Robbie Harwood
e02d5c1dac
Actually bump kdbversion like I was supposed to
2017-10-09 15:24:04 +00:00
Robbie Harwood
533a73fdd1
New upstream prerelease (1.16-beta1)
2017-10-05 20:29:13 +00:00
Robbie Harwood
0c7302b5bc
Add German translation
2017-09-28 21:50:19 +00:00
Robbie Harwood
f1e535bb81
New upstream release - krb5-1.15.2
...
Adjust patches as appropriate
2017-09-25 19:24:33 +00:00
Robbie Harwood
11b90e9e6e
Save other programs from worrying about CVE-2017-11462
...
Resolves : #1488873
Resolves : #1488874
2017-09-06 16:43:59 +00:00
Robbie Harwood
f6b653fac2
Add hostname-based ccselect module
...
Also update certauth EKU stuff
Resolves : #1463665
2017-09-05 18:16:58 +00:00
Robbie Harwood
8f0349dc3e
Backport certauth eku security fix
2017-08-25 16:43:43 +00:00
Robbie Harwood
95b80fb0b9
Backport kdc policy plugin, but this time with dependencies
2017-08-22 19:11:06 +00:00
Robbie Harwood
48ad53c66e
Backport kdcpolicy interface
2017-08-21 17:23:54 +00:00
Robbie Harwood
2674e01b27
* Mon Aug 07 2017 Robbie Harwood <rharwood@redhat.com> 1.15.1-21
...
Display an error message if ocsp pkinit is requested
2017-08-16 20:07:07 +00:00
Robbie Harwood
0d402dae7f
Display an error message if ocsp pkinit is requested
2017-08-07 20:42:47 +00:00
Robbie Harwood
ccd78d8ee9
Disable dns_canonicalize_hostname. This may break some setups.
2017-08-02 17:02:48 +00:00
Robbie Harwood
0f2af40d1e
Re-enable test suite on ppc64le (no other changes)
2017-08-02 14:42:30 +00:00
Fedora Release Engineering
e2a7f10a2f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
2017-07-26 17:59:47 +00:00
Robbie Harwood
45c6f63563
Fix CVE-2017-11368 (remote triggerable assertion failure)
2017-07-20 15:31:44 +00:00
Robbie Harwood
bb9cd0748a
Explicitly require python2 packages
2017-07-19 20:08:14 +00:00
Robbie Harwood
dd3f3e78a4
Add support to query the SSF of a context
2017-07-19 18:24:50 +00:00
Petr Písař
887df81921
perl dependency renamed to perl-interpreter < https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules >
2017-07-12 14:04:40 +02:00
Robbie Harwood
ff9e66e349
Fix leaks in gss_inquire_cred_by_oid()
2017-07-06 17:06:13 +00:00
Robbie Harwood
b3eef12e9a
Fix arch name (ppc64le, not ppc64el)
...
Related-to: #1464381
2017-06-26 19:49:21 +00:00
Robbie Harwood
a51673420f
Skip test suite on ppc64el
...
Related-to: #1464381
2017-06-26 19:45:34 +00:00
Robbie Harwood
db0f9d981a
Include more test suite changes from upstream
...
Resolves : #1464381
2017-06-23 20:45:16 +00:00
Robbie Harwood
58aed41605
Fix custom build with -DDEBUG
2017-06-07 15:18:05 +00:00
Robbie Harwood
d322a08712
Use standard trigger logic for krb5 snippet
2017-05-24 19:04:22 +00:00
Robbie Harwood
3cae6ae5c3
Add kprop service env config file
2017-04-28 20:14:01 +00:00
Robbie Harwood
21848ec3e1
Update backports of certauth and corresponding test
2017-04-19 17:49:45 +00:00
Robbie Harwood
291b968871
Include fixes for previous commit
...
Resolves : #1433083
2017-04-13 20:00:14 +00:00
Robbie Harwood
3d952fc6c0
Automatically add includedir where not present
...
Also try removing sleep statement to see if it is still needed
Resolves : #1433083
2017-04-13 19:57:23 +00:00
Robbie Harwood
82cabae196
Fix use of enterprise principals with forwarding
2017-04-07 16:13:00 +00:00
Robbie Harwood
0dc40d929f
Backport certauth plugin and related pkinit changes
2017-03-22 18:09:06 +00:00
Robbie Harwood
fd8a9e22c4
Remove duplication between subpackages
...
Resolves : #1250228
2017-03-07 19:41:05 +00:00
Robbie Harwood
2a20da0e2a
New upstream release - 1.15.1
2017-03-04 00:34:47 +00:00
Robbie Harwood
9ce824b289
Patch build by disabling failing test; will fix properly soon
2017-03-01 22:58:53 +00:00
Robbie Harwood
ae83ec3024
Hammer refresh around transient rawhide issue
2017-02-17 23:45:56 +00:00
Robbie Harwood
beaf0637a0
Backport fix for GSSAPI fallback realm
2017-02-17 22:47:38 +00:00
Robbie Harwood
0d08e37340
Move krb5-kdb-version provides from -libs to -devel
2017-02-07 18:25:18 +00:00
Robbie Harwood
621f3cf2e6
Add free hook to KDB; increments KDB version
...
Add KDB version flag.
All patches are touched because git made the hash lengths in patches longer.
2017-01-20 18:07:42 -05:00
Robbie Harwood
be80cb9861
New upstream release
2016-12-05 20:52:58 +00:00
Robbie Harwood
f68ddd3a8e
Comment how betas work
2016-11-17 09:00:11 -05:00
Robbie Harwood
c3f7090334
New upstream release
2016-11-16 21:22:01 +00:00
Robbie Harwood
442bc9dfe4
Ensure we can build with the new CFLAGS
...
Also remove the git versioning in patches.
2016-11-10 20:32:41 +00:00
Robbie Harwood
821dac42ed
Upstream release 1.15-beta1
...
Also update selinux with RHEL hygene.
