| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: krb5 | Distribution: openSUSE Tumbleweed |
| Version: 1.21.2 | Vendor: openSUSE |
| Release: 1.1 | Build date: Fri Dec 22 00:14:37 2023 |
| Group: Unspecified | Build host: h02-ch2b |
| Size: 2083546 | Source RPM: krb5-1.21.2-1.1.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: https://kerberos.org/dist/ | |
| Summary: MIT Kerberos5 implementation | |
Kerberos V5 is a trusted-third-party network authentication system, which can improve network security by eliminating the insecure practice of clear text passwords.
MIT
* Wed Dec 20 2023 Dirk Müller <dmueller@suse.com>
- update to 1.21.2 (bsc#1218211, CVE-2023-39975):
* Fix double-free in KDC TGS processing [CVE-2023-39975].
* Sat Jul 15 2023 Dirk Müller <dmueller@suse.com>
- update to 1.21.1 (CVE-2023-36054):
* Fix potential uninitialized pointer free in kadm5 XDR parsing
[CVE-2023-36054].
* Added a credential cache type providing compatibility with
the macOS 11 native credential cache.
* libkadm5 will use the provided krb5_context object to read
configuration values, instead of creating its own.
* Added an interface to retrieve the ticket session key
from a GSS context.
* The KDC will no longer issue tickets with RC4 or triple-DES
session keys unless explicitly configured with the new
allow_rc4 or allow_des3 variables respectively.
* The KDC will assume that all services can handle aes256-sha1
session keys unless the service principal has a
session_enctypes string attribute.
* Support for PAC full KDC checksums has been added to
mitigate an S4U2Proxy privilege escalation attack.
* The PKINIT client will advertise a more modern set
of supported CMS algorithms.
* Removed unused code in libkrb5, libkrb5support,
and the PKINIT module.
* Modernized the KDC code for processing TGS requests,
the code for encrypting and decrypting key data,
the PAC handling code, and the GSS library packet
parsing and composition code.
* Improved the test framework's detection of memory
errors in daemon processes when used with asan.
* Thu May 04 2023 Frederic Crozat <fcrozat@suse.com>
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
* Fri Mar 03 2023 Samuel Cabrero <scabrero@suse.de>
- Update 0007-SELinux-integration.patch for SELinux 3.5;
(bsc#1208887);
* Tue Dec 27 2022 Stefan Schubert <schubi@suse.com>
- Migration of PAM settings to /usr/lib/pam.d
* Tue Dec 13 2022 Samuel Cabrero <scabrero@suse.de>
- Drop 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch,
already fixed in release 1.20.0
* Wed Nov 16 2022 Samuel Cabrero <scabrero@suse.de>
- Update to 1.20.1; (bsc#1205126); (CVE-2022-42898);
* Fix integer overflows in PAC parsing [CVE-2022-42898].
* Fix null deref in KDC when decoding invalid NDR.
* Fix memory leak in OTP kdcpreauth module.
* Fix PKCS11 module path search.
* Sun May 29 2022 Dirk Müller <dmueller@suse.com>
- update to 1.20.0:
* Added a "disable_pac" realm relation to suppress adding PAC authdata
to tickets, for realms which do not need to support S4U requests.
* Most credential cache types will use atomic replacement when a cache
is reinitialized using kinit or refreshed from the client keytab.
* kprop can now propagate databases with a dump size larger than 4GB,
if both the client and server are upgraded.
* kprop can now work over NATs that change the destination IP address,
if the client is upgraded.
* Updated the KDB interface. The sign_authdata() method is replaced
with the issue_pac() method, allowing KDB modules to add logon info
and other buffers to the PAC issued by the KDC.
* Host-based initiator names are better supported in the GSS krb5
mechanism.
* Replaced AD-SIGNEDPATH authdata with minimal PACs.
* To avoid spurious replay errors, password change requests will not
be attempted over UDP until the attempt over TCP fails.
* PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
* Updated all code using OpenSSL to be compatible with OpenSSL 3.
* Reorganized the libk5crypto build system to allow the OpenSSL
back-end to pull in material from the builtin back-end depending on
the OpenSSL version.
* Simplified the PRNG logic to always use the platform PRNG.
* Converted the remaining Tcl tests to Python.
* Sat Apr 09 2022 Dirk Müller <dmueller@suse.com>
- update to 1.19.3 (bsc#1189929, CVE-2021-37750):
* Fix a denial of service attack against the KDC [CVE-2021-37750].
