author | Robbie Harwood <rharwood@redhat.com> | 2017-09-25 13:54:57 -0400 |
---|---|---|
committer | Robbie Harwood <rharwood@redhat.com> | 2017-09-25 19:24:33 +0000 |
commit | f1e535bb81d5a9dd23468973a599b5daaaa9b679 (patch) | |
tree | 8c690749ca90c86028188ac530ae060adea3e055 | |
parent | 11b90e9e6e42aeb2568fb67e68eb3e398dd4fbcb (diff) | |
New upstream release - krb5-1.15.2
Adjust patches as appropriate
51 files changed, 91 insertions, 681 deletions
@@ -151,3 +151,6 @@ krb5-1.8.3-pdf.tar.gz /krb5-1.15.1-pdfs.tar /krb5-1.15.1.tar.gz /krb5-1.15.1.tar.gz.asc +/krb5-1.15.2-pdfs.tar +/krb5-1.15.2.tar.gz +/krb5-1.15.2.tar.gz.asc diff --git a/Add-KDC-policy-pluggable-interface.patch b/Add-KDC-policy-pluggable-interface.patch index e43bc0d..a5e029e 100644 --- a/Add-KDC-policy-pluggable-interface.patch +++ b/Add-KDC-policy-pluggable-interface.patch @@ -1,4 +1,4 @@ -From 648fa08747a5f2025f47e5b0bc2589f55a65218a Mon Sep 17 00:00:00 2001 +From 78a1f155701f94a228c4f58f98846195a39991c4 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Tue, 27 Jun 2017 17:15:39 -0400 Subject: [PATCH] Add KDC policy pluggable interface diff --git a/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch b/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch index ab332a7..94370dc 100644 --- a/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch +++ b/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch @@ -1,4 +1,4 @@ -From 2f84634c8227d2f43daf9a6135766c6e1901851f Mon Sep 17 00:00:00 2001 +From 6ce3a9416ee73fee41d0190e3fd0fde0a097c774 Mon Sep 17 00:00:00 2001 From: Matt Rogers <mrogers@redhat.com> Date: Fri, 9 Dec 2016 11:43:27 -0500 Subject: [PATCH] Add PKINIT UPN tests to t_pkinit.py diff --git a/Add-PKINIT-test-case-for-generic-client-cert.patch b/Add-PKINIT-test-case-for-generic-client-cert.patch index e6fb895..e77dd5f 100644 --- a/Add-PKINIT-test-case-for-generic-client-cert.patch +++ b/Add-PKINIT-test-case-for-generic-client-cert.patch @@ -1,4 +1,4 @@ -From 22e89e4e2d2819b7371efb848be525914b2750e8 Mon Sep 17 00:00:00 2001 +From e267849bcc3813989470c03565b22d25c71af91e Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Fri, 25 Aug 2017 12:39:14 -0400 Subject: [PATCH] Add PKINIT test case for generic client cert diff --git a/Add-certauth-pluggable-interface.patch b/Add-certauth-pluggable-interface.patch index e1f81b9..a9adc3e 100644 --- a/Add-certauth-pluggable-interface.patch +++ b/Add-certauth-pluggable-interface.patch 
@@ -1,4 +1,4 @@ -From 14455b071bab5ed93e42df84dc0b0e5f889cb98b Mon Sep 17 00:00:00 2001 +From 43418f21de72060932661242126fe611b6b17d84 Mon Sep 17 00:00:00 2001 From: Matt Rogers <mrogers@redhat.com> Date: Tue, 28 Feb 2017 15:55:24 -0500 Subject: [PATCH] Add certauth pluggable interface @@ -52,10 +52,10 @@ ticket: 8561 (new) create mode 100644 src/tests/t_certauth.py diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index 653aad613..c0e4349c0 100644 +index 02a935961..1d9bc9e34 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst -@@ -858,6 +858,27 @@ built-in modules exist for this interface: +@@ -859,6 +859,27 @@ built-in modules exist for this interface: This module authorizes a principal to a local account if the principal name maps to the local account name. diff --git a/Add-hostname-based-ccselect-module.patch b/Add-hostname-based-ccselect-module.patch index 87a83c1..b56b8d3 100644 --- a/Add-hostname-based-ccselect-module.patch +++ b/Add-hostname-based-ccselect-module.patch @@ -1,4 +1,4 @@ -From 624060dabcc06ea40847ffd98c9b05c66e65d6ba Mon Sep 17 00:00:00 2001 +From 632575ab12fc5d6c9bdc83cb8200fb8f4f422b83 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Wed, 23 Aug 2017 17:25:17 -0400 Subject: [PATCH] Add hostname-based ccselect module @@ -21,10 +21,10 @@ ticket: 8613 (new) create mode 100644 src/lib/krb5/ccache/ccselect_hostname.c diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index c0e4349c0..5f1de2e50 100644 +index 1d9bc9e34..9c1ee94a4 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst -@@ -744,6 +744,10 @@ disabled with the disable tag): +@@ -745,6 +745,10 @@ disabled with the disable tag): Uses the service realm to guess an appropriate cache from the collection 
diff --git a/Add-k5test-expected_msg-expected_trace.patch b/Add-k5test-expected_msg-expected_trace.patch index 8caf99c..16c1012 100644 --- a/Add-k5test-expected_msg-expected_trace.patch +++ b/Add-k5test-expected_msg-expected_trace.patch @@ -1,4 +1,4 @@ -From 1f7e1ce67d885bce613030099df9a95e7671055e Mon Sep 17 00:00:00 2001 +From 9c6f61e30e11eca5c04daa3f0dce398602ef5801 Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Tue, 17 Jan 2017 11:24:41 -0500 Subject: [PATCH] Add k5test expected_msg, expected_trace @@ -17,7 +17,7 @@ substrings in the trace output. 2 files changed, 35 insertions(+), 4 deletions(-) diff --git a/src/config/post.in b/src/config/post.in -index 77a9bffdf..aecac9d3b 100644 +index 7c7d86dc9..3643abad1 100644 --- a/src/config/post.in +++ b/src/config/post.in @@ -156,7 +156,7 @@ clean: clean-$(WHAT) diff --git a/Add-support-to-query-the-SSF-of-a-GSS-context.patch b/Add-support-to-query-the-SSF-of-a-GSS-context.patch index 294f8c2..299b0a4 100644 --- a/Add-support-to-query-the-SSF-of-a-GSS-context.patch +++ b/Add-support-to-query-the-SSF-of-a-GSS-context.patch @@ -1,4 +1,4 @@ -From 2a7ea306e35a35296314484eec9eff5d8e38f02a Mon Sep 17 00:00:00 2001 +From a3408731e3d73f99028f20c3f33caa5a411b430c Mon Sep 17 00:00:00 2001 From: Simo Sorce <simo@redhat.com> Date: Thu, 30 Mar 2017 11:27:09 -0400 Subject: [PATCH] Add support to query the SSF of a GSS context diff --git a/Add-test-case-for-PKINIT-DH-renegotiation.patch b/Add-test-case-for-PKINIT-DH-renegotiation.patch index e0ac29b..89d695d 100644 --- a/Add-test-case-for-PKINIT-DH-renegotiation.patch +++ b/Add-test-case-for-PKINIT-DH-renegotiation.patch @@ -1,4 +1,4 @@ -From 9cd133e626f114c9a11d6d731f7f97072d59e20f Mon Sep 17 00:00:00 2001 +From 5faadd66bb278bcc1c618e199444e3012eeec215 Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Wed, 11 Jan 2017 10:49:30 -0500 Subject: [PATCH] Add test case for PKINIT DH renegotiation 
