- kadmin.service,krb5kdc.service: remove optional use of $KRB5REALM in command
lines, because systemd parsing doesn't handle alternate value shell variable
syntax
- kprop.service: add missing Type=forking so that systemd doesn't assume simple
- kprop.service: expect the ACL configuration to be there, not absent
during krb5_sname_to_principal(), and to let getaddrinfo() decide whether or
not to ask for an IPv6 address based on the set of configured interfaces
(RT#6922)
DES string2key not working (#679012)
- add revised upstream patch to fix double-free in KDC while returning
typed-data with errors (CVE-2011-0284, #674325)
child process exits with an error (MITKRB5-SA-2011-001), a hang or crash
in the KDC when using the LDAP kdb backend, and an uninitialized pointer
use in the KDC (MITKRB5-SA-2011-002) (CVE-2010-4022, #664009,
CVE-2011-0281, #668719, CVE-2011-0282, #668726, CVE-2011-0283, #670567)
- no longer need patches for #555875, #561174, #563431, RT#6661,
CVE-2010-0628
- replace buildrequires on tetex-latex with one on texlive-latex, which is
the package that provides it now
- temporarily bundling the krb5-appl package (split upstream as of 1.8)
until its package review is complete
- profile.d scriptlets are now only needed by -workstation-clients
- adjust paths in init scripts
- drop upstreamed fix for KDC denial of service (CVE-2010-0283)
- drop patch to check the user's password correctly using crypt(), which
isn't a code path we hit when we're using PAM
would happen if ftpd was given the name of a user who wasn't known to
the local system, limited to being triggerable by gssapi-authenticated
clients by the default xinetd config (Olivier Fourdan, #569472)
- scrub out references to $RPM_SOURCE_DIR (jdennis)
- include a symlink to the readme with the name LICENSE so that people can
find it more easily (jdennis)
- don't trip AD lockout on wrong password (#542687, #554351)
- incorporates fixes for CVE-2009-4212 and CVE-2009-3295
- fixes gss_krb5_copy_ccache() when SPNEGO is used
- move sim_client/sim_server, gss-client/gss-server, uuclient/uuserver to
the devel subpackage, better lining up with the expected krb5/krb5-appl
split in 1.8
- drop kvno,kadmin,k5srvutil,ktutil from -workstation-servers, as it
already depends on -workstation which also includes them
than seven days away when the KDC reports it via the last-req field,
just as we already do when it reports expiration via the key-expiration
field (#556495)
- link with libtinfo rather than libncurses, when we can, in future RHEL
port, kpropd can always bind to the krb5_prop port, and that kadmind
can always bind to the kerberos-adm port (#555279)
- correct inadvertent use of macros in the changelog (rpmlint)
function in the kadmind and kpropd init scripts, so that we get the
right error when we're dead but have a lock file - requires initscripts
8.99 (#521772)
- add patches for read overflow and null pointer dereference in the
implementation of the SPNEGO mechanism (CVE-2009-0844, CVE-2009-0845)
- add patch for attempt to free uninitialized pointer in libkrb5
(CVE-2009-0846)
- add patch to fix length validation bug in libkrb5 (CVE-2009-0847)
when v4 compatibility is enabled on the KDC (CVE-2008-0062,
CVE-2008-0063, #432620, #432621)
- add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when
high-numbered descriptors are used (CVE-2008-0947, #433596)
- add backport bug fix for an attempt to free non-heap memory in
libgssapi_krb5 (CVE-2007-5901, #415321)
- add backport bug fix for a double-free in out-of-memory situations in
libgssapi_krb5 (CVE-2007-5971, #415351)
authenticated
- in login, signal PAM when we're changing an expired password that it's an
expired password, so that when cracklib flags a password as being weak
it's treated as an error even if we're running as root
- kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that
the DISALLOW_ALL_TIX flag is set on an entry, for better interop with
Fedora, Netscape, Red Hat Directory Server (Simo Sorce)
- enable patch to make kpasswd fall back to TCP if UDP fails
- enable patch to make kpasswd use the right sequence number on retransmit
