- undo rename from krb5-pkinit-openssl to krb5-pkinit on EL6
- version the Obsoletes: on the krb5-pkinit-openssl to krb5-pkinit rename
- reintroduce the init scripts for non-systemd releases
- forward-port %%{_?rawbuild} annotations from EL6 packaging
- selinux: hang on to the list of selinux contexts, freeing and reloading
it only when the file we read it from is modified, freeing it when the
shared library is being unloaded (#845125)
- go back to not messing with library file paths on Fedora 17: it breaks
file path dependencies in other packages, and since Fedora 17 is already
released, breaking that is our fault
- add upstream patch to fix freeing an uninitialized pointer and dereferencing
another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014
and CVE-2012-1015, #838012)
- fix a thinko in whether or not we mess around with devel .so symlinks on
systems without a separate /usr (sbose)
- backport a fix to allow a PKINIT client to handle SignedData from a KDC
that's signed with a certificate that isn't in the SignedData, but which
is available as an anchor or intermediate on the client (RT#7183)
- back out this labeling change (dwalsh):
  - when building the new label for a file we're about to create, also mix
    in the current range, in addition to the current user
- add explicit buildrequires: on 'hostname', for the tests, on systems where
it's in its own package, and require net-tools, which used to provide the
command, everywhere
- add a backport of Stef's patch to set the client's list of supported
enctypes to match the types of keys that we have when we are using a
keytab to try to get initial credentials, so that a KDC won't send us
an AS reply that we can't encrypt (RT#2131, #748528)
- when building the new label for a file we're about to create, also mix
in the current range, in addition to the current user
- also package the PDF format admin, user, and install guides
- drop some PDFs that no longer get built right
The specifications recommend against using TXT records to map
hostnames to realms. However, they do not recommend against using
SRV records to look up the KDC.
Change back to the MIT default of enabling DNS for KDC lookup.
This allows automatic configuration and failover.
A theoretical attack involving SRV records could be similarly
accomplished by a similar attack involving the A records for
the KDC hosts.