RPM Search

Changelog for krb5-devel-1.12.1-38.22.1.i586.rpm :
Tue Jan 8 13:00:00 2019 scabreroAATTsuse.de
- Remove incorrect KDC assertion; (CVE-2018-20217); (bsc#1120489);
- Added patches:

* 0112-Remove-incorrect-KDC-assertion.patch

Tue Aug 21 14:00:00 2018 aburlakovAATTsuse.com
- Introduce patch 0111-gssapi-assume-that-mechanism-from-acceptor-credentia.patch
to all legacy GSS client applications to workaround compatibility
issue by setting environment variable GSSAPI_ASSUME_MECH_MATCH to
a non-empty value. (bsc#1057662 bsc#1046415)

Wed May 9 14:00:00 2018 ckowalczykAATTsuse.com
- Fix for resolving krb5 GSS creds if time_rec is requested
0110-resolve-krb5-GSS-creds-if-time_rec-is-requested.patch
(bsc#1088921)

Tue Feb 27 13:00:00 2018 hguoAATTsuse.com
- Fix a GSS failure in legacy applications (bsc#1081725) with patch
0109-Do-not-indicate-deprecated-GSS-mechanisms.patch

Thu Jul 28 14:00:00 2016 hguoAATTsuse.com
- Fix CVE-2016-3120 (bsc#991088) with patch:
0108-Fix-S4U2Self-KDC-crash-when-anon-is-restricted.patch

Tue May 10 14:00:00 2016 hguoAATTsuse.com
- Remove source file ccapi/common/win/OldCC/autolock.hxx
that is not needed and does not carry an acceptable license.
(bsc#968111)

Wed Mar 23 13:00:00 2016 hguoAATTsuse.com
- Introduce patch
0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
to fix CVE-2016-3119 (bsc#971942)

Thu Jan 28 13:00:00 2016 hguoAATTsuse.com
- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn\'t check for
terminating null character (bsc#963968)
with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
- Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null
principal name in request (bsc#963975)
with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
- Fix CVE-2015-8630: krb5: krb5 doesn\'t check for null policy when
KADM5_POLICY is set in the mask (bsc#963964)
with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch

Tue Nov 10 13:00:00 2015 hguoAATTsuse.com
- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
to fix a memory corruption regression introduced by resolution of
CVE-2015-2698. bsc#954204

Wed Oct 28 13:00:00 2015 hguoAATTsuse.com
- Make kadmin.local man page available without having to install krb5-client. bsc#948011
- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
to fix build_principal memory bug [CVE-2015-2697] bsc#952190
- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
- Fix patch content of bnc#912002.diff that was missing a diff header.

Mon Jul 13 14:00:00 2015 varkolyAATTsuse.com
- bnc#928978 - (CVE-2015-2694) VUL-0: CVE-2015-2694: krb5: issues
in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass
patches:
0001-Prevent-requires_preauth-bypass-CVE-2015-2694.patch

Wed Mar 11 13:00:00 2015 varkolyAATTsuse.com
- bnc#918595 VUL-0: CVE-2014-5355: krb5: denial of service in krb5_read_message
patches:
0001-Fix-krb5_read_message-handling-CVE-2014-5355.patch

Wed Mar 11 13:00:00 2015 varkolyAATTsuse.com
- bnc#910457: CVE-2014-5353: NULL pointer dereference when using a ticket policy name as password name
- bnc#910458: CVE-2014-5354: NULL pointer dereference when using keyless entries
patches:
krb5-1.12.2-CVE-2014-5353.patch
krb5-1.12.2-CVE-2014-5354.patch

Wed Jan 7 13:00:00 2015 varkolyAATTsuse.com
- bnc#912002 VUL-0: CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423:
krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
- added patches:

* bnc#912002.diff

Thu Sep 25 14:00:00 2014 ddissAATTsuse.com
- Work around replay cache creation race; (bnc#898439).
krb5-1.13-work-around-replay-cache-creation-race.patch

Tue Sep 23 14:00:00 2014 varkolyAATTsuse.com
- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal
- added patches:

* bnc#897874-CVE-2014-5351.diff

Fri Aug 8 14:00:00 2014 ckornackerAATTsuse.com
- buffer overrun in kadmind with LDAP backend
CVE-2014-4345 (bnc#891082)
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch

Mon Jul 28 14:00:00 2014 ckornackerAATTsuse.com
- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)
krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
Fix null deref in SPNEGO acceptor [CVE-2014-4344]
krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch

Thu Jul 10 14:00:00 2014 ckornackerAATTsuse.com
- denial of service flaws when handling RFC 1964 tokens (bnc#886016)
krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
- start krb5kdc after slapd (bnc#886102)

Fri Jun 6 14:00:00 2014 ckornackerAATTsuse.com
- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
similar functionality is provided by krb5-plugin-preauth-pkinit

Tue Feb 18 13:00:00 2014 ckornackerAATTsuse.com
- don\'t deliver SysV init files to systemd distributions

Tue Jan 21 13:00:00 2014 ckornackerAATTsuse.com
- update to version 1.12.1

* Make KDC log service principal names more consistently during
some error conditions, instead of \"\"

* Fix several bugs related to building AES-NI support on less
common configurations

* Fix several bugs related to keyring credential caches
- upstream obsoletes:
krb5-1.12-copy_context.patch
krb5-1.12-enable-NX.patch
krb5-1.12-pic-aes-ni.patch
krb5-master-no-malloc0.patch
krb5-master-ignore-empty-unnecessary-final-token.patch
krb5-master-gss_oid_leak.patch
krb5-master-keytab_close.patch
krb5-master-spnego_error_messages.patch
- Fix Get time offsets for all keyring ccaches
krb5-master-keyring-kdcsync.patch (RT#7820)

Mon Jan 13 13:00:00 2014 ckornackerAATTsuse.com
- update to version 1.12

* Add GSSAPI extensions for constructing MIC tokens using IOV lists

* Add a FAST OTP preauthentication module for the KDC which uses
RADIUS to validate OTP token values.

* The AES-based encryption types will use AES-NI instructions
when possible for improved performance.
- revert dependency on libcom_err-mini-devel since it\'s not yet
available
- update and rebase patches

* krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch

* krb5-1.11-pam.patch -> krb5-1.12-pam.patch

* krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch

* krb5-1.8-api.patch -> krb5-1.12-api.patch

* krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch

* krb5-1.9-debuginfo.patch

* krb5-1.9-kprop-mktemp.patch

* krb5-kvno-230379.patch
- added upstream patches
- Fix krb5_copy_context

* krb5-1.12-copy_context.patch
- Mark AESNI files as not needing executable stacks

* krb5-1.12-enable-NX.patch

* krb5-1.12-pic-aes-ni.patch
- Fix memory leak in SPNEGO initiator

* krb5-master-gss_oid_leak.patch
- Fix SPNEGO one-hop interop against old IIS

* krb5-master-ignore-empty-unnecessary-final-token.patch
- Fix GSS krb5 acceptor acquire_cred error handling

* krb5-master-keytab_close.patch
- Avoid malloc(0) in SPNEGO get_input_token

* krb5-master-no-malloc0.patch
- Test SPNEGO error message in t_s4u.py

* krb5-master-spnego_error_messages.patch

Tue Dec 10 13:00:00 2013 nfbrownAATTsuse.com
- Reduce build dependencies for krb5-mini by removing
doxygen and changing libcom_err-devel to
libcom_err-mini-devel
- Small fix to pre_checkin.sh so krb5-mini.spec is correct.

Fri Nov 15 13:00:00 2013 ckornackerAATTsuse.com
- update to version 1.11.4
- Fix a KDC null pointer dereference [CVE-2013-1417] that could
affect realms with an uncommon configuration.
- Fix a KDC null pointer dereference [CVE-2013-1418] that could
affect KDCs that serve multiple realms.
- Fix a number of bugs related to KDC master key rollover.