diff --git a/Add-test-cert-generation-to-make-certs.sh.patch b/Add-test-cert-generation-to-make-certs.sh.patch index d03a754..eb7df73 100644 --- a/Add-test-cert-generation-to-make-certs.sh.patch +++ b/Add-test-cert-generation-to-make-certs.sh.patch @@ -1,4 +1,4 @@ -From d81c0069df0f18574bc0beb7e45139f6d2bc3849 Mon Sep 17 00:00:00 2001 +From 5e3885e9d7c7cd2a19a291cdb1e54312ca7f7e1f Mon Sep 17 00:00:00 2001 From: Matt Rogers <mrogers@redhat.com> Date: Mon, 5 Dec 2016 12:22:45 -0500 Subject: [PATCH] Add test cert generation to make-certs.sh diff --git a/Add-test-cert-with-no-extensions.patch b/Add-test-cert-with-no-extensions.patch index 3734700..1afd9a1 100644 --- a/Add-test-cert-with-no-extensions.patch +++ b/Add-test-cert-with-no-extensions.patch @@ -1,4 +1,4 @@ -From 03402d8462c44c16f85368c803c1a3823507e0f9 Mon Sep 17 00:00:00 2001 +From 565311d74c7532f9948b7b0b803f093aaa40afed Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Fri, 25 Aug 2017 12:33:33 -0400 Subject: [PATCH] Add test cert with no extensions diff --git a/Add-the-client_name-kdcpreauth-callback.patch b/Add-the-client_name-kdcpreauth-callback.patch index e75d7de..172f5e0 100644 --- a/Add-the-client_name-kdcpreauth-callback.patch +++ b/Add-the-client_name-kdcpreauth-callback.patch @@ -1,4 +1,4 @@ -From 405a88caf62483bd077f6d98aa5f1adc9fbdff64 Mon Sep 17 00:00:00 2001 +From 42469712239d3eb0e47d9aa306567464dd1f392a Mon Sep 17 00:00:00 2001 From: Matt Rogers <mrogers@redhat.com> Date: Tue, 4 Apr 2017 16:54:56 -0400 Subject: [PATCH] Add the client_name() kdcpreauth callback diff --git a/Add-timestamp-helper-functions.patch b/Add-timestamp-helper-functions.patch index 0b36e0b..54e7f59 100644 --- a/Add-timestamp-helper-functions.patch +++ b/Add-timestamp-helper-functions.patch @@ -1,4 +1,4 @@ -From 38b7fbd7ee64a205c4dcfc345c30132e73f5b249 Mon Sep 17 00:00:00 2001 +From 9b50a75e97cbe9cc8c0a4e37158b56b58e966f25 Mon Sep 17 00:00:00 2001 
From: Greg Hudson <ghudson@mit.edu> Date: Sat, 22 Apr 2017 09:49:12 -0400 Subject: [PATCH] Add timestamp helper functions diff --git a/Add-timestamp-tests.patch b/Add-timestamp-tests.patch index b71ac48..ac64115 100644 --- a/Add-timestamp-tests.patch +++ b/Add-timestamp-tests.patch @@ -1,4 +1,4 @@ -From 1b351445b4b938f54025728ba786f05ee82c47d1 Mon Sep 17 00:00:00 2001 +From 3a06f6a3cfad62da6dd8878d3446003f8293c3ae Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Sat, 29 Apr 2017 17:30:36 -0400 Subject: [PATCH] Add timestamp tests diff --git a/Add-y2038-documentation.patch b/Add-y2038-documentation.patch index a87d6e4..693a1fb 100644 --- a/Add-y2038-documentation.patch +++ b/Add-y2038-documentation.patch @@ -1,4 +1,4 @@ -From ebedc35a70f184030c4aab32e782fa2a8610cf73 Mon Sep 17 00:00:00 2001 +From 69ca5ff168f24792924b3cab0a9f27ada3eb4c4b Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Thu, 4 May 2017 17:03:35 -0400 Subject: [PATCH] Add y2038 documentation diff --git a/Allow-clock-skew-in-krb5-gss_context_time.patch b/Allow-clock-skew-in-krb5-gss_context_time.patch deleted file mode 100644 index 99e9214..0000000 --- a/Allow-clock-skew-in-krb5-gss_context_time.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 2944d7c0fcc8d3a87d0bb6f544b4a04c358df732 Mon Sep 17 00:00:00 2001 -From: Greg Hudson <ghudson@mit.edu> -Date: Sat, 22 Apr 2017 16:51:23 -0400 -Subject: [PATCH] Allow clock skew in krb5 gss_context_time() - -Commit b496ce4095133536e0ace36b74130e4b9ecb5e11 (ticket #8268) adds -the clock skew to krb5 acceptor context lifetimes for -gss_accept_sec_context() and gss_inquire_context(), but not for -gss_context_time(). Add the clock skew in gss_context_time() as well. - -ticket: 8581 (new) -target_version: 1.14-next -target_version: 1.15-next -tags: pullup - -(cherry picked from commit b0a072e6431261734e7350996a363801f180e8ea) ---- - src/lib/gssapi/krb5/context_time.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c -index a18cfb05b..450593288 100644 ---- a/src/lib/gssapi/krb5/context_time.c -+++ b/src/lib/gssapi/krb5/context_time.c -@@ -51,7 +51,10 @@ krb5_gss_context_time(minor_status, context_handle, time_rec) - return(GSS_S_FAILURE); - } - -- if ((lifetime = ctx->krb_times.endtime - now) <= 0) { -+ lifetime = ctx->krb_times.endtime - now; -+ if (!ctx->initiate) -+ lifetime += ctx->k5_context->clockskew; -+ if (lifetime <= 0) { - *time_rec = 0; - *minor_status = 0; - return(GSS_S_CONTEXT_EXPIRED); diff --git a/Build-with-Werror-implicit-int-where-supported.patch b/Build-with-Werror-implicit-int-where-supported.patch index 800967f..30e3ba8 100644 --- a/Build-with-Werror-implicit-int-where-supported.patch +++ b/Build-with-Werror-implicit-int-where-supported.patch @@ -1,4 +1,4 @@ -From b87501b9051a1befbd84165295b8ed775adafd62 Mon Sep 17 00:00:00 2001 +From 5f2ea38f7ecd60184e510558bdb551d0153432e0 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Thu, 10 Nov 2016 13:20:49 -0500 Subject: [PATCH] Build with -Werror-implicit-int where supported 
diff --git a/Convert-some-pkiDebug-messages-to-TRACE-macros.patch b/Convert-some-pkiDebug-messages-to-TRACE-macros.patch index e78029f..e9e27df 100644 --- a/Convert-some-pkiDebug-messages-to-TRACE-macros.patch +++ b/Convert-some-pkiDebug-messages-to-TRACE-macros.patch @@ -1,4 +1,4 @@ -From 4dcab7d706331b469678f3a516cd67fffd331058 Mon Sep 17 00:00:00 2001 +From 686fa6476eb759532d566794fa8d430774d44cf7 Mon Sep 17 00:00:00 2001 From: Matt Rogers <mrogers@redhat.com> Date: Wed, 29 Mar 2017 10:35:13 -0400 Subject: [PATCH] Convert some pkiDebug messages to TRACE macros diff --git a/Correct-error-handling-bug-in-prior-commit.patch b/Correct-error-handling-bug-in-prior-commit.patch index 8f66ad8..6878e8c 100644 --- a/Correct-error-handling-bug-in-prior-commit.patch +++ b/Correct-error-handling-bug-in-prior-commit.patch @@ -1,4 +1,4 @@ -From 7fa2848a550bda947a6e425babb3f529b7e28ab6 Mon Sep 17 00:00:00 2001 +From 08d995aaf48e75c174525ae0b47e12c3170b3f5f Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Thu, 23 Mar 2017 13:42:55 -0400 Subject: [PATCH] Correct error handling bug in prior commit diff --git a/Deindent-crypto_retrieve_X509_sans.patch b/Deindent-crypto_retrieve_X509_sans.patch index 240dabb..9262e7d 100644 --- a/Deindent-crypto_retrieve_X509_sans.patch +++ b/Deindent-crypto_retrieve_X509_sans.patch @@ -1,4 +1,4 @@ -From ca1ab893b3590ab887f7c0f4a41ad6b2fddf3421 Mon Sep 17 00:00:00 2001 +From d5462c96c9918ffa7d3f05de310c5aed34181941 Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Wed, 4 Jan 2017 11:33:57 -0500 Subject: [PATCH] Deindent crypto_retrieve_X509_sans() diff --git a/Fix-bugs-in-kdcpolicy-commit.patch b/Fix-bugs-in-kdcpolicy-commit.patch index b4ccadb..c4c50a1 100644 --- a/Fix-bugs-in-kdcpolicy-commit.patch +++ b/Fix-bugs-in-kdcpolicy-commit.patch @@ -1,4 +1,4 @@ -From 7ab7253c617364ffe8facd870e286c5876e6c30f Mon Sep 17 00:00:00 2001 +From c8c704cdaaa15a0908024f0917344048c0df5940 Mon Sep 17 00:00:00 2001 
