Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: krb5 | Distribution: openSUSE Tumbleweed |
Version: 1.21.3 | Vendor: openSUSE |
Release: 1.1 | Build date: Mon Jul 1 09:50:59 2024 |
Group: Unspecified | Build host: reproducible |
Size: 2589917 | Source RPM: krb5-1.21.3-1.1.src.rpm |
Packager: http://bugs.opensuse.org | |
Url: https://kerberos.org/dist/ | |
Summary: MIT Kerberos5 implementation |
Kerberos V5 is a trusted-third-party network authentication system, which can improve network security by eliminating the insecure practice of clear text passwords.
MIT
* Mon Jul 01 2024 Samuel Cabrero <scabrero@suse.de> - Update to 1.21.3 * Fix vulnerabilities in GSS message token handling: * CVE-2024-37370, bsc#1227186 * CVE-2024-37371, bsc#1227187 * Fix a potential bad pointer free in krb5_cccol_have_contents() * Fix a memory leak in the macOS ccache type - Update patch 0009-Fix-three-memory-leaks.patch * Mon May 13 2024 Andreas Schneider <asn@cryptomilk.org> - Enable the LMDB backend for KDB * Thu May 02 2024 Thorsten Kukuk <kukuk@suse.com> - Remove requires for not used cron * Fri Mar 22 2024 Samuel Cabrero <scabrero@suse.de> - Fix memory leaks, add patch 0009-Fix-three-memory-leaks.patch * CVE-2024-26458, bsc#1220770 * CVE-2024-26461, bsc#1220771 * CVE-2024-26462, bsc#1220772 * Thu Feb 29 2024 Pedro Monreal <pmonreal@suse.com> - Add crypto-policies support [bsc#1211301] * Update krb5.conf in vendor-files.tar.bz2 * Wed Dec 20 2023 Dirk Müller <dmueller@suse.com> - update to 1.21.2 (bsc#1218211, CVE-2023-39975): * Fix double-free in KDC TGS processing [CVE-2023-39975]. * Sat Jul 15 2023 Dirk Müller <dmueller@suse.com> - update to 1.21.1 (CVE-2023-36054): * Fix potential uninitialized pointer free in kadm5 XDR parsing [CVE-2023-36054]; (bsc#1214054). * Added a credential cache type providing compatibility with the macOS 11 native credential cache. * libkadm5 will use the provided krb5_context object to read configuration values, instead of creating its own. * Added an interface to retrieve the ticket session key from a GSS context. * The KDC will no longer issue tickets with RC4 or triple-DES session keys unless explicitly configured with the new allow_rc4 or allow_des3 variables respectively. * The KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes string attribute. * Support for PAC full KDC checksums has been added to mitigate an S4U2Proxy privilege escalation attack. * The PKINIT client will advertise a more modern set of supported CMS algorithms. * Removed unused code in libkrb5, libkrb5support, and the PKINIT module. * Modernized the KDC code for processing TGS requests, the code for encrypting and decrypting key data, the PAC handling code, and the GSS library packet parsing and composition code. * Improved the test framework's detection of memory errors in daemon processes when used with asan. * Thu May 04 2023 Frederic Crozat <fcrozat@suse.com> - Add _multibuild to define additional spec files as additional flavors. Eliminates the need for source package links in OBS. * Fri Mar 03 2023 Samuel Cabrero <scabrero@suse.de> - Update 0007-SELinux-integration.patch for SELinux 3.5; (bsc#1208887); * Tue Dec 27 2022 Stefan Schubert <schubi@suse.com> - Migration of PAM settings to /usr/lib/pam.d * Tue Dec 13 2022 Samuel Cabrero <scabrero@suse.de> - Drop 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch, already fixed in release 1.20.0 * Wed Nov 16 2022 Samuel Cabrero <scabrero@suse.de> - Update to 1.20.1; (bsc#1205126); (CVE-2022-42898); * Fix integer overflows in PAC parsing [CVE-2022-42898]. * Fix null deref in KDC when decoding invalid NDR. * Fix memory leak in OTP kdcpreauth module. * Fix PKCS11 module path search. * Sun May 29 2022 Dirk Müller <dmueller@suse.com> - update to 1.20.0: * Added a "disable_pac" realm relation to suppress adding PAC authdata to tickets, for realms which do not need to support S4U requests. * Most credential cache types will use atomic replacement when a cache is reinitialized using kinit or refreshed from the client keytab. * kprop can now propagate databases with a dump size larger than 4GB, if both the client and server are upgraded. * kprop can now work over NATs that change the destination IP address, if the client is upgraded. * Updated the KDB interface. The sign_authdata() method is replaced with the issue_pac() method, allowing KDB modules to add logon info and other buffers to the PAC issued by the KDC. * Host-based initiator names are better supported in the GSS krb5 mechanism. * Replaced AD-SIGNEDPATH authdata with minimal PACs. * To avoid spurious replay errors, password change requests will not be attempted over UDP until the attempt over TCP fails. * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1. * Updated all code using OpenSSL to be compatible with OpenSSL 3. * Reorganized the libk5crypto build system to allow the OpenSSL back-end to pull in material from the builtin back-end depending on the