported patch for RT #7408
2012-11-15 15:04:38 -05:00
Nalin Dahyabhai
6baa28a80d start moving to 1.11 2012-11-15 15:03:00 -05:00
Nalin Dahyabhai
c7b12ecdfa tag a couple more patches for %%{?_rawbuild}
- tag a couple of other patches which we still need to be applied during
  %%{?_rawbuild} builds (zmraz)
2012-10-17 17:36:50 -04:00
Nalin Dahyabhai
51b608140a - actually pull up the patch for RT#7063, and not some other ticket (#773496) 2012-09-25 02:02:35 -04:00
Nalin Dahyabhai
3e1f3982d4 revise Filip's patch so that it more closely mimics the select() path 2012-09-10 18:47:48 -04:00
Nalin Dahyabhai
a4ad97ae22 abort the current transmit attempt if our timeout is negative
- add patch from Filip Krska to abort a transmit attempt when we've given
  poll() a negative timeout (#838548)
2012-09-10 16:30:11 -04:00
Nalin Dahyabhai
4c51c8bc7e more backported fixes for keytab-doesn't-have-all-key-types cases
- add a backport of more patches to set the client's list of supported enctypes
  when using a keytab to be the list of types of keys in the keytab, plus the
  list of other types the client supports but for which it doesn't have keys,
  in that order, so that KDCs have a better chance of being able to issue
  tickets with session keys of types that the client can use (#837855)
2012-09-07 16:10:45 -04:00
Nalin Dahyabhai
e39bc82589 pull up patch for RT#7063 - KDC/client time skew
- pull up patch for RT#7063, in which not noticing a prompt for a long
  time throws the client library's idea of the time difference between it
  and the KDC really far out of whack (#773496)
2012-09-07 14:05:10 -04:00
Nalin Dahyabhai
9a4c3f763b conflict with broken libsmbclient builds on EL6, so that we don't break them
- on EL6, conflict with libsmbclient before 3.5.10-124, which is when it
  stopped linking with a symbol which we no longer export (#771687)
2012-09-07 12:50:09 -04:00
Nalin Dahyabhai
cf693a2998 cut out an extraneous label configuration reload
- cut down the number of times we load SELinux labeling configuration from
  a minimum of two times to actually one (more of #845125)
2012-09-06 18:42:40 -04:00
Nalin Dahyabhai
7f06579f48 backport patch from RT#7229
- backport patch to disable replay detection in krb5_verify_init_creds()
  while reading the AP-REQ that's generated in the same function (RT#7229)
2012-08-30 14:22:23 -04:00
Nalin Dahyabhai
ec0380bcae merge and conditionalize some EL6isms
- undo rename from krb5-pkinit-openssl to krb5-pkinit on EL6
- version the Obsoletes: on the krb5-pkinit-openssl to krb5-pkinit rename
- reintroduce the init scripts for non-systemd releases
- forward-port %%{_?rawbuild} annotations from EL6 packaging
2012-08-30 14:06:23 -04:00
Nalin Dahyabhai
81ca63cffc - update to 1.10.3, rolling in MITKRB5-SA-2012-001 2012-08-09 11:11:24 -04:00
Nalin Dahyabhai
5d6308abab cache the selabel context between uses (dwalsh)
- selinux: hang on to the list of selinux contexts, freeing and reloading
  it only when the file we read it from is modified, freeing it when the
  shared library is being unloaded (#845125)
2012-08-02 18:50:32 -04:00
Nalin Dahyabhai
38e22af414 undo file-move fixes on Fedora 17
- go back to not messing with library file paths on Fedora 17: it breaks
  file path dependencies in other packages, and since Fedora 17 is already
  released, breaking that is our fault
2012-08-02 11:15:21 -04:00
Nalin Dahyabhai
899e166076 update bug numbers for this update 2012-07-31 14:34:09 -04:00
Nalin Dahyabhai
718a1573e1 fixes for MITKRB5-SA-2012-001 and .so symlinks
- add upstream patch to fix freeing an uninitialized pointer and dereferencing
  another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014
  and CVE-2012-1015, #838012)
- fix a thinko in whether or not we mess around with devel .so symlinks on
  systems without a separate /usr (sbose)
2012-07-31 14:14:12 -04:00
Dennis Gilmore
a020fb0304 Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-27 00:46:48 -05:00
Nalin Dahyabhai
f60e9ef28c backport RT#7183
- backport a fix to allow a PKINIT client to handle SignedData from a KDC
  that's signed with a certificate that isn't in the SignedData, but which
  is available as an anchor or intermediate on the client (RT#7183)
2012-06-22 14:07:46 -04:00
Nalin Dahyabhai
16a5c7affc back out the recent labeling change, per dwalsh
- back out this labeling change (dwalsh):
  - when building the new label for a file we're about to create, also mix
    in the current range, in addition to the current user
2012-06-05 16:24:15 -04:00
Nalin Dahyabhai
6e8c2c396c add explicit buildrequires: on 'hostname' and 'net-tools'
- add explicit buildrequires: on 'hostname', for the tests, on systems where
  it's in its own package, and require net-tools, which used to provide the
  command, everywhere
2012-06-01 16:31:50 -04:00
Nalin Dahyabhai