From: Greg Hudson <ghudson@mit.edu> Date: Sat, 19 Aug 2017 19:09:24 -0400 Subject: [PATCH] Fix bugs in kdcpolicy commit diff --git a/Fix-certauth-built-in-module-returns.patch b/Fix-certauth-built-in-module-returns.patch index 0c6ac83..1c927d5 100644 --- a/Fix-certauth-built-in-module-returns.patch +++ b/Fix-certauth-built-in-module-returns.patch @@ -1,4 +1,4 @@ -From d507d9a78e12418f83c6db6e22052543f3e5db37 Mon Sep 17 00:00:00 2001 +From 0d93e336e2cb8319bfd3e0fa096e5ee8ea3bbbbf Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Thu, 24 Aug 2017 11:11:46 -0400 Subject: [PATCH] Fix certauth built-in module returns diff --git a/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch b/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch index 2547891..a8a53cf 100644 --- a/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch +++ b/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch @@ -1,4 +1,4 @@ -From b0351efa57654f06477ab7540e6c0624e3a64f4e Mon Sep 17 00:00:00 2001 +From e2d34698687c00504b83e1c0deb56dc6232bef42 Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Mon, 24 Apr 2017 02:02:36 -0400 Subject: [PATCH] Fix in_clock_skew() and use it in AS client code diff --git a/Fix-leaks-in-gss_inquire_cred_by_oid.patch b/Fix-leaks-in-gss_inquire_cred_by_oid.patch deleted file mode 100644 index f4ede77..0000000 --- a/Fix-leaks-in-gss_inquire_cred_by_oid.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From e53073b6e1d36b682d8524fcfaec7bdf56b7f81e Mon Sep 17 00:00:00 2001 -From: Greg Hudson <ghudson@mit.edu> -Date: Sun, 12 Mar 2017 12:30:59 -0400 -Subject: [PATCH] Fix leaks in gss_inquire_cred_by_oid() - -In the mechglue gss_inquire_cred_by_oid(), remove an unnecessary -allocation of ret_set which is overwritten by the first mechanism's -result. - -ticket: 8559 (new) -target_version: 1.15-next -target_version: 1.14-next -tags: pullup - -(cherry picked from commit 0d39d46852587d36fcc5024d5766586faba9044a) ---- - src/lib/gssapi/mechglue/g_inq_cred_oid.c | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/src/lib/gssapi/mechglue/g_inq_cred_oid.c b/src/lib/gssapi/mechglue/g_inq_cred_oid.c -index 4c23dfcbd..df51b44e9 100644 ---- a/src/lib/gssapi/mechglue/g_inq_cred_oid.c -+++ b/src/lib/gssapi/mechglue/g_inq_cred_oid.c -@@ -85,11 +85,6 @@ gss_inquire_cred_by_oid(OM_uint32 *minor_status, - - union_cred = (gss_union_cred_t) cred_handle; - -- status = gss_create_empty_buffer_set(minor_status, &ret_set); -- if (status != GSS_S_COMPLETE) { -- return status; -- } -- - status = GSS_S_UNAVAILABLE; - - for (i = 0; i < union_cred->count; i++) { diff --git a/Fix-more-time-manipulations-for-y2038.patch b/Fix-more-time-manipulations-for-y2038.patch index c202b96..a57a64c 100644 --- a/Fix-more-time-manipulations-for-y2038.patch +++ b/Fix-more-time-manipulations-for-y2038.patch @@ -1,4 +1,4 @@ -From c9fca85329f4b25509f83837239bf882841caccc Mon Sep 17 00:00:00 2001 +From 7b28a408650c58d0ea98fddab5034642af32fdaf Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Wed, 17 May 2017 14:52:09 -0400 Subject: [PATCH] Fix more time manipulations for y2038 diff --git a/Improve-PKINIT-UPN-SAN-matching.patch b/Improve-PKINIT-UPN-SAN-matching.patch index d4bcc2f..26b27f1 100644 --- a/Improve-PKINIT-UPN-SAN-matching.patch +++ b/Improve-PKINIT-UPN-SAN-matching.patch 
@@ -1,4 +1,4 @@ -From 84e4545db26e31ae69da8559128513157f533858 Mon Sep 17 00:00:00 2001 +From 03265620488b84238c31170356b5f41c80f0e9d9 Mon Sep 17 00:00:00 2001 From: Matt Rogers <mrogers@redhat.com> Date: Mon, 5 Dec 2016 12:17:59 -0500 Subject: [PATCH] Improve PKINIT UPN SAN matching diff --git a/Make-timestamp-manipulations-y2038-safe.patch b/Make-timestamp-manipulations-y2038-safe.patch index 7c899ad..26bff26 100644 --- a/Make-timestamp-manipulations-y2038-safe.patch +++ b/Make-timestamp-manipulations-y2038-safe.patch @@ -1,4 +1,4 @@ -From 0c0fe06500401d694a4720544c7ed661275d819e Mon Sep 17 00:00:00 2001 +From ac30f4753f157dafe93df2941a216fde591fcb69 Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Sat, 22 Apr 2017 12:52:17 -0400 Subject: [PATCH] Make timestamp manipulations y2038-safe @@ -766,7 +766,7 @@ index 2dc4d0c1a..bb1072fe4 100644 /* Make an AS request if we have no creds or it's time to refresh them. */ diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c -index 70f7955ae..8e5cc37fb 100644 +index 2a7467f54..1be1b5878 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -214,7 +214,8 @@ static krb5_error_code get_credentials(context, cred, server, now, @@ -779,7 +779,7 @@ index 70f7955ae..8e5cc37fb 100644 code = KRB5KRB_AP_ERR_TKT_EXPIRED; goto cleanup; } -@@ -575,7 +576,7 @@ kg_new_connection( +@@ -573,7 +574,7 @@ kg_new_connection( if (time_req == 0 || time_req == GSS_C_INDEFINITE) { ctx->krb_times.endtime = 0; } else { @@ -788,7 +788,7 @@ index 70f7955ae..8e5cc37fb 100644 } if ((code = kg_duplicate_name(context, cred->name, &ctx->here))) -@@ -659,7 +660,7 @@ kg_new_connection( +@@ -657,7 +658,7 @@ kg_new_connection( if (time_rec) { if ((code = krb5_timeofday(context, &now))) goto cleanup; 
