Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:Update
krb5-mini.9898
krb5.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File krb5.changes of Package krb5-mini.9898
------------------------------------------------------------------- Tue Jan 8 12:11:36 UTC 2019 - Samuel Cabrero <scabrero@suse.de> - Remove incorrect KDC assertion; (CVE-2018-20217); (bsc#1120489); - Added patches: * 0112-Remove-incorrect-KDC-assertion.patch ------------------------------------------------------------------- Tue Aug 21 10:57:47 UTC 2018 - aburlakov@suse.com - Introduce patch 0111-gssapi-assume-that-mechanism-from-acceptor-credentia.patch to all legacy GSS client applications to workaround compatibility issue by setting environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value. (bsc#1057662 bsc#1046415) ------------------------------------------------------------------- Wed May 9 10:43:32 UTC 2018 - ckowalczyk@suse.com - Fix for resolving krb5 GSS creds if time_rec is requested 0110-resolve-krb5-GSS-creds-if-time_rec-is-requested.patch (bsc#1088921) ------------------------------------------------------------------- Tue Feb 27 09:44:06 UTC 2018 - hguo@suse.com - Fix a GSS failure in legacy applications (bsc#1081725) with patch 0109-Do-not-indicate-deprecated-GSS-mechanisms.patch ------------------------------------------------------------------- Thu Jul 28 14:44:43 UTC 2016 - hguo@suse.com - Fix CVE-2016-3120 (bsc#991088) with patch: 0108-Fix-S4U2Self-KDC-crash-when-anon-is-restricted.patch ------------------------------------------------------------------- Tue May 10 12:41:14 UTC 2016 - hguo@suse.com - Remove source file ccapi/common/win/OldCC/autolock.hxx that is not needed and does not carry an acceptable license. (bsc#968111) ------------------------------------------------------------------- Wed Mar 23 12:48:58 UTC 2016 - hguo@suse.com - Introduce patch 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch to fix CVE-2016-3119 (bsc#971942) ------------------------------------------------------------------- Thu Jan 28 15:26:32 UTC 2016 - hguo@suse.com - Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character (bsc#963968) with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch - Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request (bsc#963975) with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch - Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask (bsc#963964) with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch ------------------------------------------------------------------- Tue Nov 10 14:23:27 UTC 2015 - hguo@suse.com - Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch to fix a memory corruption regression introduced by resolution of CVE-2015-2698. bsc#954204 ------------------------------------------------------------------- Wed Oct 28 13:54:39 UTC 2015 - hguo@suse.com - Make kadmin.local man page available without having to install krb5-client. bsc#948011 - Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch to fix build_principal memory bug [CVE-2015-2697] bsc#952190 - Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189 - Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188 - Fix patch content of bnc#912002.diff that was missing a diff header. ------------------------------------------------------------------- Mon Jul 13 06:54:00 UTC 2015 - varkoly@suse.com - bnc#928978 - (CVE-2015-2694) VUL-0: CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass patches: 0001-Prevent-requires_preauth-bypass-CVE-2015-2694.patch ------------------------------------------------------------------- Wed Mar 11 18:13:01 UTC 2015 - varkoly@suse.com - bnc#918595 VUL-0: CVE-2014-5355: krb5: denial of service in krb5_read_message patches: 0001-Fix-krb5_read_message-handling-CVE-2014-5355.patch ------------------------------------------------------------------- Wed Mar 11 14:55:56 UTC 2015 - varkoly@suse.com - bnc#910457: CVE-2014-5353: NULL pointer dereference when using a ticket policy name as password name - bnc#910458: CVE-2014-5354: NULL pointer dereference when using keyless entries patches: krb5-1.12.2-CVE-2014-5353.patch krb5-1.12.2-CVE-2014-5354.patch ------------------------------------------------------------------- Wed Jan 7 12:36:45 UTC 2015 - varkoly@suse.com - bnc#912002 VUL-0: CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423: krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token - added patches: * bnc#912002.diff ------------------------------------------------------------------- Thu Sep 25 12:48:32 UTC 2014 - ddiss@suse.com - Work around replay cache creation race; (bnc#898439). krb5-1.13-work-around-replay-cache-creation-race.patch ------------------------------------------------------------------- Tue Sep 23 12:27:55 UTC 2014 - varkoly@suse.com - bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal - added patches: * bnc#897874-CVE-2014-5351.diff ------------------------------------------------------------------- Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com - buffer overrun in kadmind with LDAP backend CVE-2014-4345 (bnc#891082) krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch ------------------------------------------------------------------- Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com - Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697) krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch Fix null deref in SPNEGO acceptor [CVE-2014-4344] krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch ------------------------------------------------------------------- Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com - denial of service flaws when handling RFC 1964 tokens (bnc#886016) krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch - start krb5kdc after slapd (bnc#886102) ------------------------------------------------------------------- Fri Jun 6 11:08:08 