Resolves : #1314096
2016-10-20 23:34:55 +00:00
Tomas Mraz
895d0bdfea
rebuild with OpenSSL 1.1.0, added backported upstream patch
2016-10-11 14:04:59 +02:00
Robbie Harwood
76843c3ef0
Properly close krad sockets
...
Resolves : #1380836
2016-09-30 17:38:09 +00:00
Robbie Harwood
5a1a649bda
Fix backward check in kprop.service
2016-09-30 16:40:22 +00:00
Robbie Harwood
bbb54d328c
Switch to using autosetup macro
...
Patches come from git, so it is easiest to just make a git repo
2016-09-30 16:40:14 +00:00
Robbie Harwood
32ef372877
Backport getrandom() support and remove patch numbering
2016-09-22 19:39:24 +00:00
Robbie Harwood
14f028579d
New upstream release and integrate with external git
2016-09-19 23:49:31 +00:00
Robbie Harwood
4f5955da72
Add krb5_db_register_keytab
...
Resolves : #1376812
2016-09-19 16:18:42 +00:00
Robbie Harwood
3e13029eb0
Use responder for non-preauth AS requests
...
Resolves : #1370622
2016-08-29 17:58:02 +00:00
Robbie Harwood
10d34c1413
Guess Samba client mutual flag using ap_option
...
Resolves : #1370980
2016-08-29 17:44:23 +00:00
Robbie Harwood
1dd613afe8
Fix KDC return code and set prompt types for OTP client preauth
...
Resolves : #1370072
2016-08-25 14:05:05 +00:00
Robbie Harwood
136cc25087
Turn OFD locks back on with glibc workaround
...
Resolves : #1274922
2016-08-15 17:33:33 +00:00
Robbie Harwood
766ee8e989
Fix use of KKDCPP with SNI
...
Resolves : #1365027
2016-08-10 17:21:41 +00:00
Robbie Harwood
da7614606c
Make krb5-devel depend on libkadm5
...
Resolves : #1364487
2016-08-05 17:02:52 +00:00
Robbie Harwood
480d266a1d
Up-port a bunch of stuff from the el-7.3 cycle
...
Resolves : #1255450
ResolveS : #1314989
2016-08-03 21:15:16 +00:00
Robbie Harwood
482c8e1687
New upstream version 1.14.3
2016-08-01 20:44:35 +00:00
Robbie Harwood
528404bbf5
Fix CVE-2016-3120
...
Resolves : #1361051
2016-07-28 21:56:33 +00:00
Robbie Harwood
e165eeccda
Fix incorrect recv() size calculation in libkrad
2016-06-23 16:07:51 +00:00
Robbie Harwood
802e825d17
Separate out the kadm5 libs
2016-06-16 16:34:18 +00:00
Robbie Harwood
db300d8761
Fix setting of AS key in OTP preauth failure
2016-05-27 21:19:24 +00:00
Robbie Harwood
0429334fa0
Use the correct patches this time.
...
Resolves : #1321135
2016-04-05 20:14:05 +00:00
Robbie Harwood
2f3f20f718
Add send/receive sendto_kdc hooks and corresponding tests
...
Resolves : #1321135
2016-04-04 18:38:02 +00:00
Robbie Harwood
f0b5fc56f2
Fix CVE-2016-3119 (NULL deref in LDAP module)
2016-03-18 21:02:15 +00:00
Robbie Harwood
7b4e88e425
Backport OID mech fix
...
Resolves : #1317609
2016-03-17 17:17:30 +00:00
Robbie Harwood
f1cb770b53
New rawhide, new upstream version
...
- Drop CVE patches
- Rename fix_interposer.patch to acquire_cred_interposer.patch
- Update acquire_cred_interposer.patch to apply to new source
2016-02-29 23:45:38 +00:00
Robbie Harwood
8bddc884ac
Fix log file permissions patch with our selinux
...
Resolves : #1309421
2016-02-22 22:06:57 +00:00
Robbie Harwood
96d71f74f7
Backport my interposer fixes from upstream
...
Supersedes krb5-mechglue_inqure_attrs.patch
2016-02-19 20:11:26 +00:00
Robbie Harwood
5d016a51a3
Clean up bad merge
2016-02-16 17:08:51 +00:00
Robbie Harwood
9707484326
Adjust dependency on crypto-polices to be just the file we want
...
Patch courtesy of lslebodn.
Resolves : #1308984
2016-02-16 17:07:34 +00:00
Dennis Gilmore
04850893e4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
2016-02-04 02:24:34 +00:00
Robbie Harwood
f525729cee
Replace _kadmin/_kprop with systemd macros
...
Remove traces of upstart from fedora package per policy
Resolves : #1290185
2016-01-28 19:44:10 +00:00
Robbie Harwood
c52f5baf4b
Fix CVE-2015-8629, CVE-2015-8630, CVE-2015-8631
2016-01-27 23:17:07 +00:00
Robbie Harwood
93772ec156
Make krb5kdc.log not world-readable by default
...
Resolves : #1276484
2016-01-21 19:05:45 +00:00
Robbie Harwood
892fe9b7b5
Allow verification of attributes on krb5.conf
2016-01-21 18:05:08 +00:00
Robbie Harwood
ce63dad07e
Use "new" systemd macros for service handling. (Thanks vpavlin!)
...
Resolves : #850399
2016-01-20 22:11:00 +00:00
Robbie Harwood
21a49ad7c7
Simplify spec file by removing some dead code paths
...
This includes removal of the following macros:
- WITH_NSS (always false)
- WITH_SYSTEMD (always true)
- WITH_LDAP (always true)
- WITH_OPENSSL (always true)
2016-01-20 21:15:02 +00:00
Robbie Harwood
b653d26d53
Backport fix for chrome crash in spnego_gss_inquire_context
...
Resolves : #1295893
2016-01-08 18:38:57 +00:00
Robbie Harwood
07d6f2cd01
Backport patch to fix mechglue for gss_inqure_attrs_for_mech()
2015-12-17 02:12:51 +00:00
Robbie Harwood (frozencemetery)
1560d2b3cc
Backport interposer fix from master
...