@@ -797,7 +797,7 @@ index 70f7955ae..8e5cc37fb 100644 } /* set the other returns */ -@@ -873,7 +874,7 @@ mutual_auth( +@@ -871,7 +872,7 @@ mutual_auth( if (time_rec) { if ((code = krb5_timeofday(context, &now))) goto fail; @@ -879,7 +879,7 @@ index 408b0eb31..1680a5504 100644 time_string = ctime(&until); if (*(ptr = &time_string[strlen(time_string)-1]) == '\n') diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c -index 59ed0b975..656dddff5 100644 +index 3c2844d14..c4bb16dc7 100644 --- a/src/lib/kadm5/srv/server_acl.c +++ b/src/lib/kadm5/srv/server_acl.c @@ -408,13 +408,14 @@ kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp) @@ -900,7 +900,7 @@ index 59ed0b975..656dddff5 100644 *maskp |= KADM5_PW_EXPIRATION; } diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c -index 0640b47c4..f4a9a2ad2 100644 +index 8f4da0e52..137e1fb64 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -400,7 +400,7 @@ kadm5_create_principal_3(void *server_handle, @@ -948,7 +948,7 @@ index 0640b47c4..f4a9a2ad2 100644 else kdb->pw_expiration = 0; } else { -@@ -2024,7 +2024,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal, +@@ -2027,7 +2027,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal, } if (have_pol) { if (pol.pw_max_life) @@ -958,10 +958,10 @@ index 0640b47c4..f4a9a2ad2 100644 kdb->pw_expiration = 0; } else { diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c -index 4adf0fcbb..7f33c7e68 100644 +index 690725765..07392572e 100644 --- a/src/lib/kdb/kdb5.c +++ b/src/lib/kdb/kdb5.c -@@ -1296,7 +1296,7 @@ find_actkvno(krb5_actkvno_node *list, krb5_timestamp now) +@@ -1297,7 +1297,7 @@ find_actkvno(krb5_actkvno_node *list, krb5_timestamp now) * are in the future, we will return the first node; if all are in the * past, we will return the last node. */ 
diff --git a/Preserve-GSS-context-on-init-accept-failure.patch b/Preserve-GSS-context-on-init-accept-failure.patch deleted file mode 100644 index 7166561..0000000 --- a/Preserve-GSS-context-on-init-accept-failure.patch +++ /dev/null 
@@ -1,413 +0,0 @@ -From d730a62c2d3f6f75a0fa28b7a8c952fb29dd7aa0 Mon Sep 17 00:00:00 2001 -From: Greg Hudson <ghudson@mit.edu> -Date: Fri, 14 Jul 2017 13:02:46 -0400 -Subject: [PATCH] Preserve GSS context on init/accept failure - -After gss_init_sec_context() or gss_accept_sec_context() has created a -context, don't delete the mechglue context on failures from subsequent -calls, even if the mechanism deletes the mech-specific context (which -is allowed by RFC 2744 but not preferred). Check for union contexts -with no mechanism context in each GSS function which accepts a -gss_ctx_id_t. - -CVE-2017-11462: - -RFC 2744 permits a GSS-API implementation to delete an existing -security context on a second or subsequent call to -gss_init_sec_context() or gss_accept_sec_context() if the call results -in an error. This API behavior has been found to be dangerous, -leading to the possibility of memory errors in some callers. For -safety, GSS-API implementations should instead preserve existing -security contexts on error until the caller deletes them. - -All versions of MIT krb5 prior to this change may delete acceptor -contexts on error. Versions 1.13.4 through 1.13.7, 1.14.1 through -1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts on -error. 
- -ticket: 8598 (new) -target_version: 1.15-next -target_version: 1.14-next -tags: pullup - -(cherry picked from commit 56f7b1bc95a2a3eeb420e069e7655fb181ade5cf) ---- - src/lib/gssapi/mechglue/g_accept_sec_context.c | 22 +++++++++++++++------- - src/lib/gssapi/mechglue/g_complete_auth_token.c | 2 ++ - src/lib/gssapi/mechglue/g_context_time.c | 2 ++ - src/lib/gssapi/mechglue/g_delete_sec_context.c | 14 ++++++++------ - src/lib/gssapi/mechglue/g_exp_sec_context.c | 2 ++ - src/lib/gssapi/mechglue/g_init_sec_context.c | 19 +++++++++++-------- - src/lib/gssapi/mechglue/g_inq_context.c | 2 ++ - src/lib/gssapi/mechglue/g_prf.c | 2 ++ - src/lib/gssapi/mechglue/g_process_context.c | 2 ++ - src/lib/gssapi/mechglue/g_seal.c | 4 ++++ - src/lib/gssapi/mechglue/g_sign.c | 2 ++ - src/lib/gssapi/mechglue/g_unseal.c | 2 ++ - src/lib/gssapi/mechglue/g_unwrap_aead.c | 2 ++ - src/lib/gssapi/mechglue/g_unwrap_iov.c | 4 ++++ - src/lib/gssapi/mechglue/g_verify.c | 2 ++ - src/lib/gssapi/mechglue/g_wrap_aead.c | 2 ++ - src/lib/gssapi/mechglue/g_wrap_iov.c | 8 ++++++++ - 17 files changed, 72 insertions(+), 21 deletions(-) - -diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c -index ddaf87412..f28e2b14a 100644 ---- a/src/lib/gssapi/mechglue/g_accept_sec_context.c -+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c -@@ -216,6 +216,8 @@ gss_cred_id_t * d_cred; - } else { - union_ctx_id = (gss_union_ctx_id_t)*context_handle; - selected_mech = union_ctx_id->mech_type; -+ if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - } - - /* Now create a new context if we didn't get one. */ -@@ -234,9 +236,6 @@ gss_cred_id_t * d_cred; - free(union_ctx_id); - return (status); - } -- -- /* set the new context handle to caller's data */ -- *context_handle = (gss_ctx_id_t)union_ctx_id; - } - - /* -@@ -277,8 +276,10 @@ gss_cred_id_t * d_cred; - d_cred ? 
&tmp_d_cred : NULL); - - /* If there's more work to do, keep going... */ -- if (status == GSS_S_CONTINUE_NEEDED) -+ if (status == GSS_S_CONTINUE_NEEDED) { -+ *context_handle = (gss_ctx_id_t)union_ctx_id; - return GSS_S_CONTINUE_NEEDED; -+ } - - /* if the call failed, return with failure */ - if (status != GSS_S_COMPLETE) { -@@ -364,14 +365,22 @@ gss_cred_id_t * d_cred; - *mech_type = gssint_get_public_oid(actual_mech); - if (ret_flags != NULL) - *ret_flags = temp_ret_flags; -- return (status); -+ *context_handle = (gss_ctx_id_t)union_ctx_id; -+ return GSS_S_COMPLETE; - } else { - - status = GSS_S_BAD_MECH; - } - - error_out: -- if (union_ctx_id) { -+ /* -+ * RFC 2744 5.1 requires that we not create a context on a failed first -+ * call to accept, and recommends that on a failed subsequent call we -+ * make the caller responsible for calling gss_delete_sec_context. -+ * Even if the mech deleted its context, keep the union context around -+ * for the caller to delete. -+ */ -+ if (union_ctx_id && *context_handle == GSS_C_NO_CONTEXT) { - if (union_ctx_id->mech_type) { - if (union_ctx_id->mech_type->elements) - free(union_ctx_id->mech_type->elements); -@@ -384,7 +393,6 @@ error_out: - GSS_C_NO_BUFFER); - } - free(union_ctx_id); -- *context_handle = GSS_C_NO_CONTEXT; - } - - if (src_name) -diff --git a/src/lib/gssapi/mechglue/g_complete_auth_token.c b/src/lib/gssapi/mechglue/g_complete_auth_token.c -index 918155130..4bcb47e84 100644 ---- a/src/lib/gssapi/mechglue/g_complete_auth_token.c -+++ b/src/lib/gssapi/mechglue/g_complete_auth_token.c -@@ -52,6 +52,8 @@ gss_complete_auth_token (OM_uint32 *minor_status, - */ - - ctx = (gss_union_ctx_id_t) context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; - mech = gssint_get_mechanism (ctx->mech_type); - - if (mech != NULL) { -diff --git a/src/lib/gssapi/mechglue/g_context_time.c b/src/lib/gssapi/mechglue/g_context_time.c -index 2ff8d0996..c947e7646 100644 ---- 