Mon Jun 24 14:00:00 2013 mcAATTsuse.com
- install and enable systemd service files also in -mini package

Fri Jun 21 14:00:00 2013 crrodriguezAATTopensuse.org
- remove fstack-protector-all from CFLAGS, just use the
lighter/fast version already present in %optflags
- Use LFS_CFLAGS to build in 32 bit archs.

Sun Jun 9 14:00:00 2013 mcAATTsuse.com
- update to version 1.11.3
- Fix a UDP ping-pong vulnerability in the kpasswd
(password changing) service. [CVE-2002-2443]
- Improve interoperability with some Windows native PKINIT clients.
- install translation files
- remove outdated configure options

Tue May 28 14:00:00 2013 mcAATTsuse.com
- cleanup systemd files (remove syslog.target)

Fri May 3 14:00:00 2013 mcAATTsuse.de
- let krb5-mini conflict with all main packages

Thu May 2 14:00:00 2013 mcAATTsuse.de
- add conflicts between krb5-mini and krb5-server

Sun Apr 28 14:00:00 2013 mcAATTsuse.de
- update to version 1.11.2

* Incremental propagation could erroneously act as if a slave\'s
database were current after the slave received a full dump
that failed to load.

* gss_import_sec_context incorrectly set internal state that
identifies whether an imported context is from an interposer
mechanism or from the underlying mechanism.
- upstream fix obsolete krb5-lookup_etypes-leak.patch

Thu Apr 4 14:00:00 2013 mcAATTsuse.de
- add conflicts between krb5-mini-devel and krb5-devel

Tue Apr 2 14:00:00 2013 mcAATTsuse.de
- add conflicts between krb5-mini and krb5 and krb5-client

Wed Mar 27 13:00:00 2013 mcAATTsuse.de
- enable selinux and set openssl as crypto implementation

Fri Mar 22 13:00:00 2013 mcAATTsuse.de
- fix path to executables in service files
(bnc#810926)

Fri Mar 15 13:00:00 2013 mcAATTsuse.de
- update to version 1.11.1

* Improve ASN.1 support code, making it table-driven for
decoding as well as encoding

* Refactor parts of KDC

* Documentation consolidation

* build docs in the main package

* bugfixing
- changes of patches:

* bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif:
upstream

* bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif:
upstream

* krb5-1.10-gcc47.patch: upstream

* krb5-1.10-selinux-label.patch replaced by
krb5-1.11-selinux-label.patch

* krb5-1.10-spin-loop.patch: upstream

* krb5-1.3.5-perlfix.dif: the tool was removed from upstream

* krb5-1.8-pam.patch replaced by
krb5-1.11-pam.patch

Wed Mar 6 13:00:00 2013 mcAATTsuse.de
- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
CVE-2012-1016 (bnc#807556)
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif

Mon Mar 4 13:00:00 2013 mcAATTsuse.de
- fix PKINIT null pointer deref
CVE-2013-1415 (bnc#806715)
bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif

Fri Jan 25 13:00:00 2013 mcAATTsuse.de
- package missing file (bnc#794784)

Tue Jan 22 13:00:00 2013 lchiquittoAATTsuse.com
- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc
(bnc#793336)

Tue Oct 16 14:00:00 2012 cooloAATTsuse.com
- revert the -p usage in %postun to fix SLE build

Tue Oct 16 14:00:00 2012 cooloAATTsuse.com
- buildrequire systemd by pkgconfig provide to get systemd-mini

Sat Oct 13 14:00:00 2012 cooloAATTsuse.com
- do not require systemd in krb5-mini

Fri Oct 5 14:00:00 2012 mcAATTsuse.de
- add systemd service files for kadmind, krb5kdc and kpropd
- add sysconfig templates for kadmind and krb5kdc

Wed Jun 13 14:00:00 2012 cooloAATTsuse.com
- fix %files section for krb5-mini

Thu Jun 7 14:00:00 2012 mcAATTsuse.de
- fix gcc47 issues

Wed Jun 6 14:00:00 2012 mcAATTsuse.de
- update to version 1.10.2
obsolte patches:

* krb5-1.7-nodeplibs.patch

* krb5-1.9.1-ai_addrconfig.patch

* krb5-1.9.1-ai_addrconfig2.patch

* krb5-1.9.1-sendto_poll.patch

* krb5-1.9-canonicalize-fallback.patch

* krb5-1.9-paren.patch

* krb5-klist_s.patch

* krb5-pkinit-cms2.patch

* krb5-trunk-chpw-err.patch

* krb5-trunk-gss_delete_sec.patch

* krb5-trunk-kadmin-oldproto.patch

* krb5-1.9-MITKRB5-SA-2011-006.dif

* krb5-1.9-gss_display_status-iakerb.patch

* krb5-1.9.1-sendto_poll2.patch

* krb5-1.9.1-sendto_poll3.patch

* krb5-1.9-MITKRB5-SA-2011-007.dif
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
Controllers.
- Update a workaround for a glibc bug that would cause DNS PTR queries
to occur even when rdns = false.
- Fix a kadmind denial of service issue (null pointer dereference),
which could only be triggered by an administrator with the \"create\"
privilege. [CVE-2012-1013]
- Fix access controls for KDB string attributes [CVE-2012-1012]
- Make the ASN.1 encoding of key version numbers interoperate with
Windows Read-Only Domain Controllers
- Avoid generating spurious password expiry warnings in cases where
the KDC sends an account expiry time without a password expiry time
- Make PKINIT work with FAST in the client library.
- Add the DIR credential cache type, which can hold a collection of
credential caches.
- Enhance kinit, klist, and kdestroy to support credential cache
collections if the cache type supports it.
- Add the kswitch command, which changes the selected default cache
within a collection.
- Add heuristic support for choosing client credentials based on
the service realm.
- Add support for $HOME/.k5identity, which allows credential
choice based on configured rules.

Sun Feb 26 13:00:00 2012 stefan.bruensAATTrwth-aachen.de
- add autoconf macro to devel subpackage

Tue Jan 31 13:00:00 2012 meissnerAATTsuse.de
- fix license in krb5-mini

Tue Dec 20 13:00:00 2011 cooloAATTsuse.com
- add autoconf as buildrequire to avoid implicit dependency

Tue Dec 20 13:00:00 2011 cooloAATTsuse.com
- remove call to suse_update_config, very old work around

Mon Nov 21 13:00:00 2011 mcAATTsuse.de
- fix KDC null pointer dereference in TGS handling
(MITKRB5-SA-2011-007, bnc#730393)
CVE-2011-1530

Mon Nov 21 13:00:00 2011 mcAATTsuse.de
- fix KDC HA feature introduced with implementing KDC poll
(RT#6951, bnc#731648)

Fri Nov 18 13:00:00 2011 rhaferAATTsuse.de
- fix minor error messages for the IAKERB GSSAPI mechanism
(see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)

Mon Oct 17 14:00:00 2011 mcAATTsuse.de
- fix kdc remote denial of service
(MITKRB5-SA-2011-006, bnc#719393)
CVE-2011-1527, CVE-2011-1528, CVE-2011-1529

Tue Aug 23 14:00:00 2011 mcAATTsuse.de
- use --without-pam to build krb5-mini

Sun Aug 21 14:00:00 2011 mcAATTnovell.com
- add patches from Fedora and upstream
- fix init scripts (bnc#689006)

Fri Aug 19 14:00:00 2011 mcAATTnovell.com
- update to version 1.9.1

* obsolete patches:
MITKRB5-SA-2010-007-1.8.dif
krb5-1.8-MITKRB5-SA-2010-006.dif
krb5-1.8-MITKRB5-SA-2011-001.dif
krb5-1.8-MITKRB5-SA-2011-002.dif
krb5-1.8-MITKRB5-SA-2011-003.dif
krb5-1.8-MITKRB5-SA-2011-004.dif
krb5-1.4.3-enospc.dif