Drop workaround pwsize initialization patch (gcc has been fixed)
Resolves: rhbz#1284985
2015-12-03 22:02:09 +00:00
Robbie Harwood (frozencemetery)
bf282deaf1
Fix FTBFS by no longer working around bug in nss_wrapper
2015-11-24 16:39:15 +00:00
Robbie Harwood (frozencemetery)
89ae1a3c67
Upstream release. No actual change from beta, just version bump
...
Also clean up unused parts of spec file.
2015-11-23 22:56:02 +00:00
Robbie Harwood (frozencemetery)
806928902d
Release 1.14-beta2
2015-11-16 18:11:20 +00:00
Robbie Harwood (frozencemetery)
b81fddfea1
Patch CVE-2015-2698
2015-11-04 20:26:21 +00:00
Robbie Harwood (frozencemetery)
def8c582bb
Patch CVE-2015-2697, CVE-2015-2696, CVE-2015-2695
2015-10-27 17:31:54 +00:00
Robbie Harwood (frozencemetery)
255e769785
Ensure pwsize is initialized in chpass_util.c
2015-10-22 18:30:26 +00:00
Robbie Harwood (frozencemetery)
5eb94ecfab
Fix typo of crypto-policies file in previous version
2015-10-22 15:14:45 +00:00
Robbie Harwood (frozencemetery)
9baef8fa8f
Start using crypto-policies
2015-10-19 23:01:44 +00:00
Robbie Harwood (frozencemetery)
582b087130
TEMPORARILY disable usage of OFD locks as a workaround for x86
2015-10-19 17:38:34 +00:00
Robbie Harwood (frozencemetery)
98128c4038
New upstream beta version
2015-10-15 20:51:57 +00:00
Robbie Harwood (frozencemetery)
4529758a74
Work around KDC client prinicipal in referrals issue
...
Resolves: rhbz#1259844
2015-10-08 19:24:20 +00:00
Robbie Harwood (frozencemetery)
a89bdde4da
Revert "New upstream version: krb5-1.14-alpha1"
...
This reverts commit 1138991893
.
2015-10-01 18:33:34 +00:00
Robbie Harwood
5ccfdd171d
Bring back krb5.conf.d and allow building with bad krb5.conf
2015-09-29 14:47:06 -04:00
Robbie Harwood (frozencemetery)
1138991893
New upstream version: krb5-1.14-alpha1
...
Drop patches that have since been applied. Create new patches as
needed.
2015-09-24 17:57:53 +00:00
Robbie Harwood (frozencemetery)
a328acab1b
Drop dependency on pax&ksh and remove support for fedora < 20
2015-09-23 18:42:40 +00:00
Robbie Harwood (frozencemetery)
a9af3c8817
Nix /usr/share/krb5.conf.d to reduce complexity
2015-09-23 15:11:53 +00:00
Robbie Harwood (frozencemetery)
65ce267be1
Depend on crypto-policies which provides /etc/krb5.conf.d
...
Resolves: rhbz#1225792
2015-09-23 14:02:37 +00:00
Robbie Harwood (frozencemetery)
5ec8cb89e0
Miscalaneous spec fixes.
...
Remove dependency on systemd-sysv which is no longer needed for fedora
> 20. Other fixes as needed to resolve a fail-to-build issue.
2015-09-11 17:02:31 +00:00
Robbie Harwood (frozencemetery)
2e058adfc5
Bump minor release
2015-09-10 19:55:53 +00:00
Robbie Harwood (frozencemetery)
6cb6b69409
Support config snippets in /etc/krb5.conf.d/ and /usr/share/krb5.conf.d/
...
Resolves: rhbz#1225792, rhbz#1146370, rhbz#1145808
2015-09-10 19:45:12 +00:00
Roland Mainz
580aefb618
* Thu Jun 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-6
...
- Use system nss_wrapper and socket_wrapper for testing.
Patch by Andreas Schneider <asn@redhat.com>
2015-06-26 02:47:13 +02:00
Roland Mainz
d4aa04d87c
* Thu Jun 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-5
...
- Remove Zanata test glue and related workarounds
- Bug #1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind")
- Bug #1234326 ("krb5-server introduces new rpm dependency on ksh")
2015-06-25 14:23:31 +02:00
Roland Mainz
168ec0c9e7
* Thu Jun 18 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-4
...
- Fix dependicy on binfmt.service
2015-06-19 18:22:15 +02:00
Dennis Gilmore
57f951a0e2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
2015-06-17 13:38:13 +00:00
Roland Mainz
7029c6670c
* Tue Jun 2 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-2
...
- Add patch to fix Redhat Bug #1227542 ("[SELinux] AVC denials may appear
when kadmind starts"). The issue was caused by an unneeded |htons()|
which triggered SELinux AVC denials due to the "random" port usage.
2015-06-03 02:57:20 +02:00
Roland Mainz
8c2cea93bb
* Thu May 21 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-1
...
- Add fix for RedHat Bug #1164304 ("Upstream unit tests loads
the installed shared libraries instead the ones from the build")
2015-05-22 16:28:26 +02:00
Roland Mainz
3ae7a21305
* Thu May 14 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-0
...
- Update to krb5-1.13.2
- drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2
- drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2
- Add script processing for upcoming Zanata l10n support
- Minor spec cleanup
2015-05-15 01:02:21 +02:00
Roland Mainz
1171aa60d0
* Mon May 4 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-4
...
- fix for CVE-2015-2694 (#1216133 ) "requires_preauth bypass
in PKINIT-enabled KDC".
In MIT krb5 1.12 and later, when the KDC is configured with
PKINIT support, an unauthenticated remote attacker can
bypass the requires_preauth flag on a client principal and
obtain a ciphertext encrypted in the principal's long-term
key. This ciphertext could be used to conduct an off-line
dictionary attack against the user's password.
resolves : #1216134
2015-05-06 01:15:00 +02:00
Roland Mainz
14a63ce373
* Wed Mar 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-3
...