a/src/lib/gssapi/mechglue/g_context_time.c -+++ b/src/lib/gssapi/mechglue/g_context_time.c -@@ -58,6 +58,8 @@ OM_uint32 * time_rec; - */ - - ctx = (gss_union_ctx_id_t) context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - mech = gssint_get_mechanism (ctx->mech_type); - - if (mech) { -diff --git a/src/lib/gssapi/mechglue/g_delete_sec_context.c b/src/lib/gssapi/mechglue/g_delete_sec_context.c -index 4bf0dec5c..574ff0294 100644 ---- a/src/lib/gssapi/mechglue/g_delete_sec_context.c -+++ b/src/lib/gssapi/mechglue/g_delete_sec_context.c -@@ -87,12 +87,14 @@ gss_buffer_t output_token; - if (GSSINT_CHK_LOOP(ctx)) - return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); - -- status = gssint_delete_internal_sec_context(minor_status, -- ctx->mech_type, -- &ctx->internal_ctx_id, -- output_token); -- if (status) -- return status; -+ if (ctx->internal_ctx_id != GSS_C_NO_CONTEXT) { -+ status = gssint_delete_internal_sec_context(minor_status, -+ ctx->mech_type, -+ &ctx->internal_ctx_id, -+ output_token); -+ if (status) -+ return status; -+ } - - /* now free up the space for the union context structure */ - free(ctx->mech_type->elements); -diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c -index b63745299..1d7990b1c 100644 ---- a/src/lib/gssapi/mechglue/g_exp_sec_context.c -+++ b/src/lib/gssapi/mechglue/g_exp_sec_context.c -@@ -95,6 +95,8 @@ gss_buffer_t interprocess_token; - */ - - ctx = (gss_union_ctx_id_t) *context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - mech = gssint_get_mechanism (ctx->mech_type); - if (!mech) - return GSS_S_BAD_MECH; -diff --git a/src/lib/gssapi/mechglue/g_init_sec_context.c b/src/lib/gssapi/mechglue/g_init_sec_context.c -index 9f154b893..e2df1ce26 100644 ---- a/src/lib/gssapi/mechglue/g_init_sec_context.c -+++ b/src/lib/gssapi/mechglue/g_init_sec_context.c -@@ -192,8 +192,13 @@ OM_uint32 * time_rec; - - /* copy 
the supplied context handle */ - union_ctx_id->internal_ctx_id = GSS_C_NO_CONTEXT; -- } else -+ } else { - union_ctx_id = (gss_union_ctx_id_t)*context_handle; -+ if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT) { -+ status = GSS_S_NO_CONTEXT; -+ goto end; -+ } -+ } - - /* - * get the appropriate cred handle from the union cred struct. -@@ -224,15 +229,13 @@ OM_uint32 * time_rec; - - if (status != GSS_S_COMPLETE && status != GSS_S_CONTINUE_NEEDED) { - /* -- * The spec says the preferred method is to delete all context info on -- * the first call to init, and on all subsequent calls make the caller -- * responsible for calling gss_delete_sec_context. However, if the -- * mechanism decided to delete the internal context, we should also -- * delete the union context. -+ * RFC 2744 5.19 requires that we not create a context on a failed -+ * first call to init, and recommends that on a failed subsequent call -+ * we make the caller responsible for calling gss_delete_sec_context. -+ * Even if the mech deleted its context, keep the union context around -+ * for the caller to delete. 
- */ - map_error(minor_status, mech); -- if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT) -- *context_handle = GSS_C_NO_CONTEXT; - if (*context_handle == GSS_C_NO_CONTEXT) { - free(union_ctx_id->mech_type->elements); - free(union_ctx_id->mech_type); -diff --git a/src/lib/gssapi/mechglue/g_inq_context.c b/src/lib/gssapi/mechglue/g_inq_context.c -index 6f1c71eed..6c0d98dd3 100644 ---- a/src/lib/gssapi/mechglue/g_inq_context.c -+++ b/src/lib/gssapi/mechglue/g_inq_context.c -@@ -104,6 +104,8 @@ gss_inquire_context( - */ - - ctx = (gss_union_ctx_id_t) context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - mech = gssint_get_mechanism (ctx->mech_type); - - if (!mech || !mech->gss_inquire_context || !mech->gss_display_name || -diff --git a/src/lib/gssapi/mechglue/g_prf.c b/src/lib/gssapi/mechglue/g_prf.c -index fcca3e44c..9e168adfe 100644 ---- a/src/lib/gssapi/mechglue/g_prf.c -+++ b/src/lib/gssapi/mechglue/g_prf.c -@@ -59,6 +59,8 @@ gss_pseudo_random (OM_uint32 *minor_status, - */ - - ctx = (gss_union_ctx_id_t) context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; - mech = gssint_get_mechanism (ctx->mech_type); - - if (mech != NULL) { -diff --git a/src/lib/gssapi/mechglue/g_process_context.c b/src/lib/gssapi/mechglue/g_process_context.c -index bc260aeb1..3968b5d9c 100644 ---- a/src/lib/gssapi/mechglue/g_process_context.c -+++ b/src/lib/gssapi/mechglue/g_process_context.c -@@ -61,6 +61,8 @@ gss_buffer_t token_buffer; - */ - - ctx = (gss_union_ctx_id_t) context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - mech = gssint_get_mechanism (ctx->mech_type); - - if (mech) { -diff --git a/src/lib/gssapi/mechglue/g_seal.c b/src/lib/gssapi/mechglue/g_seal.c -index f17241c90..3db1ee095 100644 ---- a/src/lib/gssapi/mechglue/g_seal.c -+++ b/src/lib/gssapi/mechglue/g_seal.c -@@ -92,6 +92,8 @@ gss_wrap( OM_uint32 *minor_status, - */ - - ctx = 
(gss_union_ctx_id_t) context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - mech = gssint_get_mechanism (ctx->mech_type); - - if (mech) { -@@ -226,6 +228,8 @@ gss_wrap_size_limit(OM_uint32 *minor_status, - */ - - ctx = (gss_union_ctx_id_t) context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - mech = gssint_get_mechanism (ctx->mech_type); - - if (!mech) -diff --git a/src/lib/gssapi/mechglue/g_sign.c b/src/lib/gssapi/mechglue/g_sign.c -index 86d641aa2..03fbd8c01 100644 ---- a/src/lib/gssapi/mechglue/g_sign.c -+++ b/src/lib/gssapi/mechglue/g_sign.c -@@ -94,6 +94,8 @@ gss_buffer_t msg_token; - */ - - ctx = (gss_union_ctx_id_t) context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - mech = gssint_get_mechanism (ctx->mech_type); - - if (mech) { -diff --git a/src/lib/gssapi/mechglue/g_unseal.c b/src/lib/gssapi/mechglue/g_unseal.c -index 3e8053c6e..c208635b6 100644 ---- a/src/lib/gssapi/mechglue/g_unseal.c -+++ b/src/lib/gssapi/mechglue/g_unseal.c -@@ -76,6 +76,8 @@ gss_qop_t * qop_state; - * call it. - */ - ctx = (gss_union_ctx_id_t) context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - mech = gssint_get_mechanism (ctx->mech_type); - - if (mech) { -diff --git a/src/lib/gssapi/mechglue/g_unwrap_aead.c b/src/lib/gssapi/mechglue/g_unwrap_aead.c -index e78bff2d3..0682bd899 100644 ---- a/src/lib/gssapi/mechglue/g_unwrap_aead.c -+++ b/src/lib/gssapi/mechglue/g_unwrap_aead.c -@@ -186,6 +186,8 @@ gss_qop_t *qop_state; - * call it. 