* replace krb5-1.6.1-compile_pie.dif

Thu Apr 14 14:00:00 2011 mcAATTsuse.de
- fix kadmind invalid pointer free()
(MITKRB5-SA-2011-004, bnc#687469)
CVE-2011-0285

Tue Mar 1 13:00:00 2011 mcAATTsuse.de
- Fix vulnerability to a double-free condition in KDC daemon
(MITKRB5-SA-2011-003, bnc#671717)
CVE-2011-0284

Wed Jan 19 13:00:00 2011 mcAATTsuse.de
- Fix kpropd denial of service
(MITKRB5-SA-2011-001, bnc#662665)
CVE-2010-4022
- Fix KDC denial of service attacks with LDAP back end
(MITKRB5-SA-2011-002, bnc#663619)
CVE-2011-0281, CVE-2011-0282

Wed Dec 1 13:00:00 2010 mcAATTsuse.de
- Fix multiple checksum handling vulnerabilities
(MITKRB5-SA-2010-007, bnc#650650)
CVE-2010-1324

* krb5 GSS-API applications may accept unkeyed checksums

* krb5 application services may accept unkeyed PAC checksums

* krb5 KDC may accept low-entropy KrbFastArmoredReq checksums
CVE-2010-1323

* krb5 clients may accept unkeyed SAM-2 challenge checksums

* krb5 may accept KRB-SAFE checksums with low-entropy derived keys
CVE-2010-4020

* krb5 may accept authdata checksums with low-entropy derived keys
CVE-2010-4021

* krb5 KDC may issue unrequested tickets due to KrbFastReq forgery

Thu Oct 28 14:00:00 2010 mcAATTsuse.de
- fix csh profile (bnc#649856)

Fri Oct 22 14:00:00 2010 mcAATTsuse.de
- update to krb5-1.8.3

* remove patches which are now upstrem
- krb5-1.7-MITKRB5-SA-2010-004.dif
- krb5-1.8.1-gssapi-error-table.dif
- krb5-MITKRB5-SA-2010-005.dif

Fri Oct 22 14:00:00 2010 mcAATTsuse.de
- change environment variable PATH directly for csh
(bnc#642080)

Mon Sep 27 14:00:00 2010 mcAATTsuse.de
- fix a dereference of an uninitialized pointer while processing
authorization data.
CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)

Mon Jun 21 14:00:00 2010 lchiquittoAATTnovell.com
- add correct error table when initializing gss-krb5 (bnc#606584,
bnc#608295)

Wed May 19 14:00:00 2010 mcAATTsuse.de
- fix GSS-API library null pointer dereference
CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)

Wed Apr 14 14:00:00 2010 mcAATTsuse.de
- fix a double free vulnerability in the KDC
CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)

Fri Apr 9 14:00:00 2010 mcAATTsuse.de
- update to version 1.8.1

* include krb5-1.8-POST.dif

* include MITKRB5-SA-2010-002

Tue Apr 6 14:00:00 2010 mcAATTsuse.de
- update krb5-1.8-POST.dif

Tue Mar 23 13:00:00 2010 mcAATTsuse.de
- fix a bug where an unauthenticated remote attacker could cause
a GSS-API application including the Kerberos administration
daemon (kadmind) to crash.
CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)

Tue Mar 23 13:00:00 2010 mcAATTsuse.de
- add post 1.8 fixes

* Add IPv6 support to changepw.c

* fix two problems in kadm5_get_principal mask handling

* Ignore improperly encoded signedpath AD elements

* handle NT_SRV_INST in service principal referrals

* dereference options while checking
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT

* Fix the kpasswd fallback from the ccache principal name

* Document the ticket_lifetime libdefaults setting

* Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512

Thu Mar 4 13:00:00 2010 mcAATTsuse.de
- update to version 1.8

* Increase code quality

* Move toward improved KDB interface

* Investigate and remedy repeatedly-reported performance
bottlenecks.

* Reduce DNS dependence by implementing an interface that allows
client library to track whether a KDC supports service
principal referrals.