- Add temporay workaround for RH bug #1204646 ("krb5-config
returns wrong -specs path") which modifies krb5-config post
build so that development of krb5 dependicies gets unstuck.
This MUST be removed before rawhide becomes F23 ...
2015-03-25 16:06:10 +01:00
Roland Mainz
1984e0ee1d
* Thu Mar 19 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-2
...
- fix for CVE-2014-5355 (#1193939 ) "krb5: unauthenticated
denial of service in recvauth_common() and others"
2015-03-20 13:24:47 +01:00
Roland Mainz
54e60b1162
* Thu Mar 19 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-2
...
- fix for CVE-2014-5355 (#1193939 ) "krb5: unauthenticated
denial of service in recvauth_common() and others"
2015-03-20 13:23:20 +01:00
Roland Mainz
03981c354e
* Fri Feb 13 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-1
...
- Update to krb5-1.13.1
- drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1
- drop patch for kinit -C loops (MIT/krb5 bug #243 ), fixed in krb5-1.13.1
- drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1
- Minor spec cleanup
2015-02-13 17:35:10 +01:00
Roland Mainz
c74e97faa9
* Wed Feb 4 2015 Roland Mainz <rmainz@redhat.com> - 1.13-8
...
- fix for CVE-2014-5352 (#1179856 ) "gss_process_context_token()
incorrectly frees context (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9421 (#1179857 ) "kadmind doubly frees partial
deserialization results (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9422 (#1179861 ) "kadmind incorrectly
validates server principal name (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9423 (#1179863 ) "libgssrpc server applications
leak uninitialized bytes (MITKRB5-SA-2015-001)"
2015-02-04 12:02:36 +01:00
Roland Mainz
aad351ad29
* Wed Feb 4 2015 Roland Mainz <rmainz@redhat.com> - 1.13-7
...
- Remove "python-sphinx-latex" and "tar" from the build requirements
to fix build failures on F22 machines.
- Minor spec cleanup
2015-02-04 11:47:44 +01:00
Nathaniel McCallum
7188a346bd
Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (RT#8063)
2015-02-03 17:48:30 +01:00
Roland Mainz
fb520967f9
* Mon Jan 26 2015 Roland Mainz <rmainz@redhat.com> - 1.13-5
...
- fix for kinit -C loops (#1184629 , MIT/krb5 issue 243, "Do not
loop on principal unknown errors").
- Added "python-sphinx-latex" to the build requirements
to fix build failures on F22 machines.
2015-01-26 18:38:55 +01:00
Roland Mainz
6baee3e656
* Thu Dec 19 2014 Roland Mainz <rmainz@redhat.com> - 1.13-4
...
- fix for CVE-2014-5354 (#1174546 ) "krb5: NULL pointer
dereference when using keyless entries"
2014-12-18 17:57:19 +01:00
Roland Mainz
8545575f69
* Wed Dec 17 2014 Roland Mainz <rmainz@redhat.com> - 1.13-3
...
- fix for CVE-2014-5353 (#1174543 ) "Fix LDAP misused policy
name crash"
2014-12-17 12:06:33 +01:00
Roland Mainz
a54d1f9ac9
* Wed Oct 29 2014 Roland Mainz <rmainz@redhat.com> - 1.13-0
...
- Bump 1%%{?dist} to 2%%{?dist} to workaround RPM sort issue
which would lead yum updates to treat the last alpha as newer
than the final version.
2014-10-29 22:25:13 +01:00
Roland Mainz
eca7fd3d15
* Wed Oct 29 2014 Roland Mainz <rmainz@redhat.com> - 1.13-0
...
- Update from krb5-1.13-alpha1 to final krb5-1.13
- Removed patch for CVE-2014-5351 (#1145425 ) "krb5: current
keys returned when randomizing the keys for a service principal" -
now part of upstream sources
- Use patch for glibc |eventfd()| prototype mismatch (#1147887 ) only
for Fedora > 20
2014-10-29 21:55:10 +01:00
Roland Mainz
210ae0a2c1
* Tue Sep 30 2014 Roland Mainz <rmainz@redhat.com> - 1.13-0.alpha1.3
...
- fix build failure caused by change of prototype for glibc
|eventfd()| (#1147887 )
2014-09-30 12:19:07 +02:00
Roland Mainz
c5c716d7e4
- fix for CVE-2014-5351 ( #1145425 ) "krb5: current keys returned when
...
randomizing the keys for a service principal" (fix rpm spec file)
2014-09-29 23:04:48 +02:00
Nalin Dahyabhai
67988a74d0
Keep the license from being a dangling symlink
...
Processing of %license puts the named file in a directory other than the
docs directory, and doesn't rewrite relative symlinks to be correct. So
we can't use a symlink to one of them as the license.
2014-09-08 18:57:52 -04:00
Nalin Dahyabhai
56cd96f9bd
Remove the -S flag from kprop.service
...
- kpropd hasn't bothered with -S since 1.11; stop trying to use that
flag in the systemd unit file and change its type from "forking" to
"simple"
2014-08-28 14:05:37 -04:00
Nalin Dahyabhai
8563ebea46
Updating to 1.13 alpha1
2014-08-22 16:14:20 -04:00
Nalin Dahyabhai
c48fd0f0bc
Pull in upstream fix for an mischecked strdup()
...
