SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for krb5-server-1.20.1-4.41.x86_64.rpm :

* Tue Dec 13 2022 Samuel Cabrero - Drop 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch, already fixed in release 1.20.0
* Wed Nov 16 2022 Samuel Cabrero - Update to 1.20.1; (bsc#1205126); (CVE-2022-42898);
* Fix integer overflows in PAC parsing [CVE-2022-42898].
* Fix null deref in KDC when decoding invalid NDR.
* Fix memory leak in OTP kdcpreauth module.
* Fix PKCS11 module path search.
* Sun May 29 2022 Dirk Müller - update to 1.20.0:
* Added a \"disable_pac\" realm relation to suppress adding PAC authdata to tickets, for realms which do not need to support S4U requests.
* Most credential cache types will use atomic replacement when a cache is reinitialized using kinit or refreshed from the client keytab.
* kprop can now propagate databases with a dump size larger than 4GB, if both the client and server are upgraded.
* kprop can now work over NATs that change the destination IP address, if the client is upgraded.
* Updated the KDB interface. The sign_authdata() method is replaced with the issue_pac() method, allowing KDB modules to add logon info and other buffers to the PAC issued by the KDC.
* Host-based initiator names are better supported in the GSS krb5 mechanism.
* Replaced AD-SIGNEDPATH authdata with minimal PACs.
* To avoid spurious replay errors, password change requests will not be attempted over UDP until the attempt over TCP fails.
* PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
* Updated all code using OpenSSL to be compatible with OpenSSL 3.
* Reorganized the libk5crypto build system to allow the OpenSSL back-end to pull in material from the builtin back-end depending on the OpenSSL version.
* Simplified the PRNG logic to always use the platform PRNG.
* Converted the remaining Tcl tests to Python.
* Sat Apr 09 2022 Dirk Müller - update to 1.19.3 (bsc#1189929, CVE-2021-37750):
* Fix a denial of service attack against the KDC [CVE-2021-37750].
* Fix KDC null deref on TGS inner body null server
* Fix conformance issue in GSSAPI tests
* Thu Jan 27 2022 David Mulder - Resolve \"Credential cache directory /run/user/0/krb5cc does not exist while opening default credentials cache\" by using a kernel keyring instead of a dir cache; (bsc#1109830);
* Thu Sep 30 2021 Johannes Segitz - Added hardening to systemd services; (bsc#1181400);
* Mon Aug 30 2021 Samuel Cabrero - Fix KDC null pointer dereference via a FAST inner body that lacks a server field; (CVE-2021-37750); (bsc#1189929);- Added patches:
* 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
* Mon Aug 02 2021 Samuel Cabrero - Update to 1.19.2
* Fix a denial of service attack against the KDC encrypted challenge code; (CVE-2021-36222);
* Fix a memory leak when gss_inquire_cred() is called without a credential handle.
* Mon May 03 2021 Rodrigo Lourenço - Build with full Cyrus SASL support
* Negotiating SASL credentials with an EXTERNAL bind mechanism requires interaction. Kerberos provides its own interaction function that skips all interaction, thus preventing the mechanism from working.
* Thu Apr 22 2021 Samuel Cabrero - Use /run instead of /var/run for daemon PID files; (bsc#1185163);
* Wed Apr 07 2021 Dirk Müller - do not own %sbindir, it comes from filesystem package
* Fri Feb 19 2021 Samuel Cabrero - Update to 1.19.1
* Fix a linking issue with Samba.
* Better support multiple pkinit_identities values by checking whether certificates can be loaded for each value.
* Fri Feb 05 2021 Samuel Cabrero - Update to 1.19 Administrator experience
* When a client keytab is present, the GSSAPI krb5 mech will refresh credentials even if the current credentials were acquired manually.
* It is now harder to accidentally delete the K/M entry from a KDB. Developer experience
* gss_acquire_cred_from() now supports the \"password\" and \"verify\" options, allowing credentials to be acquired via password and verified using a keytab key.
* When an application accepts a GSS security context, the new GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor both provided matching channel bindings.
* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests to identify the desired client principal by certificate.
* PKINIT certauth modules can now cause the hw-authent flag to be set in issued tickets.
* The krb5_init_creds_step() API will now issue the same password expiration warnings as krb5_get_init_creds_password(). Protocol evolution
* Added client and KDC support for Microsoft\'s Resource-Based Constrained Delegation, which allows cross-realm S4U2Proxy requests. A third-party database module is required for KDC support.
