auto-import krb5-1.2.4-11 from krb5-1.2.4-11.src.rpmkrb5-1_2_4-11RHL-7_3-split

4 files changed, 76 insertions, 2 deletions

diff --git a/.cvsignore b/.cvsignore
index d1d3343..0c0dfa0 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1,2 @@
+2003-004-krb4_patchkit.tar.gz
 krb5-1.2.4.tar.gz
diff --git a/krb5-1.2.7-reject-bad-transited.patch b/krb5-1.2.7-reject-bad-transited.patch
new file mode 100644
index 0000000..b4c26b0
--- /dev/null
+++ b/krb5-1.2.7-reject-bad-transited.patch
@@ -0,0 +1,18 @@
+--- krb5-1.2.7/src/config-files/kdc.conf.M	2003-02-04 13:04:21.000000000 -0500
++++ krb5-1.2.7/src/config-files/kdc.conf.M	2003-02-04 13:04:11.000000000 -0500
+@@ -138,6 +138,15 @@
+ strings specifies the default key/salt combinations of principals for this
+ realm.
+ 
++.IP reject_bad_transit
++This
++.B boolean string
++specifies whether or not the KDC should reject cross-realm TGS requests if the
++request's list of transited realms names realms which would not be included
++in the transit path if the path were to be computed using the KDC's krb5.conf
++file, or if the client requests that the KDC not perform such a check.  The
++default is for this option to be enabled.
++
+ .SH FILES 
+ /usr/local/lib/krb5kdc/kdc.conf
+ 
diff --git a/krb5.spec b/krb5.spec
index 33ff9f8..3da098a 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -4,7 +4,7 @@
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.2.4
-Release: 4
+Release: 11
 Source0: krb5-%{version}.tar.gz
 Source1: kpropd.init
 Source2: krb524d.init
@@ -24,6 +24,8 @@ Source15: kshell.xinetd
 Source16: krb5-telnet.xinetd
 Source17: gssftp.xinetd
 Source19: statglue.c
+Source20: http://web.mit.edu/kerberos/www/advisories/2003-004-krb4_patchkit.tar.gz
+Source21: http://web.mit.edu/kerberos/www/advisories/2003-004-krb4_patchkit.sig
 Patch0: krb5-1.1-db.patch
 Patch1: krb5-1.1.1-tiocgltc.patch
 Patch2: krb5-1.1.1-libpty.patch
@@ -52,6 +54,14 @@ Patch25: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.tx
 Patch26: gssftp-patch
 Patch27: krb5-1.2.6-dnsparse.patch
 Patch28: krb5-1.2.7-errno.patch
+Patch29: krb5-SA-2003-001-1.patch
+Patch30: krb5-SA-2003-001-4.patch
+Patch32: krb5-1.2.7-reject-bad-transited.patch
+Patch33: krb5-crawford.patch
+Patch34: krb5-1.2.4-princ_size.patch
+Patch35: krb5-1.2.7-underrun.patch
+Patch36: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-003-xdr.txt
+Patch37: krb5-1.2.2-krb524-double-free.patch
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@@ -113,6 +123,38 @@ network uses Kerberos, this package should be installed on every
 workstation.
 
 %changelog
+* Fri Mar 21 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.4-11
+- fix double-free of enc_part2 in krb524d
+- update to latest patch kit for MITKRB5-SA-2003-004
+
+* Wed Mar 19 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.4-10
+- add patch included in MITKRB5-SA-2003-003 (CAN-2003-0028)
+
+* Mon Mar 17 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.4-9
+- add patches from patchkit from MITKRB5-SA-2003-004 (CAN-2003-0138 and
+  CAN-2003-0139)
+
+* Thu Mar  6 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.4-8
+- fix buffer underrun in unparsing certain principals (CAN-2003-0082)
+
+* Wed Feb 26 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.4-7
+- add patch to fix server-side crashes when principals have no
+  components (CAN-2003-0072)
+
+* Mon Feb 24 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.4-6
+- add patch from Matt Crawford for encoding transited realms properly
+
+* Wed Feb  5 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.4-5
+- sync compiler flags for configure and make with other versions
+
+* Tue Feb  4 2003 Nalin Dahyabhai <nalin@redhat.com>
+- add patch to document the reject-bad-transited option in kdc.conf
+
+* Thu Jan 30 2003 Nalin Dahyabhai <nalin@redhat.com>
+- add candidate backport for MITKRB5-SA-2003-001 parts 1,4
+- add candidate backports for CAN-2002-0036, CAN-2002-059
+  (CAN-2002-058 was fixed in 1.2.3, CAN-2002-060 was fixed in 1.1.1-7 or so)
+
 * Thu Jan 23 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.4-4
 - add patch from Mark Cox for exploitable bugs in ftp client
 - add patch to avoid buffer read overruns when configuring via DNS
@@ -469,7 +511,7 @@ workstation.
 - added --force to makeinfo commands to skip errors during build
 
 %prep
-%setup -q
+%setup -q -a 20
 %patch0  -p0 -b .db
 %patch1  -p0 -b .tciogltc
 %patch2  -p0 -b .libpty
@@ -504,6 +546,18 @@ popd
 %patch26 -p1 -b .gssftp-patch
 %patch27 -p1 -b .dnsparse
 %patch28 -p1 -b .errno
+%patch29 -p1 -b .krb5-SA-2003-001-1
+%patch30 -p1 -b .krb5-SA-2003-001-4
+%patch32 -p1 -b .reject-bad-transited
+%patch33 -p1 -b .crawford
+%patch34 -p1 -b .princ_size
+%patch35 -p1 -b .underrun
+patch -sp0 -b -z .2003-004-krb4 < 2003-004-krb4_patchkit/patch.1.2.0
+pushd src/lib/rpc
+%patch36 -p0 -b .2003-003
+popd
+%patch37 -p1 -b .double-free
+
 %if %{statglue}
 cp $RPM_SOURCE_DIR/statglue.c src/util/profile/statglue.c
 %endif
diff --git a/sources b/sources
index eb2a426..d511114 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
+88d770f2de2c1bd842b511f47002a807  2003-004-krb4_patchkit.tar.gz
 663add9b5942be74a86fa860a3fa4167  krb5-1.2.4.tar.gz