- pull in upstream fix for an incorrect check on the value returned by a
strdup() call (#1132062 )
2014-08-20 17:36:44 -04:00
Peter Robinson
9c7c7781c4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
2014-08-17 00:48:14 +00:00
Nalin Dahyabhai
4f7f51121b
drop patch for CVE-2014-4345, included in 1.12.2
2014-08-15 15:04:26 -04:00
Nalin Dahyabhai
7880fca0ad
drop patch for CVE-2014-4344, included in 1.12.2
2014-08-15 15:02:04 -04:00
Nalin Dahyabhai
b234a3d334
drop patch for CVE-2014-4343, included in 1.12.2
2014-08-15 15:01:01 -04:00
Nalin Dahyabhai
56235f0463
drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2
2014-08-15 14:59:36 -04:00
Nalin Dahyabhai
2184fad363
drop patch for RT#7926, fixed in 1.12.2
2014-08-15 14:56:39 -04:00
Nalin Dahyabhai
7041f914bd
drop patch for RT#7924, fixed in 1.12.2
2014-08-15 14:52:23 -04:00
Nalin Dahyabhai
0bd95b4771
drop patch for RT#7858, fixed in 1.12.2
2014-08-15 14:50:08 -04:00
Nalin Dahyabhai
d41320b7c1
drop patch for RT#7836, fixed in 1.12.2
2014-08-15 14:37:24 -04:00
Nalin Dahyabhai
1d44a8f927
drop patch for RT#7818, fixed in 1.12.2
2014-08-15 14:35:45 -04:00
Nalin Dahyabhai
f543a683b0
Drop patch for #231147 , fixed in 1.12.2
2014-08-15 14:13:21 -04:00
Nalin Dahyabhai
e5a4698cf5
drop patch for RT#7820, merged in 1.12.2
2014-08-15 14:02:13 -04:00
Nalin Dahyabhai
c042f71c80
Update collection cache patch set for ksu
...
- replace older proposed changes for ksu with backports of the changes
after review and merging upstream (#1015559 , #1026099 , #1118347 )
2014-08-15 14:00:14 -04:00
Nalin Dahyabhai
b324000e34
fix MITKRB5-SA-2014-001 (CVE-2014-4345)
...
- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345)
2014-08-07 19:25:49 -04:00
Nalin Dahyabhai
38595f5338
Add patch for CVE-2014-4344
...
- gssapi: pull in upstream fix for a possible NULL dereference
in spnego (CVE-2014-4344)
2014-07-21 17:51:10 -04:00
Nalin Dahyabhai
24f7f1a446
Update to upstream patch
...
Update to the as-committed version of this patch, which affects the
comments it includes.
2014-07-21 17:19:42 -04:00
Nalin Dahyabhai
9594be4f3a
Add proposed fix for a double-free in gss clients
...
- gssapi: pull in proposed fix for a double free in initiators (David
Woodhouse, #1117963 )
2014-07-16 15:14:38 -04:00
Tom Callaway
79897b3c5d
fix license handling
2014-07-12 18:45:11 -04:00
Nalin Dahyabhai
e2bc024559
Pull in fix for CVE-2014-4341/CVE-2014-4342
...
- pull in fix for denial of service by injection of malformed GSSAPI
tokens (CVE-2014-4341, CVE-2014-4342, #1116181 )
2014-07-07 17:56:12 -04:00
Nalin Dahyabhai
40e2189ede
Backport support for scanning /etc/gss/mech.d/*.conf
...
- pull in changes from upstream which add processing of the contents of
/etc/gss/mech.d/*.conf when loading GSS modules (#1102839 )
2014-06-24 16:47:17 -04:00
Nalin Dahyabhai
47d56d9162
Fix FTBFS #1107061 using a patch from upstream
...
- pull in fix for building against tcl 8.6 (#1107061 )
2014-06-12 16:23:15 -04:00
Nalin Dahyabhai
790a56ba59
Add a buildrequires: on texlive-pdftex
...
We were having trouble building the PDFs due to a missing pdfcolor.tex
after the latest update to python-sphinx, but an even newer
texlive-pdftex provides that, so add it as a BuildRequires:
2014-06-12 12:04:06 -04:00
Dennis Gilmore
dd2e1e4398
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
2014-06-07 22:22:03 -05:00
Nathaniel McCallum
44d0e80df0
Backport fix for change password requests when using FAST (RT#7868)
2014-03-04 11:22:42 -05:00
Nalin Dahyabhai
2550f0f56b
Backport fix for RT#7858
...
- spnego: pull in patch from master to restore preserving the OID of the
mechanism the initiator requested when we have multiple OIDs for the
same mechanism, so that we reply using the same mechanism OID and the
initiator doesn't get confused (#1066000 , RT#7858)
2014-02-17 21:06:07 -05:00
Nalin Dahyabhai
c0d64aa79f
Note that "runstatedir" changes are also #1040056
2014-02-10 14:17:15 -05:00
Nalin Dahyabhai
bdb8c58c53
Move the default directory for OTP sockets to /var/run/krb5kdc
...
- pull in patch from master to move the default directory which the KDC
uses when computing the socket path for a local OTP daemon from the
database directory (/var/kerberos/krb5kdc) to the newly-added run
directory (/run/krb5kdc), in line with what we're expecting in 1.13
(RT#7859)
- add a tmpfiles.d configuration file to have /run/krb5kdc created at
boot-time
- own /var/run/krb5kdc
2014-02-07 16:13:29 -05:00
Nalin Dahyabhai
419c14d6ac
Pull from the right wrapper branches
...
... and add our local patch to fix the bind-then-connect case.
2014-02-04 15:31:21 -05:00
Nalin Dahyabhai
956ccfdfb4
refresh nss_wrapper, add socket_wrapper
2014-01-31 16:56:05 -05:00
Nalin Dahyabhai
5c7bab5883
Take x bit off of an html doc file, fix whitespace
2014-01-31 16:55:11 -05:00
Nalin Dahyabhai
9b18d26ce3
Add proposed ksu KEYRING+default_ccache_name patch
...
- add currently-proposed changes to teach ksu about credential cache
collections and the default_ccache_name setting (#1015559,#1026099)
2014-01-31 16:55:05 -05:00
Nalin Dahyabhai
2eb0567065
Backport changes to allow "rcache" credstores
...