- enable patch to allow mech-specific creds delegated under spnego to be
found when searching for creds
- drop unquoted check and silent exit for "$NETWORKING" (#426852, #242500)
- krb524: don't barf on missing database if it looks like we're using
kldap, same as for kadmin
- return non-zero status for missing files which cause startup to fail
CVE-2007-4000 (the new pkinit module is built conditionally and goes
into the -pkinit-openssl package, at least for now, to make a buildreq
loop with openssl avoidable)
- drop old, incomplete SELinux patch
- add patch from Greg Hudson to make srvtab routines report missing-file
errors at same point that keytab routines do (#241805)
there if it looks like we might be using the kldap plugin
- kadmind.init: attempt to extract the key for the host-specific kadmin
service when we try to create the keytab
shared libraries (no more static libraries) makes them unnecessary and
they're not part of the libkrb5 interface (patch by Rex Dieter,
#240220) (strips out libkeyutils, libresolv, libdl)
(#229782, CVE-2007-0956)
- add patch to fix buffer overflow in krb5kdc and kadmind (#231528,
CVE-2007-0957)
- add patch to fix double-free in kadmind (#231537, CVE-2007-1216)
- move workstation daemons to a new subpackage (#81836, #216356, #217301),
and make the new subpackage require xinetd (#211885)
We don't get static libraries any more. Holding off on build until
verification that this doesn't kill other things, or until we get them
building in a semi-useful way.
- first cut at making RPM scriptlets failproof for install-info
- pull up pre-generated PDF docs so that we don't have multiarch
differences due to document IDs, timestamps, and compressed data,
- pull up the script to make sure that the PDF matches its source to guard
against the package maintainer forgetting to update when we move to a
new release
a different location than the default (fenlason)
- remove the [kdc] section from the default krb5.conf -- doesn't seem to
have been applicable for a while
64-bit architectures, to avoid multilib conflicts; other changes will
conspire to strip out the -L flag which uses this, so it should be
harmless (#192692)
krb5-config which is okay in multilib environments (#190118)
- make the name-of-the-tempfile comment which compile_et adds to error code
headers always list the same file to avoid conflicts on multilib
installations
- strip SIZEOF_LONG out of krb5.h so that it doesn't conflict on multilib
boxes
- strip GSS_SIZEOF_LONG out of gssapi.h so that it doesn't conflict on
multilib boxes
(CAN-2005-0469)
- add draft fix from Tom Yu for env_opt_add() buffer overflow
(CAN-2005-0468)
will need to re-roll if the draft fix isn't the same as the final one *
- v1.4 kadmin client requires a v1.4 kadmind on the server, or use the "-O"
flag to specify that it should communicate with the server using the
older protocol
- new libkrb5support library
- v5passwdd and kadmind4 are gone
- versioned symbols
- pick up $KRB5KDC_ARGS from /etc/sysconfig/krb5kdc, if it exists, and pass
it on to krb5kdc
- pick up $KADMIND_ARGS from /etc/sysconfig/kadmin, if it exists, and pass
it on to kadmind
- pick up $KRB524D_ARGS from /etc/sysconfig/krb524, if it exists, and pass
it on to krb524d *instead of* "-m"
- set "forwardable" in [libdefaults] in the default krb5.conf to match the
default setting which we supply for pam_krb5
- set a default of 24h for "ticket_lifetime" in [libdefaults], reflecting
the compiled-in default
#140036)
- silence compiler warning in kprop by using an in-memory ccache with a
fixed name instead of an on-disk ccache with a name generated by
tmpnam()
Wed May 12 2004 Thomas Woerner <twoerner@redhat.com> 1.3.3-3
- removed rpath
Thu Apr 15 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.3-2
- re-enable large file support, fell out in 1.3-1
- patch rcp to use long long and %lld format specifiers when reporting file
sizes on large files
Wed Mar 10 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.2-1
- update to 1.3.2
Mon Mar 08 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-12
- rebuild
Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com> 1.3.1-11.1
- rebuilt
Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com> 1.3.1-11
- rebuilt
Mon Feb 09 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-10
- catch krb4 send_to_kdc cases in kdc preference patch
Mon Feb 02 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-9
- remove patch to set TERM in klogind which, combined with the upstream fix
in 1.3.1, actually produces the bug now (#114762)
Mon Jan 19 2004 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-8
- when iterating over lists of interfaces which are "up" from getifaddrs(),
skip over those which have no address (#113347)
Mon Jan 12 2004 Nalin Dahyabhai <nalin@redhat.com>
- prefer the kdc which last replied to a request when sending requests to
kdcs
Mon Nov 24 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-7
- fix combination of --with-netlib and --enable-dns
Tue Nov 18 2003 Nalin Dahyabhai <nalin@redhat.com>
- remove libdefault ticket_lifetime option from the default krb5.conf, it
is ignored by libkrb5
Thu Sep 25 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-6
- fix bug in patch to make rlogind start login with a clean environment a
la netkit rlogin, spotted and fixed by Scott McClung
Tue Sep 23 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-5
- include profile.d scriptlets in krb5-devel so that krb5-config will be in
the path, reported by Kir Kolyshkin
Mon Sep 08 2003 Nalin Dahyabhai <nalin@redhat.com>
- add more etypes (arcfour) to the default enctype list in kdc.conf
- don't apply previous patch, refused upstream
Fri Sep 05 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-4
- fix 32/64-bit bug storing and retrieving the issue_date in v4 credentials
Wed Sep 03 2003 Dan Walsh <dwalsh@redhat.com> 1.3.1-3
- Don't check for write access on /etc/krb5.conf if SELinux
Tue Aug 26 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-2
- fixup some int/pointer varargs wackiness
Tue Aug 05 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-1
- rebuild
Mon Aug 04 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3.1-0
- update to 1.3.1
Thu Jul 24 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3-2
- pull fix for non-compliant encoding of salt field in etype-info2 preauth
data from 1.3.1 beta 1, until 1.3.1 is released.
Mon Jul 21 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3-1
- update to 1.3
Mon Jul 07 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.8-4
- correctly use stdargs
Wed Jun 18 2003 Nalin Dahyabhai <nalin@redhat.com> 1.3-0.beta.4
- test update to 1.3 beta 4
- ditch statglue build option
- krb5-devel requires e2fsprogs-devel, which now provides libss and
libcom_err
Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
- rebuilt
Wed May 21 2003 Jeremy Katz <katzj@redhat.com> 1.2.8-2
- gcc 3.3 doesn't implement varargs.h, include stdarg.h instead
Wed Apr 09 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.8-1
- update to 1.2.8
Fri Mar 21 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-24
- fix double-free of enc_part2 in krb524d
- update to latest patch kit for MITKRB5-SA-2003-004
Thu Mar 20 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-23
- make the default kdc.conf list the same enctypes we use for 1.2.7
Wed Mar 19 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-22
- add patch included in MITKRB5-SA-2003-003 (CAN-2003-0028)
Mon Mar 17 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-21
- add patches from patchkit from MITKRB5-SA-2003-004 (CAN-2003-0138 and
CAN-2003-0139)
Thu Mar 06 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-20
- fix buffer underrun in unparsing certain principals (CAN-2003-0082)
Wed Feb 26 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-19
- add patch to fix server-side crashes when principals have no components
(CAN-2003-0072)
Mon Feb 24 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-18
- add patch from Matt Crawford for encoding transited realms properly
Wed Feb 05 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-17
- sync compiler flags for configure and make with other versions
Tue Feb 04 2003 Nalin Dahyabhai <nalin@redhat.com>
- add patch to document the reject-bad-transited option in kdc.conf
