authorNalin Dahyabhai <nalin@fedoraproject.org>2007-10-23 19:40:45 +0000
committerNalin Dahyabhai <nalin@fedoraproject.org>2007-10-23 19:40:45 +0000
commit276a481e8840d6512d40a8b6218baf739dc51972 (patch)
tree3fa8ca941de0611e7b3b1217abfee102de1fbb97
parenta0f391756d6ae9674449ae7433b9dd1cc2c464ad (diff)
- update to 1.6.3, dropping now-integrated patches for CVE-2007-3999 andkrb5-1_6_3-1_fc9
CVE-2007-4000 (the new pkinit module is built conditionally and goes into the -pkinit-openssl package, at least for now, to make a buildreq loop with openssl avoidable)
-rw-r--r--.cvsignore3
-rw-r--r--krb5-kpasswd_tcp.patch4
-rw-r--r--krb5-trunk-server_delegation.patch45
-rw-r--r--krb5.spec48
-rw-r--r--sources6
5 files changed, 49 insertions, 57 deletions
diff --git a/.cvsignore b/.cvsignore
index e5a1d5c..8353788 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -22,3 +22,6 @@ krb5-1.6.1-pdf.tar.gz
krb5-1.6.2.tar.gz
krb5-1.6.2.tar.gz.asc
krb5-1.6.2-pdf.tar.gz
+krb5-1.6.3.tar.gz
+krb5-1.6.3.tar.gz.asc
+krb5-1.6.3-pdf.tar.gz
diff --git a/krb5-kpasswd_tcp.patch b/krb5-kpasswd_tcp.patch
index 5889463..2068475 100644
--- a/krb5-kpasswd_tcp.patch
+++ b/krb5-kpasswd_tcp.patch
@@ -102,10 +102,12 @@ diff -up src/lib/krb5/os/changepw.c src/lib/krb5/os/changepw.c
addrlen = sizeof(remote_addr);
callback_info.context = (void*) &callback_ctx;
-@@ -247,15 +287,8 @@ krb5_change_set_password(krb5_context co
+@@ -247,17 +287,10 @@ krb5_change_set_password(krb5_context co
NULL,
ss2sa(&remote_addr),
&addrlen,
+ NULL,
+ NULL,
- NULL
- ))) {
-
diff --git a/krb5-trunk-server_delegation.patch b/krb5-trunk-server_delegation.patch
deleted file mode 100644
index 5c5c8a9..0000000
--- a/krb5-trunk-server_delegation.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-If the application calling gss_accept_sec_context() doesn't pass a value
-for ret_flags, we'd never be able to check if credentials had been delegated.
-
-The passed-in ret_flags value is a pointer to a bitfield, so the comparision
-as-written was not likely to work as expected.
-
-Index: src/lib/gssapi/mechglue/g_accept_sec_context.c
-===================================================================
---- src/lib/gssapi/mechglue/g_accept_sec_context.c (revision 20038)
-+++ src/lib/gssapi/mechglue/g_accept_sec_context.c (working copy)
-@@ -112,6 +112,7 @@
-
- {
- OM_uint32 status, temp_status, temp_minor_status;
-+ OM_uint32 temp_ret_flags = 0;
- gss_union_ctx_id_t union_ctx_id;
- gss_union_cred_t union_cred;
- gss_cred_id_t input_cred_handle = GSS_C_NO_CREDENTIAL;
-@@ -202,7 +203,7 @@
- &internal_name,
- mech_type,
- output_token,
-- ret_flags,
-+ &temp_ret_flags,
- time_rec,
- d_cred ? &tmp_d_cred : NULL);
-
-@@ -248,7 +249,7 @@
- }
-
- /* Ensure we're returning correct creds format */
-- if ((ret_flags && GSS_C_DELEG_FLAG) &&
-+ if ((temp_ret_flags & GSS_C_DELEG_FLAG) &&
- tmp_d_cred != GSS_C_NO_CREDENTIAL) {
- gss_union_cred_t d_u_cred = NULL;
-
-@@ -335,6 +336,8 @@
- if (src_name == NULL && tmp_src_name != NULL)
- (void) gss_release_name(&temp_minor_status,
- &tmp_src_name);
-+ if (ret_flags != NULL)
-+ *ret_flags = temp_ret_flags;
- return (status);
- } else {
-
diff --git a/krb5.spec b/krb5.spec
index 0526d92..27f93a1 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -1,4 +1,5 @@
%define WITH_LDAP 1
+%define WITH_OPENSSL 1
%define krb5prefix %{_prefix}/kerberos
@@ -13,8 +14,8 @@
Summary: The Kerberos network authentication system.
Name: krb5
-Version: 1.6.2
-Release: 10%{?dist}
+Version: 1.6.3
+Release: 1%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -84,15 +85,12 @@ Patch56: krb5-1.6.2-doublelog.patch
Patch57: krb5-1.6.2-login_chdir.patch
Patch58: krb5-1.6.2-key_exp.patch
Patch59: krb5-kpasswd_tcp.patch
-Patch65: CVE-2007-3999-2.patch
-Patch66: CVE-2007-4000.patch
Patch60: krb5-1.6.1-pam.patch
Patch61: krb5-trunk-manpaths.patch
Patch62: krb5-any-fixup-patch.txt
Patch63: krb5-1.6.1-selinux-label.patch
Patch64: krb5-ok-as-delegate.patch
-Patch67: krb5-trunk-server_delegation.patch
Patch68: krb5-trunk-spnego_delegation.patch
License: MIT, freely distributable.
@@ -110,6 +108,9 @@ BuildRequires: pam-devel
%if %{WITH_LDAP}
BuildRequires: openldap-devel
%endif
+%if %{WITH_OPENSSL}
+BuildRequires: openssl-devel >= 0.9.8
+%endif
%description
Kerberos V5 is a trusted-third-party network authentication system,
@@ -209,7 +210,24 @@ servers. If your network uses Kerberos, this package should be
installed on systems which are meant provide these services.
%endif
+%package pkinit-openssl
+Summary: The PKINIT module for Kerberos 5.
+Group: System Environment/Libraries
+Requires: %{name}-libs = %{version}-%{release}
+
+%description pkinit-openssl
+Kerberos is a network authentication system. The krb5-pkinit-openssl
+package contains the PKINIT plugin, which uses OpenSSL to allow clients
+to obtain initial credentials from a KDC using a private key and a
+certificate.
+
%changelog
+* Tue Oct 23 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-1
+- update to 1.6.3, dropping now-integrated patches for CVE-2007-3999
+ and CVE-2007-4000 (the new pkinit module is built conditionally and goes
+ into the -pkinit-openssl package, at least for now, to make a buildreq
+ loop with openssl avoidable)
+
* Wed Oct 17 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-10
- make proper use of pam_loginuid and pam_selinux in rshd and ftpd
@@ -1239,15 +1257,12 @@ popd
%patch51 -p0 -b .ldap_init
%patch52 -p0 -b .ldap_man
%patch53 -p1 -b .nodeplibs
-%patch65 -p0 -b .2007-3999-2
-%patch66 -p0 -b .2007-4000
#%patch55 -p1 -b .empty
#%patch56 -p1 -b .doublelog
#%patch57 -p1 -b .login_chdir
#%patch58 -p1 -b .key_exp
#%patch59 -p0 -b .kpasswd_tcp
#%patch64 -p0 -b .ok-as-delegate
-#%patch67 -p0 -b .server-delegation
#%patch68 -p0 -b .spnego_delegation
cp src/krb524/README README.krb524
gzip doc/*.ps
@@ -1310,6 +1325,14 @@ OPENLDAP_PLUGIN=yes
%else
OPENLDAP_PLUGIN=""
%endif
+# Enable or disable the PKINIT plugin. The configure script only checks for
+# the version of OpenSSL being okay, so for now we have to use that to control
+# whether or not it tries to build the module.
+%if %{WITH_OPENSSL}
+k5_cv_openssl_version_okay=
+%else
+k5_cv_openssl_version_okay=no ; export k5_cv_openssl_version_okay
+%endif
# Work out the CFLAGS and CPPFLAGS which we intend to use.
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC`"
CPPFLAGS="`echo $DEFINES $INCLUDES`"
@@ -1750,6 +1773,15 @@ exit 0
%{_libdir}/krb5/plugins/kdb/db2.so
%{krb5prefix}/share
+%if %{WITH_OPENSSL}
+%files pkinit-openssl
+%defattr(-,root,root)
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/pkinit.so
+%endif
+
%files devel
%defattr(-,root,root)
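Review bot: The new `%package pkinit-openssl` / `%description pkinit-openssl` block in the fifth hunk is added unconditionally, while the matching `BuildRequires: openssl-devel >= 0.9.8` in the fourth hunk and the `%files pkinit-openssl` list in the last hunk are both wrapped in `%if %{WITH_OPENSSL}`. With `WITH_OPENSSL` set to 0 the subpackage would still be declared but have no %files section, so I would guard the declaration the same way, `%if %{WITH_OPENSSL}` before `%package pkinit-openssl` and `%endif` after the description paragraph, so the three pieces cannot drift apart. The changelog entry covers only the two CVE patches; the removal of `Patch67: krb5-trunk-server_delegation.patch` in the third hunk is not mentioned, and a line such as `- drop krb5-trunk-server_delegation.patch (integrated upstream)` — with the reason adjusted if that is not why it was dropped — would keep the record complete. The context comment `# http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar` directly below the bumped `Version: 1.6.3` in the second hunk now points at the previous release and should be updated alongside it.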
diff --git a/sources b/sources
index fec49f1..9c67943 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-41d8c0cdb6c3e59171234b0464ec3c47 krb5-1.6.2.tar.gz
-8a5c577ea2907ecebdc03b7ccbf4d534 krb5-1.6.2.tar.gz.asc
-c6c5380e4bfdb787f3b196b66cd96bed krb5-1.6.2-pdf.tar.gz
+f32a9647deed175dd6bcc5e22d907541 krb5-1.6.3.tar.gz
+992f23ef516c1e3d406896ac835e4b68 krb5-1.6.3.tar.gz.asc
+5153f5c7773228bf3e295750e885dd04 krb5-1.6.3-pdf.tar.gz