#
# spec file for package krb5
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#



%define build_mini 0
%define srcRoot krb5-1.13.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir  %{_defaultdocdir}/krb5

Name:           krb5
Url:            http://web.mit.edu/kerberos/www/
BuildRequires:  autoconf
BuildRequires:  bison
BuildRequires:  keyutils
BuildRequires:  keyutils-devel
BuildRequires:  libcom_err-devel
BuildRequires:  libselinux-devel
BuildRequires:  ncurses-devel
Version:        1.13.2
Release:        171.1
Summary:        MIT Kerberos5 Implementation--Libraries
License:        MIT
Group:          Productivity/Networking/Security
Obsoletes:      krb5-plugin-preauth-pkinit-nss
BuildRequires:  libverto-devel
%if ! 0%{?build_mini}
BuildRequires:  doxygen
BuildRequires:  libopenssl-devel
BuildRequires:  openldap2-devel
BuildRequires:  pam-devel
BuildRequires:  python-Cheetah
BuildRequires:  python-Sphinx
BuildRequires:  python-libxml2
BuildRequires:  python-lxml
%if 0%{?suse_version} >= 1210
BuildRequires:  pkgconfig(systemd)
%{?systemd_requires}
%else
PreReq:         %insserv_prereq 
%endif
# bug437293
%ifarch ppc64
Obsoletes:      krb5-64bit
%endif
Conflicts:      krb5-mini
%else # -mini
Conflicts:      krb5
Conflicts:      krb5-client
Conflicts:      krb5-server
Conflicts:      krb5-plugin-kdb-ldap
Conflicts:      krb5-plugin-preauth-pkinit
Conflicts:      krb5-plugin-preauth-otp
%endif
# both tar.gz and .tar.gz.asc extracted from the http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# Source42 is the detached signature for the tarball and Source43 the keyring
# it is meant to be checked against.
# NOTE(review): no command in this spec's prep section verifies the signature,
# so the check has to happen in the packaging service or by hand before
# check-in -- confirm. The download location above is plain http, which leaves
# the signature as the integrity check on the tarball.
Source:         krb5-%{version}.tar.gz
Source42:       krb5-%version.tar.gz.asc
Source43:       krb5.keyring
# Source1 carries the distribution's own config, unit/init, firewall and
# logrotate files that the install section copies into place.
Source1:        vendor-files.tar.bz2
Source2:        baselibs.conf
Source5:        krb5-rpmlintrc
# Patch1-14: distribution patches carried across upstream releases.
Patch1:         krb5-1.12-pam.patch
Patch2:         krb5-1.9-manpaths.dif
Patch3:         krb5-1.12-buildconf.patch
Patch4:         krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6:         krb5-1.6.3-ktutil-manpage.dif
Patch7:         krb5-1.7-doublelog.patch
Patch8:         krb5-1.12-api.patch
Patch11:        krb5-1.12-ksu-path.patch
# NOTE(review): Patch12 is declared here but its apply line in the prep
# section is commented out, so the SELinux labelling change is not built in.
Patch12:        krb5-1.12-selinux-label.patch
Patch13:        krb5-1.9-debuginfo.patch
Patch14:        krb5-kvno-230379.patch
# Patch100-103: security fixes, each named after the CVE it addresses.
Patch100:       0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
Patch101:       0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
Patch102:       0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
Patch103:       0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
PreReq:         mktemp, grep, /bin/touch, coreutils
PreReq:         %fillup_prereq 

%description
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords.

%if ! %{build_mini}

%package client
Conflicts:      krb5-mini
Summary:        MIT Kerberos5 implementation - client programs
Group:          Productivity/Networking/Security

%description client
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes some required
client programs, like kinit, kadmin, ...

%package server
Summary:        MIT Kerberos5 implementation - server
Group:          Productivity/Networking/Security
Requires:       cron
Requires:       libverto-libev1
Requires:       logrotate
Requires:       perl-Date-Calc
%{?systemd_requires}
PreReq:         %insserv_prereq %fillup_prereq

%description server
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes the kdc, kadmind
and more.

%package plugin-kdb-ldap
Summary:        MIT Kerberos5 Implementation--LDAP Database Plugin
Group:          Productivity/Networking/Security
Requires:       krb5-server = %{version}

%description plugin-kdb-ldap
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords. This package contains the LDAP
database plugin.

%package plugin-preauth-pkinit
Summary:        MIT Kerberos5 Implementation--PKINIT preauth Plugin
Group:          Productivity/Networking/Security

%description plugin-preauth-pkinit
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.

%package plugin-preauth-otp
Summary:        MIT Kerberos5 Implementation--OTP preauth Plugin
Group:          Productivity/Networking/Security

%description plugin-preauth-otp
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes an OTP plugin.

%package doc
Summary:        MIT Kerberos5 Implementation--Documentation
Group:          Documentation/Other

%description doc
Kerberos V5 is a trusted-third-party network authentication
system, which can improve your network's security by eliminating the
insecure practice of clear text passwords. This package includes
extended documentation for MIT Kerberos.

%endif #! build_mini

%package devel
Summary:        MIT Kerberos5 - Include Files and Libraries
Group:          Development/Libraries/C and C++
PreReq:         %{name} = %{version}
Requires:       keyutils-devel
Requires:       libcom_err-devel
Requires:       libverto-devel
# bug437293
%ifarch ppc64
Obsoletes:      krb5-devel-64bit
%endif
%if %{build_mini}
Provides:       krb5-devel = %{version}
Conflicts:      krb5-devel
%else
Conflicts:      krb5-mini-devel
%endif
#

%description devel
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes Libraries and
Include Files for Development

%prep
# Unpack the upstream tarball, then unpack Source1 (the vendor files) into the
# same tree: -a 1 extracts source 1 after changing into the directory, -T
# skips the default source and -D keeps the directory from being deleted.
# NOTE(review): nothing in this section checks the tarball against the
# signature and keyring shipped as Source42/Source43 -- confirm where that
# verification takes place.
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
# Distribution patches.
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch11 -p1
# NOTE(review): Patch12 (krb5-1.12-selinux-label.patch) is left unapplied even
# though libselinux-devel is a build requirement; the reason is not recorded
# here -- confirm whether the SELinux labelling is intentionally dropped.
#%patch12 -p1
%patch13 -p0
%patch14 -p1
# Security fixes for CVE-2015-2697, CVE-2015-2696, CVE-2015-2695 and
# CVE-2015-2698 (per the patch file names). Keep 0103 after 0101/0102: the
# changelog describes it as repairing a regression from the earlier fixes.
%patch100 -p1
%patch101 -p1
%patch102 -p1
%patch103 -p1

%build
# Configure and compile the tree under src/, then (full flavour only) build
# the HTML documentation and copy it to the top of the build directory.
# needs to be re-generated
rm -f src/lib/krb5/krb/deltat.c
cd src
./util/reconf
# Default credential cache name: a per-user directory under /run/user.
# The percent sign is doubled so that rpm passes the uid token through
# literally instead of trying to expand it as a macro.
# NOTE(review): this assumes /run/user/<uid> exists and is private to that
# user on the target system -- confirm for hosts where nothing creates it.
DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
# Notes on the configure call below (comments cannot go inside the continued
# command line):
#  - CFLAGS starts from RPM_OPT_FLAGS, so the compiler flags chosen by the
#    build environment apply to every object, followed by the additions here.
#  - enable-dns-for-realm: NOTE(review) presumably makes DNS-based realm
#    lookup the built-in default; DNS answers are not authenticated by
#    Kerberos, so confirm this default is wanted.
#  - The full flavour builds with LDAP, PAM and PKINIT (OpenSSL crypto);
#    the mini flavour disables PKINIT and PAM.
#  - NOTE(review): the build and host triplets are hard-coded to
#    i486-pc-linux-gnu for every architecture -- confirm this is intentional.
./configure \
        CC="%{__cc}" \
        CFLAGS="$RPM_OPT_FLAGS -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
        CPPFLAGS="-I%{_includedir}/et " \
        SS_LIB="-lss" \
	--prefix=/usr/lib/mit \
	--sysconfdir=%{_sysconfdir} \
	--mandir=%{_mandir} \
	--infodir=%{_infodir} \
	--libexecdir=/usr/lib/mit/sbin \
	--libdir=%{_libdir} \
	--includedir=%{_includedir} \
        --localstatedir=%{_localstatedir}/lib/kerberos \
        --localedir=%{_datadir}/locale \
	--enable-shared \
	--disable-static \
        --enable-dns-for-realm \
        --disable-rpath \
%if ! %{build_mini}
        --with-ldap \
        --with-pam \
        --enable-pkinit \
        --with-pkinit-crypto-impl=openssl \
%else
        --disable-pkinit \
        --without-pam \
%endif
        --without-system-verto \
        --with-system-et \
        --with-system-ss \
        --build=i486-pc-linux-gnu       \
        --host=i486-pc-linux-gnu        
%{__make} %{?_smp_mflags}

# Documentation is only built for the full flavour.
%if ! 0%{?build_mini}
cd doc
make %{?jobs:-j%jobs} substhtml
cp -a html_subst ../../html
cd ..
%endif

# Copy kadmin manual page into kadmin.local's due to the split between client and server package
cp man/kadmin.man man/kadmin.local.8

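%install
# Stage the whole package under the build root. Every path written or removed
# in this section must be inside the build root; the build host's own
# filesystem is never touched.

# Where per-user keytabs live by default.
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5

cd src
make DESTDIR=%{buildroot} install
cd ..
# Munge krb5-config yet again.  This is totally wrong for 64-bit, but chunks
# of the buildconf patch already conspire to strip out /usr/<anything> from the
# list of link flags, and it helps prevent file conflicts on multilib systems.
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config

# install autoconf macro
mkdir -p %{buildroot}/%{_datadir}/aclocal
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
# install sample config files
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
mkdir -p %{buildroot}/etc/profile.d/
mkdir -p %{buildroot}/var/log/krb5
mkdir -p %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
# create plugin directories
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
# krb5.conf is world-readable; the KDC-side files (kdc.conf, kadm5.acl,
# kadm5.dict) are staged owner-only, matching the 0600 attributes in the
# files lists.
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh
install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
# all libs must have permissions 0755
# (find -exec avoids word-splitting the file list in the shell)
find %{buildroot}/%{_libdir}/ -type f -name "*.so*" -exec chmod 0755 {} +
# and binaries too
# NOTE(review): ksu is staged as plain 0755 here, without a setuid bit; if it
# needs elevated privilege that has to be granted elsewhere -- confirm.
chmod 0755 %{buildroot}/usr/lib/mit/bin/ksu
# install systemd files
%if 0%{?suse_version} >= 1210
mkdir -p %{buildroot}%{_unitdir}
install -m 644 %{vendorFiles}/kadmind.service %{buildroot}%{_unitdir}
install -m 644 %{vendorFiles}/krb5kdc.service %{buildroot}%{_unitdir}
install -m 644 %{vendorFiles}/kpropd.service %{buildroot}%{_unitdir}
%else
# install init scripts
mkdir -p %{buildroot}%{_sysconfdir}/init.d
install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind
install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc
install -m 755 %{vendorFiles}/kpropd.init  %{buildroot}%{_sysconfdir}/init.d/kpropd
%endif
# install sysconfig templates
mkdir -p $RPM_BUILD_ROOT/%{_var}/adm/fillup-templates
install -m 644 %{vendorFiles}/sysconfig.kadmind $RPM_BUILD_ROOT/%{_var}/adm/fillup-templates/
install -m 644 %{vendorFiles}/sysconfig.krb5kdc $RPM_BUILD_ROOT/%{_var}/adm/fillup-templates/
# install logrotate files
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
find . -type f -name '*.ps' -exec gzip -9 {} \;
# create rc* links
mkdir -p %{buildroot}/usr/bin/
mkdir -p %{buildroot}/usr/sbin/
%if 0%{?suse_version} >= 1210
%if 0%{?suse_version} > 1220
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckadmind
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckrb5kdc
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckpropd
%else
ln -s /sbin/service %{buildroot}%{_sbindir}/rckadmind
ln -s /sbin/service %{buildroot}%{_sbindir}/rckrb5kdc
# link name is rckpropd, as in the other two branches (was misspelled rcpropd)
ln -s /sbin/service %{buildroot}%{_sbindir}/rckpropd
%endif
%else
ln -sf ../../etc/init.d/kadmind %{buildroot}/usr/sbin/rckadmind
ln -sf ../../etc/init.d/krb5kdc %{buildroot}/usr/sbin/rckrb5kdc
ln -sf ../../etc/init.d/kpropd %{buildroot}/usr/sbin/rckpropd
%endif
# create links for kinit and klist, because of the java ones
ln -sf ../../usr/lib/mit/bin/kinit   %{buildroot}/usr/bin/kinit
ln -sf ../../usr/lib/mit/bin/klist   %{buildroot}/usr/bin/klist
# install doc
install -d -m 755 %{buildroot}/%{krb5docdir}
install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
%if ! %{build_mini}
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{krb5docdir}/kerberos.schema
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{krb5docdir}/kerberos.ldif
%endif
# cleanup -- build root only. The former second rm pointed at the build
# host's own /usr/share/man and has been dropped: a package build must not
# delete files outside the build root.
rm -f  %{buildroot}/usr/share/man/man1/tmac.doc*
rm -rf %{buildroot}/usr/lib/mit/share/examples
%if %{build_mini}
# manually remove otp plugin for krb5-mini since configure
# doesn't support disabling it at build time
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
%endif

%find_lang mit-krb5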

#####################################################
# krb5(-mini) pre/post/postun
#####################################################

%if %{build_mini}

%preun
%if 0%{?suse_version} >= 1210
%service_del_preun krb5kdc.service kadmind.service kpropd.service
%else
%stop_on_removal krb5kdc kadmind kpropd
%endif

%postun
/sbin/ldconfig
%if 0%{?suse_version} >= 1210
%service_del_postun krb5kdc.service kadmind.service kpropd.service
%else
%restart_on_update krb5kdc kadmind kpropd
%{insserv_cleanup}
%endif

%post 
/sbin/ldconfig
%if 0%{?suse_version} >= 1210
%service_add_post krb5kdc.service kadmind.service kpropd.service
%endif
%{fillup_only -n kadmind}
%{fillup_only -n krb5kdc}
%{fillup_only -n kpropd}

%pre
%if 0%{?suse_version} >= 1210
%service_add_pre krb5kdc.service kadmind.service kpropd.service
%endif

%else

%post -p /sbin/ldconfig

%postun
/sbin/ldconfig

#####################################################
# krb5-server preun/postun/pre/post
#####################################################

%preun server
%if 0%{?suse_version} >= 1210
%service_del_preun krb5kdc.service kadmind.service kpropd.service
%else
%stop_on_removal krb5kdc kadmind kpropd
%endif

%postun server
%if 0%{?suse_version} >= 1210
%service_del_postun krb5kdc.service kadmind.service kpropd.service
%else
%restart_on_update krb5kdc kadmind kpropd
%{insserv_cleanup}
%endif

%post server
%if 0%{?suse_version} >= 1210
%service_add_post krb5kdc.service kadmind.service kpropd.service
%endif
%{fillup_only -n kadmind}
%{fillup_only -n krb5kdc}
%{fillup_only -n kpropd}

%pre server
%if 0%{?suse_version} >= 1210
%service_add_pre krb5kdc.service kadmind.service kpropd.service
%endif

#####################################################
# krb5-plugin-kdb-ldap post/postun
#####################################################

%post plugin-kdb-ldap -p /sbin/ldconfig

%postun plugin-kdb-ldap
/sbin/ldconfig

%endif

########################################################
# files sections
########################################################

%files devel
%defattr(-,root,root)
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
%dir /usr/lib/mit/share
%dir %{_datadir}/aclocal
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
%{_libdir}/libkadm5clnt_mit.so
%{_libdir}/libkadm5clnt.so
%{_libdir}/libkadm5srv_mit.so
%{_libdir}/libkadm5srv.so
%{_libdir}/libkdb5.so
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
%{_libdir}/libkrad.so
%{_libdir}/libverto.so
%{_libdir}/pkgconfig/gssrpc.pc
%{_libdir}/pkgconfig/kadm-client.pc
%{_libdir}/pkgconfig/kadm-server.pc
%{_libdir}/pkgconfig/kdb.pc
%{_libdir}/pkgconfig/krb5-gssapi.pc
%{_libdir}/pkgconfig/krb5.pc
%{_libdir}/pkgconfig/mit-krb5-gssapi.pc
%{_libdir}/pkgconfig/mit-krb5.pc
%{_includedir}/*
/usr/lib/mit/bin/krb5-config
/usr/lib/mit/sbin/krb5-send-pr
%{_mandir}/man1/krb5-config.1*
%{_datadir}/aclocal/ac_check_krb5.m4

%if %{build_mini}

%files -f mit-krb5.lang
%defattr(-,root,root)
%dir %{krb5docdir}
# add directories
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
%dir %{_libdir}/krb5/plugins/tls
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
%dir %{_localstatedir}/lib/kerberos/krb5
%dir %{_localstatedir}/lib/kerberos/krb5/user
%attr(0700,root,root) %dir /var/log/krb5
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
%dir /usr/lib/mit/bin
%doc %{krb5docdir}/README
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
%attr(0644,root,root) %config /etc/profile.d/krb5*
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_var}/adm/fillup-templates/sysconfig.*
%if 0%{?suse_version} >= 1210
%{_unitdir}/kadmind.service
%{_unitdir}/krb5kdc.service
%{_unitdir}/kpropd.service
%else
%{_sysconfdir}/init.d/*
%endif
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libkrad.so.*
%{_libdir}/libverto.so.*
%{_libdir}/krb5/plugins/kdb/*
%{_libdir}/krb5/plugins/tls/*
#/usr/lib/mit/sbin/*
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
/usr/lib/mit/sbin/kpropd
/usr/lib/mit/sbin/kproplog
/usr/lib/mit/sbin/kprop
/usr/lib/mit/sbin/kdb5_util
/usr/lib/mit/sbin/krb5kdc
/usr/lib/mit/sbin/uuserver
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/gss-server
/usr/lib/mit/sbin/sim_server
/usr/lib/mit/bin/k5srvutil
/usr/lib/mit/bin/kvno
/usr/lib/mit/bin/kinit
/usr/lib/mit/bin/kdestroy
/usr/lib/mit/bin/kpasswd
/usr/lib/mit/bin/klist
/usr/lib/mit/bin/kadmin
/usr/lib/mit/bin/ktutil
/usr/lib/mit/bin/kswitch
%attr(0755,root,root) /usr/lib/mit/bin/ksu
/usr/lib/mit/bin/uuclient
/usr/lib/mit/bin/sclient
/usr/lib/mit/bin/gss-client
/usr/lib/mit/bin/sim_client
/usr/bin/kinit
/usr/bin/klist
/usr/sbin/rc*
#%{_mandir}/man1/*
%{_mandir}/man1/kvno.1*
%{_mandir}/man1/kinit.1*
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/ksu.1*
%{_mandir}/man1/sclient.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
%{_mandir}/man1/k5srvutil.1*
%{_mandir}/man1/kswitch.1*
%{_mandir}/man5/*
%{_mandir}/man5/.k5login.5.gz
%{_mandir}/man5/.k5identity.5*
%{_mandir}/man8/*
%else

%files -f mit-krb5.lang
%defattr(-,root,root)
%dir %{krb5docdir}
# add plugin directories
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
%dir %{_libdir}/krb5/plugins/tls
# add log directory
%attr(0700,root,root) %dir /var/log/krb5
%doc %{krb5docdir}/README
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
%attr(0644,root,root) %config /etc/profile.d/krb5*
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libkrad.so.*
%{_libdir}/libverto.so.*

%files server
%defattr(-,root,root)
%attr(0700,root,root) %dir /var/log/krb5
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
%if 0%{?suse_version} >= 1210
%{_unitdir}/kadmind.service
%{_unitdir}/krb5kdc.service
%{_unitdir}/kpropd.service
%else
%{_sysconfdir}/init.d/kadmind
%{_sysconfdir}/init.d/krb5kdc
%{_sysconfdir}/init.d/kpropd
%endif
%dir %{krb5docdir}
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
%dir %{_localstatedir}/lib/kerberos/krb5
%dir %{_localstatedir}/lib/kerberos/krb5/user
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/tls
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_var}/adm/fillup-templates/sysconfig.*
/usr/sbin/rc*
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
/usr/lib/mit/sbin/kpropd
/usr/lib/mit/sbin/kproplog
/usr/lib/mit/sbin/kprop
/usr/lib/mit/sbin/kdb5_util
/usr/lib/mit/sbin/krb5kdc
/usr/lib/mit/sbin/gss-server
/usr/lib/mit/sbin/sim_server
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/uuserver
%{_libdir}/krb5/plugins/kdb/db2.so
%{_libdir}/krb5/plugins/tls/*.so
%{_mandir}/man5/kdc.conf.5*
%{_mandir}/man5/kadm5.acl.5*
%{_mandir}/man8/kadmind.8*
%{_mandir}/man8/kadmin.local.8*
%{_mandir}/man8/kpropd.8*
%{_mandir}/man8/kprop.8*
%{_mandir}/man8/kproplog.8.gz
%{_mandir}/man8/kdb5_util.8*
%{_mandir}/man8/krb5kdc.8*
%{_mandir}/man8/sserver.8*

%files client
%defattr(-,root,root)
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
/usr/lib/mit/bin/kvno
/usr/lib/mit/bin/kinit
/usr/lib/mit/bin/kdestroy
/usr/lib/mit/bin/kpasswd
/usr/lib/mit/bin/klist
/usr/lib/mit/bin/kadmin
/usr/lib/mit/bin/ktutil
/usr/lib/mit/bin/k5srvutil
/usr/lib/mit/bin/gss-client
/usr/lib/mit/bin/ksu
/usr/lib/mit/bin/sclient
/usr/lib/mit/bin/sim_client
/usr/lib/mit/bin/uuclient
/usr/lib/mit/bin/kswitch
/usr/bin/kinit
/usr/bin/klist
%{_mandir}/man1/kvno.1*
%{_mandir}/man1/kinit.1*
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
%{_mandir}/man1/k5srvutil.1*
%{_mandir}/man1/kswitch.1*
%{_mandir}/man5/krb5.conf.5*
%{_mandir}/man5/.k5login.5*
%{_mandir}/man5/.k5identity.5*
%{_mandir}/man5/k5identity.5*
%{_mandir}/man5/k5login.5*
%{_mandir}/man1/ksu.1.gz
%{_mandir}/man1/sclient.1.gz

%files plugin-kdb-ldap
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir /usr/lib/mit/sbin/
%dir %{krb5docdir}
%doc %{krb5docdir}/kerberos.schema
%doc %{krb5docdir}/kerberos.ldif
%{_libdir}/krb5/plugins/kdb/kldap.so
/usr/lib/mit/sbin/kdb5_ldap_util
%{_libdir}/libkdb_ldap*
%{_mandir}/man8/kdb5_ldap_util.8*

%files plugin-preauth-pkinit
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so

%files plugin-preauth-otp
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/otp.so

%files doc
%defattr(-,root,root)
%doc html doc/CHANGES doc/README

%endif #build_mini

%changelog
* Tue Nov 10 2015 hguo@suse.com
- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
  to fix a memory corruption regression introduced by resolution of
  CVE-2015-2698. bsc#954204
* Wed Oct 28 2015 hguo@suse.com
- Make kadmin.local man page available without having to install krb5-client. bsc#948011
- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
  to fix build_principal memory bug [CVE-2015-2697] bsc#952190
- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
  to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
  to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
* Mon Jun  1 2015 hguo@suse.com
- Let server depend on libev (module of libverto). This was the
  preferred implementation before the separation of libverto from krb.
* Thu May 28 2015 dimstar@opensuse.org
- Drop libverto and libverto-libev Requires from the -server
  package: those package names don't exist and the shared libs
  are pulled in automatically.
* Wed May 27 2015 dimstar@opensuse.org
- Unconditionally buildrequire libverto-devel: krb5-mini also
  depends on it.
* Fri May 22 2015 meissner@suse.com
- pre_checkin.sh aligned changes between krb5/krb5-mini
- added krb5.keyring
* Tue May 12 2015 michael@stroeder.com
- update to krb5 1.13.2
- DES transition
  ==============
  The Data Encryption Standard (DES) is widely recognized as weak.  The
  krb5-1.7 release contains measures to encourage sites to migrate away
  from using single-DES cryptosystems.  Among these is a configuration
  variable that enables "weak" enctypes, which defaults to "false"
  beginning with krb5-1.8.
  Major changes in 1.13.2 (2015-05-08)
  This is a bug fix release.
  * Fix a minor vulnerability in krb5_read_message, which is primarily
  used in the BSD-derived kcmd suite of applications.  [CVE-2014-5355]
  * Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
  [CVE-2015-2694]
  * Fix some issues with the LDAP KDC database back end.
  * Fix an iteration-related memory leak in the DB2 KDC database back
  end.
  * Fix issues with some less-used kadm5.acl functionality.
  * Improve documentation.
* Thu Apr 23 2015 hguo@suse.com
- Use externally built libverto
* Wed Feb 18 2015 michael@stroeder.com
- update to krb5 1.13.1
  Major changes in 1.13.1 (2015-02-11)
  This is a bug fix release.
  * Fix multiple vulnerabilities in the LDAP KDC back end.
  [CVE-2014-5354] [CVE-2014-5353]
  * Fix multiple kadmind vulnerabilities, some of which are based in the
  gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
  CVE-2014-9422 CVE-2014-9423]
* Tue Jan  6 2015 mlin@suse.com
- Update to krb5 1.13
  * Add support for accessing KDCs via an HTTPS proxy server using the
    MS-KKDCP protocol.
  * Add support for hierarchical incremental propagation, where slaves
    can act as intermediates between an upstream master and other downstream
    slaves.
  * Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf
    files in addition to /etc/gss/mech.
  * Add support to the LDAP KDB module for binding to the LDAP server using
    SASL.
  * The KDC listens for TCP connections by default.
  * Fix a minor key disclosure vulnerability where using the "keepold" option
    to the kadmin randkey operation could return the old keys. [CVE-2014-5351]
  * Add client support for the Kerberos Cache Manager protocol. If the host
    is running a Heimdal kcm daemon, caches served by the daemon can be
    accessed with the KCM: cache type.
  * When built on OS X 10.7 and higher, use "KCM:" as the default cache type,
    unless overridden by command-line options or krb5-config values.
  * Add support for doing unlocked database dumps for the DB2 KDC back end,
    which would allow the KDC and kadmind to continue accessing the database
    during lengthy database dumps.
- Removed patches, useless or upstreamed
  * krb5-1.9-kprop-mktemp.patch
  * krb5-1.10-ksu-access.patch
  * krb5-1.12-doxygen.patch
  * bnc#897874-CVE-2014-5351.diff
  * krb5-1.13-work-around-replay-cache-creation-race.patch
  * krb5-1.10-kpasswd_tcp.patch
- Refreshed patches
  * krb5-1.12-pam.patch
  * krb5-1.12-selinux-label.patch
  * krb5-1.7-doublelog.patch
* Thu Sep 25 2014 ddiss@suse.com
- Work around replay cache creation race; (bnc#898439).
  krb5-1.13-work-around-replay-cache-creation-race.patch
* Tue Sep 23 2014 varkoly@suse.com
-  bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal
- added patches:
  * bnc#897874-CVE-2014-5351.diff
* Sat Aug 30 2014 andreas.stieger@gmx.de
- krb5 5.12.2:
  * Work around a gcc optimizer bug that could cause DB2 KDC
    database operations to spin in an infinite loop
  * Fix a backward compatibility problem with the LDAP KDB schema
    that could prevent krb5-1.11 and later from decoding entries
    created by krb5-1.6.
  * Avoid an infinite loop under some circumstances when the GSS
    mechglue loads a dynamic mechanism.
  * Fix krb5kdc argument parsing so "-w" and "-r" options work
    together reliably.
- Vulnerability fixes previously fixed in package via patches:
  * Handle certain invalid RFC 1964 GSS tokens correctly to avoid
    invalid memory reference vulnerabilities.  [CVE-2014-4341
    CVE-2014-4342]
  * Fix memory management vulnerabilities in GSSAPI SPNEGO.
    [CVE-2014-4343 CVE-2014-4344]
  * Fix buffer overflow vulnerability in LDAP KDB back end.
    [CVE-2014-4345]
- updated patches:
  * krb5-1.7-doublelog.patch for context change
  * krb5-1.6.3-ktutil-manpage.dif, same
- removed patches, in upstream:
  * krb5-master-keyring-kdcsync.patch
  * krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
  * krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
  * krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
  * krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch
  from upstream
* Fri Aug  8 2014 ckornacker@suse.com
- buffer overrun in kadmind with LDAP backend
  CVE-2014-4345 (bnc#891082)
  krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
* Mon Jul 28 2014 ckornacker@suse.com
- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)
  krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
  Fix null deref in SPNEGO acceptor [CVE-2014-4344]
  krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
* Sat Jul 19 2014 p.drouand@gmail.com
- Do not depend on insserv if systemd is used
* Thu Jul 10 2014 ckornacker@suse.com
- denial of service flaws when handling RFC 1964 tokens (bnc#886016)
  krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
- start krb5kdc after slapd (bnc#886102)
* Fri Jun  6 2014 ckornacker@suse.com
- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
  similar functionality is provided by krb5-plugin-preauth-pkinit
* Tue Feb 18 2014 ckornacker@suse.com
- don't deliver SysV init files to systemd distributions
* Tue Jan 21 2014 ckornacker@suse.com
- update to version 1.12.1
  * Make KDC log service principal names more consistently during
    some error conditions, instead of "<unknown server>"
  * Fix several bugs related to building AES-NI support on less
    common configurations
  * Fix several bugs related to keyring credential caches
- upstream obsoletes:
  krb5-1.12-copy_context.patch
  krb5-1.12-enable-NX.patch
  krb5-1.12-pic-aes-ni.patch
  krb5-master-no-malloc0.patch
  krb5-master-ignore-empty-unnecessary-final-token.patch
  krb5-master-gss_oid_leak.patch
  krb5-master-keytab_close.patch
  krb5-master-spnego_error_messages.patch
- Fix Get time offsets for all keyring ccaches
  krb5-master-keyring-kdcsync.patch (RT#7820)
* Mon Jan 13 2014 ckornacker@suse.com
- update to version 1.12
  * Add GSSAPI extensions for constructing MIC tokens using IOV lists
  * Add a FAST OTP preauthentication module for the KDC which uses
    RADIUS to validate OTP token values.
  * The AES-based encryption types will use AES-NI instructions
    when possible for improved performance.
- revert dependency on libcom_err-mini-devel since it's not yet
  available
- update and rebase patches
  * krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch
  * krb5-1.11-pam.patch -> krb5-1.12-pam.patch
  * krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch
  * krb5-1.8-api.patch -> krb5-1.12-api.patch
  * krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch
  * krb5-1.9-debuginfo.patch
  * krb5-1.9-kprop-mktemp.patch
  * krb5-kvno-230379.patch
- added upstream patches
  - Fix krb5_copy_context
  * krb5-1.12-copy_context.patch
  - Mark AESNI files as not needing executable stacks
  * krb5-1.12-enable-NX.patch
  * krb5-1.12-pic-aes-ni.patch
  - Fix memory leak in SPNEGO initiator
  * krb5-master-gss_oid_leak.patch
  - Fix SPNEGO one-hop interop against old IIS
  * krb5-master-ignore-empty-unnecessary-final-token.patch
  - Fix GSS krb5 acceptor acquire_cred error handling
  * krb5-master-keytab_close.patch
  - Avoid malloc(0) in SPNEGO get_input_token
  * krb5-master-no-malloc0.patch
  - Test SPNEGO error message in t_s4u.py
  * krb5-master-spnego_error_messages.patch
* Tue Dec 10 2013 nfbrown@suse.com
- Reduce build dependencies for krb5-mini by removing
  doxygen and changing libcom_err-devel to
  libcom_err-mini-devel
- Small fix to pre_checkin.sh so krb5-mini.spec is correct.
* Fri Nov 15 2013 ckornacker@suse.com
- update to version 1.11.4
  - Fix a KDC null pointer dereference [CVE-2013-1417] that could
    affect realms with an uncommon configuration.
  - Fix a KDC null pointer dereference [CVE-2013-1418] that could
    affect KDCs that serve multiple realms.
  - Fix a number of bugs related to KDC master key rollover.
* Mon Jun 24 2013 mc@suse.com
- install and enable systemd service files also in -mini package
* Fri Jun 21 2013 crrodriguez@opensuse.org
- remove fstack-protector-all from CFLAGS, just use the
  lighter/faster version already present in %%optflags
- Use LFS_CFLAGS to build in 32 bit archs.
* Sun Jun  9 2013 mc@suse.com
- update to version 1.11.3
  - Fix a UDP ping-pong vulnerability in the kpasswd
    (password changing) service. [CVE-2002-2443]
  - Improve interoperability with some Windows native PKINIT clients.
- install translation files
- remove outdated configure options
* Tue May 28 2013 mc@suse.com
- cleanup systemd files (remove syslog.target)
* Fri May  3 2013 mc@suse.de
- let krb5-mini conflict with all main packages
* Thu May  2 2013 mc@suse.de
- add conflicts between krb5-mini and krb5-server
* Sun Apr 28 2013 mc@suse.de
- update to version 1.11.2
  * Incremental propagation could erroneously act as if a slave's
    database were current after the slave received a full dump
    that failed to load.
  * gss_import_sec_context incorrectly set internal state that
    identifies whether an imported context is from an interposer
    mechanism or from the underlying mechanism.
- upstream fix obsoletes krb5-lookup_etypes-leak.patch
* Thu Apr  4 2013 mc@suse.de
- add conflicts between krb5-mini-devel and krb5-devel
* Tue Apr  2 2013 mc@suse.de
- add conflicts between krb5-mini and krb5 and krb5-client
* Wed Mar 27 2013 mc@suse.de
- enable selinux and set openssl as crypto implementation
* Fri Mar 22 2013 mc@suse.de
- fix path to executables in service files
  (bnc#810926)
* Fri Mar 15 2013 mc@suse.de
- update to version 1.11.1
  * Improve ASN.1 support code, making it table-driven for
    decoding as well as encoding
  * Refactor parts of KDC
  * Documentation consolidation
  * build docs in the main package
  * bugfixing
- changes of patches:
  * bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif:
    upstream
  * bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif:
    upstream
  * krb5-1.10-gcc47.patch: upstream
  * krb5-1.10-selinux-label.patch replaced by
    krb5-1.11-selinux-label.patch
  * krb5-1.10-spin-loop.patch: upstream
  * krb5-1.3.5-perlfix.dif: the tool was removed from upstream
  * krb5-1.8-pam.patch replaced by
    krb5-1.11-pam.patch
* Wed Mar  6 2013 mc@suse.de
- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
  CVE-2012-1016 (bnc#807556)
  bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
* Mon Mar  4 2013 mc@suse.de
- fix PKINIT null pointer deref
  CVE-2013-1415 (bnc#806715)
  bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
* Fri Jan 25 2013 mc@suse.de
- package missing file (bnc#794784)
* Tue Jan 22 2013 lchiquitto@suse.com
- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc
  (bnc#793336)
* Tue Oct 16 2012 coolo@suse.com
- revert the -p usage in %%postun to fix SLE build
* Tue Oct 16 2012 coolo@suse.com
- buildrequire systemd by pkgconfig provide to get systemd-mini
* Sat Oct 13 2012 coolo@suse.com
- do not require systemd in krb5-mini
* Fri Oct  5 2012 mc@suse.de
- add systemd service files for kadmind, krb5kdc and kpropd
- add sysconfig templates for kadmind and krb5kdc
* Wed Jun 13 2012 coolo@suse.com
- fix %%files section for krb5-mini
* Thu Jun  7 2012 mc@suse.de
- fix gcc47 issues
* Wed Jun  6 2012 mc@suse.de
- update to version 1.10.2
  obsolete patches:
  * krb5-1.7-nodeplibs.patch
  * krb5-1.9.1-ai_addrconfig.patch
  * krb5-1.9.1-ai_addrconfig2.patch
  * krb5-1.9.1-sendto_poll.patch
  * krb5-1.9-canonicalize-fallback.patch
  * krb5-1.9-paren.patch
  * krb5-klist_s.patch
  * krb5-pkinit-cms2.patch
  * krb5-trunk-chpw-err.patch
  * krb5-trunk-gss_delete_sec.patch
  * krb5-trunk-kadmin-oldproto.patch
  * krb5-1.9-MITKRB5-SA-2011-006.dif
  * krb5-1.9-gss_display_status-iakerb.patch
  * krb5-1.9.1-sendto_poll2.patch
  * krb5-1.9.1-sendto_poll3.patch
  * krb5-1.9-MITKRB5-SA-2011-007.dif
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
  Controllers.
- Update a workaround for a glibc bug that would cause DNS PTR queries
  to occur even when rdns = false.
- Fix a kadmind denial of service issue (null pointer dereference),
  which could only be triggered by an administrator with the "create"
  privilege.  [CVE-2012-1013]
- Fix access controls for KDB string attributes [CVE-2012-1012]
- Make the ASN.1 encoding of key version numbers interoperate with
  Windows Read-Only Domain Controllers
- Avoid generating spurious password expiry warnings in cases where
  the KDC sends an account expiry time without a password expiry time
- Make PKINIT work with FAST in the client library.
- Add the DIR credential cache type, which can hold a collection of
  credential caches.
- Enhance kinit, klist, and kdestroy to support credential cache
  collections if the cache type supports it.
- Add the kswitch command, which changes the selected default cache
  within a collection.
- Add heuristic support for choosing client credentials based on
  the service realm.
- Add support for $HOME/.k5identity, which allows credential
  choice based on configured rules.
* Sun Feb 26 2012 stefan.bruens@rwth-aachen.de
- add autoconf macro to devel subpackage
* Tue Jan 31 2012 meissner@suse.de
- fix license in krb5-mini
* Tue Dec 20 2011 coolo@suse.com
- add autoconf as buildrequire to avoid implicit dependency
* Tue Dec 20 2011 coolo@suse.com
- remove call to suse_update_config, very old work around
* Mon Nov 21 2011 mc@suse.de
- fix KDC null pointer dereference in TGS handling
  (MITKRB5-SA-2011-007, bnc#730393)
  CVE-2011-1530
* Mon Nov 21 2011 mc@suse.de
- fix KDC HA feature introduced with implementing KDC poll
  (RT#6951, bnc#731648)
* Fri Nov 18 2011 rhafer@suse.de
- fix minor error messages for the IAKERB GSSAPI mechanism
  (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)
* Mon Oct 17 2011 mc@suse.de
- fix kdc remote denial of service
  (MITKRB5-SA-2011-006, bnc#719393)
  CVE-2011-1527, CVE-2011-1528, CVE-2011-1529
* Tue Aug 23 2011 mc@suse.de
- use --without-pam to build krb5-mini
* Sun Aug 21 2011 mc@novell.com
- add patches from Fedora and upstream
- fix init scripts (bnc#689006)
* Fri Aug 19 2011 mc@novell.com
- update to version 1.9.1
  * obsolete patches:
    MITKRB5-SA-2010-007-1.8.dif
    krb5-1.8-MITKRB5-SA-2010-006.dif
    krb5-1.8-MITKRB5-SA-2011-001.dif
    krb5-1.8-MITKRB5-SA-2011-002.dif
    krb5-1.8-MITKRB5-SA-2011-003.dif
    krb5-1.8-MITKRB5-SA-2011-004.dif
    krb5-1.4.3-enospc.dif
  * replace krb5-1.6.1-compile_pie.dif
* Thu Apr 14 2011 mc@suse.de
- fix kadmind invalid pointer free()
  (MITKRB5-SA-2011-004, bnc#687469)
  CVE-2011-0285
* Tue Mar  1 2011 mc@suse.de
- Fix vulnerability to a double-free condition in KDC daemon
  (MITKRB5-SA-2011-003, bnc#671717)
  CVE-2011-0284
* Wed Jan 19 2011 mc@suse.de
- Fix kpropd denial of service
  (MITKRB5-SA-2011-001, bnc#662665)
  CVE-2010-4022
- Fix KDC denial of service attacks with LDAP back end
  (MITKRB5-SA-2011-002, bnc#663619)
  CVE-2011-0281, CVE-2011-0282
* Wed Dec  1 2010 mc@suse.de
- Fix multiple checksum handling vulnerabilities
  (MITKRB5-SA-2010-007, bnc#650650)
  CVE-2010-1324
  * krb5 GSS-API applications may accept unkeyed checksums
  * krb5 application services may accept unkeyed PAC checksums
  * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums
  CVE-2010-1323
  * krb5 clients may accept unkeyed SAM-2 challenge checksums
  * krb5 may accept KRB-SAFE checksums with low-entropy derived keys
  CVE-2010-4020
  * krb5 may accept authdata checksums with low-entropy derived keys
  CVE-2010-4021
  * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery
* Thu Oct 28 2010 mc@suse.de
- fix csh profile (bnc#649856)
* Fri Oct 22 2010 mc@suse.de
- update to krb5-1.8.3
  * remove patches which are now upstream
  - krb5-1.7-MITKRB5-SA-2010-004.dif
  - krb5-1.8.1-gssapi-error-table.dif
  - krb5-MITKRB5-SA-2010-005.dif
* Fri Oct 22 2010 mc@suse.de
- change environment variable PATH directly for csh
  (bnc#642080)
* Mon Sep 27 2010 mc@suse.de
- fix a dereference of an uninitialized pointer while processing
  authorization data.
  CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)
* Mon Jun 21 2010 lchiquitto@novell.com
- add correct error table when initializing gss-krb5 (bnc#606584,
  bnc#608295)
* Wed May 19 2010 mc@suse.de
- fix GSS-API library null pointer dereference
  CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)
* Wed Apr 14 2010 mc@suse.de
- fix a double free vulnerability in the KDC
  CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)
* Fri Apr  9 2010 mc@suse.de
- update to version 1.8.1
  * include krb5-1.8-POST.dif
  * include MITKRB5-SA-2010-002
* Tue Apr  6 2010 mc@suse.de
- update krb5-1.8-POST.dif
* Tue Mar 23 2010 mc@suse.de
- fix a bug where an unauthenticated remote attacker could cause
  a GSS-API application including the Kerberos administration
  daemon (kadmind) to crash.
  CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)
* Tue Mar 23 2010 mc@suse.de
- add post 1.8 fixes
  * Add IPv6 support to changepw.c
  * fix two problems in kadm5_get_principal mask handling
  * Ignore improperly encoded signedpath AD elements
  * handle NT_SRV_INST in service principal referrals
  * dereference options while checking
    KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
  * Fix the kpasswd fallback from the ccache principal name
  * Document the ticket_lifetime libdefaults setting
  * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
* Thu Mar  4 2010 mc@suse.de
- update to version 1.8
  * Increase code quality
  * Move toward improved KDB interface
  * Investigate and remedy repeatedly-reported performance
    bottlenecks.
  * Reduce DNS dependence by implementing an interface that allows
    client library to track whether a KDC supports service
    principal referrals.
  * Disable DES by default
  * Account lockout for repeated login failures
  * Bridge layer to allow Heimdal HDB modules to act as KDB
    backend modules
  * FAST enhancements
  * Microsoft Services for User (S4U) compatibility
  * Anonymous PKINIT
- fix KDC denial of service
  CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)
- fix KDC denial of service in cross-realm referral processing
  CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
- fix integer underflow in AES and RC4 decryption
  CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl
* Mon Dec 14 2009 jengelh@medozas.de
- add baselibs.conf as a source
* Fri Nov 13 2009 mc@suse.de
- enhance '$PATH' only if the directories are available
  and not empty (bnc#544949)
* Sun Jul 12 2009 coolo@novell.com
- readd lost baselibs.conf
* Wed Jun  3 2009 mc@suse.de
- update to final 1.7 release
* Wed May 13 2009 mc@suse.de
- update to version 1.7 Beta2
  * Incremental propagation support for the KDC database.
  * Flexible Authentication Secure Tunneling (FAST), a preauthentication
    framework that can protect the AS exchange from dictionary attack.
  * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
    allows a GSS application to request credential delegation only if
    permitted by KDC policy.
  * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
    various vulnerabilities in SPNEGO and ASN.1 code.
* Mon Feb 16 2009 mc@suse.de
- update to pre 1.7 version
  * Remove support for version 4 of the Kerberos protocol (krb4).
  * New libdefaults configuration variable "allow_weak_crypto".
  * Client library now follows client principal referrals, for
    compatibility with Windows.
  * KDC can issue realm referrals for service principals based on domain
    names.
  * Encryption algorithm negotiation (RFC 4537).
  * In the replay cache, use a hash over the complete ciphertext to
    avoid false-positive replay indications.
  * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
    similar to the equivalent SSPI functionality.
  * DCE RPC, including three-leg GSS context setup and unencapsulated
    GSS tokens.
  * NTLM recognition support in GSS-API, to facilitate dropping in an
    NTLM implementation.
  * KDC support for principal aliases, if the back end supports them.
  * Microsoft set/change password (RFC 3244) protocol in kadmind.
  * Master key rollover support.
* Wed Jan 14 2009 olh@suse.de
- obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit
* Thu Dec 11 2008 mc@suse.de
- do not query IPv6 addresses if no IPv6 address exists on this host
  [bnc#449143]
* Wed Dec 10 2008 olh@suse.de
- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
  (bnc#437293)
* Thu Oct 30 2008 olh@suse.de
- obsolete old -XXbit packages (bnc#437293)
* Fri Sep 26 2008 mc@suse.de
- in case we use ldap as database backend, ldap should be
  started before krb5kdc
* Mon Jul 28 2008 mc@suse.de
- add new fixes to post 1.6.3 patch
  * fix mem leak in krb5_gss_accept_sec_context()
  * keep minor_status
  * kadm5_decrypt_key: A ktype of -1 is documented as meaning
    "to be ignored"
  * Reject socket fds > FD_SETSIZE
* Fri Jul 25 2008 mc@suse.de
- add patches from SVN post 1.6.3
  * krb5_string_to_keysalts: Fix an infinite loop
  * fix some mutex issues
  * better recovery from corrupt rcache files
  * some more small fixes
* Wed Jun 18 2008 mc@suse.de
- add case-insensitive.dif (FATE#300771)
- minor fixes for ktutil man page
- reduce rpmlint warnings
* Wed May 14 2008 mc@suse.de
- Fall back to TCP on kdc-unresolvable/unreachable errors.
- restore valid sequence number before generating requests
  (fix changing passwords in mixed ipv4/ipv6 environments)
* Thu Apr 10 2008 ro@suse.de
- added baselibs.conf file to build xxbit packages
  for multilib support
* Wed Apr  9 2008 mc@suse.de
- modify krb5-config to not output rpath and cflags in --libs
  (bnc#378270)
* Fri Mar 14 2008 mc@suse.de
- fix two security bugs:
  * MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063)
    fix double free [bnc#361373]
  * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)
    Memory corruption with too many open file descriptors
    [bnc#363151]
- change default config file. Comment out the examples.
* Fri Dec 14 2007 mc@suse.de
- fix several security bugs:
  * CVE-2007-5894 apparent uninit length
  * CVE-2007-5902 integer overflow
  * CVE-2007-5971 free of non-heap pointer and double-free
  * CVE-2007-5972 double fclose()
  [#346745, #346748, #346746, #346749, #346747]
* Tue Dec  4 2007 mc@suse.de
- improve GSSAPI error messages
* Tue Nov  6 2007 mc@suse.de
- add coreutils to PreReq
* Tue Oct 23 2007 mc@suse.de
- update to krb5 version 1.6.3
  * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
  * fix CVE-2007-4000 modify_policy vulnerability
  * Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
* Fri Sep 14 2007 mc@suse.de
- update krb5-1.6.2-post.dif
  * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
    the client library will not fail over to the next KDC.
    [#310540]
* Tue Sep 11 2007 mc@suse.de
- update krb5-1.6.2-post.dif
  * new -S sname option for kvno
  * read_entropy_from_device on partial read will not fill buffer
  * Bail out if encoded "ticket" doesn't decode correctly.
  * patch for referrals loop
* Thu Sep  6 2007 mc@suse.de
- fix a problem with the originally published patch
  for MITKRB5-SA-2007-006 - CVE-2007-3999
  [#302377]
* Wed Sep  5 2007 mc@suse.de
- fix arbitrary code execution
  (MITKRB5-SA-2007-006 - CVE-2007-3999, CVE-2007-4000)
  [#302377]
* Tue Aug  7 2007 mc@suse.de
- add krb5-1.6.2-post.dif
  * during the referrals loop, check to see if the
    session key enctype of a returned credential for the final
    service is among the enctypes explicitly selected by the
    application, and retry with old_use_conf_ktypes if it is not.
  * If mkstemp() is available, the new ccache file gets created but
    the subsequent open(O_CREAT|O_EXCL) call fails because the file
    was already created by mkstemp(). Apply patch from Apple to keep
    the file descriptor open.
* Thu Jul 12 2007 mc@suse.de
- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release
* Thu Jul  5 2007 mc@suse.de
- change requires to libcom_err-devel
* Mon Jul  2 2007 mc@suse.de
- update krb5-1.6.1-post.dif
  * fix leak in krb5_walk_realm_tree
  * rd_req_decoded needs to deal with referral realms
  * fix buffer overflow in kadmind
    (MITKRB5-SA-2007-005 - CVE-2007-2798)
    [#278689]
  * fix kadmind code execution bug
    (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
    [#271191]
* Thu Jun 14 2007 mc@suse.de
- fix unstripped-binary-or-object rpmlint warning
* Mon Jun 11 2007 sschober@suse.de
- fixing rpmlint warnings and errors:
  * merged logrotate scripts kadmin and krb5kdc into a single file
    krb5-server.
  * moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl
    from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper.
    adapted krb5.spec and README.ConvertHeimdalMIT accordingly.
  * added suppression filter for
    "devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so"
    (see [#147912]).
  * set default runlevel of init scripts in chkconfig line to 3 and
    5
* Wed May  9 2007 mc@suse.de
- fix uninitialized salt length
- add extra check for keytab file
* Thu May  3 2007 mc@suse.de
- adding krb5-1.6.1-post.dif
  * fix segfault in krb5_get_init_creds_password
  * remove debug output in ftp client
  * profile stores empty string values without double quotes
* Mon Apr 23 2007 mc@suse.de
- update to final 1.6.1 version
* Wed Apr 18 2007 mc@suse.de
- add plugin directories to main package
* Mon Apr 16 2007 mc@suse.de
- update to version 1.6.1 Beta1
- remove obsolete patches
  (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
- rework compile_pie patch
* Wed Apr 11 2007 mc@suse.de
- update krb5-1.6-post.dif
  * fix kadmind stack overflow in krb5_klog_syslog
    (MITKRB5-SA-2007-002 - CVE-2007-0957)
    [#253548]
  * fix double free attack in the RPC library
    (MITKRB5-SA-2007-003 - CVE-2007-1216)
    [#252487]
  * fix krb5 telnetd login injection
    (MIT-SA-2007-001 - CVE-2007-0956)
    [#247765]
* Thu Mar 29 2007 mc@suse.de
- add ncurses-devel and bison to BuildRequires
- rework some patches
* Mon Mar  5 2007 mc@suse.de
- move SuSEFirewall service definitions to
  /etc/sysconfig/SuSEfirewall2.d/services
* Thu Feb 22 2007 mc@suse.de
- add firewall definition to krb5-server, FATE #300687
* Mon Feb 19 2007 mc@suse.de
- update krb5-1.6-post.dif
- move some applications into the right package
* Fri Feb  9 2007 mc@suse.de
- update krb5-1.6-post.dif
* Mon Jan 29 2007 mc@suse.de
- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif
  are now upstream. Remove patches.
- fix leak in krb5_kt_resolve and krb5_kt_wresolve
* Tue Jan 23 2007 mc@suse.de
- fix "local variable used before set" in ftp.c
  [#237684]
* Mon Jan 22 2007 mc@suse.de
- krb5-devel should require keyutils-devel
* Mon Jan 22 2007 mc@suse.de
- update to version 1.6
  * Major changes in 1.6 include
  * Partial client implementation to handle server name referrals.
  * Pre-authentication plug-in framework, donated by Red Hat.
  * LDAP KDB plug-in, donated by Novell.
- remove obsolete patches
* Wed Jan 10 2007 mc@suse.de
- fix for
    kadmind (via RPC library) calls uninitialized function pointer
    (CVE-2006-6143)(Bug #225990)
    krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif
- fix for
    kadmind (via GSS-API mechglue) frees uninitialized pointers
    (CVE-2006-6144)(Bug #225992)
    krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif
* Tue Jan  2 2007 mc@suse.de
- Fix Requires in krb5-devel
  [Bug #231008]
* Mon Nov  6 2006 mc@suse.de
- fix "local variable used before set" [#217692]
- fix strncat warning
* Fri Oct 27 2006 mc@suse.de
- add a default kadm5.dict file
- require $network on daemon start
* Wed Sep 13 2006 mc@suse.de
- fix function call with too few arguments [#203837]
* Thu Aug 24 2006 mc@suse.de
- update to version 1.5.1
- remove obsolete patches which are now included upstream
  * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
  * trunk-fix-uninitialized-vars.dif
* Fri Aug 11 2006 mc@suse.de
- krb5 setuid return check fixes
  krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
  [#182351]
* Mon Aug  7 2006 mc@suse.de
- remove update-messages
* Mon Jul 24 2006 mc@suse.de
- add check for krb5_prop in services to kpropd init script.
  [#192446]
* Mon Jul  3 2006 mc@suse.de
- update to version 1.5
  * KDB abstraction layer, donated by Novell.
  * plug-in architecture, allowing for extension modules to be
    loaded at run-time.
  * multi-mechanism GSS-API implementation ("mechglue"),
    donated by Sun Microsystems
  * Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
    implementation, donated by Sun Microsystems
- remove obsolete patches and add some new
* Fri May 26 2006 ro@suse.de
- libcom is not in e2fsck-devel but in its own package now, change
  Requires accordingly.
* Mon Mar 27 2006 mc@suse.de
- add all daemons to %%stop_on_removal and %%restart_on_update
- add reload to kpropd init script
- add force-reload to all init scripts
* Mon Mar 13 2006 mc@suse.de
- add libgssapi_krb5.so link to main package [#147912]
* Fri Feb  3 2006 mc@suse.de
- fix logging section for kadmind in convert script
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Fri Jan 13 2006 mc@suse.de
- change the logging defaults
* Wed Jan 11 2006 mc@suse.de
- add tools and README for heimdal => MIT update
* Mon Jan  9 2006 mc@suse.de
- fix build problems, define _GNU_SOURCE
  (krb5-1.4.3-set_gnu_source.dif )
* Tue Jan  3 2006 mc@suse.de
- added "make %%{?jobs:-j%%jobs}"
* Fri Nov 18 2005 mc@suse.de
- update to version 1.4.3
  * some memory leaks fixed
  * fix for "AS_REP padata has wrong enctype"
  * fix for "AS_REP padata missing PA-ETYPE-INFO"
  * ... and more
* Wed Nov  2 2005 dmueller@suse.de
- don't build as root
* Tue Oct 11 2005 mc@suse.de
- update to version 1.4.2
- remove some obsolete patches
* Mon Aug  8 2005 mc@suse.de
- build with --disable-static
* Thu Aug  4 2005 ro@suse.de
- remove devel-static subpackage
* Thu Jun 30 2005 mc@suse.de
- better patch for princ_comp problem
* Mon Jun 27 2005 mc@suse.de
- update to version 1.4.1
- remove obsolete patches
  - krb5-1.4-gcc4.dif
  - krb5-1.4-reduce-namespace-polution.dif
  - krb5-1.4-VUL-0-telnet.dif
* Thu Jun 23 2005 mc@suse.de
- fixed krb5 KDC heap corruption by random free
  [#80574, CAN-2005-1174, MITKRB5-SA-2005-002]
- fixed krb5 double free()
  [#86768, CAN-2005-1689, MITKRB5-SA-2005-003]
- fix krb5 NULL pointer reference while comparing principals
  [#91600]
* Fri Jun 17 2005 mc@suse.de
- fix uninitialized variables
- compile with -fPIE/ link with -pie
* Wed Apr 20 2005 mc@suse.de
- fixed wrong xinetd files [#77149]
* Fri Apr  8 2005 mt@suse.de
- removed krb5-1.4-fix-error_tables.dif patch obsoleted
  by libcom_err locking patches
* Thu Apr  7 2005 mc@suse.de
- fixed missing descriptions in init files
  [#76164, #76165, #76166, #76169]
* Wed Mar 30 2005 mc@suse.de
- enhance $PATH via /etc/profile.d/ [#74018]
- remove the "links to important programs"
* Fri Mar 18 2005 mc@suse.de
- fixed not running converter script [#72854]
* Thu Mar 17 2005 mc@suse.de
- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer
    Overflow
- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer
    Overflow
  [#73618]
* Wed Mar 16 2005 mc@suse.de
- fixed wrong PreReqs [#73020]
* Tue Mar 15 2005 mc@suse.de
- add a simple krb5.conf converter [#72854]
* Mon Mar 14 2005 mc@suse.de
- fixed: rckrb5kdc restart gives wrong status with non-running service
  [#72446]
* Thu Mar 10 2005 mc@suse.de
- add requires: e2fsprogs-devel to krb5-devel package [#71732]
* Fri Feb 25 2005 mc@suse.de
- fix double free [#66534]
  krb5-1.4-fix-error_tables.dif
* Fri Feb 11 2005 mc@suse.de
- change mode for shared libraries to 755
* Fri Feb  4 2005 mc@suse.de
- remove spx.c from tarball because of legal risk
- add README.Source which tells the user about this
  action.
- add a check for spx.c in the spec-file
- use rich-text for update-messages [#50250]
* Tue Feb  1 2005 mc@suse.de
- add krb5-1.4-reduce-namespace-polution.dif
  reduce namespace pollution in gssapi.h [#50356]
* Fri Jan 28 2005 mc@suse.de
- update to version 1.4
- Add implementation of the RPCSEC_GSS authentication flavor to the
  RPC library.
- Thread safety for krb5 libraries.
- Merged Athena telnetd changes for creating a new option for
  requiring encryption.
- The kadmind4 backwards-compatibility admin server and the v5passwdd
  backwards-compatibility password-changing server have been removed.
- Yarrow code now uses AES.
- Merged Athena changes to allow ftpd to require encrypted passwords.
- Incorporate gss_krb5_set_allowable_enctypes() and
  gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.
- remove obsolete patches
* Mon Jan 17 2005 mc@suse.de
- add proofread update-messages
* Fri Jan 14 2005 mc@suse.de
- remove Conflicts: and add Provides:
- add some insserv stuff
* Thu Jan 13 2005 mc@suse.de
- move vendor files to vendor-files.tar.bz2
- add obsoletes: heimdal
- add %%pre and %%post sections to detect update
  from heimdal and backup invalid configuration files
- add update-messages for heimdal update
* Mon Jan 10 2005 mc@suse.de
- update to version 1.3.6
- fix for: heap buffer overflow in libkadm5srv
  [CAN-2004-1189 / MITKRB5-SA-2004-004]
* Tue Dec 14 2004 mc@suse.de
- build doc subpackage in its own specfile
- removed unnecessary neededforbuild requirements
* Wed Nov 24 2004 coolo@suse.de
- fix build with gcc 4
* Mon Nov 15 2004 mc@suse.de
- added Conflicts with heimdal*
- rename some manpages to avoid conflicts
* Thu Nov  4 2004 mc@suse.de
- new init scripts
- fix logrotate scripts
- add some 64Bit fixes
- add default krb5.conf, kdc.conf and kadm5.acl
* Wed Nov  3 2004 mc@suse.de
- add e2fsprogs to NFB
- use system-et and system-ss
- fix includes of com_err.h
* Thu Oct 28 2004 mc@suse.de
- Initial checkin