eb1f8e54b9- fix included in 1.9
Nalin Dahyabhai
2010-11-05 15:09:31 -0400
a048f0f12e- fix included in 1.9
Nalin Dahyabhai
2010-11-05 15:09:04 -0400
c4fcdebf25- fix included in 1.9
Nalin Dahyabhai
2010-11-05 15:07:40 -0400
01711b78ff- fix included in 1.9
Nalin Dahyabhai
2010-11-05 15:06:39 -0400
7bf6313a47- fix included in 1.9
Nalin Dahyabhai
2010-11-05 15:06:01 -0400
e2734a2f40- update to apply to 1.9
Nalin Dahyabhai
2010-11-05 15:03:55 -0400
99e4741184- update to match current context in krb5.conf(5)
Nalin Dahyabhai
2010-11-05 15:00:13 -0400
cd6903bceb- fix context for applying to krb5.conf(5)
Nalin Dahyabhai
2010-11-05 14:59:48 -0400
60f5ea8eaf- incorporate upstream patch to fix uninitialized pointer crash in the KDC's authorization data handling (CVE-2010-1322, #636335)
Nalin Dahyabhai
2010-10-05 15:29:32 -0400
e84327e216- pull down patches from trunk to implement k5login_authoritative and k5login_directory settings for krb5.conf (#539423)
Nalin Dahyabhai
2010-10-04 19:01:38 -0400
0d4651fac9- pull down patches from trunk to implement k5login_authoritative and k5login_directory settings for krb5.conf (#539423)
Nalin Dahyabhai
2010-10-04 15:34:24 -0400
f44b554d1b- fix reading of keyUsage extensions when attempting to select pkinit client certs (part of #629022, RT#6775) - fix selection of pkinit client certs when one or more don't include a subjectAltName extension (part of #629022, RT#6774)
Nalin Dahyabhai
2010-09-16 19:32:06 -0400
3fe7ccdb92- fix reading of keyUsage extensions when attempting to select pkinit client certs (part of #629022, RT#6775)
Nalin Dahyabhai
2010-09-16 19:31:54 -0400
188111911c- fix selection of pkinit client certs when one or more don't include a subjectAltName extension (part of #629022, RT#6774)
Nalin Dahyabhai
2010-09-16 19:31:40 -0400
3f5343a0b9- build with -fstack-protector-all instead of the default -fstack-protector, so that we add checking to more functions (i.e., all of them) (#629950)
Nalin Dahyabhai
2010-09-03 13:50:17 -0400
a7376e1a41- also link binaries with -Wl,-z,relro,-z,now (part of #629950)
Nalin Dahyabhai
2010-09-03 13:08:45 -0400
6130f43a46- fix a logic bug in computing key expiration times (RT#6762, #627022)
Nalin Dahyabhai
2010-08-24 18:29:42 -0400
0c20d8744b- update to 1.8.3 - drop backports of fixes for gss context expiration and error table registration/deregistration mismatch - drop patch for upstream #6750
Nalin Dahyabhai
2010-08-04 18:22:20 -0400
eed65b02ae- fix a typo in the changelog
Nalin Dahyabhai
2010-07-15 15:47:39 +0000
45b591b3eb- fix parsing of the pidfile option in the KDC (upstream #6750)
Nalin Dahyabhai
2010-07-07 20:56:07 +0000
8b8653b9be- add logrotate configuration files for krb5kdc and kadmind (#462658)
Nalin Dahyabhai
2010-07-07 18:09:05 +0000
a0ca6e4d98- tell krb5kdc and kadmind to create pid files, since they can
Nalin Dahyabhai
2010-07-07 17:41:39 +0000
cb407c5fa1- libgssapi: pull in patch from svn to stop returning context-expired errors when the ticket which was used to set up the context expires (#605366, upstream #6739)
Nalin Dahyabhai
2010-06-21 18:26:35 +0000
da92cbb7b4- pull up fix for upstream #6745, in which the gssapi library would add the wrong error table but subsequently attempt to unload the right one
Nalin Dahyabhai
2010-06-21 18:11:40 +0000
a1c8e26f59- this shouldn't be here -> krb5-appl
Nalin Dahyabhai
2010-06-10 22:24:08 +0000
e067cf87fe- update to 1.8.2 - drop patches for CVE-2010-1320, CVE-2010-1321
Nalin Dahyabhai
2010-06-10 22:21:43 +0000
1313c14673- reference the right bug -- this wasn't a problem until the revision