UTC 2014 - ckornacker@suse.com - obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674) similar functionality is provided by krb5-plugin-preauth-pkinit ------------------------------------------------------------------- Tue Feb 18 15:25:57 UTC 2014 - ckornacker@suse.com - don't deliver SysV init files to systemd distributions ------------------------------------------------------------------- Tue Jan 21 14:23:37 UTC 2014 - ckornacker@suse.com - update to version 1.12.1 * Make KDC log service principal names more consistently during some error conditions, instead of "<unknown server>" * Fix several bugs related to building AES-NI support on less common configurations * Fix several bugs related to keyring credential caches - upstream obsoletes: krb5-1.12-copy_context.patch krb5-1.12-enable-NX.patch krb5-1.12-pic-aes-ni.patch krb5-master-no-malloc0.patch krb5-master-ignore-empty-unnecessary-final-token.patch krb5-master-gss_oid_leak.patch krb5-master-keytab_close.patch krb5-master-spnego_error_messages.patch - Fix Get time offsets for all keyring ccaches krb5-master-keyring-kdcsync.patch (RT#7820) ------------------------------------------------------------------- Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com - update to version 1.12 * Add GSSAPI extensions for constructing MIC tokens using IOV lists * Add a FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values. * The AES-based encryption types will use AES-NI instructions when possible for improved performance. - revert dependency on libcom_err-mini-devel since it's not yet available - update and rebase patches * krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch * krb5-1.11-pam.patch -> krb5-1.12-pam.patch * krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch * krb5-1.8-api.patch -> krb5-1.12-api.patch * krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch * krb5-1.9-debuginfo.patch * krb5-1.9-kprop-mktemp.patch * krb5-kvno-230379.patch - added upstream patches - Fix krb5_copy_context * krb5-1.12-copy_context.patch - Mark AESNI files as not needing executable stacks * krb5-1.12-enable-NX.patch * krb5-1.12-pic-aes-ni.patch - Fix memory leak in SPNEGO initiator * krb5-master-gss_oid_leak.patch - Fix SPNEGO one-hop interop against old IIS * krb5-master-ignore-empty-unnecessary-final-token.patch - Fix GSS krb5 acceptor acquire_cred error handling * krb5-master-keytab_close.patch - Avoid malloc(0) in SPNEGO get_input_token * krb5-master-no-malloc0.patch - Test SPNEGO error message in t_s4u.py * krb5-master-spnego_error_messages.patch ------------------------------------------------------------------- Tue Dec 10 02:43:32 UTC 2013 - nfbrown@suse.com - Reduce build dependencies for krb5-mini by removing doxygen and changing libcom_err-devel to libcom_err-mini-devel - Small fix to pre_checkin.sh so krb5-mini.spec is correct. ------------------------------------------------------------------- Fri Nov 15 13:33:53 UTC 2013 - ckornacker@suse.com - update to version 1.11.4 - Fix a KDC null pointer dereference [CVE-2013-1417] that could affect realms with an uncommon configuration. - Fix a KDC null pointer dereference [CVE-2013-1418] that could affect KDCs that serve multiple realms. - Fix a number of bugs related to KDC master key rollover. ------------------------------------------------------------------- Mon Jun 24 16:21:07 UTC 2013 - mc@suse.com - install and enable systemd service files also in -mini package ------------------------------------------------------------------- Fri Jun 21 02:12:03 UTC 2013 - crrodriguez@opensuse.org - remove fstack-protector-all from CFLAGS, just use the lighter/fast version already present in %optflags - Use LFS_CFLAGS to build in 32 bit archs. ------------------------------------------------------------------- Sun Jun 9 14:14:48 UTC 2013 - mc@suse.com - update to version 1.11.3 - Fix a UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443] - Improve interoperability with some Windows native PKINIT clients. - install translation files - remove outdated configure options ------------------------------------------------------------------- Tue May 28 17:08:01 UTC 2013 - mc@suse.com - cleanup systemd files (remove syslog.target) ------------------------------------------------------------------- Fri May 3 09:43:47 CEST 2013 - mc@suse.de - let krb5-mini conflict with all main packages ------------------------------------------------------------------- Thu May 2 16:43:16 CEST 2013 - mc@suse.de - add conflicts between krb5-mini and krb5-server ------------------------------------------------------------------- Sun Apr 28 17:14:36 CEST 2013 - mc@suse.de - update to version 1.11.2 * Incremental propagation could erroneously act as if a slave's database were current after the slave received a full dump that failed to load. * gss_import_sec_context incorrectly set internal state that identifies whether an imported context is from an interposer mechanism or from the underlying mechanism. - upstream fix obsolete krb5-lookup_etypes-leak.patch ------------------------------------------------------------------- Thu Apr 4 15:10:19 CEST 2013 - mc@suse.de - add conflicts between krb5-mini-devel and krb5-devel ------------------------------------------------------------------- Tue Apr 2 17:32:08 CEST 2013 - mc@suse.de - add conflicts between krb5-mini and krb5 and krb5-client ------------------------------------------------------------------- Wed Mar 27 11:36:00 CET 2013 - mc@suse.de - enable selinux and set openssl as crypto implementation ------------------------------------------------------------------- Fri Mar 22 10:34:55 CET 2013 - mc@suse.de - fix path to executables in service files (bnc#810926) ------------------------------------------------------------------- Fri Mar 15 11:14:21 CET 2013 - mc@suse.de - update to version 1.11.1 * Improve ASN.1 support code, making it table-driven