- pull in multiple changes to allow replay caches to be added to a GSS
credential store as "rcache"-type credentials (RT#7818/#7819/#7836,
#1056078/#1056080)
2014-01-21 18:52:57 -05:00
Nalin Dahyabhai
792d78fa47
Backport fixes for timesync with keyring caches
...
add patch to always retrieve the KDC time offsets from keyring caches,
so that we don't mistakenly interpret creds as expired before their
time when our clock is ahead of the KDC's (RT#7820, #1030607 )
2014-01-17 10:58:19 -05:00
Nalin Dahyabhai
4dec248a05
Drop obsolete patches
2014-01-17 10:55:16 -05:00
Nalin Dahyabhai
8ae5258eb3
Drop obsolete patch
2014-01-17 10:48:08 -05:00
Nalin Dahyabhai
29afef6c24
Drop obsolete patch
2014-01-17 10:47:01 -05:00
Nalin Dahyabhai
007e77a2b3
Drop obsolete patch
2014-01-17 10:17:19 -05:00
Nalin Dahyabhai
6a8573e3af
Drop obsolete patch
2014-01-17 10:08:58 -05:00
Nalin Dahyabhai
0b6ebaab00
Drop obsolete patch
2014-01-17 09:59:39 -05:00
Nalin Dahyabhai
6265fcabf5
Drop obsolete patch
2014-01-17 09:58:40 -05:00
Nalin Dahyabhai
aef7c262b1
Update the textrel patch for x86
...
- update the PIC patch for iaesx86.s to not use ELF relocations
(RT#7815, #1045699 ) to the version that landed upstream
2014-01-13 11:41:47 -05:00
Nalin Dahyabhai
8fe7e82068
Note why we started saving ebx
2014-01-09 13:20:22 -05:00
Nalin Dahyabhai
6e03c5ada1
Link shared libs using -Wl,--warn-shared-textrel
...
- pass -Wl,--warn-shared-textrel to the compiler when we're creating shared
libraries
2014-01-09 13:13:30 -05:00
Nalin Dahyabhai
5de1fa728f
bump release for a new build
2014-01-09 11:03:45 -05:00
Nalin Dahyabhai
8a1df153c6
Save/restore ebx in functions where we modify it
...
- amend the PIC patch for iaesx86.s to also save/restore ebx in the
functions where we modify it
2014-01-09 11:02:26 -05:00
Nalin Dahyabhai
75edc7c7ca
Try to remove execmod from 32-bit AES-NI k5crypto
...
- make a guess at making the 32-bit AES-NI implementation sufficiently
position-independent to not require execmod permissions for libk5crypto
(more of #1045699 )
2014-01-06 18:53:03 -05:00
Nalin Dahyabhai
05c4140d32
Switch to as-committed version
...
- grab a more-commented version of the most recent patch from upstream
master
2014-01-06 15:58:20 -05:00
Nalin Dahyabhai
480b9efaa3
Add Dhiru Kholia's patch to restore noexecstack
...
- add patch from Dhiru Kholia for the AES-NI implementations to allow
libk5crypto to be properly marked as not needing an executable stack
on arches where they're used (#1045699 , and so many others)
2014-01-02 23:46:42 -05:00
Nalin Dahyabhai
13df2d5386
Remove the BuildRequires: on yasm for now
...
Go back to not using AES-NI, until we sort out execstack (#1045699 ).
2014-01-02 17:08:52 -05:00
Nalin Dahyabhai
911b9e932d
Add the buildrequires: for AES-NI support
...
- add yasm as a build requirement for AES-NI support, on arches that have
yasm and AES-NI
2013-12-19 13:07:54 -05:00
Nalin Dahyabhai
e1cb527238
Pull in fix to improve SPNEGO error messages
...
- pull in fix from master to make reporting of errors encountered by the
SPNEGO mechanism work better (RT#7045, part of #1043962 )
2013-12-19 11:52:30 -05:00
Nalin Dahyabhai
45d93c6d1c
Enable pyrad-based tests
...
- update a test wrapper to properly handle things that the new libkrad does,
and add python-pyrad as a build requirement so that we can run its tests
2013-12-19 11:17:28 -05:00
Nalin Dahyabhai
9f2cb9776b
For completeness, also initialize an unused field
2013-12-18 18:01:30 -05:00
Nalin Dahyabhai
82c5b9f9b2
Backport fixes for krb5_copy_context
...
- backport fixes to krb5_copy_context (RT#7807, #1044735/#1044739)
2013-12-18 17:38:54 -05:00
Nalin Dahyabhai
2550a37b4f
Pull in a fix for a mem leak from master (RT#7805)
...
- pull in fix from master to avoid a memory leak in a couple of error
cases which could occur while obtaining acceptor credentials (RT#7805, part
of #1043962 )
2013-12-18 14:33:23 -05:00
Nalin Dahyabhai
460d74d224
Pull in a fix for a mem leak from master (RT#7803)
...
- pull in fix from master to avoid a memory leak when a mechanism's
init_sec_context function fails (RT#7803, part of #1043962 )
2013-12-18 14:23:21 -05:00
Nalin Dahyabhai
39888b7c42
Pick up another interop fix from master (RT#7797)
...
- pull in fix from master to ignore an empty token from an acceptor if
we've already finished authenticating (RT#7797, part of #1043962 )
2013-12-18 14:22:24 -05:00
Nalin Dahyabhai
735b73ebbb
Pick up an interop fix from master (RT#7794)
...
- pull in fix from master to return a NULL pointer rather than allocating
zero bytes of memory if we read a zero-length input token (RT#7794, part of
#1043962 )
2013-12-18 14:20:57 -05:00
Nalin Dahyabhai
3a1e355f38
Update to 1.12 final
2013-12-11 10:52:40 -05:00
Nalin Dahyabhai
93ae18a6c5
Whoops, grab the beta 2 PDFs
2013-12-02 11:58:32 -05:00
Nalin Dahyabhai
f002059e62
Update to 1.12 beta2
...
