|
|
|
|
Changelog for krb5-workstation-1.18.2-29.el8_10.x86_64.rpm :
* Mon Jul 01 2024 Julien Rische - 1.18.2-29- CVE-2024-37370 CVE-2024-37371 Fix vulnerabilities in GSS message token handling Resolves: RHEL-45398 RHEL-45386 * Tue Apr 09 2024 Julien Rische - 1.18.2-28- Fix leak of default credentials in gss_inquire_cred() Resolves: RHEL-32258 * Thu Mar 21 2024 Julien Rische - 1.18.2-27- Fix memory leak in GSSAPI interface Resolves: RHEL-27250- Fix memory leak in PMAP RPC interface Resolves: RHEL-27244- Make TCP waiting time configurable Resolves: RHEL-17131 * Wed Sep 27 2023 Julien Rische - 1.18.2-26- Allow to make AD-SIGNEDPATH optional Resolves: RHEL-10514 * Thu Jul 06 2023 Julien Rische - 1.18.2-25- Bump release number * Wed Jul 05 2023 Julien Rische - 1.18.2-24- Remove downloadable source signature file- Resolves: rhbz#2219654 * Wed May 31 2023 Julien Rische - 1.18.2-23- Support PAC with KDC extended signature and without ticket signature- Resolves: rhbz#2169477 * Tue Nov 08 2022 Julien Rische - 1.18.2-22- Fix integer overflows in PAC parsing (CVE-2022-42898)- Resolves: rhbz#2140968 * Fri Jul 01 2022 Julien Rische - 1.18.2-21- Backport fix of memory use after free during libkrad cleanup- Backport support for larger RADIUS attributes in libkrad- Resolves: rhbz#2103125 * Wed Apr 27 2022 Julien Rische - 1.18.2-19- Try harder to avoid password change replay errors- Resolves: #2077563 * Wed Apr 13 2022 Julien Rische - 1.18.2-18- Fix kprop for propagating dump files larger than 4GB- Resolves: #2026462 * Mon Mar 21 2022 Julien Rische - 1.18.2-15- Backport usage of SHA-256 instead of SHA-1 for PKINIT CMS digest- Resolves: #2066316 * Wed Aug 25 2021 Robbie Harwood - 1.18.2-14- Fix KDC null deref on TGS inner body null server (CVE-2021-37750)- Resolves: #1997601 * Tue Jul 20 2021 Robbie Harwood - 1.18.2-13- Fix KDC null deref on bad encrypted challenge (CVE-2021-36222)- Resolves: #1983729 * Thu Jun 10 2021 Robbie Harwood - 1.18.2-12- Backport KCM performance enablements- Resolves: #1956388 * Thu Jun 10 2021 Robbie Harwood - 1.18.2-11- Add APIs for marshalling credentials- Resolves: #1964619 * Mon May 03 2021 Robbie Harwood - 1.18.2-10- Update tmpfiles dropin to use /run instead of /var/run- Resolves: #1945679 * Tue Apr 20 2021 Robbie Harwood - 1.18.2-9- Add support for start_realm cache config- Resolves: #1901195 * Wed Dec 16 2020 Robbie Harwood - 1.18.2-8- Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196)- Resolves: #1906492 * Tue Nov 24 2020 Robbie Harwood - 1.18.2-7- Document -k option in kvno(1) synopsis- Resolves: #1869055 * Wed Oct 21 2020 Robbie Harwood - 1.18.2-6- Enable MD5 override for FIPS RADIUS- Resolves: #1872689 * Thu Oct 15 2020 Robbie Harwood - 1.18.2-5.2- Unify kvno option documentation- Resolves: #1869055 * Wed Oct 14 2020 Robbie Harwood - 1.18.2-5.1- Fix upstream URLs in spec file- Resolves: #1868039 * Tue Aug 04 2020 Robbie Harwood - 1.18.2-5- Fix leak in KERB_AP_OPTIONS_CBT server support- Resolves: #1860831 * Tue Jul 28 2020 Robbie Harwood - 1.18.2-4- Ignore bad enctypes in krb5_string_to_keysalts()- Resolves: #1858322 * Mon Jun 15 2020 Robbie Harwood - 1.18.2-3- Match Heimdal behavior for channel bindings- Code hygiene + test stability fix included- Resolves: #1840518 * Wed May 27 2020 Robbie Harwood - 1.18.2-2- Drop DES3 from sample kdc.conf- Resolves: #1802334 * Fri May 22 2020 Robbie Harwood - 1.18.2-1- New upstream release (1.18.2)- Resolves: #1802334 * Fri May 08 2020 Robbie Harwood - 1.18.1-3- Omit KDC indicator check for S4U2Self requests- Resolves: #1802334 * Tue Apr 28 2020 Robbie Harwood - 1.18.1-2- Pass gss_localname() through SPNEGO- Resolves: #1802334 * Tue Apr 14 2020 Robbie Harwood - 1.18.1-1- New upstream version (1.18.1)- Resolves: #1802334 * Tue