f06298144d no-separate-/usr means we don't have to move shlibs
- don't shuffle around any shared libraries on releases with
  no-separate-/usr, since /lib and /usr/lib are the same anyway
2012-06-01 15:41:01 -04:00
Nalin Dahyabhai
037ab925da backport a fix for keytabs which don't have keys for all enctypes
- add a backport of Stef's patch to set the client's list of supported
  enctypes to match the types of keys that we have when we are using a
  keytab to try to get initial credentials, so that a KDC won't send us
  an AS reply that we can't encrypt (RT#2131, #748528)
2012-06-01 15:24:41 -04:00
Nalin Dahyabhai
b8b71859bb update to 1.10.2
- when building the new label for a file we're about to create, also mix
  in the current range, in addition to the current user
- also package the PDF format admin, user, and install guides
- drop some PDFs that no longer get built right
2012-06-01 14:05:55 -04:00
Nalin Dahyabhai
cd92a2cbb4 - skip the setfscreatecon() if fopen() is passed "rb" as the open mode (part of #819115) 2012-05-07 17:28:51 -04:00
Nalin Dahyabhai
2057747130 - have -server require /usr/share/dict/words, which we set as the default dict_file in kdc.conf (#817089) 2012-05-01 11:44:13 -04:00
Nalin Dahyabhai
f2a7c1df57 - comment out example.com examples in default krb5.conf (Stef Walter, #805320) 2012-03-20 18:21:01 -04:00
Nalin Dahyabhai
f8503cf35b - changelog that last change 2012-03-20 18:20:08 -04:00
Nalin Dahyabhai
70240d81c8 - update to 1.10.1
- drop the KDC crash fix
  - drop the KDC lookaside cache fix
  - drop the fix for kadmind RPC ACLs (CVE-2012-1012)
2012-03-09 18:37:47 -05:00
Nalin Dahyabhai
4093154587 - when removing -workstation, remove our files from the info index while the file is still there, in %%preun, rather than %%postun, and use the compressed file's name (#801035) 2012-03-07 12:04:24 -05:00
Nathaniel McCallum
b44189a932 Fix string RPC ACLs (RT#7093); CVE-2012-1012 2012-02-21 15:40:50 -05:00
Nathaniel McCallum
1b8eb90a4f add upstream lookaside cache fix RT#7082 2012-01-31 13:42:23 -05:00
Nalin Dahyabhai
9e5f5995cd - add patch to accept keytab entries with vno==0 as matches when we're searching for an entry with a specific name/kvno (#230382/#782211,RT#3349) 2012-01-30 19:49:10 -05:00
Nalin Dahyabhai
6ac0d24fa5 - note the RT number 2012-01-30 12:51:02 -05:00
Nalin Dahyabhai
fbe4130509 - update to 1.10 final 2012-01-30 10:28:53 -05:00
Nathaniel McCallum
767944b7d8 fix release number 2012-01-26 12:17:35 -05:00
Nathaniel McCallum
a134a66915 add upstream crashfix patch 2012-01-26 11:58:18 -05:00
Nalin Dahyabhai
a04da4baa4 - note the RT number 2012-01-23 18:21:02 -05:00
Nalin Dahyabhai
cf65017ae3 - update to beta 1 2012-01-12 18:47:18 -05:00
Nalin Dahyabhai
3e2b8913b0 - add missing changelog item 2012-01-12 16:11:04 -05:00
Peter Robinson
c5fead3d7e mktemp was long obsoleted by coreutils 2012-01-11 10:36:49 +00:00
Nalin Dahyabhai
620baf13cd - modify the deltat grammar to also tell gcc (4.7) to suppress "maybe-uninitialized" warnings in addition to the "uninitialized" warnings it's already being told to suppress 2012-01-04 13:52:34 -05:00
Nalin Dahyabhai
2496d7a5c9 - update to alpha 2
- drop a couple of patches which were integrated for alpha 2
2011-12-20 13:18:27 -05:00
Nalin Dahyabhai
f28b57af20 - pull in patch for RT#7048: allow PAC verification to only bother trying to
verify the signature with keys that it's given (still more of #761317)
2011-12-13 10:50:02 -05:00
Nalin Dahyabhai
6d68d342c9 - pull in patch for RT#7047: allow tickets obtained via S4U2Proxy to be cached
(more of #761317)
2011-12-13 10:48:28 -05:00
Nalin Dahyabhai
fb7c02faff - pull in patch for RT#7046: tag a ccache containing credentials obtained via
S4U2Proxy with the principal name of the proxying principal (part of #761317)
2011-12-13 10:47:31 -05:00
Nalin Dahyabhai
03e76d7832 - apply upstream patch to fix a null pointer dereference when processing TGS requests (CVE-2011-1530, #753748) 2011-12-06 14:12:15 -05:00
Nalin Dahyabhai
4584a88e40 correct the release to match the changelog 2011-11-30 15:13:54 -05:00
Nalin Dahyabhai
635a422817 - correct a bug in the fix for #754001 so that the file creation context is consistently reset 2011-11-30 15:03:45 -05:00
Nalin Dahyabhai
a45a82724d - require libverto-module-base at build- and runtime so that tests which
use verto can work properly
2011-11-15 13:32:43 -05:00
Nalin Dahyabhai
1110ccd873 - bump to 1.10 alpha 1 2011-11-15 12:45:44 -05:00
Dennis Gilmore
39cc62dcc1 - Rebuilt for glibc bug#747377 2011-10-26 19:09:40 -05:00
Nalin Dahyabhai
af8b546790 - apply upstream patch to fix a null pointer dereference with the LDAP kdb backend (CVE-2011-1527, #744125), an assertion failure with multiple kdb backends (CVE-2011-1528), and a null pointer dereference with multiple kdb backends (CVE-2011-1529) (#737711) 2011-10-18 14:28:08 -04:00