
krb5-1.12.1-24.1 Source RPM

From OpenSuSE leap updates for 42.1 / oss / src

Name: krb5
Distribution: openSUSE Leap 42.1
Version: 1.12.1
Vendor: openSUSE
Release: 24.1
Build date: Fri Dec 18 18:19:54 2015
Group: Productivity/Networking/Security
Build host: build22
Size: 12341495
Source RPM:
Packager: http://bugs.opensuse.org
Url: http://web.mit.edu/kerberos/www/
Summary: MIT Kerberos5 Implementation--Libraries

Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords.

License

MIT

Changelog

* Tue Nov 10 2015 hguo@suse.com
  - Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
    to fix a memory corruption regression introduced by resolution of
    CVE-2015-2698. bsc#954204
* Wed Oct 28 2015 hguo@suse.com
  - Make kadmin.local man page available without having to install krb5-client. bsc#948011
  - Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
    to fix build_principal memory bug [CVE-2015-2697] bsc#952190
  - Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
    to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
  - Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
    to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
  - Fix patch content of bnc#912002.diff that was missing a diff header.
* Mon Jul 13 2015 varkoly@suse.com
  - bnc#928978 - (CVE-2015-2694) VUL-0: CVE-2015-2694: krb5: issues
    in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass
    patches:
    0001-Prevent-requires_preauth-bypass-CVE-2015-2694.patch
* Wed Mar 11 2015 varkoly@suse.com
  - bnc#918595 VUL-0: CVE-2014-5355: krb5: denial of service in krb5_read_message
    patches:
    0001-Fix-krb5_read_message-handling-CVE-2014-5355.patch
* Wed Mar 11 2015 varkoly@suse.com
  - bnc#910457: CVE-2014-5353: NULL pointer dereference when using a ticket policy name as password name
  - bnc#910458: CVE-2014-5354: NULL pointer dereference when using keyless entries
    patches:
    krb5-1.12.2-CVE-2014-5353.patch
    krb5-1.12.2-CVE-2014-5354.patch
* Wed Jan 07 2015 varkoly@suse.com
  - bnc#912002 VUL-0: CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423:
    krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
  - added patches:
    * bnc#912002.diff
* Thu Sep 25 2014 ddiss@suse.com
  - Work around replay cache creation race; (bnc#898439).
    krb5-1.13-work-around-replay-cache-creation-race.patch
* Tue Sep 23 2014 varkoly@suse.com
  - bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal
  - added patches:
    * bnc#897874-CVE-2014-5351.diff
* Fri Aug 08 2014 ckornacker@suse.com
  - buffer overrun in kadmind with LDAP backend
    CVE-2014-4345 (bnc#891082)
    krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
* Mon Jul 28 2014 ckornacker@suse.com
  - Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)
    krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
    Fix null deref in SPNEGO acceptor [CVE-2014-4344]
    krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
* Thu Jul 10 2014 ckornacker@suse.com
  - denial of service flaws when handling RFC 1964 tokens (bnc#886016)
    krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
  - start krb5kdc after slapd (bnc#886102)
* Fri Jun 06 2014 ckornacker@suse.com
  - obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
    similar functionality is provided by krb5-plugin-preauth-pkinit
* Tue Feb 18 2014 ckornacker@suse.com
  - don't deliver SysV init files to systemd distributions
* Tue Jan 21 2014 ckornacker@suse.com
  - update to version 1.12.1
    * Make KDC log service principal names more consistently during
      some error conditions, instead of "<unknown server>"
    * Fix several bugs related to building AES-NI support on less
      common configurations
    * Fix several bugs related to keyring credential caches
  - upstream obsoletes:
    krb5-1.12-copy_context.patch
    krb5-1.12-enable-NX.patch
    krb5-1.12-pic-aes-ni.patch
    krb5-master-no-malloc0.patch
    krb5-master-ignore-empty-unnecessary-final-token.patch
    krb5-master-gss_oid_leak.patch
    krb5-master-keytab_close.patch
    krb5-master-spnego_error_messages.patch
  - Fix Get time offsets for all keyring ccaches
    krb5-master-keyring-kdcsync.patch (RT#7820)
* Mon Jan 13 2014 ckornacker@suse.com
  - update to version 1.12
    * Add GSSAPI extensions for constructing MIC tokens using IOV lists
    * Add a FAST OTP preauthentication module for the KDC which uses
      RADIUS to validate OTP token values.
    * The AES-based encryption types will use AES-NI instructions
      when possible for improved performance.
  - revert dependency on libcom_err-mini-devel since it's not yet
    available
  - update and rebase patches
    * krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch
    * krb5-1.11-pam.patch -> krb5-1.12-pam.patch
    * krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch
    * krb5-1.8-api.patch -> krb5-1.12-api.patch
    * krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch
    * krb5-1.9-debuginfo.patch
    * krb5-1.9-kprop-mktemp.patch
    * krb5-kvno-230379.patch
  - added upstream patches
    - Fix krb5_copy_context
    * krb5-1.12-copy_context.patch
    - Mark AESNI files as not needing executable stacks
    * krb5-1.12-enable-NX.patch
    * krb5-1.12-pic-aes-ni.patch
    - Fix memory leak in SPNEGO initiator
    * krb5-master-gss_oid_leak.patch
    - Fix SPNEGO one-hop interop against old IIS
    * krb5-master-ignore-empty-unnecessary-final-token.patch
    - Fix GSS krb5 acceptor acquire_cred error handling
    * krb5-master-keytab_close.patch
    - Avoid malloc(0) in SPNEGO get_input_token
    * krb5-master-no-malloc0.patch
    - Test SPNEGO error message in t_s4u.py
    * krb5-master-spnego_error_messages.patch
* Tue Dec 10 2013 nfbrown@suse.com
  - Reduce build dependencies for krb5-mini by removing
    doxygen and changing libcom_err-devel to
    libcom_err-mini-devel
  - Small fix to pre_checkin.sh so krb5-mini.spec is correct.
* Fri Nov 15 2013 ckornacker@suse.com
  - update to version 1.11.4
    - Fix a KDC null pointer dereference [CVE-2013-1417] that could
      affect realms with an uncommon configuration.
    - Fix a KDC null pointer dereference [CVE-2013-1418] that could
      affect KDCs that serve multiple realms.
    - Fix a number of bugs related to KDC master key rollover.
* Mon Jun 24 2013 mc@suse.com
  - install and enable systemd service files also in -mini package
* Fri Jun 21 2013 crrodriguez@opensuse.org
  - remove fstack-protector-all from CFLAGS, just use the
    lighter/fast version already present in %optflags
  - Use LFS_CFLAGS to build in 32 bit archs.
* Sun Jun 09 2013 mc@suse.com
  - update to version 1.11.3
    - Fix a UDP ping-pong vulnerability in the kpasswd
      (password changing) service. [CVE-2002-2443]
    - Improve interoperability with some Windows native PKINIT clients.
  - install translation files
  - remove outdated configure options
* Tue May 28 2013 mc@suse.com
  - cleanup systemd files (remove syslog.target)
* Fri May 03 2013 mc@suse.de
  - let krb5-mini conflict with all main packages
* Thu May 02 2013 mc@suse.de
  - add conflicts between krb5-mini and krb5-server
* Sun Apr 28 2013 mc@suse.de
  - update to version 1.11.2
    * Incremental propagation could erroneously act as if a slave's
      database were current after the slave received a full dump
      that failed to load.
    * gss_import_sec_context incorrectly set internal state that
      identifies whether an imported context is from an interposer
      mechanism or from the underlying mechanism.
  - upstream fix obsolete krb5-lookup_etypes-leak.patch
* Thu Apr 04 2013 mc@suse.de
  - add conflicts between krb5-mini-devel and krb5-devel
* Tue Apr 02 2013 mc@suse.de
  - add conflicts between krb5-mini and krb5 and krb5-client
* Wed Mar 27 2013 mc@suse.de
  - enable selinux and set openssl as crypto implementation
* Fri Mar 22 2013 mc@suse.de
  - fix path to executables in service files
    (bnc#810926)
* Fri Mar 15 2013 mc@suse.de
  - update to version 1.11.1
    * Improve ASN.1 support code, making it table-driven for
      decoding as well as encoding
    * Refactor parts of KDC
    * Documentation consolidation
    * build docs in the main package
    * bugfixing
  - changes of patches:
    * bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif:
      upstream
    * bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif:
      upstream
    * krb5-1.10-gcc47.patch: upstream
    * krb5-1.10-selinux-label.patch replaced by
      krb5-1.11-selinux-label.patch
    * krb5-1.10-spin-loop.patch: upstream
    * krb5-1.3.5-perlfix.dif: the tool was removed from upstream
    * krb5-1.8-pam.patch replaced by
      krb5-1.11-pam.patch
* Wed Mar 06 2013 mc@suse.de
  - fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
    CVE-2012-1016 (bnc#807556)
    bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
* Mon Mar 04 2013 mc@suse.de
  - fix PKINIT null pointer deref
    CVE-2013-1415 (bnc#806715)
    bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
* Fri Jan 25 2013 mc@suse.de
  - package missing file (bnc#794784)
* Tue Jan 22 2013 lchiquitto@suse.com
  - krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc
    (bnc#793336)
* Tue Oct 16 2012 coolo@suse.com
  - revert the -p usage in %postun to fix SLE build
* Tue Oct 16 2012 coolo@suse.com
  - buildrequire systemd by pkgconfig provide to get systemd-mini
* Sat Oct 13 2012 coolo@suse.com
  - do not require systemd in krb5-mini
* Fri Oct 05 2012 mc@suse.de
  - add systemd service files for kadmind, krb5kdc and kpropd
  - add sysconfig templates for kadmind and krb5kdc
* Wed Jun 13 2012 coolo@suse.com
  - fix %files section for krb5-mini
* Thu Jun 07 2012 mc@suse.de
  - fix gcc47 issues
* Wed Jun 06 2012 mc@suse.de
  - update to version 1.10.2
    obsolete patches:
    * krb5-1.7-nodeplibs.patch
    * krb5-1.9.1-ai_addrconfig.patch
    * krb5-1.9.1-ai_addrconfig2.patch
    * krb5-1.9.1-sendto_poll.patch
    * krb5-1.9-canonicalize-fallback.patch
    * krb5-1.9-paren.patch
    * krb5-klist_s.patch
    * krb5-pkinit-cms2.patch
    * krb5-trunk-chpw-err.patch
    * krb5-trunk-gss_delete_sec.patch
    * krb5-trunk-kadmin-oldproto.patch
    * krb5-1.9-MITKRB5-SA-2011-006.dif
    * krb5-1.9-gss_display_status-iakerb.patch
    * krb5-1.9.1-sendto_poll2.patch
    * krb5-1.9.1-sendto_poll3.patch
    * krb5-1.9-MITKRB5-SA-2011-007.dif
  - Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
    Controllers.
  - Update a workaround for a glibc bug that would cause DNS PTR queries
    to occur even when rdns = false.
  - Fix a kadmind denial of service issue (null pointer dereference),
    which could only be triggered by an administrator with the "create"
    privilege.  [CVE-2012-1013]
  - Fix access controls for KDB string attributes [CVE-2012-1012]
  - Make the ASN.1 encoding of key version numbers interoperate with
    Windows Read-Only Domain Controllers
  - Avoid generating spurious password expiry warnings in cases where
    the KDC sends an account expiry time without a password expiry time
  - Make PKINIT work with FAST in the client library.
  - Add the DIR credential cache type, which can hold a collection of
    credential caches.
  - Enhance kinit, klist, and kdestroy to support credential cache
    collections if the cache type supports it.
  - Add the kswitch command, which changes the selected default cache
    within a collection.
  - Add heuristic support for choosing client credentials based on
    the service realm.
  - Add support for $HOME/.k5identity, which allows credential
    choice based on configured rules.
* Sun Feb 26 2012 stefan.bruens@rwth-aachen.de
  - add autoconf macro to devel subpackage
* Tue Jan 31 2012 meissner@suse.de
  - fix license in krb5-mini
* Tue Dec 20 2011 coolo@suse.com
  - add autoconf as buildrequire to avoid implicit dependency
* Tue Dec 20 2011 coolo@suse.com
  - remove call to suse_update_config, very old work around
* Mon Nov 21 2011 mc@suse.de
  - fix KDC null pointer dereference in TGS handling
    (MITKRB5-SA-2011-007, bnc#730393)
    CVE-2011-1530
* Mon Nov 21 2011 mc@suse.de
  - fix KDC HA feature introduced with implementing KDC poll
    (RT#6951, bnc#731648)
* Fri Nov 18 2011 rhafer@suse.de
  - fix minor error messages for the IAKERB GSSAPI mechanism
    (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)
* Mon Oct 17 2011 mc@suse.de
  - fix kdc remote denial of service
    (MITKRB5-SA-2011-006, bnc#719393)
    CVE-2011-1527, CVE-2011-1528, CVE-2011-1529
* Tue Aug 23 2011 mc@suse.de
  - use --without-pam to build krb5-mini
* Sun Aug 21 2011 mc@novell.com
  - add patches from Fedora and upstream
  - fix init scripts (bnc#689006)
* Fri Aug 19 2011 mc@novell.com
  - update to version 1.9.1
    * obsolete patches:
      MITKRB5-SA-2010-007-1.8.dif
      krb5-1.8-MITKRB5-SA-2010-006.dif
      krb5-1.8-MITKRB5-SA-2011-001.dif
      krb5-1.8-MITKRB5-SA-2011-002.dif
      krb5-1.8-MITKRB5-SA-2011-003.dif
      krb5-1.8-MITKRB5-SA-2011-004.dif
      krb5-1.4.3-enospc.dif
    * replace krb5-1.6.1-compile_pie.dif
* Thu Apr 14 2011 mc@suse.de
  - fix kadmind invalid pointer free()
    (MITKRB5-SA-2011-004, bnc#687469)
    CVE-2011-0285
* Tue Mar 01 2011 mc@suse.de
  - Fix vulnerability to a double-free condition in KDC daemon
    (MITKRB5-SA-2011-003, bnc#671717)
    CVE-2011-0284
* Wed Jan 19 2011 mc@suse.de
  - Fix kpropd denial of service
    (MITKRB5-SA-2011-001, bnc#662665)
    CVE-2010-4022
  - Fix KDC denial of service attacks with LDAP back end
    (MITKRB5-SA-2011-002, bnc#663619)
    CVE-2011-0281, CVE-2011-0282
* Wed Dec 01 2010 mc@suse.de
  - Fix multiple checksum handling vulnerabilities
    (MITKRB5-SA-2010-007, bnc#650650)
    CVE-2010-1324
    * krb5 GSS-API applications may accept unkeyed checksums
    * krb5 application services may accept unkeyed PAC checksums
    * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums
    CVE-2010-1323
    * krb5 clients may accept unkeyed SAM-2 challenge checksums
    * krb5 may accept KRB-SAFE checksums with low-entropy derived keys
    CVE-2010-4020
    * krb5 may accept authdata checksums with low-entropy derived keys
    CVE-2010-4021
    * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery
* Thu Oct 28 2010 mc@suse.de
  - fix csh profile (bnc#649856)
* Fri Oct 22 2010 mc@suse.de
  - update to krb5-1.8.3
    * remove patches which are now upstream
    - krb5-1.7-MITKRB5-SA-2010-004.dif
    - krb5-1.8.1-gssapi-error-table.dif
    - krb5-MITKRB5-SA-2010-005.dif
* Fri Oct 22 2010 mc@suse.de
  - change environment variable PATH directly for csh
    (bnc#642080)
* Mon Sep 27 2010 mc@suse.de
  - fix a dereference of an uninitialized pointer while processing
    authorization data.
    CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)
* Mon Jun 21 2010 lchiquitto@novell.com
  - add correct error table when initializing gss-krb5 (bnc#606584,
    bnc#608295)
* Wed May 19 2010 mc@suse.de
  - fix GSS-API library null pointer dereference
    CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)
* Wed Apr 14 2010 mc@suse.de
  - fix a double free vulnerability in the KDC
    CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)
* Fri Apr 09 2010 mc@suse.de
  - update to version 1.8.1
    * include krb5-1.8-POST.dif
    * include MITKRB5-SA-2010-002
* Tue Apr 06 2010 mc@suse.de
  - update krb5-1.8-POST.dif
* Tue Mar 23 2010 mc@suse.de
  - fix a bug where an unauthenticated remote attacker could cause
    a GSS-API application including the Kerberos administration
    daemon (kadmind) to crash.
    CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)
* Tue Mar 23 2010 mc@suse.de
  - add post 1.8 fixes
    * Add IPv6 support to changepw.c
    * fix two problems in kadm5_get_principal mask handling
    * Ignore improperly encoded signedpath AD elements
    * handle NT_SRV_INST in service principal referrals
    * dereference options while checking
      KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
    * Fix the kpasswd fallback from the ccache principal name
    * Document the ticket_lifetime libdefaults setting
    * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
* Thu Mar 04 2010 mc@suse.de
  - update to version 1.8
    * Increase code quality
    * Move toward improved KDB interface
    * Investigate and remedy repeatedly-reported performance
      bottlenecks.
    * Reduce DNS dependence by implementing an interface that allows
      client library to track whether a KDC supports service
      principal referrals.
    * Disable DES by default
    * Account lockout for repeated login failures
    * Bridge layer to allow Heimdal HDB modules to act as KDB
      backend modules
    * FAST enhancements
    * Microsoft Services for User (S4U) compatibility
    * Anonymous PKINIT
  - fix KDC denial of service
    CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)
  - fix KDC denial of service in cross-realm referral processing
    CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
  - fix integer underflow in AES and RC4 decryption
    CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
  - moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl
* Mon Dec 14 2009 jengelh@medozas.de
  - add baselibs.conf as a source
* Fri Nov 13 2009 mc@suse.de
  - enhance '$PATH' only if the directories are available
    and not empty (bnc#544949)
* Sun Jul 12 2009 coolo@novell.com
  - readd lost baselibs.conf
* Wed Jun 03 2009 mc@suse.de
  - update to final 1.7 release
* Wed May 13 2009 mc@suse.de
  - update to version 1.7 Beta2
    * Incremental propagation support for the KDC database.
    * Flexible Authentication Secure Tunneling (FAST), a preauthentication
      framework that can protect the AS exchange from dictionary attack.
    * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
      allows a GSS application to request credential delegation only if
      permitted by KDC policy.
    * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
      various vulnerabilities in SPNEGO and ASN.1 code.
* Mon Feb 16 2009 mc@suse.de
  - update to pre 1.7 version
    * Remove support for version 4 of the Kerberos protocol (krb4).
    * New libdefaults configuration variable "allow_weak_crypto".
    * Client library now follows client principal referrals, for
      compatibility with Windows.
    * KDC can issue realm referrals for service principals based on domain
      names.
    * Encryption algorithm negotiation (RFC 4537).
    * In the replay cache, use a hash over the complete ciphertext to
      avoid false-positive replay indications.
    * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
      similar to the equivalent SSPI functionality.
    * DCE RPC, including three-leg GSS context setup and unencapsulated
      GSS tokens.
    * NTLM recognition support in GSS-API, to facilitate dropping in an
      NTLM implementation.
    * KDC support for principal aliases, if the back end supports them.
    * Microsoft set/change password (RFC 3244) protocol in kadmind.
    * Master key rollover support.
* Wed Jan 14 2009 olh@suse.de
  - obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit
* Thu Dec 11 2008 mc@suse.de
  - do not query IPv6 addresses if no IPv6 address exists on this host
    [bnc#449143]
* Wed Dec 10 2008 olh@suse.de
  - use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
    (bnc#437293)
* Thu Oct 30 2008 olh@suse.de
  - obsolete old -XXbit packages (bnc#437293)
* Fri Sep 26 2008 mc@suse.de
  - in case we use ldap as database backend, ldap should be
    started before krb5kdc
* Mon Jul 28 2008 mc@suse.de
  - add new fixes to post 1.6.3 patch
    * fix mem leak in krb5_gss_accept_sec_context()
    * keep minor_status
    * kadm5_decrypt_key: A ktype of -1 is documented as meaning
      "to be ignored"
    * Reject socket fds > FD_SETSIZE
* Fri Jul 25 2008 mc@suse.de
  - add patches from SVN post 1.6.3
    * krb5_string_to_keysalts: Fix an infinite loop
    * fix some mutex issues
    * better recovery from corrupt rcache files
    * some more small fixes
* Wed Jun 18 2008 mc@suse.de
  - add case-insensitive.dif (FATE#300771)
  - minor fixes for ktutil man page
  - reduce rpmlint warnings
* Wed May 14 2008 mc@suse.de
  - Fall back to TCP on kdc-unresolvable/unreachable errors.
  - restore valid sequence number before generating requests
    (fix changing passwords in mixed ipv4/ipv6 environments)
* Thu Apr 10 2008 ro@suse.de
  - added baselibs.conf file to build xxbit packages
    for multilib support
* Wed Apr 09 2008 mc@suse.de
  - modify krb5-config to not output rpath and cflags in --libs
    (bnc#378270)
* Fri Mar 14 2008 mc@suse.de
  - fix two security bugs:
    * MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063)
      fix double free [bnc#361373]
    * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)
      Memory corruption while too many open file descriptors
      [bnc#363151]
  - change default config file. Comment out the examples.
* Fri Dec 14 2007 mc@suse.de
  - fix several security bugs:
    * CVE-2007-5894 apparent uninit length
    * CVE-2007-5902 integer overflow
    * CVE-2007-5971 free of non-heap pointer and double-free
    * CVE-2007-5972 double fclose()
    [#346745, #346748, #346746, #346749, #346747]
* Tue Dec 04 2007 mc@suse.de
  - improve GSSAPI error messages
* Tue Nov 06 2007 mc@suse.de
  - add coreutils to PreReq
* Tue Oct 23 2007 mc@suse.de
  - update to krb5 version 1.6.3
    * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
    * fix CVE-2007-4000 modify_policy vulnerability
    * Add PKINIT support
  - remove patches which are upstream now
  - enhance init scripts and xinetd profiles
* Fri Sep 14 2007 mc@suse.de
  - update krb5-1.6.2-post.dif
    * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
      the client library will not failover to the next KDC.
      [#310540]
* Tue Sep 11 2007 mc@suse.de
  - update krb5-1.6.2-post.dif
    * new -S sname option for kvno
    * read_entropy_from_device on partial read will not fill buffer
    * Bail out if encoded "ticket" doesn't decode correctly.
    * patch for referrals loop
* Thu Sep 06 2007 mc@suse.de
  - fix a problem with the originally published patch
    for MITKRB5-SA-2007-006 - CVE-2007-3999
    [#302377]
* Wed Sep 05 2007 mc@suse.de
  - fix execute arbitrary code
    (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
    [#302377]
* Tue Aug 07 2007 mc@suse.de
  - add krb5-1.6.2-post.dif
    * during the referrals loop, check to see if the
      session key enctype of a returned credential for the final
      service is among the enctypes explicitly selected by the
      application, and retry with old_use_conf_ktypes if it is not.
    * If mkstemp() is available, the new ccache file gets created but
      the subsequent open(O_CREAT|O_EXCL) call fails because the file
      was already created by mkstemp(). Apply patch from Apple to keep
      the file descriptor open.
* Thu Jul 12 2007 mc@suse.de
  - update to version 1.6.2
  - remove krb5-1.6.1-post.dif all fixes are included in this release
* Thu Jul 05 2007 mc@suse.de
  - change requires to libcom_err-devel
* Mon Jul 02 2007 mc@suse.de
  - update krb5-1.6.1-post.dif
    * fix leak in krb5_walk_realm_tree
    * rd_req_decoded needs to deal with referral realms
    * fix buffer overflow in kadmind
      (MITKRB5-SA-2007-005 - CVE-2007-2798)
      [#278689]
    * fix kadmind code execution bug
      (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
      [#271191]
* Thu Jun 14 2007 mc@suse.de
  - fix unstripped-binary-or-object rpmlint warning
* Mon Jun 11 2007 sschober@suse.de
  - fixing rpmlint warnings and errors:
    * merged logrotate scripts kadmin and krb5kdc into a single file
      krb5-server.
    * moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl
      from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper.
      adapted krb5.spec and README.ConvertHeimdalMIT accordingly.
    * added suppression filter for
      "devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so"
      (see [#147912]).
    * set default runlevel of init scripts in chkconfig line to 3 and
      5
* Wed May 09 2007 mc@suse.de
  - fix uninitialized salt length
  - add extra check for keytab file
* Thu May 03 2007 mc@suse.de
  - adding krb5-1.6.1-post.dif
    * fix segfault in krb5_get_init_creds_password
    * remove debug output in ftp client
    * profile stores empty string values without double quotes
* Mon Apr 23 2007 mc@suse.de
  - update to final 1.6.1 version
* Wed Apr 18 2007 mc@suse.de
  - add plugin directories to main package
* Mon Apr 16 2007 mc@suse.de
  - update to version 1.6.1 Beta1
  - remove obsolete patches
    (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
  - rework compile_pie patch
* Wed Apr 11 2007 mc@suse.de
  - update krb5-1.6-post.dif
    * fix kadmind stack overflow in krb5_klog_syslog
      (MITKRB5-SA-2007-002 - CVE-2007-0957)
      [#253548]
    * fix double free attack in the RPC library
      (MITKRB5-SA-2007-003 - CVE-2007-1216)
      [#252487]
    * fix krb5 telnetd login injection
      (MIT-SA-2007-001 - CVE-2007-0956)
      [#247765]
* Thu Mar 29 2007 mc@suse.de
  - add ncurses-devel and bison to BuildRequires
  - rework some patches
* Mon Mar 05 2007 mc@suse.de
  - move SuSEFirewall service definitions to
    /etc/sysconfig/SuSEfirewall2.d/services
* Thu Feb 22 2007 mc@suse.de
  - add firewall definition to krb5-server, FATE #300687
* Mon Feb 19 2007 mc@suse.de
  - update krb5-1.6-post.dif
  - move some applications into the right package
* Fri Feb 09 2007 mc@suse.de
  - update krb5-1.6-post.dif
* Mon Jan 29 2007 mc@suse.de
  - krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif
    are now upstream. Remove patches.
  - fix leak in krb5_kt_resolve and krb5_kt_wresolve
* Tue Jan 23 2007 mc@suse.de
  - fix "local variable used before set" in ftp.c
    [#237684]
* Mon Jan 22 2007 mc@suse.de
  - krb5-devel should require keyutils-devel
* Mon Jan 22 2007 mc@suse.de
  - update to version 1.6
    * Major changes in 1.6 include
    * Partial client implementation to handle server name referrals.
    * Pre-authentication plug-in framework, donated by Red Hat.
    * LDAP KDB plug-in, donated by Novell.
  - remove obsolete patches
* Wed Jan 10 2007 mc@suse.de
  - fix for
      kadmind (via RPC library) calls uninitialized function pointer
      (CVE-2006-6143)(Bug #225990)
      krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif
  - fix for
      kadmind (via GSS-API mechglue) frees uninitialized pointers
      (CVE-2006-6144)(Bug #225992)
      krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif
* Tue Jan 02 2007 mc@suse.de
  - Fix Requires in krb5-devel
    [Bug #231008]
* Mon Nov 06 2006 mc@suse.de
  - fix "local variable used before set" [#217692]
  - fix strncat warning
* Fri Oct 27 2006 mc@suse.de
  - add a default kadm5.dict file
  - require $network on daemon start
* Wed Sep 13 2006 mc@suse.de
  - fix function call with too few arguments [#203837]
* Thu Aug 24 2006 mc@suse.de
  - update to version 1.5.1
  - remove obsolete patches which are now included upstream
    * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
    * trunk-fix-uninitialized-vars.dif
* Fri Aug 11 2006 mc@suse.de
  - krb5 setuid return check fixes
    krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
    [#182351]
* Mon Aug 07 2006 mc@suse.de
  - remove update-messages
* Mon Jul 24 2006 mc@suse.de
  - add check for krb5_prop in services to kpropd init script.
    [#192446]
* Mon Jul 03 2006 mc@suse.de
  - update to version 1.5
    * KDB abstraction layer, donated by Novell.
    * plug-in architecture, allowing for extension modules to be
      loaded at run-time.
    * multi-mechanism GSS-API implementation ("mechglue"),
      donated by Sun Microsystems
    * Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
      implementation, donated by Sun Microsystems
  - remove obsolete patches and add some new
* Fri May 26 2006 ro@suse.de
  - libcom is not in e2fsck-devel but in its own package now, change
    Requires accordingly.
* Mon Mar 27 2006 mc@suse.de
  - add all daemons to %stop_on_removal and %restart_on_update
  - add reload to kpropd init script
  - add force-reload to all init scripts
* Mon Mar 13 2006 mc@suse.de
  - add libgssapi_krb5.so link to main package [#147912]
* Fri Feb 03 2006 mc@suse.de
  - fix logging section for kadmind in convert script
* Wed Jan 25 2006 mls@suse.de
  - converted neededforbuild to BuildRequires
* Fri Jan 13 2006 mc@suse.de
  - change the logging defaults
* Wed Jan 11 2006 mc@suse.de
  - add tools and README for heimdal => MIT update
* Mon Jan 09 2006 mc@suse.de
  - fix build problems, define _GNU_SOURCE
    (krb5-1.4.3-set_gnu_source.dif )
* Tue Jan 03 2006 mc@suse.de
  - added "make %{?jobs:-j%jobs}"
* Fri Nov 18 2005 mc@suse.de
  - update to version 1.4.3
    * some memory leaks fixed
    * fix for "AS_REP padata has wrong enctype"
    * fix for "AS_REP padata missing PA-ETYPE-INFO"
    * ... and more
* Wed Nov 02 2005 dmueller@suse.de
  - don't build as root
* Tue Oct 11 2005 mc@suse.de
  - update to version 1.4.2
  - remove some obsolete patches
* Mon Aug 08 2005 mc@suse.de
  - build with --disable-static
* Thu Aug 04 2005 ro@suse.de
  - remove devel-static subpackage
* Thu Jun 30 2005 mc@suse.de
  - better patch for princ_comp problem
* Mon Jun 27 2005 mc@suse.de
  - update to version 1.4.1
  - remove obsolete patches
    - krb5-1.4-gcc4.dif
    - krb5-1.4-reduce-namespace-polution.dif
    - krb5-1.4-VUL-0-telnet.dif
* Thu Jun 23 2005 mc@suse.de
  - fixed krb5 KDC heap corruption by random free
    [#80574, CAN-2005-1174, MITKRB5-SA-2005-002]
  - fixed krb5 double free()
    [#86768, CAN-2005-1689, MITKRB5-SA-2005-003]
  - fix krb5 NULL pointer reference while comparing principals
    [#91600]
* Fri Jun 17 2005 mc@suse.de
  - fix uninitialized variables
  - compile with -fPIE/ link with -pie
* Wed Apr 20 2005 mc@suse.de
  - fixed wrong xinetd files [#77149]
* Fri Apr 08 2005 mt@suse.de
  - removed krb5-1.4-fix-error_tables.dif patch obsoleted
    by libcom_err locking patches
* Thu Apr 07 2005 mc@suse.de
  - fixed missing descriptions in init files
    [#76164, #76165, #76166, #76169]
* Wed Mar 30 2005 mc@suse.de
  - enhance $PATH via /etc/profile.d/ [#74018]
  - remove the "links to important programs"
* Fri Mar 18 2005 mc@suse.de
  - fixed not running converter script [#72854]
* Thu Mar 17 2005 mc@suse.de
  - Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer
      Overflow
  - Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer
      Overflow
    [#73618]
* Wed Mar 16 2005 mc@suse.de
  - fixed wrong PreReqs [#73020]
* Tue Mar 15 2005 mc@suse.de
  - add a simple krb5.conf converter [#72854]
* Mon Mar 14 2005 mc@suse.de
  - fixed: rckrb5kdc restart gives wrong status with non-running service
    [#72446]
* Thu Mar 10 2005 mc@suse.de
  - add requires: e2fsprogs-devel to krb5-devel package [#71732]
* Fri Feb 25 2005 mc@suse.de
  - fix double free [#66534]
    krb5-1.4-fix-error_tables.dif
* Fri Feb 11 2005 mc@suse.de
  - change mode for shared libraries to 755
* Fri Feb 04 2005 mc@suse.de
  - remove spx.c from tarball because of legal risk
  - add README.Source which tells the user about this
    action.
  - add a check for spx.c in the spec-file
  - use rich-text for update-messages [#50250]
* Tue Feb 01 2005 mc@suse.de
  - add krb5-1.4-reduce-namespace-polution.dif
    reduce namespace pollution in gssapi.h [#50356]
* Fri Jan 28 2005 mc@suse.de
  - update to version 1.4
  - Add implementation of the RPCSEC_GSS authentication flavor to the
    RPC library.
  - Thread safety for krb5 libraries.
  - Merged Athena telnetd changes for creating a new option for
    requiring encryption.
  - The kadmind4 backwards-compatibility admin server and the v5passwdd
    backwards-compatibility password-changing server have been removed.
  - Yarrow code now uses AES.
  - Merged Athena changes to allow ftpd to require encrypted passwords.
  - Incorporate gss_krb5_set_allowable_enctypes() and
    gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.
  - remove obsolete patches
* Mon Jan 17 2005 mc@suse.de
  - add proofread update-messages
* Fri Jan 14 2005 mc@suse.de
  - remove Conflicts: and add Provides:
  - add some insserv stuff
* Thu Jan 13 2005 mc@suse.de
  - move vendor files to vendor-files.tar.bz2
  - add obsoletes: heimdal
  - add %pre and %post sections to detect update
    from heimdal and backup invalid configuration files
  - add update-messages for heimdal update
* Mon Jan 10 2005 mc@suse.de
  - update to version 1.3.6
  - fix for: heap buffer overflow in libkadm5srv
    [CAN-2004-1189 / MITKRB5-SA-2004-004]
* Tue Dec 14 2004 mc@suse.de
  - build doc subpackage in an own specfile
  - removed unnecessary neededforbuild requirements
* Wed Nov 24 2004 coolo@suse.de
  - fix build with gcc 4
* Mon Nov 15 2004 mc@suse.de
  - added Conflicts with heimdal*
  - rename some manpages to avoid conflicts
* Thu Nov 04 2004 mc@suse.de
  - new init scripts
  - fix logrotate scripts
  - add some 64Bit fixes
  - add default krb5.conf, kdc.conf and kadm5.acl
* Wed Nov 03 2004 mc@suse.de
  - add e2fsprogs to NFB
  - use system-et and system-ss
  - fix includes of com_err.h
* Thu Oct 28 2004 mc@suse.de
  - Initial checkin

Files

0001-Fix-krb5_read_message-handling-CVE-2014-5355.patch
0001-Prevent-requires_preauth-bypass-CVE-2015-2694.patch
0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
baselibs.conf
bnc#897874-CVE-2014-5351.diff
bnc#912002.diff
krb5-1.10-kpasswd_tcp.patch
krb5-1.10-ksu-access.patch
krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
krb5-1.12-api.patch
krb5-1.12-buildconf.patch
krb5-1.12-ksu-path.patch
krb5-1.12-pam.patch
krb5-1.12-selinux-label.patch
krb5-1.12.1.tar.gz
krb5-1.12.2-CVE-2014-5353.patch
krb5-1.12.2-CVE-2014-5354.patch
krb5-1.13-work-around-replay-cache-creation-race.patch
krb5-1.6.3-gssapi_improve_errormessages.dif
krb5-1.6.3-ktutil-manpage.dif
krb5-1.7-doublelog.patch
krb5-1.9-debuginfo.patch
krb5-1.9-kprop-mktemp.patch
krb5-1.9-manpaths.dif
krb5-kvno-230379.patch
krb5-master-keyring-kdcsync.patch
krb5-rpmlintrc
krb5.spec
vendor-files.tar.bz2


Generated by rpm2html 1.8.1

Fabrice Bellet, Mon Jun 11 00:43:02 2018