- add backported symbol namespacing fix from 1.2.3 to clear up clashes with
glib
- add backported fix for hangs in kadmin client when principal contains an
escaped @ symbol
Thu Jan 30 2003 Nalin Dahyabhai <nalin@redhat.com>
- add candidate backports for CAN-2002-0036, CAN-2002-058, CAN-2002-059
(CAN-2002-060 was fixed in 1.1.1-7 or so)
Thu Jan 23 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-16
- add patch from Mark Cox for exploitable bugs in ftp client
- add patch to avoid buffer read overruns when configuring via DNS
- add patch to properly include <errno.h>
Wed Oct 23 2002 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-15
- add patch from Tom Yu for exploitable bugs in kadmind4
- remove raw keys from the default kdc.conf
Fri Jul 20 2001 Nalin Dahyabhai <nalin@redhat.com>
- tweak statglue.c to fix stat/stat64 aliasing problems
- be cleaner in use of gcc to build shlibs
Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
- use gcc to build shared libraries
Wed Jun 27 2001 Nalin Dahyabhai <nalin@redhat.com>
- add patch to support "ANY" keytab type (i.e., "default_keytab_name =
ANY:FILE:/etc/krb5.keytab,SRVTAB:/etc/srvtab" patch from Gerald
Britton, #42551)
- build with -D_FILE_OFFSET_BITS=64 to get large file I/O in ftpd (#30697)
- patch ftpd to use long long and %lld format specifiers to support the
SIZE command on large files (also #30697)
- don't use LOG_AUTH as an option value when calling openlog() in ksu
(#45965)
- implement reload in krb5kdc and kadmind init scripts (#41911)
- lose the krb5server init script (not using it any more)
Sun Jun 24 2001 Elliot Lee <sopwith@redhat.com>
- Bump release + rebuild.
Tue May 29 2001 Nalin Dahyabhai <nalin@redhat.com>
- pass some structures by address instead of on the stack in krb5kdc
Tue May 22 2001 Nalin Dahyabhai <nalin@redhat.com>
- rebuild in new environment
Thu Apr 26 2001 Nalin Dahyabhai <nalin@redhat.com>
- add patch from Tom Yu to fix ftpd overflows
Wed Apr 18 2001 Than Ngo <than@redhat.com>
- disable optimizations on the alpha again
Fri Mar 30 2001 Nalin Dahyabhai <nalin@redhat.com>
- add in glue code to make sure that libkrb5 continues to provide a weak
copy of stat()
Thu Mar 15 2001 Nalin Dahyabhai <nalin@redhat.com>
- build alpha with -O0 for now
Thu Mar 08 2001 Nalin Dahyabhai <nalin@redhat.com>
- fix the kpropd init script
Mon Mar 05 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 1.2.2, which fixes some bugs relating to empty ETYPE-INFO
- re-enable optimization on Alpha
Thu Feb 08 2001 Nalin Dahyabhai <nalin@redhat.com>
- build alpha with -O0 for now
- own /var/kerberos
Tue Feb 06 2001 Nalin Dahyabhai <nalin@redhat.com>
- own the directories which are created for each package (#26342)
Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
- gettextize init scripts
Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
- add some comments to the ksu patches for the curious
- re-enable optimization on alphas
Mon Jan 15 2001 Nalin Dahyabhai <nalin@redhat.com>
- fix krb5-send-pr (#18932) and move it from -server to -workstation
- buildprereq libtermcap-devel
- temporarily disable optimization on alphas
- gettextize init scripts
Tue Dec 05 2000 Nalin Dahyabhai <nalin@redhat.com>
- force -fPIC
Fri Dec 01 2000 Nalin Dahyabhai <nalin@redhat.com>
- rebuild in new environment
Tue Oct 31 2000 Nalin Dahyabhai <nalin@redhat.com>
- add bison as a BuildPrereq (#20091)
Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com>
- change /usr/dict/words to /usr/share/dict/words in default kdc.conf
(#20000)
Thu Oct 05 2000 Nalin Dahyabhai <nalin@redhat.com>
- apply kpasswd bug fixes from David Wragg
Wed Oct 04 2000 Nalin Dahyabhai <nalin@redhat.com>
- make krb5-libs obsolete the old krb5-configs package (#18351)
- don't quit from the kpropd init script if there's no principal database
so that you can propagate the first time without running kpropd
manually
- don't complain if /etc/ld.so.conf doesn't exist in the -libs %post
Tue Sep 12 2000 Nalin Dahyabhai <nalin@redhat.com>
- fix credential forwarding problem in klogind (goof in KRB5CCNAME
handling) (#11588)
- fix heap corruption bug in FTP client (#14301)