Nalin Dahyabhai
2010-05-27 21:10:28 +0000
17238354c3don't skip the PAM account check for root or the same user (more of #477033)
Nalin Dahyabhai
2010-05-27 20:53:30 +0000
ccdc4a4228- ksu: move session management calls to before we drop privileges, like su does (#596887)
Nalin Dahyabhai
2010-05-27 20:01:43 +0000
b60e63ef2b- that -fno-strict-aliasing change merits a rebuild
Nalin Dahyabhai
2010-05-24 22:15:15 +0000
ab9e2985db- go back to building without strict aliasing (compiler warnings in gssrpc)
Nalin Dahyabhai
2010-05-24 21:31:38 +0000
5d72216a22- drop explicit linking with libtinfo for applications that use libss, now that readline itself links with libtinfo (as of readline-5.2-3, since fedora 7 or so)
Nalin Dahyabhai
2010-05-24 20:42:04 +0000
c430745262- make krb5-server-ldap also depend on the same version-release of krb5-libs, as the other subpackages do, if only to make it clearer than it is when we just do it through krb5-server
Nalin Dahyabhai
2010-05-24 20:07:09 +0000
b3e836cce9- add patch to correct GSSAPI library null pointer dereference which could be triggered by malformed client requests (CVE-2010-1321, #582466)
Nalin Dahyabhai
2010-05-18 18:14:30 +0000
59f0148016- fix output of kprop's init script's "status" and "reload" commands (#588222)
Nalin Dahyabhai
2010-05-04 19:32:52 +0000
98bc7d7d76- incorporate patch to fix double-free in the KDC (CVE-2010-1320, #581922)
Nalin Dahyabhai
2010-04-20 18:26:39 +0000
044f184f7a- fix a typo in kerberos.ldif
Nalin Dahyabhai
2010-04-14 14:28:32 +0000
b48f2bcb58- update to 1.8.1 - no longer need patches for #555875, #561174, #563431, RT#6661, CVE-2010-0628 - replace buildrequires on tetex-latex with one on texlive-latex, which is the package that provides it now
Nalin Dahyabhai
2010-04-09 13:44:05 +0000
6b3df78771- kdc.conf: no more need to suggest a v4 mode, or listening on the v4 port
Nalin Dahyabhai
2010-04-08 21:27:15 +0000
8d606a93f5- drop patch to suppress key expiration warnings sent from the KDC in the last-req field, as the KDC is expected to just be configured to either send them or not as a particular key approaches expiration (#556495)
Nalin Dahyabhai
2010-04-08 19:14:31 +0000
dc32b53c2d- note why we're going to drop this patch
Nalin Dahyabhai
2010-04-08 18:53:15 +0000
665fa22b0f- add bug numbers for the fix for CVE-2010-0628
Nalin Dahyabhai
2010-03-23 22:56:35 +0000
cac63d2dfa- kdc.conf: no more need to suggest keeping keys with v4-compatible salting
Nalin Dahyabhai
2010-03-23 18:18:32 +0000
4a2bf7dc5d- add upstream fix for denial-of-service in SPNEGO (CVE-2010-0628)
Nalin Dahyabhai
2010-03-23 18:07:13 +0000
1f83fab4c7- remove the krb5-appl bits (the -workstation-clients and -workstation-servers subpackages) now that krb5-appl is its own package
Nalin Dahyabhai
2010-03-19 21:15:33 +0000
5d2ca1d225- replace our patch for #563431 (kpasswd doesn't fall back to guessing your principal name using your user name if you don't have a ccache) with the on upstream uses
Nalin Dahyabhai
2010-03-19 21:15:10 +0000
39cf8a4b2d- whoops, -p level off by one
Nalin Dahyabhai
2010-03-12 22:26:03 +0000
fafc4a2352- add the RT entry number
Nalin Dahyabhai
2010-03-12 22:13:15 +0000
ecf57bb1a5- the last members of the ops structure are pointers
Nalin Dahyabhai
2010-03-12 21:09:55 +0000
8ba624d90a- this needs to be more portable before we try to send it upstream
Nalin Dahyabhai
2010-03-12 21:09:35 +0000
be17b47a39- note Sam's RT entry that this fixes
Nalin Dahyabhai
2010-03-12 21:08:54 +0000
f3d0ea68ff- oh wait, i did that