- */ - ctx = (gss_union_ctx_id_t) context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - mech = gssint_get_mechanism (ctx->mech_type); - - if (!mech) -diff --git a/src/lib/gssapi/mechglue/g_unwrap_iov.c b/src/lib/gssapi/mechglue/g_unwrap_iov.c -index c0dd314b1..599be2c7b 100644 ---- a/src/lib/gssapi/mechglue/g_unwrap_iov.c -+++ b/src/lib/gssapi/mechglue/g_unwrap_iov.c -@@ -89,6 +89,8 @@ int iov_count; - */ - - ctx = (gss_union_ctx_id_t) context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - mech = gssint_get_mechanism (ctx->mech_type); - - if (mech) { -@@ -128,6 +130,8 @@ gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, - - /* Select the approprate underlying mechanism routine and call it. */ - ctx = (gss_union_ctx_id_t)context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; - mech = gssint_get_mechanism(ctx->mech_type); - if (mech == NULL) - return GSS_S_BAD_MECH; -diff --git a/src/lib/gssapi/mechglue/g_verify.c b/src/lib/gssapi/mechglue/g_verify.c -index 1578ae111..8996fce8d 100644 ---- a/src/lib/gssapi/mechglue/g_verify.c -+++ b/src/lib/gssapi/mechglue/g_verify.c -@@ -65,6 +65,8 @@ gss_qop_t * qop_state; - */ - - ctx = (gss_union_ctx_id_t) context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - mech = gssint_get_mechanism (ctx->mech_type); - - if (mech) { -diff --git a/src/lib/gssapi/mechglue/g_wrap_aead.c b/src/lib/gssapi/mechglue/g_wrap_aead.c -index 96cdf3ce6..7fe3b7b35 100644 ---- a/src/lib/gssapi/mechglue/g_wrap_aead.c -+++ b/src/lib/gssapi/mechglue/g_wrap_aead.c -@@ -256,6 +256,8 @@ gss_buffer_t output_message_buffer; - * call it. 
- */ - ctx = (gss_union_ctx_id_t)context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - mech = gssint_get_mechanism (ctx->mech_type); - if (!mech) - return (GSS_S_BAD_MECH); -diff --git a/src/lib/gssapi/mechglue/g_wrap_iov.c b/src/lib/gssapi/mechglue/g_wrap_iov.c -index 40cd98fc9..14447c4ee 100644 ---- a/src/lib/gssapi/mechglue/g_wrap_iov.c -+++ b/src/lib/gssapi/mechglue/g_wrap_iov.c -@@ -93,6 +93,8 @@ int iov_count; - */ - - ctx = (gss_union_ctx_id_t) context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - mech = gssint_get_mechanism (ctx->mech_type); - - if (mech) { -@@ -151,6 +153,8 @@ int iov_count; - */ - - ctx = (gss_union_ctx_id_t) context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return (GSS_S_NO_CONTEXT); - mech = gssint_get_mechanism (ctx->mech_type); - - if (mech) { -@@ -190,6 +194,8 @@ gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, - - /* Select the approprate underlying mechanism routine and call it. */ - ctx = (gss_union_ctx_id_t)context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; - mech = gssint_get_mechanism(ctx->mech_type); - if (mech == NULL) - return GSS_S_BAD_MECH; -@@ -218,6 +224,8 @@ gss_get_mic_iov_length(OM_uint32 *minor_status, gss_ctx_id_t context_handle, - - /* Select the approprate underlying mechanism routine and call it. */ - ctx = (gss_union_ctx_id_t)context_handle; -+ if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) -+ return GSS_S_NO_CONTEXT; - mech = gssint_get_mechanism(ctx->mech_type); - if (mech == NULL) - return GSS_S_BAD_MECH; diff --git a/Prevent-KDC-unset-status-assertion-failures.patch b/Prevent-KDC-unset-status-assertion-failures.patch deleted file mode 100644 index c259e3f..0000000 --- a/Prevent-KDC-unset-status-assertion-failures.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From af6570ad6c306fe8e2bf425810236dd8c6271885 Mon Sep 17 00:00:00 2001 -From: Greg Hudson <ghudson@mit.edu> -Date: Thu, 13 Jul 2017 12:14:20 -0400 -Subject: [PATCH] Prevent KDC unset status assertion failures - -Assign status values if S4U2Self padata fails to decode, if an -S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request -uses an evidence ticket which does not match the canonicalized request -server principal name. Reported by Samuel Cabrero. - -If a status value is not assigned during KDC processing, default to -"UNKNOWN_REASON" rather than failing an assertion. This change will -prevent future denial of service bugs due to similar mistakes, and -will allow us to omit assigning status values for unlikely errors such -as small memory allocation failures. - -CVE-2017-11368: - -In MIT krb5 1.7 and later, an authenticated attacker can cause an -assertion failure in krb5kdc by sending an invalid S4U2Self or -S4U2Proxy request. - - CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C - -ticket: 8599 (new) -target_version: 1.15-next -target_version: 1.14-next -tags: pullup - -(cherry picked from commit a860385dd8fbd239fdb31b347e07f4e6b2fbdcc2) ---- - src/kdc/do_as_req.c | 4 ++-- - src/kdc/do_tgs_req.c | 3 ++- - src/kdc/kdc_util.c | 10 ++++++++-- - 3 files changed, 12 insertions(+), 5 deletions(-) - -diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c -index 712ccb794..a4bf91b1b 100644 ---- a/src/kdc/do_as_req.c -+++ b/src/kdc/do_as_req.c -@@ -365,8 +365,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) - did_log = 1; - - egress: -- if (errcode != 0) -- assert (state->status != 0); -+ if (errcode != 0 && state->status == NULL) -+ state->status = "UNKNOWN_REASON"; - - au_state->status = state->status; - au_state->reply = &state->reply; -diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c -index 547a41441..339259fd1 100644 ---- a/src/kdc/do_tgs_req.c -+++ b/src/kdc/do_tgs_req.c -@@ 
-823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, - free(reply.enc_part.ciphertext.data); - - cleanup: -- assert(status != NULL); -+ if (status == NULL) -+ status = "UNKNOWN_REASON"; - if (reply_key) - krb5_free_keyblock(kdc_context, reply_key); - if (errcode) -diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c -index 29f9dbbf0..30c501c67 100644 ---- a/src/kdc/kdc_util.c -+++ b/src/kdc/kdc_util.c -@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm, - req_data.data = (char *)pa_data->contents; - - code = decode_krb5_pa_for_user(&req_data, &for_user); -- if (code) -+ if (code) { -+ *status = "DECODE_PA_FOR_USER"; - return code; -+ } - - code = verify_for_user_checksum(kdc_context, tgs_session, for_user); - if (code) { -@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context, - req_data.data = (char *)pa_data->contents; - - code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user); -- if (code) -+ if (code) { -+ *status = "DECODE_PA_S4U_X509_USER"; - return code; -+ } - - code = verify_s4u_x509_user_checksum(context, - tgs_subkey ? tgs_subkey : -@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, - * that is validated previously in validate_tgs_request(). - */ - if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) { -+ *status = "INVALID_S4U2PROXY_OPTIONS"; - return KRB5KDC_ERR_BADOPTION; - } - -@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm, - if (!krb5_principal_compare(kdc_context, - server->princ, /* after canon */ - server_princ)) { -+ *status = "EVIDENCE_TICKET_MISMATCH"; - return KRB5KDC_ERR_SERVER_NOMATCH; - } - diff --git a/Remove-incomplete-PKINIT-OCSP-support.patch b/Remove-incomplete-PKINIT-OCSP-support.patch index 780353e..2f40965 100644 --- a/Remove-incomplete-PKINIT-OCSP-support.patch +++ b/Remove-incomplete-PKINIT-OCSP-support.patch 