Apr 07 2020 Robbie Harwood - 1.18-1- New upstream version (1.18)- Resolves: #1802334- Resolves: #1820311- Resolves: #1791062- Resolves: #1784655 * Wed Feb 19 2020 Robbie Harwood - 1.17-18- Put KDB authdata first- Resolves: #1800575 * Thu Nov 21 2019 Robbie Harwood - 1.17-17- OpenSSL has an epoch, apparently- Resolves: #1754690 * Wed Nov 20 2019 Robbie Harwood - 1.17-16- Put openssl runtime requirement in the right place this time- Resolves: #1754690 * Wed Nov 20 2019 Robbie Harwood - 1.17-15- Restore accidentally dropped patch- Resolves: #1754690 * Wed Nov 20 2019 Robbie Harwood - 1.17-14- Fix krb5kdf support and add proper openssl version requirements- Resolves: #1754690 * Tue Nov 19 2019 Robbie Harwood - 1.17-13- Full FIPS compliance- Resolves: #1754690 * Tue Oct 15 2019 Robbie Harwood - 1.17-12- Backport soft-pkcs11 testing code- Resolves: #1734158 * Tue Oct 15 2019 Robbie Harwood - 1.17-11- Fix KCM client time offset propagation- Resolves: #1738553 * Tue Oct 15 2019 Robbie Harwood - 1.17-10- Fix source URLs in spec file- Resolves: #1755959 * Tue Sep 17 2019 Robbie Harwood - 1.17-9- Fix argument order on strlcpy() in enctype_name()- Resolves: #1754369 * Wed Aug 07 2019 Robbie Harwood - 1.17-8- Clean up etype display on KDC- Resolves: #1664157 * Tue Jun 04 2019 Robbie Harwood - 1.17-7- Fix pkinit_anchors path- Resolves: #1661339 * Wed May 15 2019 Robbie Harwood - 1.17-6- Re-provide krb5-kdb-version in -devel as well (IPA wants it)- Resolves: #1645594 * Thu Apr 18 2019 Robbie Harwood - 1.17-5- Move kdbversion info into -server for IPA (so we can rebase)- Resolves: #1645594 * Mon Apr 01 2019 Robbie Harwood - 1.17-4- FIPS: disable 3DES and ed25519- Resolves: #1616326 * Tue Mar 19 2019 Robbie Harwood - 1.17-3- Use openssl\'s PRNG in FIPS mode- Resolves: #1663571 * Tue Mar 19 2019 Robbie Harwood - 1.17-2- Address some optimized-out memset() calls- Resolves: #1663503 * Mon Mar 18 2019 Robbie Harwood - 1.17-1- New upstream version (1.17)- Resolves: #1645594 * Thu Feb 07 2019 Robbie Harwood - 1.16.1-22- Remove incorrect KDC assertion- Resolves: #1673016 * Fri Feb 01 2019 Robbie Harwood - 1.16.1-21- Fix RC4 blocking in FIPS mode- Resolves: #1660222 * Thu Dec 20 2018 Robbie Harwood - 1.16.1-20- Gain FIPS awareness- Resolves: #1660222 * Wed Aug 01 2018 Robbie Harwood - 1.16.1-19- In FIPS mode, add plaintext fallback for RC4 usages and taint * Thu Jul 26 2018 Robbie Harwood - 1.16.1-18- Fix k5test prompts for Python 3 * Thu Jul 19 2018 Robbie Harwood - 1.16.1-17- Remove outdated note in krb5kdc man page * Thu Jul 19 2018 Robbie Harwood - 1.16.1-16- Make krb5kdc -p affect TCP ports * Thu Jul 19 2018 Robbie Harwood - 1.16.1-15- Eliminate preprocessor-disabled dead code * Wed Jul 18 2018 Robbie Harwood - 1.16.1-14- Fix some broken tests for Python 3 * Mon Jul 16 2018 Robbie Harwood - 1.16.1-13- Zap copy of secret in RC4 string-to-key * Thu Jul 12 2018 Robbie Harwood - 1.16.1-12- Convert Python tests to Python 3 * Wed Jul 11 2018 Robbie Harwood - 1.16.1-11- Add build dependency on gcc * Tue Jul 10 2018 Robbie Harwood - 1.16.1-10- Use SHA-256 instead of MD5 for audit ticket IDs * Fri Jul 06 2018 Robbie Harwood - 1.16.1-9- Add BuildRequires on python2 so we can run tests at build-time * Fri Jul 06 2018 Robbie Harwood - 1.16.1-8- Explicitly look for python2 in configure.in * Thu Jun 14 2018 Robbie Harwood - 1.16.1-7- Add flag to disable encrypted timestamp on client * Thu Jun 14 2018 Robbie Harwood - 1.16.1-6- Switch to python3-sphinx for docs- Resolves: #1590928 * Thu Jun 14 2018 Robbie Harwood - 1.16.1-5- Make docs build python3-compatible- Resolves: #1590928 * Thu Jun 07 2018 Robbie Harwood - 1.16.1-4- Update includedir processing to match upstream * Fri Jun 01 2018 Robbie Harwood - 1.16.1-3- Log when