SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for krb5-server-1.21.2-2.2.x86_64.rpm :

* Wed Dec 20 2023 Dirk Müller - update to 1.21.2 (bsc#1218211, CVE-2023-39975):
* Fix double-free in KDC TGS processing [CVE-2023-39975].
* Sat Jul 15 2023 Dirk Müller - update to 1.21.1 (CVE-2023-36054):
* Fix potential uninitialized pointer free in kadm5 XDR parsing [CVE-2023-36054].
* Added a credential cache type providing compatibility with the macOS 11 native credential cache.
* libkadm5 will use the provided krb5_context object to read configuration values, instead of creating its own.
* Added an interface to retrieve the ticket session key from a GSS context.
* The KDC will no longer issue tickets with RC4 or triple-DES session keys unless explicitly configured with the new allow_rc4 or allow_des3 variables respectively.
* The KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes string attribute.
* Support for PAC full KDC checksums has been added to mitigate an S4U2Proxy privilege escalation attack.
* The PKINIT client will advertise a more modern set of supported CMS algorithms.
* Removed unused code in libkrb5, libkrb5support, and the PKINIT module.
* Modernized the KDC code for processing TGS requests, the code for encrypting and decrypting key data, the PAC handling code, and the GSS library packet parsing and composition code.
* Improved the test framework\'s detection of memory errors in daemon processes when used with asan.
* Thu May 04 2023 Frederic Crozat - Add _multibuild to define additional spec files as additional flavors. Eliminates the need for source package links in OBS.
* Fri Mar 03 2023 Samuel Cabrero - Update 0007-SELinux-integration.patch for SELinux 3.5; (bsc#1208887);
* Tue Dec 27 2022 Stefan Schubert - Migration of PAM settings to /usr/lib/pam.d
* Tue Dec 13 2022 Samuel Cabrero - Drop 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch, already fixed in release 1.20.0
* Wed Nov 16 2022 Samuel Cabrero - Update to 1.20.1; (bsc#1205126); (CVE-2022-42898);
* Fix integer overflows in PAC parsing [CVE-2022-42898].
* Fix null deref in KDC when decoding invalid NDR.
* Fix memory leak in OTP kdcpreauth module.
* Fix PKCS11 module path search.
* Sun May 29 2022 Dirk Müller - update to 1.20.0:
* Added a \"disable_pac\" realm relation to suppress adding PAC authdata to tickets, for realms which do not need to support S4U requests.
* Most credential cache types will use atomic replacement when a cache is reinitialized using kinit or refreshed from the client keytab.
* kprop can now propagate databases with a dump size larger than 4GB, if both the client and server are upgraded.
* kprop can now work over NATs that change the destination IP address, if the client is upgraded.
* Updated the KDB interface. The sign_authdata() method is replaced with the issue_pac() method, allowing KDB modules to add logon info and other buffers to the PAC issued by the KDC.
* Host-based initiator names are better supported in the GSS krb5 mechanism.
* Replaced AD-SIGNEDPATH authdata with minimal PACs.
* To avoid spurious replay errors, password change requests will not be attempted over UDP until the attempt over TCP fails.
* PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
* Updated all code using OpenSSL to be compatible with OpenSSL 3.
* Reorganized the libk5crypto build system to allow the OpenSSL back-end to pull in material from the builtin back-end depending on the OpenSSL version.
* Simplified the PRNG logic to always use the platform PRNG.
* Converted the remaining Tcl tests to Python.
* Sat Apr 09 2022 Dirk Müller - update to 1.19.3 (bsc#1189929, CVE-2021-37750):
* Fix a denial of service attack against the KDC [CVE-2021-37750].
* Fix KDC null deref on TGS inner body null server
* Fix conformance issue in GSSAPI tests
* Thu Jan 27 2022 David Mulder - Resolve \"Credential cache directory /run/user/0/krb5cc does not exist while opening default credentials cache\" by using a kernel keyring instead of a dir cache; (bsc#1109830);
* Thu Sep 30 2021 Johannes Segitz - Added hardening to systemd services; (bsc#1181400);
* Mon Aug 30 2021 Samuel Cabrero - Fix KDC null pointer dereference via a FAST inner body that lacks a server field; (CVE-2021-37750); (bsc#1189929);- Added patches:
* 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
* Mon Aug 02 2021 Samuel Cabrero - Update to 1.19.2
* Fix a denial of service attack against the KDC encrypted challenge code; (CVE-2021-36222);
* Fix a memory leak when gss_inquire_cred() is called without a credential handle.
* Mon May 03 2021 Rodrigo Lourenço - Build with full Cyrus SASL support
* Negotiating SASL credentials with an EXTERNAL bind mechanism requires interaction. Kerberos provides its own interaction function that skips all interaction, thus preventing the mechanism from working.
* Thu Apr 22 2021 Samuel Cabrero - Use /run instead of /var/run for daemon PID files; (bsc#1185163);
* Wed Apr 07 2021 Dirk Müller - do not own %sbindir, it comes from filesystem package
* Fri Feb 19 2021 Samuel Cabrero - Update to 1.19.1
* Fix a linking issue with Samba.
* Better support multiple pkinit_identities values by checking whether certificates can be loaded for each value.
* Fri Feb 05 2021 Samuel Cabrero - Update to 1.19 Administrator experience
* When a client keytab is present, the GSSAPI krb5 mech will refresh credentials even if the current credentials were acquired manually.
* It is now harder to accidentally delete the K/M entry from a KDB. Developer experience
* gss_acquire_cred_from() now supports the \"password\" and \"verify\" options, allowing credentials to be acquired via password and verified using a keytab key.
* When an application accepts a GSS security context, the new GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor both provided matching channel bindings.
* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests to identify the desired client principal by certificate.
* PKINIT certauth modules can now cause the hw-authent flag to be set in issued tickets.
* The krb5_init_creds_step() API will now issue the same password expiration warnings as krb5_get_init_creds_password(). Protocol evolution
* Added client and KDC support for Microsoft\'s Resource-Based Constrained Delegation, which allows cross-realm S4U2Proxy requests. A third-party database module is required for KDC support.
* kadmin/admin is now the preferred server principal name for kadmin connections, and the host-based form is no longer created by default. The client will still try the host-based form as a fallback.
* Added client and server support for Microsoft\'s KERB_AP_OPTIONS_CBT extension, which causes channel bindings to be required for the initiator if the acceptor provided them. The client will send this option if the client_aware_gss_bindings profile option is set. User experience
* kinit will now issue a warning if the des3-cbc-sha1 encryption type is used in the reply. This encryption type will be deprecated and removed in future releases.
* Added kvno flags --out-cache, --no-store, and --cached-only (inspired by Heimdal\'s kgetcred).
 
ICM