SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for krb5-1.10.7-10.36.1.x86_64.rpm :
Mon Aug 11 14:00:00 2014 ckornackerAATTsuse.com
- buffer overrun in kadmind with LDAP backend
CVE-2014-4345 (bnc#891082)
bug-891082-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.dif

Mon Jul 28 14:00:00 2014 ckornackerAATTsuse.com
- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)
krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
Fix null deref in SPNEGO acceptor [CVE-2014-4344]
krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch

Tue Jul 15 14:00:00 2014 ckornackerAATTsuse.com
- fix denial of service flaws when handling RFC 1964 tokens
CVE-2014-4341 CVE-2014-4342 (bnc#886016)
bug-886016-CVE-2014-4341-CVE-2014-4342-denial-of-service-flaws-when-handling-RFC-1964-tokens.dif

Mon Jun 16 14:00:00 2014 lmuelleAATTsuse.com
- update to version 1.10.7

* Fix a KDC locking issue that could lead to the KDC process holding a
persistent lock, preventing administrative actions such as password
changes.

* Fix a number of bugs related to KDC master key rollover.

* Fix a KDC null pointer dereference [CVE-2013-1418] that could affect KDCs
that serve multiple realms.
- update to version 1.10.6

* Fix a UDP ping-pong vulnerability in the kpasswd (password changing)
service. [CVE-2002-2443]

* Improve interoperability with some Windows native PKINIT clients.
- update to version 1.10.5

* Fix KDC null pointer dereference in TGS-REQ handling [CVE-2013-1416]

* Incremental propagation could erroneously act as if a slave\'s database
were current after the slave received a full dump that failed to load.
- update to version 1.10.4

* Fix null PKINIT pointer dereference vulnerabilities [CVE-2012-1016,
CVE-2013-1415]

* Prevent the KDC from returning a host-based service principal referral to
the local realm.
- update to version 1.10.3

* Fix KDC uninitialized pointer vulnerabilities that could lead to a denial
of service [CVE-2012-1014] or remote code execution [CVE-2012-1015].

* Correctly use default_tgs_enctypes instead of default_tkt_enctypes for TGS
requests.
- obsolted patches:

* krb5-1.10-gcc47.patch

* bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif

* bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif

* bug-816413-CVE-2013-1416-prep_reprocess_req-NULL-ptr-deref.dif

* bug-825985-CVE-2002-2443-fix-UDP-ping-pong.dif

* bug-849240-CVE-2013-1418-fix-multi-realm-kdc-null-deref.dif

Fri Nov 8 13:00:00 2013 ckornackerAATTsuse.de
- fix Multi-realm KDC null deref
CVE-2013-1418 (bnc#849240)
+ added bug-849240-CVE-2013-1418-fix-multi-realm-kdc-null-deref.dif

Fri Jun 21 14:00:00 2013 mcAATTsuse.de
- fix kpasswd UDP ping-pong
CVE-2002-2443 (bnc#825985)

Mon Apr 22 14:00:00 2013 mcAATTsuse.de
- fix prep_reprocess_req NULL pointer deref
CVE-2013-1416 (bnc#816413)
bug-816413-CVE-2013-1416-prep_reprocess_req-NULL-ptr-deref.dif

Fri Mar 22 13:00:00 2013 mcAATTsuse.de
- fix path to executables in service files
(bnc#810926)

Wed Mar 6 13:00:00 2013 mcAATTsuse.de
- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
CVE-2012-1016 (bnc#807556)
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif

Mon Mar 4 13:00:00 2013 mcAATTsuse.de
- fix PKINIT null pointer deref
CVE-2013-1415 (bnc#806715)
bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif

Fri Jan 25 13:00:00 2013 mcAATTsuse.de
- package missing file (bnc#794784)

Tue Jan 22 13:00:00 2013 lchiquittoAATTsuse.com
- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc
(bnc#793336)

Tue Oct 16 14:00:00 2012 cooloAATTsuse.com
- revert the -p usage in %postun to fix SLE build

Tue Oct 16 14:00:00 2012 cooloAATTsuse.com
- buildrequire systemd by pkgconfig provide to get systemd-mini

Sat Oct 13 14:00:00 2012 cooloAATTsuse.com
- do not require systemd in krb5-mini

Fri Oct 5 14:00:00 2012 mcAATTsuse.de
- add systemd service files for kadmind, krb5kdc and kpropd
- add sysconfig templates for kadmind and krb5kdc

Wed Jun 13 14:00:00 2012 cooloAATTsuse.com
- fix %files section for krb5-mini

Thu Jun 7 14:00:00 2012 mcAATTsuse.de
- fix gcc47 issues

Wed Jun 6 14:00:00 2012 mcAATTsuse.de
- update to version 1.10.2
obsolte patches:

* krb5-1.7-nodeplibs.patch

* krb5-1.9.1-ai_addrconfig.patch

* krb5-1.9.1-ai_addrconfig2.patch

* krb5-1.9.1-sendto_poll.patch

* krb5-1.9-canonicalize-fallback.patch

* krb5-1.9-paren.patch

* krb5-klist_s.patch

* krb5-pkinit-cms2.patch

* krb5-trunk-chpw-err.patch

* krb5-trunk-gss_delete_sec.patch

* krb5-trunk-kadmin-oldproto.patch

* krb5-1.9-MITKRB5-SA-2011-006.dif

* krb5-1.9-gss_display_status-iakerb.patch

* krb5-1.9.1-sendto_poll2.patch

* krb5-1.9.1-sendto_poll3.patch

* krb5-1.9-MITKRB5-SA-2011-007.dif
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
Controllers.
- Update a workaround for a glibc bug that would cause DNS PTR queries
to occur even when rdns = false.
- Fix a kadmind denial of service issue (null pointer dereference),
which could only be triggered by an administrator with the \"create\"
privilege. [CVE-2012-1013]
- Fix access controls for KDB string attributes [CVE-2012-1012]
- Make the ASN.1 encoding of key version numbers interoperate with
Windows Read-Only Domain Controllers
- Avoid generating spurious password expiry warnings in cases where
the KDC sends an account expiry time without a password expiry time
- Make PKINIT work with FAST in the client library.
- Add the DIR credential cache type, which can hold a collection of
credential caches.
- Enhance kinit, klist, and kdestroy to support credential cache
collections if the cache type supports it.
- Add the kswitch command, which changes the selected default cache
within a collection.
- Add heuristic support for choosing client credentials based on
the service realm.
- Add support for $HOME/.k5identity, which allows credential
choice based on configured rules.

Sun Feb 26 13:00:00 2012 stefan.bruensAATTrwth-aachen.de
- add autoconf macro to devel subpackage

Tue Jan 31 13:00:00 2012 meissnerAATTsuse.de
- fix license in krb5-mini

Tue Dec 20 13:00:00 2011 cooloAATTsuse.com
- add autoconf as buildrequire to avoid implicit dependency

Tue Dec 20 13:00:00 2011 cooloAATTsuse.com
- remove call to suse_update_config, very old work around

Mon Nov 21 13:00:00 2011 mcAATTsuse.de
- fix KDC null pointer dereference in TGS handling
(MITKRB5-SA-2011-007, bnc#730393)
CVE-2011-1530

Mon Nov 21 13:00:00 2011 mcAATTsuse.de
- fix KDC HA feature introduced with implementing KDC poll
(RT#6951, bnc#731648)

Fri Nov 18 13:00:00 2011 rhaferAATTsuse.de
- fix minor error messages for the IAKERB GSSAPI mechanism
(see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)

Mon Oct 17 14:00:00 2011 mcAATTsuse.de
- fix kdc remote denial of service
(MITKRB5-SA-2011-006, bnc#719393)
CVE-2011-1527, CVE-2011-1528, CVE-2011-1529

Tue Aug 23 14:00:00 2011 mcAATTsuse.de
- use --without-pam to build krb5-mini

Sun Aug 21 14:00:00 2011 mcAATTnovell.com
- add patches from Fedora and upstream
- fix init scripts (bnc#689006)

Fri Aug 19 14:00:00 2011 mcAATTnovell.com
- update to version 1.9.1

* obsolete patches:
MITKRB5-SA-2010-007-1.8.dif
krb5-1.8-MITKRB5-SA-2010-006.dif
krb5-1.8-MITKRB5-SA-2011-001.dif
krb5-1.8-MITKRB5-SA-2011-002.dif
krb5-1.8-MITKRB5-SA-2011-003.dif
krb5-1.8-MITKRB5-SA-2011-004.dif
krb5-1.4.3-enospc.dif

* replace krb5-1.6.1-compile_pie.dif

Thu Apr 14 14:00:00 2011 mcAATTsuse.de
- fix kadmind invalid pointer free()
(MITKRB5-SA-2011-004, bnc#687469)
CVE-2011-0285

Tue Mar 1 13:00:00 2011 mcAATTsuse.de
- Fix vulnerability to a double-free condition in KDC daemon
(MITKRB5-SA-2011-003, bnc#671717)
CVE-2011-0284

Wed Jan 19 13:00:00 2011 mcAATTsuse.de
- Fix kpropd denial of service
(MITKRB5-SA-2011-001, bnc#662665)
CVE-2010-4022
- Fix KDC denial of service attacks with LDAP back end
(MITKRB5-SA-2011-002, bnc#663619)
CVE-2011-0281, CVE-2011-0282