non-root ksu authorization fails- Resolves: #1575771 * Fri May 04 2018 Robbie Harwood - 1.16.1-2- Remove \"-nodes\" option from make-certs scripts * Fri May 04 2018 Robbie Harwood - 1.16.1-1- New upstream release - 1.16.1 * Thu May 03 2018 Robbie Harwood - 1.16-27- Fix configuration of default ccache name to match file indentation * Mon Apr 30 2018 Robbie Harwood - 1.16-26- Set error message on KCM get_princ failure * Mon Apr 30 2018 Robbie Harwood - 1.16-25- Set error message on KCM get_princ failure * Tue Apr 24 2018 Robbie Harwood - 1.16-24- Fix KDC null dereference on large TGS replies * Mon Apr 23 2018 Robbie Harwood - 1.16-23- Explicitly use openssl rather than builtin crypto- Resolves: #1570910 * Tue Apr 17 2018 Robbie Harwood - 1.16-22- Merge duplicate subsections in profile library * Mon Apr 09 2018 Robbie Harwood - 1.16-21- Restrict pre-authentication fallback cases * Tue Apr 03 2018 Robbie Harwood - 1.16-20- Be more careful asking for AS key in SPAKE client * Mon Apr 02 2018 Robbie Harwood - 1.16-19- Zap data when freeing krb5_spake_factor * Thu Mar 29 2018 Robbie Harwood - 1.16-18- Continue after KRB5_CC_END in KCM cache iteration * Tue Mar 27 2018 Robbie Harwood - 1.16-17- Fix SPAKE memory leak * Tue Mar 27 2018 Robbie Harwood - 1.16-16- Fix gitignore problem with previous patchset * Tue Mar 27 2018 Robbie Harwood - 1.16-15- Add SPAKE support- Improve protections on internal sensitive buffers- Improve internal hex encoding/decoding * Tue Mar 20 2018 Robbie Harwood - 1.16-14- Fix problem with ccache_name logic in previous build * Tue Mar 20 2018 Robbie Harwood - 1.16-13- Add pkinit_anchors default value to krb5.conf- Reindent krb5.conf to not be terrible * Tue Mar 20 2018 Robbie Harwood - 1.16-12- Log preauth names in trace output- Misc bugfixes from upstream * Mon Mar 19 2018 Robbie Harwood - 1.16-11- Add PKINIT KDC support for freshness token * Wed Mar 14 2018 Robbie Harwood - 1.16-10- Exit with status 0 from kadmind * Tue Mar 13 2018 Robbie Harwood - 1.16-9- Fix hex conversion of PKINIT certid strings * Wed Mar 07 2018 Robbie Harwood - 1.16-8- Fix capaths \".\" values on client- Resolves: 1551099 * Tue Feb 13 2018 Robbie Harwood - 1.16-7- Fix flaws in LDAP DN checking- CVE-2018-5729, CVE-2018-5730 * Mon Feb 12 2018 Robbie Harwood - 1.16-6- Fix a leak in the previous commit- Restore dist macro that was accidentally removed- Resolves: #1540939 * Wed Feb 07 2018 Fedora Release Engineering - 1.16-5- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild * Sat Feb 03 2018 Igor Gnatenko - 1.16-4- Switch to %ldconfig_scriptlets * Mon Jan 29 2018 Robbie Harwood - 1.16-3- Process included directories in alphabetical order * Tue Dec 12 2017 Robbie Harwood - 1.16-2- Fix network service dependencies- Resolves: #1525230 * Wed Dec 06 2017 Robbie Harwood - 1.16-1- New upstream release (1.16)- No changes from beta2 * Mon Nov 27 2017 Robbie Harwood - 1.16-0.beta2.1- New upstream prerelease (1.16-beta2) * Tue Oct 24 2017 Robbie Harwood - 1.16-0.beta1.4- Fix CVE-2017-15088 (Buffer overflow in get_matching_data()) * Mon Oct 23 2017 Robbie Harwood - 1.16-0.beta1.3- Drop dependency on python2-pyrad (dead upstream, broken with new python) * Mon Oct 09 2017 Robbie Harwood - 1.16-0.beta1.2- Actually bump kdbversion like I was supposed to * Thu Oct 05 2017 Robbie Harwood - 1.16-0.beta1.1- New upstream prerelease (1.16-beta1) * Thu Sep 28 2017 Robbie Harwood - 1.15.2-2- Add German translation * Mon Sep 25 2017 Robbie Harwood - 1.15.2-1- New upstream release - krb5-1.15.2- Adjust patches as appropriate * Wed Sep 06 2017 Robbie Harwood - 1.15.1-28- Save other programs from worrying about CVE-2017-11462- Resolves: #1488873- Resolves: #1488874 * Tue Sep 05 2017 Robbie Harwood - 1.15.1-27- Add hostname-based