Nalin Dahyabhai
2010-03-12 21:08:20 +0000
fe99267cdf- add documentation for the ticket_lifetime option (#561174)
Nalin Dahyabhai
2010-03-12 20:44:02 +0000
daa38f9cf3- drop this; we're not going to worry about it
Nalin Dahyabhai
2010-03-11 19:24:17 +0000
5ade34aee9- add a header describing the what and why here
Nalin Dahyabhai
2010-03-11 19:23:59 +0000
e03499409a- drop this; it's not sufficient any more anyway
Nalin Dahyabhai
2010-03-11 19:20:22 +0000
fde0ac5843- note the RT number
Nalin Dahyabhai
2010-03-11 19:19:55 +0000
0f6f154014- correct a few typos - note the review bug for splitting out krb5-appl
Nalin Dahyabhai
2010-03-08 20:10:52 +0000
a32fda650f- this patch is no longer needed; at some point between 1.7 and 1.8 this was fixed in SVN
Nalin Dahyabhai
2010-03-08 18:16:23 +0000
516763ea91- pull up patch to get the client libraries to correctly perform password changes over IPv6 (Sumit Bose, RT#6661)
Nalin Dahyabhai
2010-03-08 16:47:24 +0000
70840ba4e4- whoops, need these lists, too
Nalin Dahyabhai
2010-03-05 22:27:37 +0000
75b08040ff- update to 1.8 - temporarily bundling the krb5-appl package (split upstream as of 1.8) until its package review is complete - profile.d scriptlets are now only needed by -workstation-clients - adjust paths in init scripts - drop upstreamed fix for KDC denial of service (CVE-2010-0283) - drop patch to check the user's password correctly using crypt(), which isn't a code path we hit when we're using PAM
Nalin Dahyabhai
2010-03-05 22:19:38 +0000
5ee10a1ffb- fix a null pointer dereference and crash introduced in our PAM patch that would happen if ftpd was given the name of a user who wasn't known to the local system, limited to being triggerable by gssapi-authenticated clients by the default xinetd config (Olivier Fourdan, #569472)
Nalin Dahyabhai
2010-03-03 16:09:47 +0000
d605c80ae2- fix a regression (not labeling a kdb database lock file correctly, #569902)
Nalin Dahyabhai
2010-03-02 23:01:23 +0000
669a15d24b- move the package changelog to the end to match the usual style (jdennis) - scrub out references to $RPM_SOURCE_DIR (jdennis) - include a symlink to the readme with the name LICENSE so that people can find it more easily (jdennis)
Nalin Dahyabhai
2010-02-25 23:00:23 +0000
33efa14da1- pull up the change to make kpasswd's behavior better match the docs when there's no ccache (#563431)
Nalin Dahyabhai
2010-02-17 23:25:50 +0000
6a46621b1a- forwardable=yes -> forwardable=true, which should mean the same thing, but matches the man page better - take port numbers off of the server names; i'm assuming that it's rare for them to need specifying because i assume the defaults are used more often than not
Nalin Dahyabhai
2010-02-16 22:38:25 +0000
20683b0e60- whoops, that's the wrong filename for the patch
Nalin Dahyabhai
2010-02-16 22:15:46 +0000
19c7a3451b- upstream patch to correct a denial-of-service in KDCs in 1.7 and later
Nalin Dahyabhai
2010-02-16 21:53:47 +0000
c84cd0185b- apply patch from upstream to fix KDC denial of service (CVE-2010-0283, #566002)
Nalin Dahyabhai
2010-02-16 21:45:25 +0000
edcbea8d17- update to 1.7.1 - don't trip AD lockout on wrong password (#542687, #554351) - incorporates fixes for CVE-2009-4212 and CVE-2009-3295 - fixes gss_krb5_copy_ccache() when SPNEGO is used - move sim_client/sim_server, gss-client/gss-server, uuclient/uuserver to the devel subpackage, better lining up with the expected krb5/krb5-appl split in 1.8 - drop kvno,kadmin,k5srvutil,ktutil from -workstation-servers, as it already depends on -workstation which also includes them