Wed Dec 1 13:00:00 2010 mcAATTsuse.de
- Fix multiple checksum handling vulnerabilities
(MITKRB5-SA-2010-007, bnc#650650)
CVE-2010-1324

* krb5 GSS-API applications may accept unkeyed checksums

* krb5 application services may accept unkeyed PAC checksums

* krb5 KDC may accept low-entropy KrbFastArmoredReq checksums
CVE-2010-1323

* krb5 clients may accept unkeyed SAM-2 challenge checksums

* krb5 may accept KRB-SAFE checksums with low-entropy derived keys
CVE-2010-4020

* krb5 may accept authdata checksums with low-entropy derived keys
CVE-2010-4021

* krb5 KDC may issue unrequested tickets due to KrbFastReq forgery

Thu Oct 28 14:00:00 2010 mcAATTsuse.de
- fix csh profile (bnc#649856)

Fri Oct 22 14:00:00 2010 mcAATTsuse.de
- update to krb5-1.8.3

* remove patches which are now upstrem
- krb5-1.7-MITKRB5-SA-2010-004.dif
- krb5-1.8.1-gssapi-error-table.dif
- krb5-MITKRB5-SA-2010-005.dif

Fri Oct 22 14:00:00 2010 mcAATTsuse.de
- change environment variable PATH directly for csh
(bnc#642080)

Mon Sep 27 14:00:00 2010 mcAATTsuse.de
- fix a dereference of an uninitialized pointer while processing
authorization data.
CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)

Mon Jun 21 14:00:00 2010 lchiquittoAATTnovell.com
- add correct error table when initializing gss-krb5 (bnc#606584,
bnc#608295)

Wed May 19 14:00:00 2010 mcAATTsuse.de
- fix GSS-API library null pointer dereference
CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)

Wed Apr 14 14:00:00 2010 mcAATTsuse.de
- fix a double free vulnerability in the KDC
CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)

Fri Apr 9 14:00:00 2010 mcAATTsuse.de
- update to version 1.8.1

* include krb5-1.8-POST.dif

* include MITKRB5-SA-2010-002

Tue Apr 6 14:00:00 2010 mcAATTsuse.de
- update krb5-1.8-POST.dif

Tue Mar 23 13:00:00 2010 mcAATTsuse.de
- fix a bug where an unauthenticated remote attacker could cause
a GSS-API application including the Kerberos administration
daemon (kadmind) to crash.
CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)

Tue Mar 23 13:00:00 2010 mcAATTsuse.de
- add post 1.8 fixes

* Add IPv6 support to changepw.c

* fix two problems in kadm5_get_principal mask handling

* Ignore improperly encoded signedpath AD elements

* handle NT_SRV_INST in service principal referrals

* dereference options while checking
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT

* Fix the kpasswd fallback from the ccache principal name

* Document the ticket_lifetime libdefaults setting

* Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512

Thu Mar 4 13:00:00 2010 mcAATTsuse.de
- update to version 1.8

* Increase code quality

* Move toward improved KDB interface

* Investigate and remedy repeatedly-reported performance
bottlenecks.

* Reduce DNS dependence by implementing an interface that allows
client library to track whether a KDC supports service
principal referrals.

* Disable DES by default

* Account lockout for repeated login failures

* Bridge layer to allow Heimdal HDB modules to act as KDB
backend modules

* FAST enhancements

* Microsoft Services for User (S4U) compatibility

* Anonymous PKINIT
- fix KDC denial of service
CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)
- fix KDC denial of service in cross-realm referral processing
CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
- fix integer underflow in AES and RC4 decryption
CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl

Mon Dec 14 13:00:00 2009 jengelhAATTmedozas.de
- add baselibs.conf as a source

Fri Nov 13 13:00:00 2009 mcAATTsuse.de
- enhance \'$PATH\' only if the directories are available
and not empty (bnc#544949)

Sun Jul 12 14:00:00 2009 cooloAATTnovell.com
- readd lost baselibs.conf

Wed Jun 3 14:00:00 2009 mcAATTsuse.de
- update to final 1.7 release

Wed May 13 14:00:00 2009 mcAATTsuse.de
- update to version 1.7 Beta2

* Incremental propagation support for the KDC database.

* Flexible Authentication Secure Tunneling (FAST), a preauthentiation
framework that can protect the AS exchange from dictionary attack.

* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
allows a GSS application to request credential delegation only if
permitted by KDC policy.

* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
various vulnerabilities in SPNEGO and ASN.1 code.


  
ICM