* Fix KDC null deref on TGS inner body null server
* Fix conformance issue in GSSAPI tests
* Thu Jan 27 2022 David Mulder <dmulder@suse.com>
- Resolve "Credential cache directory /run/user/0/krb5cc does not
exist while opening default credentials cache" by using a kernel
keyring instead of a dir cache; (bsc#1109830);
* Thu Sep 30 2021 Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd services; (bsc#1181400);
* Mon Aug 30 2021 Samuel Cabrero <scabrero@suse.de>
- Fix KDC null pointer dereference via a FAST inner body that
lacks a server field; (CVE-2021-37750); (bsc#1189929);
- Added patches:
* 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
* Mon Aug 02 2021 Samuel Cabrero <scabrero@suse.de>
- Update to 1.19.2
* Fix a denial of service attack against the KDC encrypted challenge
code; (CVE-2021-36222);
* Fix a memory leak when gss_inquire_cred() is called without a
credential handle.
* Mon May 03 2021 Rodrigo Lourenço <rzl@rzl.ooo>
- Build with full Cyrus SASL support
* Negotiating SASL credentials with an EXTERNAL bind mechanism requires
interaction. Kerberos provides its own interaction function that skips
all interaction, thus preventing the mechanism from working.
* Thu Apr 22 2021 Samuel Cabrero <scabrero@suse.de>
- Use /run instead of /var/run for daemon PID files; (bsc#1185163);
* Wed Apr 07 2021 Dirk Müller <dmueller@suse.com>
- do not own %sbindir, it comes from filesystem package
* Fri Feb 19 2021 Samuel Cabrero <scabrero@suse.de>
- Update to 1.19.1
* Fix a linking issue with Samba.
* Better support multiple pkinit_identities values by checking whether
certificates can be loaded for each value.
* Fri Feb 05 2021 Samuel Cabrero <scabrero@suse.de>
- Update to 1.19
Administrator experience
* When a client keytab is present, the GSSAPI krb5 mech will refresh
credentials even if the current credentials were acquired manually.
* It is now harder to accidentally delete the K/M entry from a KDB.
Developer experience
* gss_acquire_cred_from() now supports the "password" and "verify"
options, allowing credentials to be acquired via password and
verified using a keytab key.
* When an application accepts a GSS security context, the new
GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
both provided matching channel bindings.
* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
to identify the desired client principal by certificate.
* PKINIT certauth modules can now cause the hw-authent flag to be set
in issued tickets.
* The krb5_init_creds_step() API will now issue the same password
expiration warnings as krb5_get_init_creds_password().
Protocol evolution
* Added client and KDC support for Microsoft's Resource-Based Constrained
Delegation, which allows cross-realm S4U2Proxy requests. A third-party
database module is required for KDC support.
* kadmin/admin is now the preferred server principal name for kadmin
connections, and the host-based form is no longer created by default.
The client will still try the host-based form as a fallback.
* Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
extension, which causes channel bindings to be required for the
initiator if the acceptor provided them. The client will send this
option if the client_aware_gss_bindings profile option is set.
User experience
* kinit will now issue a warning if the des3-cbc-sha1 encryption type is
used in the reply. This encryption type will be deprecated and removed
in future releases.
* Added kvno flags --out-cache, --no-store, and --cached-only
(inspired by Heimdal's kgetcred).
* Thu Nov 19 2020 Samuel Cabrero <scabrero@suse.de>
- Update to 1.18.3
* Fix a denial of service vulnerability when decoding Kerberos
protocol messages; (CVE-2020-28196); (bsc#1178512);
* Fix a locking issue with the LMDB KDB module which could cause
KDC and kadmind processes to lose access to the database.
* Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
and unloaded while libkrb5support remains loaded.
* Tue Jul 07 2020 Andreas Schwab <schwab@suse.de>
- Don't fail if %{_lto_cflags} is empty
* Fri Jun 12 2020 Dominique Leuenberger <dimstar@opensuse.org>
- Do not mangle libexecdir, bindir, sbindir and datadir: there is
no reasonable justification to step out of the defaults.
+ No longer install csh/sh profiles into /etc/profiles.d: as we
not install to default paths, there is no need to further
inject paths into $PATH; also, now sbin binaries are only in
path for admin users.
* Fri May 29 2020 Samuel Cabrero <scabrero@suse.de>
- Update to 1.18.2
* Fix a SPNEGO regression where an acceptor using the default credential
would improperly filter mechanisms, causing a negotiation failure.
* Fix a bug where the KDC would fail to issue tickets if the local krbtgt
principal's first key has a single-DES enctype.
* Add stub functions to allow old versions of OpenSSL libcrypto to link
against libkrb5.
* Fix a NegoEx bug where the client name and delegated credential might
not be reported.