@@ -1,4 +1,4 @@ -From 3a9d6156a57fb17285e238ec0633ea2b24db91d6 Mon Sep 17 00:00:00 2001 +From 466d09c9b2c456d663672cb6d5f661ef86e8536e Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Mon, 31 Jul 2017 16:03:41 -0400 Subject: [PATCH] Remove incomplete PKINIT OCSP support @@ -19,7 +19,7 @@ ticket: 8603 (new) 5 files changed, 11 insertions(+), 20 deletions(-) diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst -index 13077ecf4..a4b2a5432 100644 +index 4e54f7e1d..d00e7926c 100644 --- a/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst @@ -765,9 +765,6 @@ For information about the syntax of some of these options, see @@ -33,7 +33,7 @@ index 13077ecf4..a4b2a5432 100644 Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client's diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man -index 10b333c38..166e68f9a 100644 +index d207ebd7f..c47da0117 100644 --- a/src/man/kdc.conf.man +++ b/src/man/kdc.conf.man @@ -886,9 +886,6 @@ Specifies an authentication indicator to include in the ticket if diff --git a/Use-GSSAPI-fallback-skiptest.patch b/Use-GSSAPI-fallback-skiptest.patch index 9071433..118df5a 100644 --- a/Use-GSSAPI-fallback-skiptest.patch +++ b/Use-GSSAPI-fallback-skiptest.patch @@ -1,4 +1,4 @@ -From ad17859c5d428be38bb51b6202e1ce256790beb5 Mon Sep 17 00:00:00 2001 +From 6d0b40b26e7fea1cd394618c1ab6d5e366bbc069 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Wed, 1 Mar 2017 17:46:22 -0500 Subject: [PATCH] Use GSSAPI fallback skiptest diff --git a/Use-expected_msg-in-test-scripts.patch b/Use-expected_msg-in-test-scripts.patch index 245e2b7..d4dc83e 100644 --- a/Use-expected_msg-in-test-scripts.patch +++ b/Use-expected_msg-in-test-scripts.patch 
@@ -1,4 +1,4 @@ -From 9b2d26cf4cfebdce46430a7ab891e3a7faad5f47 Mon Sep 17 00:00:00 2001 +From 24ac588502b1731a7fd2629804f8d9ed1668297e Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Wed, 18 Jan 2017 11:22:58 -0500 Subject: [PATCH] Use expected_msg in test scripts diff --git a/Use-expected_trace-in-test-scripts.patch b/Use-expected_trace-in-test-scripts.patch index 39807c8..74516ea 100644 --- a/Use-expected_trace-in-test-scripts.patch +++ b/Use-expected_trace-in-test-scripts.patch @@ -1,4 +1,4 @@ -From 52eeabfdeb9a91c6e4c7124b38fa6915df37f8bf Mon Sep 17 00:00:00 2001 +From 35a00879008457d21ccc6e623835976a21f5000b Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Tue, 17 Jan 2017 11:25:22 -0500 Subject: [PATCH] Use expected_trace in test scripts diff --git a/Use-fallback-realm-for-GSSAPI-ccache-selection.patch b/Use-fallback-realm-for-GSSAPI-ccache-selection.patch index 21fcb7f..bc0591a 100644 --- a/Use-fallback-realm-for-GSSAPI-ccache-selection.patch +++ b/Use-fallback-realm-for-GSSAPI-ccache-selection.patch @@ -1,4 +1,4 @@ -From 4963152dc973e8ff74f257f64b0960a7716b480c Mon Sep 17 00:00:00 2001 +From feee4c633a7db348ef99f1f0c99a5c2e6cb70f92 Mon Sep 17 00:00:00 2001 From: Matt Rogers <mrogers@redhat.com> Date: Fri, 10 Feb 2017 12:53:42 -0500 Subject: [PATCH] Use fallback realm for GSSAPI ccache selection diff --git a/Use-krb5_timestamp-where-appropriate.patch b/Use-krb5_timestamp-where-appropriate.patch index 616ed67..c5b4c25 100644 --- a/Use-krb5_timestamp-where-appropriate.patch +++ b/Use-krb5_timestamp-where-appropriate.patch @@ -1,4 +1,4 @@ -From f0f0a503f58ed4f6ccf924751b356a70f515dd4b Mon Sep 17 00:00:00 2001 +From 0ae9141d53a8d9fe048542f89d17760990bd5bc4 Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Wed, 17 May 2017 15:14:15 -0400 Subject: [PATCH] Use krb5_timestamp where appropriate @@ -81,7 +81,7 @@ index 16a35d2be..4ecc23481 100644 retval = krb5_crypto_us_timeofday(&now, &now_usec); 
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c -index 656dddff5..c2cf69169 100644 +index c4bb16dc7..679fc7c41 100644 --- a/src/lib/kadm5/srv/server_acl.c +++ b/src/lib/kadm5/srv/server_acl.c @@ -375,7 +375,7 @@ kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp) @@ -107,7 +107,7 @@ index 612553ba3..f4b8aef2b 100644 krb5_tl_data tl_data; diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c -index f4a9a2ad2..0d4f0a632 100644 +index 137e1fb64..89f34482b 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -296,7 +296,7 @@ kadm5_create_principal_3(void *server_handle, @@ -146,7 +146,7 @@ index f4a9a2ad2..0d4f0a632 100644 kadm5_policy_ent_rec pol; krb5_keysalt keysalt; int i, kvno, ret; -@@ -1888,7 +1888,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal, +@@ -1891,7 +1891,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal, { krb5_db_entry *kdb; osa_princ_ent_rec adb; diff --git a/Use-the-canonical-client-principal-name-for-OTP.patch b/Use-the-canonical-client-principal-name-for-OTP.patch index eba922a..c96aeb5 100644 --- a/Use-the-canonical-client-principal-name-for-OTP.patch +++ b/Use-the-canonical-client-principal-name-for-OTP.patch @@ -1,4 +1,4 @@ -From 1d729e7bd01cd0a5e4db0ba16fc5058b21b4abb2 Mon Sep 17 00:00:00 2001 +From 7998de0b9ccd0c8813159cc3f1d49fe107e3e0ba Mon Sep 17 00:00:00 2001 From: Matt Rogers <mrogers@redhat.com> Date: Wed, 5 Apr 2017 16:48:55 -0400 Subject: [PATCH] Use the canonical client principal name for OTP diff --git a/kerberos-adm.portreserve b/kerberos-adm.portreserve deleted file mode 100644 index eb6080d..0000000 --- a/kerberos-adm.portreserve +++ /dev/null @@ -1 +0,0 @@ -kerberos-adm/tcp diff --git a/krb5-1.11-kpasswdtest.patch b/krb5-1.11-kpasswdtest.patch index 19fd77b..e68fb05 100644 --- a/krb5-1.11-kpasswdtest.patch +++ b/krb5-1.11-kpasswdtest.patch 
@@ -1,4 +1,4 @@ -From b932cd580f6c78bcec06620770444b480cb7899c Mon Sep 17 00:00:00 2001 +From fb8f32ebdf3293d8a6bdb9478fe1f902a399ba7a Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Tue, 23 Aug 2016 16:52:01 -0400 Subject: [PATCH] krb5-1.11-kpasswdtest.patch diff --git a/krb5-1.11-run_user_0.patch b/krb5-1.11-run_user_0.patch index c886713..ad93b8a 100644 --- a/krb5-1.11-run_user_0.patch +++ b/krb5-1.11-run_user_0.patch @@ -1,4 +1,4 @@ -From 85c019fe805d801ad3b65cad61fd9b2f1eef8d7f Mon Sep 17 00:00:00 2001 +From 9c45f66fbc6afb472589dbeb5166f46ad266d319 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Tue, 23 Aug 2016 16:49:57 -0400 Subject: [PATCH] krb5-1.11-run_user_0.patch diff --git a/krb5-1.12-api.patch b/krb5-1.12-api.patch index 22575e8..c5bc2e5 100644 --- a/krb5-1.12-api.patch +++ b/krb5-1.12-api.patch @@ -1,4 +1,4 @@ -From 3bd2daf49b882deeaadd846d138c06d72de589fe Mon Sep 17 00:00:00 2001 +From 107a2b8728f1b76feb16df9201919444482e3981 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Tue, 23 Aug 2016 16:47:00 -0400 Subject: [PATCH] krb5-1.12-api.patch diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch index 53b057b..7f92b1d 100644 --- a/krb5-1.12-ksu-path.patch +++ b/krb5-1.12-ksu-path.patch @@ -1,4 +1,4 @@ -From b3b35bbf939f05b9caece64f93c012c2f241f1c7 Mon Sep 17 00:00:00 2001 +From 93b86d94b871aed49b14d7fc1a2a9f23c16cbe0f Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Tue, 23 Aug 2016 16:32:09 -0400 Subject: [PATCH] krb5-1.12-ksu-path.patch diff --git a/krb5-1.12-ktany.patch b/krb5-1.12-ktany.patch index fc63d7c..a941082 100644 --- a/krb5-1.12-ktany.patch +++ b/krb5-1.12-ktany.patch @@ -1,4 +1,4 @@ -From 259f691fac41a06c238aea1d812b0f3889f06877 Mon Sep 17 00:00:00 2001 +From efee9f8598ba84f2be0983fc1d07a9a72d0ff1b7 Mon Sep 17 00:00:00 2001 