- drop obsolete backports for storing KDC time offsets and expiration times
in keyring credential caches
2013-12-02 11:47:40 -05:00
Nalin Dahyabhai
88c0c528bd
Update to 1.12 beta
2013-11-19 18:08:43 -05:00
Nalin Dahyabhai
3c08a1616e
BuildRequire: pkgconfig and package pkgconfig data
2013-11-19 17:40:02 -05:00
Nalin Dahyabhai
f8f559ef32
Drop backports for RT#7656 and RT#7657
2013-11-19 17:39:59 -05:00
Nalin Dahyabhai
447ee6c9e6
Update for 1.12's removal of krb5_xfree()
2013-11-19 17:38:54 -05:00
Nalin Dahyabhai
f619caa9c9
Drop OTP backport
2013-11-19 17:38:54 -05:00
Nalin Dahyabhai
7448cea67e
Untweak for 1.11.3
2013-11-19 17:38:54 -05:00
Nalin Dahyabhai
00cf6df3e6
Drop backport for RT#7590 and partial for RT#7680
2013-11-19 17:38:54 -05:00
Nalin Dahyabhai
19bc209a19
Drop backport for RT#7709
2013-11-19 17:38:54 -05:00
Nalin Dahyabhai
13b2f96a29
Drop backports for RT#7682
2013-11-19 17:38:46 -05:00
Nalin Dahyabhai
0b296b8b04
Drop obsolete patches to skip GSSRPC-over-UDP test
...
- drop patches from master to not test GSSRPC-over-UDP and to not
depend on the portmapper, which are areas where our build systems
often give us trouble, too; obsolete
2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
25fe69d885
Drop backport for RT#7643
2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
a2e5f1f872
Drop backport for RT#7642
2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
9e1d45535e
Drop backport for RT#7172
2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
bd8c46afd2
Drop backport for RT#7598
2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
286168174b
Drop patch to teach config.* about aarch64-linux
2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
11656c4fe0
Drop obsolete patch fixing a test use-before-init
2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
9c8c2d53ba
Update for 1.12
2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
d2ea586766
Update for 1.12
2013-11-19 17:32:19 -05:00
Nalin Dahyabhai
f618776e18
Update for 1.12
2013-11-19 17:32:18 -05:00
Nalin Dahyabhai
d175d043f1
Update for 1.12
2013-11-19 17:32:18 -05:00
Nalin Dahyabhai
daca172770
Update patch for 1.12
2013-11-19 17:32:18 -05:00
Nalin Dahyabhai
15dceb5da6
Drop backport for RT#7689
2013-11-19 17:32:18 -05:00
Nalin Dahyabhai
b1f558a0f5
Drop backported patch
2013-11-19 17:32:18 -05:00
Nalin Dahyabhai
8a39d5ff72
Start rebasing to 1.12 alpha1
2013-11-19 17:32:18 -05:00
Nalin Dahyabhai
a77ee55771
Pull in keyring expiration from RT#7769
...
- pull in fix to set expiration times on keyrings used for storing keyring
credential caches (RT#7769, #1031724 )
2013-11-18 18:02:20 -05:00
Nalin Dahyabhai
81715b1776
Pull in keyring offset storage from RT#7768
...
- pull in fix to store KDC time offsets in keyring credential caches
(RT#7768, #1030607 )
2013-11-18 17:14:07 -05:00
Nalin Dahyabhai
dee7ae00a4
Note where CVE-2013-6800 was fixed
...
CVE-2013-6800 appears to be fixed by the same patch that fixes
CVE-2013-1418, so mention the first in changelog entries that refer to
the second.
2013-11-18 16:24:33 -05:00
Nalin Dahyabhai
cac86c9df2
Bump the release to 1
2013-11-12 16:32:02 -05:00
Nalin Dahyabhai
8f876bbbeb
Drop patch for CVE-2013-1418, included in 1.11.4
2013-11-12 16:25:26 -05:00
Nalin Dahyabhai
1f02b0bc49
Drop patch for RT#7706, obsoleted as RT#7723
2013-11-12 16:23:38 -05:00
Nalin Dahyabhai
0c6ad14521
Drop patch for RT#7650, included in 1.11.4
2013-11-12 16:20:49 -05:00
Nalin Dahyabhai
2b359c527a
Start updating to 1.11.4
2013-11-12 16:20:31 -05:00
Nalin Dahyabhai
b3399eb8fb
Switch to the upstream patch for #1029110
...
Switch to the simplified version of the patch for #1029110 that ended up
being committed upstream (RT#7764).
2013-11-12 13:20:50 -05:00
Nalin Dahyabhai
11d14a1e7c
Fix a typo in a changelog entry
2013-11-11 14:34:29 -05:00
Nalin Dahyabhai
49c8edfa6b
Catch more strtol() failures when using KEYRINGs
...
- check more thorougly for errors when resolving KEYRING ccache names of type
"persistent", which should only have a numeric UID as the next part of the
name (#1029110 )
2013-11-11 14:11:29 -05:00
Nalin Dahyabhai
bfdc4351bf
Point to the RT for the patch for the right branch
2013-11-05 13:43:32 -05:00
Nalin Dahyabhai
a244d8f93c
Incorporate patch for RT#7755 (CVE-2013-1418)
...
- incorporate upstream patch for remote crash of KDCs which serve multiple
realms simultaneously (RT#7755, CVE-2013-1418)
2013-11-04 16:11:59 -05:00
Nalin Dahyabhai
a00c810e4e
Drop call-access()-more patch for ksu
...
- drop patch to add additional access() checks to ksu - they add to breakage
when non-FILE: caches are in use (#1026099 ), shouldn't be resulting in any
benefit, and clash with proposed changes to fix its cache handling
2013-11-04 10:26:41 -05:00
Nalin Dahyabhai
433fcb1772
Expand on comments in the daemon wrapper scripts
...
- add some minimal description to the top of the wrapper scripts we use
when starting krb5kdc and kadmind to describe why they exist (tooling)
2013-10-22 17:48:49 -04:00
Nalin Dahyabhai
31e8e33c43
Create and own /etc/gss ( #1019937 )
2013-10-16 18:12:24 -04:00
Nalin Dahyabhai
16e749771f
Pull up fix for reimporting ccaches in gssapi
...