* Thu May 28 2020 Samuel Cabrero <scabrero@suse.de>
- Update logrotate script, call systemd to reload the services
instead of init-scripts. (boo#1169357)
* Tue May 26 2020 Christophe Giboudeaux <christophe@krop.fr>
- Don't add the lto flags to the public link options. (boo#1172038)
* Mon May 04 2020 Samuel Cabrero <scabrero@suse.de>
- Upgrade to 1.18.1
* Fix a crash when qualifying short hostnames when the system has
no primary DNS domain.
* Fix a regression when an application imports "service@" as a GSS
host-based name for its acceptor credential handle.
* Fix KDC enforcement of auth indicators when they are modified by
the KDB module.
* Fix removal of require_auth string attributes when the LDAP KDB
module is used.
* Fix a compile error when building with musl libc on Linux.
* Fix a compile error when building with gcc 4.x.
* Change the KDC constrained delegation precedence order for consistency
with Windows KDCs.
- Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch
* Wed Apr 29 2020 Dominique Leuenberger <dimstar@opensuse.org>
- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d
notation: libexecdir is likely changing away from /usr/lib to
/usr/libexec.
* Wed Mar 25 2020 Samuel Cabrero <scabrero@suse.de>
- Fix segfault in k5_primary_domain; (bsc#1167620);
- Added patches:
* 0009-Fix-null-dereference-qualifying-short-hostnames.patch
* Tue Feb 25 2020 Tomáš Chvátal <tchvatal@suse.com>
- Remove cruft to support distributions older than SLE 12
- Use macros where applicable
- Switch to pkgconfig style dependencies
* Mon Feb 17 2020 Samuel Cabrero <scabrero@suse.de>
- Upgrade to 1.18
Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust.
Replay cache filenames using the new format end with ".rcache2"
by default.
* setuid programs will automatically ignore environment variables
that normally affect krb5 API functions, even if the caller does
not use krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC
sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value
for default_tkt_enctypes and default_tgs_enctypes.
Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account
name from a PAC.
Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified
by X.509 certificate. (Requires support for certificate lookup from
a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party
GSS modules implementing NegoEx mechanisms.)
User experience:
* Add support for "dns_canonicalize_hostname=fallback", causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names
when DNS canonicalization is not used, adding the system's first DNS
search path as a suffix. Add a "qualify_shortname" krb5.conf relation
to override this suffix or disable expansion.
* Honor the transited-policy-checked ticket flag on application servers,
eliminating the requirement to configure capaths on servers in some
scenarios.
Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity
Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
can always be tested.
- Updated patches:
* 0002-krb5-1.9-manpaths.patch
* 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* 0005-krb5-1.6.3-ktutil-manpage.patch
* 0006-krb5-1.12-api.patch
- Renamed patches:
* 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
* 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
* 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
* 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
- Deleted patches:
* 0007-krb5-1.12-ksu-path.patch
/etc/krb5.conf /etc/krb5.conf.d /usr/lib64/krb5 /usr/lib64/krb5/plugins /usr/lib64/krb5/plugins/kdb /usr/lib64/krb5/plugins/libkrb5 /usr/lib64/krb5/plugins/preauth /usr/lib64/krb5/plugins/tls /usr/lib64/krb5/plugins/tls/k5tls.so /usr/lib64/libgssapi_krb5.so /usr/lib64/libgssapi_krb5.so.2 /usr/lib64/libgssapi_krb5.so.2.2 /usr/lib64/libgssrpc.so.4 /usr/lib64/libgssrpc.so.4.2 /usr/lib64/libk5crypto.so.3 /usr/lib64/libk5crypto.so.3.1 /usr/lib64/libkadm5clnt_mit.so.12 /usr/lib64/libkadm5clnt_mit.so.12.0 /usr/lib64/libkadm5srv_mit.so.12 /usr/lib64/libkadm5srv_mit.so.12.0 /usr/lib64/libkdb5.so.10 /usr/lib64/libkdb5.so.10.0 /usr/lib64/libkrad.so.0 /usr/lib64/libkrad.so.0.0 /usr/lib64/libkrb5.so.3 /usr/lib64/libkrb5.so.3.3 /usr/lib64/libkrb5support.so.0 /usr/lib64/libkrb5support.so.0.1 /usr/share/doc/packages/krb5 /usr/share/doc/packages/krb5/README /usr/share/locale/de/LC_MESSAGES/mit-krb5.mo /usr/share/locale/en_US/LC_MESSAGES/mit-krb5.mo /usr/share/locale/ka/LC_MESSAGES/mit-krb5.mo /var/log/krb5
Generated by rpm2html 1.8.1
Fabrice Bellet, Thu Apr 4 01:30:33 2024