* Disable DES by default

* Account lockout for repeated login failures

* Bridge layer to allow Heimdal HDB modules to act as KDB
backend modules

* FAST enhancements

* Microsoft Services for User (S4U) compatibility

* Anonymous PKINIT
- fix KDC denial of service
CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)
- fix KDC denial of service in cross-realm referral processing
CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
- fix integer underflow in AES and RC4 decryption
CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl

Mon Dec 14 13:00:00 2009 jengelhAATTmedozas.de
- add baselibs.conf as a source

Fri Nov 13 13:00:00 2009 mcAATTsuse.de
- enhance \'$PATH\' only if the directories are available
and not empty (bnc#544949)

Sun Jul 12 14:00:00 2009 cooloAATTnovell.com
- readd lost baselibs.conf

Wed Jun 3 14:00:00 2009 mcAATTsuse.de
- update to final 1.7 release

Wed May 13 14:00:00 2009 mcAATTsuse.de
- update to version 1.7 Beta2

* Incremental propagation support for the KDC database.

* Flexible Authentication Secure Tunneling (FAST), a preauthentiation
framework that can protect the AS exchange from dictionary attack.

* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
allows a GSS application to request credential delegation only if
permitted by KDC policy.

* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
various vulnerabilities in SPNEGO and ASN.1 code.

Mon Feb 16 13:00:00 2009 mcAATTsuse.de
- update to pre 1.7 version

* Remove support for version 4 of the Kerberos protocol (krb4).

* New libdefaults configuration variable \"allow_weak_crypto\".

* Client library now follows client principal referrals, for
compatibility with Windows.

* KDC can issue realm referrals for service principals based on domain
names.

* Encryption algorithm negotiation (RFC 4537).

* In the replay cache, use a hash over the complete ciphertext to
avoid false-positive replay indications.

* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
similar to the equivalent SSPI functionality.

* DCE RPC, including three-leg GSS context setup and unencapsulated
GSS tokens.

* NTLM recognition support in GSS-API, to facilitate dropping in an
NTLM implementation.

* KDC support for principal aliases, if the back end supports them.

* Microsoft set/change password (RFC 3244) protocol in kadmind.

* Master key rollover support.

Wed Jan 14 13:00:00 2009 olhAATTsuse.de
- obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit

Thu Dec 11 13:00:00 2008 mcAATTsuse.de
- do not query IPv6 addresses if no IPv6 address exists on this host
[bnc#449143]

Wed Dec 10 13:00:00 2008 olhAATTsuse.de
- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
(bnc#437293)

Thu Oct 30 13:00:00 2008 olhAATTsuse.de
- obsolete old -XXbit packages (bnc#437293)

Fri Sep 26 14:00:00 2008 mcAATTsuse.de
- in case we use ldap as database backend, ldap should be
started before krb5kdc

Mon Jul 28 14:00:00 2008 mcAATTsuse.de
- add new fixes to post 1.6.3 patch

* fix mem leak in krb5_gss_accept_sec_context()

* keep minor_status

* kadm5_decrypt_key: A ktype of -1 is documented as meaning
\"to be ignored\"

* Reject socket fds > FD_SETSIZE

Fri Jul 25 14:00:00 2008 mcAATTsuse.de
- add patches from SVN post 1.6.3

* krb5_string_to_keysalts: Fix an infinite loop

* fix some mutex issues

* better recovery from corrupt rcache files

* some more small fixes

Wed Jun 18 14:00:00 2008 mcAATTsuse.de
- add case-insensitive.dif (FATE#300771)
- minor fixes for ktutil man page
- reduce rpmlint warnings

Wed May 14 14:00:00 2008 mcAATTsuse.de
- Fall back to TCP on kdc-unresolvable/unreachable errors.
- restore valid sequence number before generating requests
(fix changing passwords in mixed ipv4/ipv6 enviroments)

Thu Apr 10 14:00:00 2008 roAATTsuse.de
- added baselibs.conf file to build xxbit packages
for multilib support

Wed Apr 9 14:00:00 2008 mcAATTsuse.de
- modify krb5-config to not output rpath and cflags in --libs
(bnc#378270)

Fri Mar 14 13:00:00 2008 mcAATTsuse.de
- fix two security bugs:

* MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063)
fix double free [bnc#361373]

* MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)
Memory corruption while too many open file descriptors
[bnc#363151]
- change default config file. Comment out the examples.

Fri Dec 14 13:00:00 2007 mcAATTsuse.de
- fix several security bugs:

* CVE-2007-5894 apparent uninit length

* CVE-2007-5902 integer overflow

* CVE-2007-5971 free of non-heap pointer and double-free

* CVE-2007-5972 double fclose()
[#346745, #346748, #346746, #346749, #346747]

Tue Dec 4 13:00:00 2007 mcAATTsuse.de
- improve GSSAPI error messages

Tue Nov 6 13:00:00 2007 mcAATTsuse.de
- add coreutils to PreReq

Tue Oct 23 14:00:00 2007 mcAATTsuse.de
- update to krb5 version 1.6.3

* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow

* fix CVE-2007-4000 modify_policy vulnerability

* Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles

Fri Sep 14 14:00:00 2007 mcAATTsuse.de
- update krb5-1.6.2-post.dif

* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
that the client library will not failover to the next KDC.
[#310540]

Tue Sep 11 14:00:00 2007 mcAATTsuse.de
- update krb5-1.6.2-post.dif

* new -S sname option for kvno

* read_entropy_from_device on partial read will not fill buffer

* Bail out if encoded \"ticket\" doesn\'t decode correctly.

* patch for referrals loop

Thu Sep 6 14:00:00 2007 mcAATTsuse.de
- fix a problem with the originally published patch
for MITKRB5-SA-2007-006 - CVE-2007-3999
[#302377]

Wed Sep 5 14:00:00 2007 mcAATTsuse.de
- fix execute arbitrary code
(MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
[#302377]

Tue Aug 7 14:00:00 2007 mcAATTsuse.de
- add krb5-1.6.2-post.dif

* during the referrals loop, check to see if the
session key enctype of a returned credential for the final
service is among the enctypes explicitly selected by the
application, and retry with old_use_conf_ktypes if it is not.

* If mkstemp() is available, the new ccache file gets created but
the subsequent open(O_CREAT|O_EXCL) call fails because the file
was already created by mkstemp(). Apply patch from Apple to keep
the file descriptor open.

Thu Jul 12 14:00:00 2007 mcAATTsuse.de
- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release

Thu Jul 5 14:00:00 2007 mcAATTsuse.de
- change requires to libcom_err-devel

Mon Jul 2 14:00:00 2007 mcAATTsuse.de
- update krb5-1.6.1-post.dif

* fix leak in krb5_walk_realm_tree

* rd_req_decoded needs to deal with referral realms

* fix buffer overflow in kadmind
(MITKRB5-SA-2007-005 - CVE-2007-2798)
[#278689]

* fix kadmind code execution bug
(MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
[#271191]

Thu Jun 14 14:00:00 2007 mcAATTsuse.de
- fix unstripped-binary-or-object rpmlint warning

Mon Jun 11 14:00:00 2007 sschoberAATTsuse.de
- fixing rpmlint warnings and errors:

* merged logrotate scripts kadmin and krb5kdc into a single file
krb5-server.

* moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl
from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper.
adapted krb5.spec and README.ConvertHeimdalMIT accordingly.

* added surpression filter for
\"devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so\"
(see [#147912]).

* set default runlevel of init scripts in chkconfig line to 3 and
5

Wed May 9 14:00:00 2007 mcAATTsuse.de
- fix uninitialized salt length
- add extra check for keytab file

Thu May 3 14:00:00 2007 mcAATTsuse.de
- adding krb5-1.6.1-post.dif

* fix segfault in krb5_get_init_creds_password

* remove debug output in ftp client

* profile stores empty string values without double quotes

Mon Apr 23 14:00:00 2007 mcAATTsuse.de
- update to final 1.6.1 version

Wed Apr 18 14:00:00 2007 mcAATTsuse.de
- add plugin directories to main package

Mon Apr 16 14:00:00 2007 mcAATTsuse.de
- update to version 1.6.1 Beta1
- remove obsolete patches
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
- rework compile_pie patch