Nalin Dahyabhai
2010-02-03 17:11:35 +0000
f20db54891- tighten up default permissions on kdc.conf and kadm5.acl (#558343)
Nalin Dahyabhai
2010-01-25 16:58:14 +0000
9a31789f24- use portreserve correctly -- portrelease takes the basename of the file whose entries should be released, so we need three files, not one
Nalin Dahyabhai
2010-01-22 15:08:24 +0000
304c10003d- suppress warnings of impending password expiration if expiration is more than seven days away when the KDC reports it via the last-req field, just as we already do when it reports expiration via the key-expiration field (#556495) - link with libtinfo rather than libncurses, when we can, in future RHEL
Nalin Dahyabhai
2010-01-18 20:13:04 +0000
fba11018d1- suppress warnings of impending password expiration if expiration is more than seven days away when the KDC reports it via the last-req field, just as we already do when it reports expiration via the key-expiration field (#556495)
Nalin Dahyabhai
2010-01-18 20:03:17 +0000
da536a5974- krb5_get_init_creds_password: check opte->flags instead of options->flags when checking whether or not we get to use the prompter callback (#555875)
Nalin Dahyabhai
2010-01-15 20:24:36 +0000
2baf72c02f- use portreserve to make sure the KDC can always bind to the kerberos-iv port, kpropd can always bind to the krb5_prop port, and that kadmind can always bind to the kerberos-adm port (#555279) - correct inadvertent use of macros in the changelog (rpmlint)
Nalin Dahyabhai
2010-01-14 21:14:26 +0000
60b2cbeb09- fix the description of the problem
Nalin Dahyabhai
2010-01-12 19:27:00 +0000
c81c7789b7- add upstream patches for KDC crash during AES and RC4 decryption (CVE-2009-4212), via Tom Yu (#545015)
Nalin Dahyabhai
2010-01-12 19:24:24 +0000
3ad86e219a- back down to the earlier version of the patch for #551764; the backported alternate version was incomplete
Nalin Dahyabhai
2010-01-06 23:54:23 +0000
abd49c944b- put the conditional back for the -devel subpackage
Nalin Dahyabhai
2010-01-06 20:05:00 +0000
f6701d5d64- revise this to look more like what's been done in upstream trunk
Nalin Dahyabhai
2010-01-05 23:38:49 +0000
b199476767- pull up proposed patch for creating previously-not-there lock files for kdb databases when 'kdb5_util' is called to 'load' (#551764)
Nalin Dahyabhai
2010-01-05 22:55:55 +0000
65631fa1bb- use %%global instead of %%define - fix conditional for future RHEL
Nalin Dahyabhai
2010-01-05 22:55:30 +0000
14efc0c6dd- add tracking bug ID for the latest security patch
Nalin Dahyabhai
2010-01-04 15:59:00 +0000
795e5e14a6- add upstream patch for KDC crash during referral processing (CVE-2009-3295), via Tom Yu
Nalin Dahyabhai
2010-01-04 15:56:24 +0000
a019df8a50- fix a typo
Nalin Dahyabhai
2009-12-21 19:41:25 +0000
cc8c049fe1refresh patch for #542868 from trunk
Nalin Dahyabhai
2009-12-21 19:27:25 +0000
439a1c75e7- add the upstream RT number
Nalin Dahyabhai
2009-12-11 18:08:12 +0000
ec702e8192- move man pages that live in the -libs subpackage into the regular %%{_mandir} tree where they'll still be found if that package is the only one %installed (#529319)
Nalin Dahyabhai
2009-12-10 22:50:50 +0000
bfccd3939a- re-enable this change: - try to make gss_krb5_copy_ccache() work correctly for spnego (#542868)
Nalin Dahyabhai
2009-12-09 21:40:48 +0000
ca17214610- if the result of our attempt to look up the context is NULL, either because the right function returned NULL or we failed to initialize the library, just skip it, as that's all we can do
Nalin Dahyabhai
2009-12-09 00:18:58 +0000