OpenSSL version. * Simplified the PRNG logic to always use the platform PRNG. * Converted the remaining Tcl tests to Python. * Sat Apr 09 2022 Dirk Müller <dmueller@suse.com> - update to 1.19.3 (bsc#1189929, CVE-2021-37750): * Fix a denial of service attack against the KDC [CVE-2021-37750]. * Fix KDC null deref on TGS inner body null server * Fix conformance issue in GSSAPI tests * Thu Jan 27 2022 David Mulder <dmulder@suse.com> - Resolve "Credential cache directory /run/user/0/krb5cc does not exist while opening default credentials cache" by using a kernel keyring instead of a dir cache; (bsc#1109830); * Thu Sep 30 2021 Johannes Segitz <jsegitz@suse.com> - Added hardening to systemd services; (bsc#1181400); * Mon Aug 30 2021 Samuel Cabrero <scabrero@suse.de> - Fix KDC null pointer dereference via a FAST inner body that lacks a server field; (CVE-2021-37750); (bsc#1189929); - Added patches: * 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch * Mon Aug 02 2021 Samuel Cabrero <scabrero@suse.de> - Update to 1.19.2 * Fix a denial of service attack against the KDC encrypted challenge code; (CVE-2021-36222); * Fix a memory leak when gss_inquire_cred() is called without a credential handle. * Mon May 03 2021 Rodrigo Lourenço <rzl@rzl.ooo> - Build with full Cyrus SASL support * Negotiating SASL credentials with an EXTERNAL bind mechanism requires interaction. Kerberos provides its own interaction function that skips all interaction, thus preventing the mechanism from working. * Thu Apr 22 2021 Samuel Cabrero <scabrero@suse.de> - Use /run instead of /var/run for daemon PID files; (bsc#1185163); * Wed Apr 07 2021 Dirk Müller <dmueller@suse.com> - do not own %sbindir, it comes from filesystem package * Fri Feb 19 2021 Samuel Cabrero <scabrero@suse.de> - Update to 1.19.1 * Fix a linking issue with Samba. * Better support multiple pkinit_identities values by checking whether certificates can be loaded for each value. * Fri Feb 05 2021 Samuel Cabrero <scabrero@suse.de> - Update to 1.19 Administrator experience * When a client keytab is present, the GSSAPI krb5 mech will refresh credentials even if the current credentials were acquired manually. * It is now harder to accidentally delete the K/M entry from a KDB. Developer experience * gss_acquire_cred_from() now supports the "password" and "verify" options, allowing credentials to be acquired via password and verified using a keytab key. * When an application accepts a GSS security context, the new GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor both provided matching channel bindings. * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests to identify the desired client principal by certificate. * PKINIT certauth modules can now cause the hw-authent flag to be set in issued tickets. * The krb5_init_creds_step() API will now issue the same password expiration warnings as krb5_get_init_creds_password(). Protocol evolution * Added client and KDC support for Microsoft's Resource-Based Constrained Delegation, which allows cross-realm S4U2Proxy requests. A third-party database module is required for KDC support. * kadmin/admin is now the preferred server principal name for kadmin connections, and the host-based form is no longer created by default. The client will still try the host-based form as a fallback. * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT extension, which causes channel bindings to be required for the initiator if the acceptor provided them. The client will send this option if the client_aware_gss_bindings profile option is set. User experience * kinit will now issue a warning if the des3-cbc-sha1 encryption type is used in the reply. This encryption type will be deprecated and removed in future releases. * Added kvno flags --out-cache, --no-store, and --cached-only (inspired by Heimdal's kgetcred).
/etc/krb5.conf /etc/krb5.conf.d /etc/krb5.conf.d/crypto-policies /usr/lib64/krb5 /usr/lib64/krb5/plugins /usr/lib64/krb5/plugins/kdb /usr/lib64/krb5/plugins/libkrb5 /usr/lib64/krb5/plugins/preauth /usr/lib64/krb5/plugins/tls /usr/lib64/krb5/plugins/tls/k5tls.so /usr/lib64/libgssapi_krb5.so /usr/lib64/libgssapi_krb5.so.2 /usr/lib64/libgssapi_krb5.so.2.2 /usr/lib64/libgssrpc.so.4 /usr/lib64/libgssrpc.so.4.2 /usr/lib64/libk5crypto.so.3 /usr/lib64/libk5crypto.so.3.1 /usr/lib64/libkadm5clnt_mit.so.12 /usr/lib64/libkadm5clnt_mit.so.12.0 /usr/lib64/libkadm5srv_mit.so.12 /usr/lib64/libkadm5srv_mit.so.12.0 /usr/lib64/libkdb5.so.10 /usr/lib64/libkdb5.so.10.0 /usr/lib64/libkrad.so.0 /usr/lib64/libkrad.so.0.0 /usr/lib64/libkrb5.so.3 /usr/lib64/libkrb5.so.3.3 /usr/lib64/libkrb5support.so.0 /usr/lib64/libkrb5support.so.0.1 /usr/share/doc/packages/krb5 /usr/share/doc/packages/krb5/README /usr/share/locale/de/LC_MESSAGES/mit-krb5.mo /usr/share/locale/en_US/LC_MESSAGES/mit-krb5.mo /usr/share/locale/ka/LC_MESSAGES/mit-krb5.mo /var/log/krb5
Generated by rpm2html 1.8.1
Fabrice Bellet, Wed Oct 30 02:47:48 2024