* kadmin/admin is now the preferred server principal name for kadmin connections, and the host-based form is no longer created by default. The client will still try the host-based form as a fallback.
* Added client and server support for Microsoft\'s KERB_AP_OPTIONS_CBT extension, which causes channel bindings to be required for the initiator if the acceptor provided them. The client will send this option if the client_aware_gss_bindings profile option is set. User experience
* kinit will now issue a warning if the des3-cbc-sha1 encryption type is used in the reply. This encryption type will be deprecated and removed in future releases.
* Added kvno flags --out-cache, --no-store, and --cached-only (inspired by Heimdal\'s kgetcred).
* Thu Nov 19 2020 Samuel Cabrero - Update to 1.18.3
* Fix a denial of service vulnerability when decoding Kerberos protocol messages; (CVE-2020-28196); (bsc#1178512);
* Fix a locking issue with the LMDB KDB module which could cause KDC and kadmind processes to lose access to the database.
* Fix an assertion failure when libgssapi_krb5 is repeatedly loaded and unloaded while libkrb5support remains loaded.
* Tue Jul 07 2020 Andreas Schwab - Don\'t fail if %{_lto_cflags} is empty
* Fri Jun 12 2020 Dominique Leuenberger - Do not mangle libexecdir, bindir, sbindir and datadir: there is no reasonable justification to step out of the defaults. + No longer install csh/sh profiles into /etc/profiles.d: as we not install to default paths, there is no need to further inject paths into $PATH; also, now sbin binaries are only in path for admin users.
* Fri May 29 2020 Samuel Cabrero - Update to 1.18.2
* Fix a SPNEGO regression where an acceptor using the default credential would improperly filter mechanisms, causing a negotiation failure.
* Fix a bug where the KDC would fail to issue tickets if the local krbtgt principal\'s first key has a single-DES enctype.
* Add stub functions to allow old versions of OpenSSL libcrypto to link against libkrb5.
* Fix a NegoEx bug where the client name and delegated credential might not be reported.
* Thu May 28 2020 Samuel Cabrero - Update logrotate script, call systemd to reload the services instead of init-scripts. (boo#1169357)
* Tue May 26 2020 Christophe Giboudeaux - Don\'t add the lto flags to the public link options. (boo#1172038)
* Mon May 04 2020 Samuel Cabrero - Upgrade to 1.18.1
* Fix a crash when qualifying short hostnames when the system has no primary DNS domain.
* Fix a regression when an application imports \"serviceAATT\" as a GSS host-based name for its acceptor credential handle.
* Fix KDC enforcement of auth indicators when they are modified by the KDB module.
* Fix removal of require_auth string attributes when the LDAP KDB module is used.
* Fix a compile error when building with musl libc on Linux.
* Fix a compile error when building with gcc 4.x.
* Change the KDC constrained delegation precedence order for consistency with Windows KDCs.- Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch
* Wed Apr 29 2020 Dominique Leuenberger - Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d notation: libexecdir is likely changing away from /usr/lib to /usr/libexec.
* Wed Mar 25 2020 Samuel Cabrero - Fix segfault in k5_primary_domain; (bsc#1167620);- Added patches:
* 0009-Fix-null-dereference-qualifying-short-hostnames.patch
* Tue Feb 25 2020 Tomáš Chvátal - Remove cruft to support distributions older than SLE 12- Use macros where applicable- Switch to pkgconfig style dependencies
* Mon Feb 17 2020 Samuel Cabrero - Upgrade to 1.18 Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with \".rcache2\" by default.
* setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context().
* Add an \"enforce_ok_as_delegate\" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes. Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account name from a PAC. Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.)
* Remove support for an old (\"draft 9\") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.) User experience:
* Add support for \"dns_canonicalize_hostname=fallback\", causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system\'s first DNS search path as a suffix. Add a \"qualify_shortname\" krb5.conf relation to override this suffix or disable expansion.
* Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios. Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested.- Updated patches:
* 0002-krb5-1.9-manpaths.patch
* 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* 0005-krb5-1.6.3-ktutil-manpage.patch
* 0006-krb5-1.12-api.patch- Renamed patches:
* 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
* 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
* 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
* 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch- Deleted patches:
* 0007-krb5-1.12-ksu-path.patch
 
ICM