for decoding as well as encoding * Refactor parts of KDC * Documentation consolidation * build docs in the main package * bugfixing - changes of patches: * bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif: upstream * bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif: upstream * krb5-1.10-gcc47.patch: upstream * krb5-1.10-selinux-label.patch replaced by krb5-1.11-selinux-label.patch * krb5-1.10-spin-loop.patch: upstream * krb5-1.3.5-perlfix.dif: the tool was removed from upstream * krb5-1.8-pam.patch replaced by krb5-1.11-pam.patch ------------------------------------------------------------------- Wed Mar 6 12:01:32 CET 2013 - mc@suse.de - fix PKINIT null pointer deref in pkinit_check_kdc_pkid() CVE-2012-1016 (bnc#807556) bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif ------------------------------------------------------------------- Mon Mar 4 11:23:10 CET 2013 - mc@suse.de - fix PKINIT null pointer deref CVE-2013-1415 (bnc#806715) bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif ------------------------------------------------------------------- Fri Jan 25 15:29:37 CET 2013 - mc@suse.de - package missing file (bnc#794784) ------------------------------------------------------------------- Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com - krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc (bnc#793336) ------------------------------------------------------------------- Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com - revert the -p usage in %postun to fix SLE build ------------------------------------------------------------------- Tue Oct 16 12:05:00 UTC 2012 - coolo@suse.com - buildrequire systemd by pkgconfig provide to get systemd-mini ------------------------------------------------------------------- Sat Oct 13 16:50:59 UTC 2012 - coolo@suse.com - do not require systemd in krb5-mini ------------------------------------------------------------------- Fri Oct 5 15:50:38 CEST 2012 - mc@suse.de - add systemd service files for kadmind, krb5kdc and kpropd - add sysconfig templates for kadmind and krb5kdc ------------------------------------------------------------------- Wed Jun 13 08:40:56 UTC 2012 - coolo@suse.com - fix %files section for krb5-mini ------------------------------------------------------------------- Thu Jun 7 11:39:18 UTC 2012 - mc@suse.de - fix gcc47 issues ------------------------------------------------------------------- Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de - update to version 1.10.2 obsolte patches: * krb5-1.7-nodeplibs.patch * krb5-1.9.1-ai_addrconfig.patch * krb5-1.9.1-ai_addrconfig2.patch * krb5-1.9.1-sendto_poll.patch * krb5-1.9-canonicalize-fallback.patch * krb5-1.9-paren.patch * krb5-klist_s.patch * krb5-pkinit-cms2.patch * krb5-trunk-chpw-err.patch * krb5-trunk-gss_delete_sec.patch * krb5-trunk-kadmin-oldproto.patch * krb5-1.9-MITKRB5-SA-2011-006.dif * krb5-1.9-gss_display_status-iakerb.patch * krb5-1.9.1-sendto_poll2.patch * krb5-1.9.1-sendto_poll3.patch * krb5-1.9-MITKRB5-SA-2011-007.dif - Fix an interop issue with Windows Server 2008 R2 Read-Only Domain Controllers. - Update a workaround for a glibc bug that would cause DNS PTR queries to occur even when rdns = false. - Fix a kadmind denial of service issue (null pointer dereference), which could only be triggered by an administrator with the "create" privilege. [CVE-2012-1013] - Fix access controls for KDB string attributes [CVE-2012-1012] - Make the ASN.1 encoding of key version numbers interoperate with Windows Read-Only Domain Controllers - Avoid generating spurious password expiry warnings in cases where the KDC sends an account expiry time without a password expiry time - Make PKINIT work with FAST in the client library. - Add the DIR credential cache type, which can hold a collection of credential caches. - Enhance kinit, klist, and kdestroy to support credential cache collections if the cache type supports it. - Add the kswitch command, which changes the selected default cache within a collection. - Add heuristic support for choosing client credentials based on the service realm. - Add support for $HOME/.k5identity, which allows credential choice based on configured rules. ------------------------------------------------------------------- Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de - add autoconf macro to devel subpackage ------------------------------------------------------------------- Tue Jan 31 15:33:05 CET 2012 - meissner@suse.de - fix license in krb5-mini ------------------------------------------------------------------- Tue Dec 20 20:57:26 UTC 2011 - coolo@suse.com - add autoconf as buildrequire to avoid implicit dependency ------------------------------------------------------------------- Tue Dec 20 11:01:39 UTC 2011 - coolo@suse.com - remove call to suse_update_config, very old work around ------------------------------------------------------------------- Mon Nov 21 11:24:12 CET 2011 - mc@suse.de - fix KDC null pointer dereference in TGS handling (MITKRB5-SA-2011-007, bnc#730393) CVE-2011-1530 ------------------------------------------------------------------- Mon Nov 21 11:11:54 CET 2011 - mc@suse.de - fix KDC HA feature introduced with implementing KDC poll (RT#6951, bnc#731648) ------------------------------------------------------------------- Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de - fix minor error messages for the IAKERB GSSAPI mechanism (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020) ------------------------------------------------------------------- Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de - fix kdc remote denial of service (MITKRB5-SA-2011-006, bnc#719393) CVE-2011-1527, CVE-2011-1528, CVE-2011-1529 ------------------------------------------------------------------- Tue Aug 23 13:52:03 CEST 2011 - mc@suse.de - use --without-pam to build krb5-mini ------------------------------------------------------------------- Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com - add patches from Fedora and upstream - fix init scripts (bnc#689006) ------------------------------------------------------------------- Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com - update to version 1.9.1 * obsolete patches: MITKRB5-SA-2010-007-1.8.dif krb5-1.8-MITKRB5-SA-2010-006.dif krb5-1.8-MITKRB5-SA-2011-001.dif krb5-1.8-MITKRB5-SA-2011-002.dif krb5-1.8-MITKRB5-SA-2011-003.dif krb5-1.8-MITKRB5-SA-2011-004.dif krb5-1.4.3-enospc.dif * replace krb5-1.6.1-compile_pie.dif ------------------------------------------------------------------- Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de - fix kadmind invalid pointer free() (MITKRB5-SA-2011-004, bnc#687469) CVE-2011-0285 ------------------------------------------------------------------- Tue Mar 1 12:43:22 CET 2011 - mc@suse.de - Fix vulnerability to a double-free condition in KDC daemon (MITKRB5-SA-2011-003, bnc#671717) CVE-2011-0284 ------------------------------------------------------------------- Wed Jan 19 14:42:27 CET 2011 - mc@suse.de - Fix kpropd denial of service (MITKRB5-SA-2011-001, bnc#662665) CVE-2010-4022 - Fix KDC denial of service attacks with LDAP back end (MITKRB5-SA-2011-002, bnc#663619) CVE-2011-0281, CVE-2011-0282 ------------------------------------------------------------------- Wed Dec 1 11:44:15 CET 2010 - mc@suse.de - Fix multiple checksum handling vulnerabilities (MITKRB5-SA-2010-007, bnc#650650) CVE-2010-1324 * krb5 GSS-API applications may accept unkeyed checksums * krb5 application services may accept unkeyed PAC checksums * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums CVE-2010-1323 * krb5 clients may accept unkeyed SAM-2 challenge checksums * krb5 may accept KRB-SAFE checksums with low-entropy derived keys CVE-2010-4020 * krb5 may accept authdata checksums with low-entropy derived keys CVE-2010-4021 * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery ------------------------------------------------------------------- Thu Oct 28 12:53:13 CEST 2010 - mc@suse.de - fix csh profile (bnc#649856) ------------------------------------------------------------------- Fri Oct 22 11:15:43 CEST 2010 - mc@suse.de - update to krb5-1.8.3 * remove patches which are now upstrem - krb5-1.7-MITKRB5-SA-2010-004.dif - krb5-1.8.1-gssapi-error-table.dif - krb5-MITKRB5-SA-2010-005.dif ------------------------------------------------------------------- Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de - change environment variable PATH directly for csh (bnc#642080) ------------------------------------------------------------------- Mon Sep 27 11:42:43 CEST 2010 - mc@suse.de - fix a dereference of an uninitialized pointer while processing authorization data. CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990) ------------------------------------------------------------------- Mon Jun 21 21:31:53 UTC 2010 - lchiquitto@novell.com - add correct error table when initializing gss-krb5 (bnc#606584, bnc#608295) ------------------------------------------------------------------- Wed May 19 14:27:19 CEST 2010 - mc@suse.de - fix GSS-API library null pointer dereference CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826) ------------------------------------------------------------------- Wed Apr 14 11:36:32 CEST 2010 - mc@suse.de - fix a double free vulnerability in the KDC CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002) ------------------------------------------------------------------- Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de - update to version 1.8.1 * include krb5-1.8-POST.dif * include MITKRB5-SA-2010-002 ------------------------------------------------------------------- Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de - update krb5-1.8-POST.dif ------------------------------------------------------------------- Tue Mar 23 14:32:41 CET 2010 - mc@suse.de - fix a bug where an unauthenticated remote attacker could cause a GSS-API application including the Kerberos administration daemon (kadmind) to crash. CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) ------------------------------------------------------------------- Tue Mar 23 12:33:26 CET 2010 - mc@suse.de - add post 1.8 fixes * Add IPv6 support to changepw.c * fix two problems in kadm5_get_principal mask handling * Ignore improperly encoded signedpath AD elements * handle NT_SRV_INST in service principal referrals * dereference options while checking KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT * Fix the kpasswd fallback from the ccache principal name * Document the ticket_lifetime libdefaults setting * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 ------------------------------------------------------------------- Thu Mar 4 10:42:29 CET 2010 - mc@suse.de - update to version 1.8 * Increase code quality * Move toward improved KDB interface * Investigate and remedy repeatedly-reported performance bottlenecks. * Reduce DNS dependence by implementing an interface that allows client library to track whether a KDC supports service principal referrals. * Disable DES by default * Account lockout for repeated login failures * Bridge layer to allow Heimdal HDB modules to act as KDB backend modules * FAST enhancements * Microsoft Services for User (S4U) compatibility * Anonymous PKINIT - fix KDC denial of service CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781) - fix KDC denial of service in cross-realm referral processing CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347) - fix integer underflow in AES and RC4 decryption CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) - moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl ------------------------------------------------------------------- Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de - add baselibs.conf as a source ------------------------------------------------------------------- Fri Nov 13 16:51:37 CET 2009 - mc@suse.de - enhance '$PATH' only if the directories are available and not empty (bnc#544949) ------------------------------------------------------------------- Sun Jul 12 21:36:17 CEST 2009 - coolo@novell.com - readd lost baselibs.conf ------------------------------------------------------------------- Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de - update to final 1.7 release ------------------------------------------------------------------- Wed May 13 11:30:42 CEST 2009 - mc@suse.de - update to version 1.7 Beta2 * Incremental propagation support for the KDC database. * Flexible Authentication Secure Tunneling (FAST), a preauthentiation framework that can protect the AS exchange from dictionary attack. * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy. * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 -- various vulnerabilities in SPNEGO and ASN.1 code. ------------------------------------------------------------------- Mon Feb 16 13:04:26 CET 2009 - mc@suse.de - update to pre 1.7 version * Remove support for version 4 of the Kerberos protocol (krb4). * New libdefaults configuration variable "allow_weak_crypto". * Client library now follows client principal referrals, for compatibility with Windows. * KDC can issue realm referrals for service principals based on domain names. * Encryption algorithm negotiation (RFC 4537). * In the replay cache, use a hash over the complete ciphertext to avoid false-positive replay indications. * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is similar to the equivalent SSPI functionality. * DCE RPC, including three-leg GSS context setup and unencapsulated GSS tokens. * NTLM recognition support in GSS-API, to facilitate dropping in an NTLM implementation. * KDC support for principal aliases, if the back end supports them. * Microsoft set/change password (RFC 3244) protocol in kadmind. * Master key rollover support. ------------------------------------------------------------------- Wed Jan 14 09:21:36 CET 2009 - olh@suse.de - obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit ------------------------------------------------------------------- Thu Dec 11 14:12:57 CET 2008 - mc@suse.de - do not query IPv6 addresses if no IPv6 address exists on this host [bnc#449143] ------------------------------------------------------------------- Wed Dec 10 12:34:56 CET 2008 - olh@suse.de - use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade (bnc#437293) ------------------------------------------------------------------- Thu Oct 30 12:34:56 CET 2008 - olh@suse.de - obsolete old -XXbit packages (bnc#437293) ------------------------------------------------------------------- Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de - in case we use ldap as database backend, ldap should be started before krb5kdc ------------------------------------------------------------------- Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de - add new fixes to post 1.6.3 patch * fix mem leak in krb5_gss_accept_sec_context() * keep minor_status * kadm5_decrypt_key: A ktype of -1 is documented as meaning "to be ignored" * Reject socket fds > FD_SETSIZE ------------------------------------------------------------------- Fri Jul 25 12:13:24 CEST 2008 - mc@suse.de - add patches from SVN post 1.6.3 * krb5_string_to_keysalts: Fix an infinite loop * fix some mutex issues * better recovery from corrupt rcache files * some more small fixes ------------------------------------------------------------------- Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de - add case-insensitive.dif (FATE#300771) - minor fixes for ktutil man page - reduce rpmlint warnings ------------------------------------------------------------------- Wed May 14 17:44:59 CEST 2008 - mc@suse.de - Fall back to TCP on kdc-unresolvable/unreachable errors. - restore valid sequence number before generating requests (fix changing passwords in mixed ipv4/ipv6 enviroments) ------------------------------------------------------------------- Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de - added baselibs.conf file to build xxbit packages for multilib support ------------------------------------------------------------------- Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de - modify krb5-config to not output rpath and cflags in --libs (bnc#378270) ------------------------------------------------------------------- Fri Mar 14 11:27:55 CET 2008 - mc@suse.de - fix two security bugs: * MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063) fix double free [bnc#361373] * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948) Memory corruption while too many open file descriptors [bnc#363151] - change default config file. Comment out the examples. ------------------------------------------------------------------- Fri Dec 14 10:48:52 CET 2007 - mc@suse.de - fix several security bugs: * CVE-2007-5894 apparent uninit length * CVE-2007-5902 integer overflow * CVE-2007-5971 free of non-heap pointer and double-free * CVE-2007-5972 double fclose() [#346745, #346748, #346746, #346749, #346747] ------------------------------------------------------------------- Tue Dec 4 16:36:07 CET 2007 - mc@suse.de - improve GSSAPI error messages ------------------------------------------------------------------- Tue Nov 6 13:53:17 CET 2007 - mc@suse.de - add coreutils to PreReq ------------------------------------------------------------------- Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de - update to krb5 version 1.6.3 * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow * fix CVE-2007-4000 modify_policy vulnerability * Add PKINIT support - remove patches which are upstream now - enhance init scripts and xinetd profiles ------------------------------------------------------------------- Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de - update krb5-1.6.2-post.dif * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that that the client library will not failover to the next KDC. [#310540] ------------------------------------------------------------------- Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de - update krb5-1.6.2-post.dif * new -S sname option for kvno * read_entropy_from_device on partial read will not fill buffer * Bail out if encoded "ticket" doesn't decode correctly. * patch for referrals loop ------------------------------------------------------------------- Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de - fix a problem with the originally published patch for MITKRB5-SA-2007-006 - CVE-2007-3999 [#302377] ------------------------------------------------------------------- Wed Sep 5 12:18:21 CEST 2007 - mc@suse.de - fix execute arbitrary code (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000) [#302377] ------------------------------------------------------------------- Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de - add krb5-1.6.2-post.dif * during the referrals loop, check to see if the session key enctype of a returned credential for the final service is among the enctypes explicitly selected by the application, and retry with old_use_conf_ktypes if it is not. * If mkstemp() is available, the new ccache file gets created but the subsequent open(O_CREAT|O_EXCL) call fails because the file was already created by mkstemp(). Apply patch from Apple to keep the file descriptor open. ------------------------------------------------------------------- Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de - update to version 1.6.2 - remove krb5-1.6.1-post.dif all fixes are included in this release ------------------------------------------------------------------- Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de - change requires to libcom_err-devel ------------------------------------------------------------------- Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de - update krb5-1.6.1-post.dif * fix leak in krb5_walk_realm_tree * rd_req_decoded needs to deal with referral realms * fix buffer overflow in kadmind (MITKRB5-SA-2007-005 - CVE-2007-2798) [#278689] * fix kadmind code execution bug (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443) [#271191] ------------------------------------------------------------------- Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de - fix unstripped-binary-or-object rpmlint warning ------------------------------------------------------------------- Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de - fixing rpmlint warnings and errors: * merged logrotate scripts kadmin and krb5kdc into a single file krb5-server. * moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper. adapted krb5.spec and README.ConvertHeimdalMIT accordingly. * added surpression filter for "devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so" (see [#147912]). * set default runlevel of init scripts in chkconfig line to 3 and 5 ------------------------------------------------------------------- Wed May 9 15:30:53 CEST 2007 - mc@suse.de - fix uninitialized salt length - add extra check for keytab file ------------------------------------------------------------------- Thu May 3 12:11:29 CEST 2007 - mc@suse.de - adding krb5-1.6.1-post.dif * fix segfault in krb5_get_init_creds_password * remove debug output in ftp client * profile stores empty string values without double quotes ------------------------------------------------------------------- Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de - update to final 1.6.1 version ------------------------------------------------------------------- Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de - add plugin directories to main package ------------------------------------------------------------------- Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de - update to version 1.6.1 Beta1 - remove obsolete patches (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif) - rework compile_pie patch ------------------------------------------------------------------- Wed Apr 11 10:58:09 CEST 2007 - mc@suse.de - update krb5-1.6-post.dif * fix kadmind stack overflow in krb5_klog_syslog (MITKRB5-SA-2007-002 - CVE-2007-0957) [#253548] * fix double free attack in the RPC library (MITKRB5-SA-2007-003 - CVE-2007-1216) [#252487] * fix krb5 telnetd login injection (MIT-SA-2007-001 - CVE-2007-0956) #247765 ------------------------------------------------------------------- Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de - add ncurses-devel and bison to BuildRequires - rework some patches ------------------------------------------------------------------- Mon Mar 5 11:01:20 CET 2007 - mc@suse.de - move SuSEFirewall service definitions to /etc/sysconfig/SuSEfirewall2.d/services ------------------------------------------------------------------- Thu Feb 22 11:13:48 CET 2007 - mc@suse.de - add firewall definition to krb5-server, FATE #300687 ------------------------------------------------------------------- Mon Feb 19 13:59:43 CET 2007 - mc@suse.de - update krb5-1.6-post.dif - move some applications into the right package ------------------------------------------------------------------- Fri Feb 9 13:31:22 CET 2007 - mc@suse.de - update krb5-1.6-post.dif ------------------------------------------------------------------- Mon Jan 29 11:27:23 CET 2007 - mc@suse.de - krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif are now upstream. Remove patches. - fix leak in krb5_kt_resolve and krb5_kt_wresolve ------------------------------------------------------------------- Tue Jan 23 17:21:12 CET 2007 - mc@suse.de - fix "local variable used before set" in ftp.c [#237684] ------------------------------------------------------------------- Mon Jan 22 16:39:27 CET 2007 - mc@suse.de - krb5-devel should require keyutils-devel ------------------------------------------------------------------- Mon Jan 22 12:19:49 CET 2007 - mc@suse.de - update to version 1.6 * Major changes in 1.6 include * Partial client implementation to handle server name referrals. * Pre-authentication plug-in framework, donated by Red Hat. * LDAP KDB plug-in, donated by Novell. - remove obsolete patches ------------------------------------------------------------------- Wed Jan 10 11:16:30 CET 2007 - mc@suse.de - fix for kadmind (via RPC library) calls uninitialized function pointer (CVE-2006-6143)(Bug #225990) krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif - fix for kadmind (via GSS-API mechglue) frees uninitialized pointers (CVE-2006-6144)(Bug #225992) krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif ------------------------------------------------------------------- Tue Jan 2 14:53:33 CET 2007 - mc@suse.de - Fix Requires in krb5-devel [Bug #231008] ------------------------------------------------------------------- Mon Nov 6 11:49:39 CET 2006 - mc@suse.de - fix "local variable used before set" [#217692] - fix strncat warning ------------------------------------------------------------------- Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de - add a default kadm5.dict file - require $network on daemon start ------------------------------------------------------------------- Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de - fix function call with too few arguments [#203837] ------------------------------------------------------------------- Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de - update to version 1.5.1 - remove obsolete patches which are now included upstream * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif * trunk-fix-uninitialized-vars.dif ------------------------------------------------------------------- Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de - krb5 setuid return check fixes krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif [#182351] ------------------------------------------------------------------- Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de - remove update-messages ------------------------------------------------------------------- Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de - add check for krb5_prop in services to kpropd init script. [#192446] ------------------------------------------------------------------- Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de - update to version 1.5 * KDB abstraction layer, donated by Novell. * plug-in architecture, allowing for extension modules to be loaded at run-time. * multi-mechanism GSS-API implementation ("mechglue"), donated by Sun Microsystems * Simple and Protected GSS-API negotiation mechanism ("SPNEGO") implementation, donated by Sun Microsystems - remove obsolete patches and add some new ------------------------------------------------------------------- Fri May 26 14:50:00 CEST 2006 - ro@suse.de - libcom is not in e2fsck-devel but in its own package now, change Requires accordingly. ------------------------------------------------------------------- Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de - add all daemons to %stop_on_removal and %restart_on_update - add reload to kpropd init script - add force-reload to all init scripts ------------------------------------------------------------------- Mon Mar 13 18:20:36 CET 2006 - mc@suse.de - add libgssapi_krb5.so link to main package [#147912] ------------------------------------------------------------------- Fri Feb 3 18:17:01 CET 2006 - mc@suse.de - fix logging section for kadmind in convert script ------------------------------------------------------------------- Wed Jan 25 21:30:24 CET 2006 - mls@suse.de - converted neededforbuild to BuildRequires ------------------------------------------------------------------- Fri Jan 13 14:44:24 CET 2006 - mc@suse.de - change the logging defaults ------------------------------------------------------------------- Wed Jan 11 12:59:08 CET 2006 - mc@suse.de - add tools and README for heimdal => MIT update ------------------------------------------------------------------- Mon Jan 9 14:41:07 CET 2006 - mc@suse.de - fix build problems, define _GNU_SOURCE (krb5-1.4.3-set_gnu_source.dif ) ------------------------------------------------------------------- Tue Jan 3 16:00:13 CET 2006 - mc@suse.de - added "make %{?jobs:-j%jobs}" ------------------------------------------------------------------- Fri Nov 18 12:12:01 CET 2005 - mc@suse.de - update to version 1.4.3 * some memmory leaks fixed * fix for "AS_REP padata has wrong enctype" * fix for "AS_REP padata missing PA-ETYPE-INFO" * ... and more ------------------------------------------------------------------- Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de - don't build as root ------------------------------------------------------------------- Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de - update to version 1.4.2 - remove some obsolet patches ------------------------------------------------------------------- Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de - build with --disable-static ------------------------------------------------------------------- Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de - remove devel-static subpackage ------------------------------------------------------------------- Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de - better patch for princ_comp problem ------------------------------------------------------------------- Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de - update to version 1.4.1 - remove obsolet patches - krb5-1.4-gcc4.dif - krb5-1.4-reduce-namespace-polution.dif - krb5-1.4-VUL-0-telnet.dif ------------------------------------------------------------------- Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de - fixed krb5 KDC heap corruption by random free [#80574, CAN-2005-1174, MITKRB5-SA-2005-002] - fixed krb5 double free() [#86768, CAN-2005-1689, MITKRB5-SA-2005-003] - fix krb5 NULL pointer reference while comparing principals [#91600] ------------------------------------------------------------------- Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de - fix uninitialized variables - compile with -fPIE/ link with -pie ------------------------------------------------------------------- Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de - fixed wrong xinetd files [#77149] ------------------------------------------------------------------- Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de - removed krb5-1.4-fix-error_tables.dif patch obsoleted by libcom_err locking patches ------------------------------------------------------------------- Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de - fixed missing descriptions in init files [#76164, #76165, #76166, #76169] ------------------------------------------------------------------- Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de - enhance $PATH via /etc/profile.d/ [#74018] - remove the "links to important programs" ------------------------------------------------------------------- Fri Mar 18 11:09:43 CET 2005 - mc@suse.de - fixed not running converter script [#72854] ------------------------------------------------------------------- Thu Mar 17 14:15:17 CET 2005 - mc@suse.de - Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer Overflow - Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer Overflow [#73618] ------------------------------------------------------------------- Wed Mar 16 13:10:18 CET 2005 - mc@suse.de - fixed wrong PreReqs [#73020] ------------------------------------------------------------------- Tue Mar 15 19:54:58 CET 2005 - mc@suse.de - add a simple krb5.conf converter [#72854] ------------------------------------------------------------------- Mon Mar 14 17:08:59 CET 2005 - mc@suse.de - fixed: rckrb5kdc restart gives wrong status with non-running service [#72446] ------------------------------------------------------------------- Thu Mar 10 10:48:07 CET 2005 - mc@suse.de - add requires: e2fsprogs-devel to krb5-devel package [#71732] ------------------------------------------------------------------- Fri Feb 25 17:35:37 CET 2005 - mc@suse.de - fix double free [#66534] krb5-1.4-fix-error_tables.dif ------------------------------------------------------------------- Fri Feb 11 14:01:32 CET 2005 - mc@suse.de - change mode for shared libraries to 755 ------------------------------------------------------------------- Fri Feb 4 16:48:16 CET 2005 - mc@suse.de - remove spx.c from tarball because of legal risk - add README.Source which tell the user about this action. - add a check for spx.c in the spec-file - use rich-text for update-messages [#50250] ------------------------------------------------------------------- Tue Feb 1 12:13:45 CET 2005 - mc@suse.de - add krb5-1.4-reduce-namespace-polution.dif reduce namespace polution in gssapi.h [#50356] ------------------------------------------------------------------- Fri Jan 28 13:25:42 CET 2005 - mc@suse.de - update to version 1.4 - Add implementation of the RPCSEC_GSS authentication flavor to the RPC library. - Thread safety for krb5 libraries. - Merged Athena telnetd changes for creating a new option for requiring encryption. - The kadmind4 backwards-compatibility admin server and the v5passwdd backwards-compatibility password-changing server have been removed. - Yarrow code now uses AES. - Merged Athena changes to allow ftpd to require encrypted passwords. - Incorporate gss_krb5_set_allowable_enctypes() and gss_krb5_export_lucid_sec_context(), which are needed for NFSv4. - remove obsolet patches ------------------------------------------------------------------- Mon Jan 17 11:34:52 CET 2005 - mc@suse.de - add proofreaded update-messages ------------------------------------------------------------------- Fri Jan 14 14:38:25 CET 2005 - mc@suse.de - remove Conflicts: and add Provides: - add some insserv stuff ------------------------------------------------------------------- Thu Jan 13 11:54:01 CET 2005 - mc@suse.de - move vendor files to vendor-files.tar.bz2 - add obsoletes: heimdal - add %pre and %post sections to detect update from heimdal and backup invalid configuration files - add update-messages for heimdal update ------------------------------------------------------------------- Mon Jan 10 12:18:02 CET 2005 - mc@suse.de - update to version 1.3.6 - fix for: heap buffer overflow in libkadm5srv [CAN-2004-1189 / MITKRB5-SA-2004-004] ------------------------------------------------------------------- Tue Dec 14 15:30:23 CET 2004 - mc@suse.de - build doc subpackage in an own specfile - removed unnecessary neededforbuild requirements ------------------------------------------------------------------- Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de - fix build with gcc 4 ------------------------------------------------------------------- Mon Nov 15 17:25:56 CET 2004 - mc@suse.de - added Conflicts with heimdal* - rename some manpages to avoid conflicts ------------------------------------------------------------------- Thu Nov 4 18:03:11 CET 2004 - mc@suse.de - new init scripts - fix logrotate scripts - add some 64Bit fixes - add default krb5.conf, kdc.conf and kadm5.acl ------------------------------------------------------------------- Wed Nov 3 18:52:07 CET 2004 - mc@suse.de - add e2fsprogs to NFB - use system-et and system-ss - fix includes of com_err.h ------------------------------------------------------------------- Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de - Initital checkin
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor