Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

krb5-1.21.2-5.1 RPM for x86_64

From OpenSuSE Tumbleweed for x86_64

Name: krb5 Distribution: openSUSE Tumbleweed
Version: 1.21.2 Vendor: openSUSE
Release: 5.1 Build date: Mon May 13 16:06:29 2024
Group: Unspecified Build host: reproducible
Size: 2340580 Source RPM: krb5-1.21.2-5.1.src.rpm
Summary: MIT Kerberos5 implementation
Kerberos V5 is a trusted-third-party network authentication system,
which can improve network security by eliminating the insecure
practice of clear text passwords.






* Mon May 13 2024 Andreas Schneider <>
  - Enable the LMDB backend for KDB
* Thu May 02 2024 Thorsten Kukuk <>
  - Remove requires for not used cron
* Fri Mar 22 2024 Samuel Cabrero <>
  - Fix memory leaks, add patch 0009-Fix-three-memory-leaks.patch
    * CVE-2024-26458, bsc#1220770
    * CVE-2024-26461, bsc#1220771
    * CVE-2024-26462, bsc#1220772
* Thu Feb 29 2024 Pedro Monreal <>
  - Add crypto-policies support [bsc#1211301]
    * Update krb5.conf in vendor-files.tar.bz2
* Wed Dec 20 2023 Dirk Müller <>
  - update to 1.21.2 (bsc#1218211, CVE-2023-39975):
    * Fix double-free in KDC TGS processing [CVE-2023-39975].
* Sat Jul 15 2023 Dirk Müller <>
  - update to 1.21.1 (CVE-2023-36054):
    * Fix potential uninitialized pointer free in kadm5 XDR parsing
      [CVE-2023-36054]; (bsc#1214054).
    * Added a credential cache type providing compatibility with
      the macOS 11 native credential cache.
    * libkadm5 will use the provided krb5_context object to read
      configuration values, instead of creating its own.
    * Added an interface to retrieve the ticket session key
      from a GSS context.
    * The KDC will no longer issue tickets with RC4 or triple-DES
      session keys unless explicitly configured with the new
      allow_rc4 or allow_des3 variables respectively.
    * The KDC will assume that all services can handle aes256-sha1
      session keys unless the service principal has a
      session_enctypes string attribute.
    * Support for PAC full KDC checksums has been added to
      mitigate an S4U2Proxy privilege escalation attack.
    * The PKINIT client will advertise a more modern set
      of supported CMS algorithms.
    * Removed unused code in libkrb5, libkrb5support,
      and the PKINIT module.
    * Modernized the KDC code for processing TGS requests,
      the code for encrypting and decrypting key data,
      the PAC handling code, and the GSS library packet
      parsing and composition code.
    * Improved the test framework's detection of memory
      errors in daemon processes when used with asan.
* Thu May 04 2023 Frederic Crozat <>
  - Add _multibuild to define additional spec files as additional
    Eliminates the need for source package links in OBS.
* Fri Mar 03 2023 Samuel Cabrero <>
  - Update 0007-SELinux-integration.patch for SELinux 3.5;
* Tue Dec 27 2022 Stefan Schubert <>
  - Migration of PAM settings to /usr/lib/pam.d
* Tue Dec 13 2022 Samuel Cabrero <>
  - Drop 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch,
    already fixed in release 1.20.0
* Wed Nov 16 2022 Samuel Cabrero <>
  - Update to 1.20.1; (bsc#1205126); (CVE-2022-42898);
    * Fix integer overflows in PAC parsing [CVE-2022-42898].
    * Fix null deref in KDC when decoding invalid NDR.
    * Fix memory leak in OTP kdcpreauth module.
    * Fix PKCS11 module path search.
* Sun May 29 2022 Dirk Müller <>
  - update to 1.20.0:
    * Added a "disable_pac" realm relation to suppress adding PAC authdata
      to tickets, for realms which do not need to support S4U requests.
    * Most credential cache types will use atomic replacement when a cache
      is reinitialized using kinit or refreshed from the client keytab.
    * kprop can now propagate databases with a dump size larger than 4GB,
      if both the client and server are upgraded.
    * kprop can now work over NATs that change the destination IP address,
      if the client is upgraded.
    * Updated the KDB interface.  The sign_authdata() method is replaced
      with the issue_pac() method, allowing KDB modules to add logon info
      and other buffers to the PAC issued by the KDC.
    * Host-based initiator names are better supported in the GSS krb5
    * Replaced AD-SIGNEDPATH authdata with minimal PACs.
    * To avoid spurious replay errors, password change requests will not
      be attempted over UDP until the attempt over TCP fails.
    * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
    * Updated all code using OpenSSL to be compatible with OpenSSL 3.
    * Reorganized the libk5crypto build system to allow the OpenSSL
      back-end to pull in material from the builtin back-end depending on
      the OpenSSL version.
    * Simplified the PRNG logic to always use the platform PRNG.
    * Converted the remaining Tcl tests to Python.
* Sat Apr 09 2022 Dirk Müller <>
  - update to 1.19.3 (bsc#1189929, CVE-2021-37750):
    * Fix a denial of service attack against the KDC [CVE-2021-37750].
    * Fix KDC null deref on TGS inner body null server
    * Fix conformance issue in GSSAPI tests
* Thu Jan 27 2022 David Mulder <>
  - Resolve "Credential cache directory /run/user/0/krb5cc does not
    exist while opening default credentials cache" by using a kernel
    keyring instead of a dir cache; (bsc#1109830);
* Thu Sep 30 2021 Johannes Segitz <>
  - Added hardening to systemd services; (bsc#1181400);
* Mon Aug 30 2021 Samuel Cabrero <>
  - Fix KDC null pointer dereference via a FAST inner body that
    lacks a server field; (CVE-2021-37750); (bsc#1189929);
  - Added patches:
    * 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
* Mon Aug 02 2021 Samuel Cabrero <>
  - Update to 1.19.2
    * Fix a denial of service attack against the KDC encrypted challenge
      code; (CVE-2021-36222);
    * Fix a memory leak when gss_inquire_cred() is called without a
      credential handle.
* Mon May 03 2021 Rodrigo Lourenço <>
  - Build with full Cyrus SASL support
    * Negotiating SASL credentials with an EXTERNAL bind mechanism requires
      interaction. Kerberos provides its own interaction function that skips
      all interaction, thus preventing the mechanism from working.
* Thu Apr 22 2021 Samuel Cabrero <>
  - Use /run instead of /var/run for daemon PID files; (bsc#1185163);
* Wed Apr 07 2021 Dirk Müller <>
  - do not own %sbindir, it comes from filesystem package
* Fri Feb 19 2021 Samuel Cabrero <>
  - Update to 1.19.1
    * Fix a linking issue with Samba.
    * Better support multiple pkinit_identities values by checking whether
      certificates can be loaded for each value.
* Fri Feb 05 2021 Samuel Cabrero <>
  - Update to 1.19
    Administrator experience
    * When a client keytab is present, the GSSAPI krb5 mech will refresh
      credentials even if the current credentials were acquired manually.
    * It is now harder to accidentally delete the K/M entry from a KDB.
    Developer experience
    * gss_acquire_cred_from() now supports the "password" and "verify"
      options, allowing credentials to be acquired via password and
      verified using a keytab key.
    * When an application accepts a GSS security context, the new
      GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
      both provided matching channel bindings.
    * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
      to identify the desired client principal by certificate.
    * PKINIT certauth modules can now cause the hw-authent flag to be set
      in issued tickets.
    * The krb5_init_creds_step() API will now issue the same password
      expiration warnings as krb5_get_init_creds_password().
    Protocol evolution
    * Added client and KDC support for Microsoft's Resource-Based Constrained
      Delegation, which allows cross-realm S4U2Proxy requests. A third-party
      database module is required for KDC support.
    * kadmin/admin is now the preferred server principal name for kadmin
      connections, and the host-based form is no longer created by default.
      The client will still try the host-based form as a fallback.
    * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
      extension, which causes channel bindings to be required for the
      initiator if the acceptor provided them. The client will send this
      option if the client_aware_gss_bindings profile option is set.
    User experience
    * kinit will now issue a warning if the des3-cbc-sha1 encryption type is
      used in the reply. This encryption type will be deprecated and removed
      in future releases.
    * Added kvno flags --out-cache, --no-store, and --cached-only
      (inspired by Heimdal's kgetcred).



Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Jul 9 10:32:09 2024