Wed Apr 11 14:00:00 2007 mcAATTsuse.de
- update krb5-1.6-post.dif

* fix kadmind stack overflow in krb5_klog_syslog
(MITKRB5-SA-2007-002 - CVE-2007-0957)
[#253548]

* fix double free attack in the RPC library
(MITKRB5-SA-2007-003 - CVE-2007-1216)
[#252487]

* fix krb5 telnetd login injection
(MIT-SA-2007-001 - CVE-2007-0956)
[#247765]

Thu Mar 29 14:00:00 2007 mcAATTsuse.de
- add ncurses-devel and bison to BuildRequires
- rework some patches

Mon Mar 5 13:00:00 2007 mcAATTsuse.de
- move SuSEFirewall service definitions to
/etc/sysconfig/SuSEfirewall2.d/services

Thu Feb 22 13:00:00 2007 mcAATTsuse.de
- add firewall definition to krb5-server, FATE #300687

Mon Feb 19 13:00:00 2007 mcAATTsuse.de
- update krb5-1.6-post.dif
- move some applications into the right package

Fri Feb 9 13:00:00 2007 mcAATTsuse.de
- update krb5-1.6-post.dif

Mon Jan 29 13:00:00 2007 mcAATTsuse.de
- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif
are now upstream. Remove patches.
- fix leak in krb5_kt_resolve and krb5_kt_wresolve

Tue Jan 23 13:00:00 2007 mcAATTsuse.de
- fix \"local variable used before set\" in ftp.c
[#237684]

Mon Jan 22 13:00:00 2007 mcAATTsuse.de
- krb5-devel should require keyutils-devel

Mon Jan 22 13:00:00 2007 mcAATTsuse.de
- update to version 1.6

* Major changes in 1.6 include

* Partial client implementation to handle server name referrals.

* Pre-authentication plug-in framework, donated by Red Hat.

* LDAP KDB plug-in, donated by Novell.
- remove obsolete patches

Wed Jan 10 13:00:00 2007 mcAATTsuse.de
- fix for
kadmind (via RPC library) calls uninitialized function pointer
(CVE-2006-6143)(Bug #225990)
krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif
- fix for
kadmind (via GSS-API mechglue) frees uninitialized pointers
(CVE-2006-6144)(Bug #225992)
krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif

Tue Jan 2 13:00:00 2007 mcAATTsuse.de
- Fix Requires in krb5-devel
[Bug #231008]

Mon Nov 6 13:00:00 2006 mcAATTsuse.de
- fix \"local variable used before set\" [#217692]
- fix strncat warning

Fri Oct 27 14:00:00 2006 mcAATTsuse.de
- add a default kadm5.dict file
- require $network on daemon start

Wed Sep 13 14:00:00 2006 mcAATTsuse.de
- fix function call with too few arguments [#203837]

Thu Aug 24 14:00:00 2006 mcAATTsuse.de
- update to version 1.5.1
- remove obsolete patches which are now included upstream

* krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif

* trunk-fix-uninitialized-vars.dif

Fri Aug 11 14:00:00 2006 mcAATTsuse.de
- krb5 setuid return check fixes
krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
[#182351]

Mon Aug 7 14:00:00 2006 mcAATTsuse.de
- remove update-messages

Mon Jul 24 14:00:00 2006 mcAATTsuse.de
- add check for krb5_prop in services to kpropd init script.
[#192446]

Mon Jul 3 14:00:00 2006 mcAATTsuse.de
- update to version 1.5

* KDB abstraction layer, donated by Novell.

* plug-in architecture, allowing for extension modules to be
loaded at run-time.

* multi-mechanism GSS-API implementation (\"mechglue\"),
donated by Sun Microsystems

* Simple and Protected GSS-API negotiation mechanism (\"SPNEGO\")
implementation, donated by Sun Microsystems
- remove obsolete patches and add some new