- pull up fix for importing previously-exported credential caches in the
gssapi library (RT# 7706, #1019420 )
2013-10-15 14:40:24 -04:00
Nalin Dahyabhai
84fe7d69da
Finish fixing the don't-call-NULL-prompters bug
...
- extract the rest of the fix #965721/#1016690 from the changes for RT#7680
2013-10-14 14:07:56 -04:00
Nalin Dahyabhai
822059250e
Use the prompter callback for PEM files
...
- backport the callback to use the libkrb5 prompter when we can't load
PEM files for PKINIT (RT#7590, includes part of #965721/#1016690)
2013-10-14 14:07:19 -04:00
Nalin Dahyabhai
37f8b28f7d
fix trigger's invocation of sed ( #1016945 )
...
- fix trigger scriptlet's invocation of sed (#1016945 )
2013-10-14 12:42:56 -04:00
Nalin Dahyabhai
52b6b401df
- rebuild with keyutils 1.5.8 (part of #1012043 )
...
Rebuild against a keyutils which tags the new symbols we're using with a
newer symbol version, so that RPM can tell the difference between
versions of the package which contain a shared library that doesn't
include them and versions of the package which contain a shared library
which does.
2013-10-04 09:47:38 -04:00
Nalin Dahyabhai
494e7adbb0
Updated persistent-keyring changes, set as default
...
- switch to the version of persistent-keyring that was just merged to
master (RT#7711), along with related changes to kinit (RT#7689)
- go back to setting default_ccache_name to a KEYRING type
2013-10-02 14:46:20 -04:00
Nalin Dahyabhai
682dc07d28
pull up fix to call kdb check-transited-path first
...
- pull up fix for not calling a kdb plugin's check-transited-path
method before calling the library's default version, which only knows
how to read what's in the configuration file (RT#7709, #1013664 )
2013-09-30 11:26:50 -04:00
Nalin Dahyabhai
43d2548f26
configure --without-krb5-config
...
- configure --without-krb5-config so that we don't pull in the old default
ccache name when we want to stop setting a default ccache name at configure-
time
2013-09-26 14:38:01 -04:00
Nalin Dahyabhai
e43f75f274
- fix broken dependency on awk (rdieter)
...
- fix broken dependency on awk (should be gawk, rdieter)
2013-09-25 12:34:03 -04:00
Nalin Dahyabhai
a375099fe1
add missing dependency on newer keyutils-libs
...
- add missing dependency on newer keyutils-libs (#1012034 )
2013-09-25 11:26:19 -04:00
Nalin Dahyabhai
3bc9a0ec21
Back to DIR: caches by default, for now
...
- back out setting default_ccache_name to the new default for now, resetting
it to the old default while the kernel/keyutils bits get sorted (sgallagh)
2013-09-24 17:10:48 -04:00
Nalin Dahyabhai
ee7be3f07f
buildrequire the newest keyutils
...
- add explicit build-time dependency on a version of keyutils that's new
enough to include keyctl_get_persistent() (more of #991148 )
2013-09-23 13:32:21 -04:00
Nalin Dahyabhai
df24e0aeda
pull in an updated persistent_keyring.patch
...
- incorporate Simo's updated backport of his updated persistent-keyring
changes (more of #991148 )
2013-09-19 16:29:52 -04:00
Nalin Dahyabhai
00da3519ec
Don't break during %%check with revoked keyrings
...
If the session keyring is revoked, we'll to walk the ccache collections.
Work around that so that we don't have to go and disable more tests.
2013-09-13 18:21:09 -04:00
Nalin Dahyabhai
21b73fcc00
pull the newer F21 defaults back to F20 (sgallagh)
2013-09-13 09:13:37 -04:00
Nalin Dahyabhai
5128324677
Only create /run/user/0 on releases where we use it
...
- only apply the patch to autocreate /run/user/0 when we're hard-wiring the
default ccache location to be under it; otherwise it's unnecessary
2013-09-09 13:15:18 -04:00
Nalin Dahyabhai
b81045ccea
Don't pass a "script" to ldconfig
...
- don't let comments intended for one scriptlet become part of the "script"
that gets passed to ldconfig as part of another one (Mattias Ellert, #1005675 )
2013-09-09 09:43:05 -04:00
Nalin Dahyabhai
4404e63e31
Conditional triggerun to set default_ccache_name
...
- on releases where we expect krb5.conf to be configured with a
default_ccache_name, add it whenever we upgrade from an older version of
the package that wouldn't have included it in its default configuration
file (#991148 )
2013-09-06 17:32:20 -04:00
Nalin Dahyabhai
16afa92610
Set the default ccname via config, not at build
...
- restore build-time default DEFCCNAME on Fedora 21 and later and EL, and
instead set it in the default krb5.conf's [libdefaults] section (#991148 )
2013-09-06 16:05:14 -04:00
Nalin Dahyabhai
b0c672125e
- restore build-time default DEFCCNAME on F21, EL
...
- restore build-time default DEFCCNAME on Fedora 21 and later and EL (#991148 )
2013-09-06 14:13:31 -04:00
Nalin Dahyabhai
bf2b6cb4e7
- incorporate backported persistent-keyring (Simo)
...
- incorporate Simo's backport of his persistent-keyring changes (#991148 )
2013-09-06 14:12:24 -04:00
Nalin Dahyabhai
e6591a5194
ship an nss_wrappers snapshot, not a git repo
...
- switch to just the snapshot of nss_wrapper we were using, since we
no longer need to carry anything that isn't in the cwrap.org repository
(ssorce)
2013-08-23 14:21:20 -04:00
Nalin Dahyabhai
c3f5bd1fb8
UnversionedDocdirs, take two
...
- take another stab at accounting for UnversionedDocdirs for the -libs
subpackage (spotted by ssorce)
2013-08-23 14:08:59 -04:00