ccselect module- Resolves: #1463665 * Tue Sep 05 2017 Robbie Harwood - 1.15.1-26- Backport upstream certauth EKU fixes * Fri Aug 25 2017 Robbie Harwood - 1.15.1-25- Backport certauth eku security fix * Mon Aug 21 2017 Robbie Harwood - 1.15.1-24- Backport kdc policy plugin, but this time with dependencies * Mon Aug 21 2017 Robbie Harwood - 1.15.1-23- Backport kdcpolicy interface * Wed Aug 16 2017 Robbie Harwood - 1.15.1-22 * Mon Aug 07 2017 Robbie Harwood - 1.15.1-21- Display an error message if ocsp pkinit is requested * Wed Aug 02 2017 Robbie Harwood - 1.15.1-20- Disable dns_canonicalize_hostname. This may break some setups. * Wed Aug 02 2017 Robbie Harwood - 1.15.1-19- Re-enable test suite on ppc64le (no other changes) * Wed Jul 26 2017 Fedora Release Engineering - 1.15.1-18- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild * Thu Jul 20 2017 Robbie Harwood - 1.15.1-17- Fix CVE-2017-11368 (remote triggerable assertion failure) * Wed Jul 19 2017 Robbie Harwood - 1.15.1-16- Explicitly require python2 packages * Wed Jul 19 2017 Robbie Harwood - 1.15.1-15- Add support to query the SSF of a context- Pick up rename of perl dependency * Thu Jul 06 2017 Robbie Harwood - 1.15.1-14- Fix leaks in gss_inquire_cred_by_oid() * Mon Jun 26 2017 Robbie Harwood - 1.15.1-13- Fix arch name (ppc64le, not ppc64el)- Related-to: #1464381 * Mon Jun 26 2017 Robbie Harwood - 1.15.1-12- Skip test suite on ppc64el- Related-to: #1464381 * Fri Jun 23 2017 Robbie Harwood - 1.15.1-11- Include more test suite changes from upstream- Resolves: #1464381 * Wed Jun 07 2017 Robbie Harwood - 1.15.1-10- Fix custom build with -DDEBUG * Wed May 24 2017 Robbie Harwood - 1.15.1-9- Use standard trigger logic for krb5 snippet * Fri Apr 28 2017 Robbie Harwood - 1.15.1-8- Add kprop service env config file * Wed Apr 19 2017 Robbie Harwood - 1.15.1-7- Update backports of certauth and corresponding test * Thu Apr 13 2017 Robbie Harwood - 1.15.1-6- Include fixes for previous commit- Resolves: #1433083 * Thu Apr 13 2017 Robbie Harwood - 1.15.1-5- Automatically add includedir where not present- Try removing sleep statement to see if it is still needed- Resolves: #1433083 * Fri Apr 07 2017 Robbie Harwood - 1.15.1-4- Fix use of enterprise principals with forwarding * Wed Mar 22 2017 Robbie Harwood - 1.15.1-3- Backport certauth plugin and related pkinit changes * Tue Mar 07 2017 Robbie Harwood - 1.15.1-2- Remove duplication between subpackages- Resolves: #1250228 * Fri Mar 03 2017 Robbie Harwood - 1.15.1-1- New upstream release - 1.15.1 * Wed Mar 01 2017 Robbie Harwood - 1.15-9- Patch build by disabling failing test; will fix properly soon * Fri Feb 17 2017 Robbie Harwood - 1.15-8- Hammer refresh around transient rawhide issue * Fri Feb 17 2017 Robbie Harwood - 1.15-7- Backport fix for GSSAPI fallback realm * Tue Feb 07 2017 Robbie Harwood - 1.15-6- Move krb5-kdb-version provides from -libs to -devel * Fri Jan 20 2017 Robbie Harwood - 1.15-5- Add free hook to KDB; increments KDB version- Add KDB version flag * Mon Dec 05 2016 Robbie Harwood - 1.15-4- New upstream release * Wed Nov 16 2016 Robbie Harwood - 1.15-beta2-3- New upstream release * Thu Nov 10 2016 Robbie Harwood - 1.15-beta1-2- Ensure we can build with the new CFLAGS- Remove the git versioning in patches * Thu Oct 20 2016 Robbie Harwood - 1.15-beta1-1- New upstream release- Update selinux with RHEL hygene- Resolves: #1314096 * Tue Oct 11 2016 Tomáš Mráz - 1.14.4-6- rebuild with OpenSSL 1.1.0, added backported upstream patch * Fri Sep 30 2016 Robbie Harwood - 1.14.4-5- Properly close krad sockets- Resolves: #1380836 * Fri Sep 30 2016 Robbie Harwood - 1.14.4-4- Fix backward check in kprop.service * Fri Sep 30 2016 Robbie Harwood - 1.14.4-3- Switch to using autosetup macro. - Patches come from git, so it is easiest to just make a git repo * Thu Sep 22 2016 Robbie Harwood - 1.14.4-2- Backport getrandom() support- Remove patch numbering * Mon Sep 19 2016 Robbie Harwood - 1.14.4-1- New upstream release- Update names and numbers to match external git * Mon Sep 19 2016 Robbie Harwood - 1.14.3-9- Add krb5_db_register_keytab- Resolves: #1376812 * Mon Aug 29 2016 Robbie Harwood - 1.14.3-8- Use responder for non-preauth AS requests- Resolves: #1370622 * Mon Aug 29 2016 Robbie Harwood - 1.14.3-7- Guess Samba client mutual flag using ap_option- Resolves: #1370980 * Thu Aug 25 2016 Robbie Harwood - 1.14.3-6- Fix KDC return code and set prompt types for OTP client preauth- Resolves: #1370072 * Mon Aug 15 2016 Robbie Harwood - 1.14.3-5- Turn OFD locks back on with glibc workaround- Resolves: #1274922 * Wed Aug 10 2016 Robbie Harwood - 1.14.3-4- Fix use of KKDCPP with SNI- Resolves: #1365027 * Fri Aug 05 2016 Robbie Harwood - 1.14.3-3- Make krb5-devel depend on libkadm5- Resolves: #1364487 * Wed Aug 03 2016 Robbie Harwood - 1.14.3-2- Up-port a bunch of stuff from the el-7.3 cycle- Resolves: #1255450, #1314989 * Mon Aug 01 2016 Robbie Harwood - 1.14.3-1- New upstream version 1.14.3 * Thu Jul 28 2016 Robbie Harwood - 1.14.1-9- Fix CVE-2016-3120- Resolves: #1361051 * Wed Jun 22 2016 Robbie Harwood - 1.14.1-8- Fix incorrect recv() size calculation in libkrad * Thu Jun 16 2016 Robbie Harwood - 1.14.1-7- Separate out the kadm5 libs * Fri May 27 2016 Robbie Harwood - 1.14.1-6- Fix setting of AS key in OTP preauth failure * Tue Apr 05 2016 Robbie Harwood - 1.14.1-5- Use the correct patches this time.- Resolves: #1321135 * Mon Apr 04 2016 Robbie Harwood - 1.14.1-4- Add send/receive sendto_kdc hooks and corresponding tests- Resolves: #1321135 * Fri Mar 18 2016 Robbie Harwood - 1.14.1-3- Fix CVE-2016-3119 (NULL deref in LDAP module) * Thu Mar 17 2016 Robbie Harwood - 1.14.1-2- Backport OID mech fix- Resolves: #1317609 * Mon Feb 29 2016 Robbie Harwood - 1.14.1-1- New rawhide, new upstream version- Drop CVE patches- Rename fix_interposer.patch to acquire_cred_interposer.patch- Update acquire_cred_interposer.patch to apply to new source * Mon Feb 22 2016 Robbie Harwood - 1.14-23- Fix log file permissions patch with our selinux- Resolves: #1309421 * Fri Feb 19 2016 Robbie Harwood - 1.14-22- Backport my interposer fixes from upstream - Supersedes krb5-mechglue_inqure_attrs.patch * Tue Feb 16 2016 Robbie Harwood - 1.14-21- Adjust dependency on crypto-polices to be just the file we want- Patch courtesy of lslebodn- Resolves: #1308984 * Thu Feb 04 2016 Fedora Release Engineering - 1.14-20- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild * Thu Jan 28 2016 Robbie Harwood - 1.14-19- Replace _kadmin/_kprop with systemd macros- Remove traces of upstart from fedora package per policy- Resolves: #1290185 * Wed Jan 27 2016 Robbie Harwood - 1.14-18- Fix CVE-2015-8629, CVE-2015-8630, CVE-2015-8631 * Thu Jan 21 2016 Robbie Harwood - 1.14-17- Make krb5kdc.log not world-readable by default- Resolves: #1276484 * Thu Jan 21 2016 Robbie Harwood - 1.14-16- Allow verification of attributes on krb5.conf * Wed Jan 20 2016 Robbie Harwood - 1.14-15- Use \"new\" systemd macros for service handling. (Thanks vpavlin!)- Resolves: #850399 * Wed Jan 20 2016 Robbie Harwood - 1.14-14- Remove WITH_NSS macro (always false)- Remove WITH_SYSTEMD macro (always true)- Remove WITH_LDAP macro (always true)- Remove WITH_OPENSSL macro (always true) * Fri Jan 08 2016 Robbie Harwood - 1.14-13- Backport fix for chrome crash in spnego_gss_inquire_context- Resolves: #1295893 * Wed Dec 16 2015 Robbie Harwood - 1.14-12- Backport patch to fix mechglue for gss_inqure_attrs_for_mech() * Thu Dec 03 2015 Robbie Harwood - 1.14-11- Backport interposer fix (#1284985)- Drop workaround pwsize initialization patch (gcc has been fixed) * Tue Nov 24 2015 Robbie Harwood - 1.14-10- Fix FTBFS by no longer working around bug in nss_wrapper * Mon Nov 23 2015 Robbie Harwood - 1.14-9- Upstream release. No actual change from beta, just version bump- Clean up unused parts of spec file * Mon Nov 16 2015 Robbie Harwood - 1.14-beta2-8- New upstream beta version * Wed Nov 04 2015 Robbie Harwood - 1.14-beta1-7- Patch CVE-2015-2698 * Tue Oct 27 2015 Robbie Harwood - 1.14-beta1-6- Patch CVE-2015-2697, CVE-2015-2696, CVE-2015-2695 * Thu Oct 22 2015 Robbie Harwood - 1.14-beta1-5- Ensure pwsize is initialized in chpass_util.c * Thu Oct 22 2015 Robbie Harwood - 1.14-beta1-4- Fix typo of crypto-policies file in previous version * Mon Oct 19 2015 Robbie Harwood - 1.14-beta1-3- Start using crypto-policies * Mon Oct 19 2015 Robbie Harwood - 1.14-beta1-2- TEMPORARILY disable usage of OFD locks as a workaround for x86 * Thu Oct 15 2015 Robbie Harwood - 1.14-beta1-1- New upstream beta version * Thu Oct 08 2015 Robbie Harwood - 1.13.2-13- Work around KDC client prinicipal in referrals issue (#1259844) * Thu Oct 01 2015 Robbie Harwood - 1.13.2-12- Enable building with bad system /etc/krb5.conf * Wed Sep 23 2015 Robbie Harwood - 1.13.2-11- Drop dependency on pax, ksh- Remove support for fedora < 20 * Wed Sep 23 2015 Robbie Harwood - 1.13.2-10- Nix /usr/share/krb5.conf.d to reduce complexity * Wed Sep 23 2015 Robbie Harwood - 1.13.2-9- Depend on crypto-policies which provides /etc/krb5.conf.d (#1225792) * Thu Sep 10 2015 Robbie Harwood - 1.13.2-8- Remove dependency on systemd-sysv which is no longer needed for fedora > 20 This also fixes a fail-to-build issue.- Miscalaneous spec cleanup fixes * Thu Sep 10 2015 Robbie Harwood - 1.13.2-7- Support config snippets in /etc/krb5.conf.d/ and /usr/share/krb5.conf.d/ (#1225792, #1146370, #1145808) * Thu Jun 25 2015 Roland Mainz - 1.13.2-6- Use system nss_wrapper and socket_wrapper for testing. Patch by Andreas Schneider * Thu Jun 25 2015 Roland Mainz - 1.13.2-5- Remove Zanata test glue and related workarounds - Bug #1234292 (\"IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind\") - Bug #1234326 (\"krb5-server introduces new rpm dependency on ksh\") * Thu Jun 18 2015 Roland Mainz - 1.13.2-4- Fix dependicy on binfmt.service * Wed Jun 17 2015 Fedora Release Engineering - 1.13.2-3- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild * Tue Jun 02 2015 Roland Mainz - 1.13.2-2- Add patch to fix Redhat Bug #1227542 (\"[SELinux] AVC denials may appear when kadmind starts\"). The issue was caused by an unneeded |htons()| which triggered SELinux AVC denials due to the \"random\" port usage. * Thu May 21 2015 Roland Mainz - 1.13.2-1- Add fix for RedHat Bug #1164304 (\"Upstream unit tests loads the installed shared libraries instead the ones from the build\") * Thu May 14 2015 Roland Mainz - 1.13.2-0- Update to krb5-1.13.2 - drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2 - drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2- Add script processing for upcoming Zanata l10n support- Minor spec cleanup * Mon May 04 2015 Roland Mainz - 1.13.1-4- fix for CVE-2015-2694 (#1216133) \"requires_preauth bypass in PKINIT-enabled KDC\". In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal\'s long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user\'s password. * Wed Mar 25 2015 Roland Mainz - 1.13.1-3- Add temporay workaround for RH bug #1204646 (\"krb5-config returns wrong -specs path\") which modifies krb5-config post build so that development of krb5 dependicies gets unstuck. This MUST be removed before rawhide becomes F23 ... * Thu Mar 19 2015 Roland Mainz - 1.13.1-2- fix for CVE-2014-5355 (#1193939) \"krb5: unauthenticated denial of service in recvauth_common() and others\" * Fri Feb 13 2015 Roland Mainz - 1.13.1-1- Update to krb5-1.13.1 - drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1 - drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1 - drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1- Minor spec cleanup * Wed Feb 04 2015 Roland Mainz - 1.13-8- fix for CVE-2014-5352 (#1179856) \"gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)\"- fix for CVE-2014-9421 (#1179857) \"kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)\"- fix for CVE-2014-9422 (#1179861) \"kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)\"- fix for CVE-2014-9423 (#1179863) \"libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)\" * Wed Feb 04 2015 Roland Mainz - 1.13-7- Remove \"python-sphinx-latex\" and \"tar\" from the build requirements to fix build failures on F22 machines.- Minor spec cleanup * Mon Feb 02 2015 Nathaniel McCallum - 1.13-6- Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED (RT#8063) * Mon Jan 26 2015 Roland Mainz - 1.13-5- fix for kinit -C loops (#1184629, MIT/krb5 issue 243, \"Do not loop on principal unknown errors\").- Added \"python-sphinx-latex\" to the build requirements to fix build failures on F22 machines. * Thu Dec 18 2014 Roland Mainz - 1.13-4- fix for CVE-2014-5354 (#1174546) \"krb5: NULL pointer dereference when using keyless entries\" * Wed Dec 17 2014 Roland Mainz - 1.13-3- fix for CVE-2014-5353 (#1174543) \"Fix LDAP misused policy name crash\" * Wed Oct 29 2014 Roland Mainz - 1.13-2- Bump 1%{?dist} to 2%{?dist} to workaround RPM sort issue which would lead yum updates to treat the last alpha as newer than the final version. * Wed Oct 29 2014 Roland Mainz - 1.13-1- Update from krb5-1.13-alpha1 to final krb5-1.13- Removed patch for CVE-2014-5351 (#1145425) \"krb5: current keys returned when randomizing the keys for a service principal\" - now part of upstream sources- Use patch for glibc |eventfd()| prototype mismatch (#1147887) only for Fedora > 20 * Tue Sep 30 2014 Roland Mainz - 1.13-0.alpha1.3- fix build failure caused by change of prototype for glibc |eventfd()| (#1147887) * Mon Sep 29 2014 Roland Mainz - 1.13-0.alpha1.3- fix for CVE-2014-5351 (#1145425) \"krb5: current keys returned when randomizing the keys for a service principal\" * Mon Sep 08 2014 Nalin Dahyabhai - 1.13-0.alpha1.3- fix the problem where the %license file has been a dangling symlink * Tue Aug 26 2014 Nalin Dahyabhai - 1.13-0.alpha1.2- kpropd hasn\'t bothered with -S since 1.11; stop trying to use that flag in the systemd unit file * Fri Aug 22 2014 Nalin Dahyabhai - 1.13-0.alpha1.1- update to 1.13 alpha1 - drop upstreamed and backported patches * Wed Aug 20 2014 Nalin Dahyabhai - 1.12.2-3- pull in upstream fix for an incorrect check on the value returned by a strdup() call (#1132062) * Sun Aug 17 2014 Fedora Release Engineering - 1.12.2-2- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild * Fri Aug 15 2014 Nalin Dahyabhai - 1.12.2-1- update to 1.12.2 - drop patch for RT#7820, fixed in 1.12.2 - drop patch for #231147, fixed as RT#3277 in 1.12.2 - drop patch for RT#7818, fixed in 1.12.2 - drop patch for RT#7836, fixed in 1.12.2 - drop patch for RT#7858, fixed in 1.12.2 - drop patch for RT#7924, fixed in 1.12.2 - drop patch for RT#7926, fixed in 1.12.2 - drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2 - drop patch for CVE-2014-4343, included in 1.12.2 - drop patch for CVE-2014-4344, included in 1.12.2 - drop patch for CVE-2014-4345, included in 1.12.2- replace older proposed changes for ksu with backports of the changes after review and merging upstream (#1015559, #1026099, #1118347) * Thu Aug 07 2014 Nalin Dahyabhai - 1.12.1-14- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345) * Mon Jul 21 2014 Nalin Dahyabhai - 1.12.1-13- gssapi: pull in upstream fix for a possible NULL dereference in spnego (CVE-2014-4344) * Wed Jul 16 2014 Nalin Dahyabhai - 1.12.1-12- gssapi: pull in proposed fix for a double free in initiators (David Woodhouse, CVE-2014-4343, #1117963) * Sat Jul 12 2014 Tom Callaway - 1.12.1-11- fix license handling * Mon Jul 07 2014 Nalin Dahyabhai - 1.12.1-10- pull in fix for denial of service by injection of malformed GSSAPI tokens (CVE-2014-4341, CVE-2014-4342, #1116181) * Tue Jun 24 2014 Nalin Dahyabhai - 1.12.1-9- pull in changes from upstream which add processing of the contents of /etc/gss/mech.d/ *.conf when loading GSS modules (#1102839) * Thu Jun 12 2014 Nalin Dahyabhai - 1.12.1-8- pull in fix for building against tcl 8.6 (#1107061) * Sun Jun 08 2014 Fedora Release Engineering - 1.12.1-7- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild * Tue Mar 04 2014 Nathaniel McCallum - 1.12.1-6- Backport fix for change password requests when using FAST (RT#7868) * Mon Feb 17 2014 Nalin Dahyabhai - 1.12.1-5- spnego: pull in patch from master to restore preserving the OID of the mechanism the initiator requested when we have multiple OIDs for the same mechanism, so that we reply using the same mechanism OID and the initiator doesn\'t get confused (#1066000, RT#7858) * Fri Feb 07 2014 Nalin Dahyabhai - 1.12.1-4- pull in patch from master to move the default directory which the KDC uses when computing the socket path for a local OTP daemon from the database directory (/var/kerberos/krb5kdc) to the newly-added run directory (/run/krb5kdc), in line with what we\'re expecting in 1.13 (RT#7859, more of #1040056 as #1063905)- add a tmpfiles.d configuration file to have /run/krb5kdc created at boot-time- own /var/run/krb5kdc * Fri Jan 31 2014 Nalin Dahyabhai - 1.12.1-3- refresh nss_wrapper and add socket_wrapper to the %check environment * Fri Jan 31 2014 Nalin Dahyabhai - add currently-proposed changes to teach ksu about credential cache collections and the default_ccache_name setting (#1015559,#1026099) * Tue Jan 21 2014 Nalin Dahyabhai - 1.12.1-2- pull in multiple changes to allow replay caches to be added to a GSS credential store as \"rcache\"-type credentials (RT#7818/#7819/#7836, * Fri Jan 17 2014 Nalin Dahyabhai - 1.12.1-1- update to 1.12.1 - drop patch for RT#7794, included now - drop patch for RT#7797, included now - drop patch for RT#7803, included now - drop patch for RT#7805, included now - drop patch for RT#7807, included now - drop patch for RT#7045, included now - drop patches for RT#7813 and RT#7815, included now - add patch to always retrieve the KDC time offsets from keyring caches, so that we don\'t mistakenly interpret creds as expired before their time when our clock is ahead of the KDC\'s (RT#7820, #1030607) * Mon Jan 13 2014 Nalin Dahyabhai - 1.12-11- update the PIC patch for iaesx86.s to not use ELF relocations to the version that landed upstream (RT#7815, #1045699) * Thu Jan 09 2014 Nalin Dahyabhai - pass -Wl,--warn-shared-textrel to the compiler when we\'re creating shared libraries * Thu Jan 09 2014 Nalin Dahyabhai - 1.12-10- amend the PIC patch for iaesx86.s to also save/restore ebx in the functions where we modify it, because the ELF spec says we need to * Mon Jan 06 2014 Nalin Dahyabhai - 1.12-9- grab a more-commented version of the most recent patch from upstream master- make a guess at making the 32-bit AES-NI implementation sufficiently position-independent to not require execmod permissions for libk5crypto (more of #1045699) * Thu Jan 02 2014 Nalin Dahyabhai - 1.12-8- add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack on arches where they\'re used (#1045699, and so many others) | |