From: Robbie Harwood <rharwood@redhat.com> Date: Tue, 23 Aug 2016 16:33:53 -0400 Subject: [PATCH] krb5-1.12-ktany.patch diff --git a/krb5-1.12.1-pam.patch b/krb5-1.12.1-pam.patch index f00c797..5372fb4 100644 --- a/krb5-1.12.1-pam.patch +++ b/krb5-1.12.1-pam.patch @@ -1,4 +1,4 @@ -From 461ae27581ad3b132b9b2d8c07777102fba015f3 Mon Sep 17 00:00:00 2001 +From e0924e10dd431a898c9c95faa04b51edbe59c5ef Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Tue, 23 Aug 2016 16:29:58 -0400 Subject: [PATCH] krb5-1.12.1-pam.patch diff --git a/krb5-1.13-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch index eb384f0..9b0178c 100644 --- a/krb5-1.13-dirsrv-accountlock.patch +++ b/krb5-1.13-dirsrv-accountlock.patch @@ -1,4 +1,4 @@ -From d183995c587fc0f32a76011858703308d751e17c Mon Sep 17 00:00:00 2001 +From f2df0b75dfbc9796bf8e1477f4661dfb7cdcf8d4 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Tue, 23 Aug 2016 16:47:44 -0400 Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch diff --git a/krb5-1.15-beta1-buildconf.patch b/krb5-1.15-beta1-buildconf.patch index ca6723d..276c254 100644 --- a/krb5-1.15-beta1-buildconf.patch +++ b/krb5-1.15-beta1-buildconf.patch @@ -1,4 +1,4 @@ -From 35e09ba633eb14cc207b59de7ce60324ea86554f Mon Sep 17 00:00:00 2001 +From ae5bb11c0f06fdf92f51d237e94c1d410c59aa04 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Tue, 23 Aug 2016 16:45:26 -0400 Subject: [PATCH] krb5-1.15-beta1-buildconf.patch diff --git a/krb5-1.15.1-selinux-label.patch b/krb5-1.15.1-selinux-label.patch index d0bf8f3..2590f8e 100644 --- a/krb5-1.15.1-selinux-label.patch +++ b/krb5-1.15.1-selinux-label.patch @@ -1,4 +1,4 @@ -From a3280e7ec607b9eb7b79cf75cd323fbbdd125b02 Mon Sep 17 00:00:00 2001 +From aaf74b66a51cbda90ba40f73eb8def9b192ab262 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Tue, 23 Aug 2016 16:30:53 -0400 Subject: [PATCH] krb5-1.15.1-selinux-label.patch 
diff --git a/krb5-1.3.1-dns.patch b/krb5-1.3.1-dns.patch index c3a1d07..766226f 100644 --- a/krb5-1.3.1-dns.patch +++ b/krb5-1.3.1-dns.patch @@ -1,4 +1,4 @@ -From 2ecbf6ba30520f908188521eb903876bc64905ae Mon Sep 17 00:00:00 2001 +From 1b95f8a488d1e70bf7698c8b49412306a1b8aba0 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Tue, 23 Aug 2016 16:46:21 -0400 Subject: [PATCH] krb5-1.3.1-dns.patch diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch index 2d70bd5..d3d0080 100644 --- a/krb5-1.9-debuginfo.patch +++ b/krb5-1.9-debuginfo.patch @@ -1,4 +1,4 @@ -From 06349d595ba0baa72a9d5aabeedee5926419d6bc Mon Sep 17 00:00:00 2001 +From e1d7fcf9713fe322ad5740045650dac86427e6ae Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharwood@redhat.com> Date: Tue, 23 Aug 2016 16:49:25 -0400 Subject: [PATCH] krb5-1.9-debuginfo.patch 
@@ -14,38 +14,38 @@ # Should be in form 5.0, 6.1, etc. %global kdbversion 6.1 +%global majmin 1.15 + Summary: The Kerberos network authentication system Name: krb5 -Version: 1.15.1 -# for prerelease, should be e.g., 0.3.beta2%{?dist} -Release: 28%{?dist} -# - Maybe we should explode from the now-available-to-everybody tarball instead? -# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar -# - The sources below are stored in a lookaside cache. Upload with -# $ fedpkg upload krb5-1.13.2.tar.gz krb5-1.13.2.tar.gz.asc # (and don't -# remove, otherwise you can't go back or branch from a previous point) -Source0: krb5-%{version}%{prerelease}.tar.gz -Source1: krb5-%{version}%{prerelease}.tar.gz.asc +Version: %{majmin}.2 +# for prerelease, should be e.g., 0.3.beta2% { ?dist } (without spaces) +Release: 1%{?dist} + +# lookaside-cached sources; two downloads and a build artifact +Source0: https://web.mit.edu/kerberos/dist/krb5/%{majmin}/krb5-%{version}%{prerelease}.tar.gz +# rharwood has trust path to signing key and verifies on check-in +Source1: https://web.mit.edu/kerberos/dist/krb5/%{majmin}/krb5-%{version}%{prerelease}.tar.gz.asc +# This source is generated during the build because it is documentation. +# To override this behavior (e.g., new upstream version), do: +# tar cfT krb5-1.15.2-pdfs.tar /dev/null +# or the like. This logic persists due to how slow the stranger Fedora +# architecture builders are. 5 minutes on my laptop, 45 on koji easy. Source3: krb5-%{version}%{prerelease}-pdfs.tar + +# Numbering is a relic of old init systems etc. It's easiest to just leave. 
Source2: kprop.service Source4: kadmin.service Source5: krb5kdc.service Source6: krb5.conf -#Source7: _kpropd -#Source8: _kadmind Source10: kdc.conf Source11: kadm5.acl Source19: krb5kdc.sysconfig Source20: kadmin.sysconfig Source21: kprop.sysconfig Source29: ksu.pamd -Source31: kerberos-adm.portreserve -Source32: krb5_prop.portreserve Source33: krb5kdc.logrotate Source34: kadmind.logrotate -#Source36: kpropd.init -#Source37: kadmind.init -#Source38: krb5kdc.init Source39: krb5-krb5kdc.conf # Carry this locally until it's available in a packaged form. @@ -77,11 +77,8 @@ Patch48: Use-the-canonical-client-principal-name-for-OTP.patch Patch49: Add-certauth-pluggable-interface.patch Patch50: Correct-error-handling-bug-in-prior-commit.patch Patch51: Add-k5test-expected_msg-expected_trace.patch -Patch52: Fix-leaks-in-gss_inquire_cred_by_oid.patch Patch53: Add-support-to-query-the-SSF-of-a-GSS-context.patch -Patch54: Prevent-KDC-unset-status-assertion-failures.patch Patch55: Remove-incomplete-PKINIT-OCSP-support.patch -Patch56: Allow-clock-skew-in-krb5-gss_context_time.patch Patch57: Fix-in_clock_skew-and-use-it-in-AS-client-code.patch Patch58: Add-timestamp-helper-functions.patch Patch59: Make-timestamp-manipulations-y2038-safe.patch @@ -96,7 +93,6 @@ Patch67: Fix-certauth-built-in-module-returns.patch Patch68: Add-test-cert-with-no-extensions.patch Patch69: Add-PKINIT-test-case-for-generic-client-cert.patch Patch70: Add-hostname-based-ccselect-module.patch -Patch71: Preserve-GSS-context-on-init-accept-failure.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -105,7 +101,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: autoconf, bison, cmake, flex, gawk, gettext, pkgconfig, sed BuildRequires: libcom_err-devel, libedit-devel, libss-devel BuildRequires: gzip, ncurses-devel -BuildRequires: python2-sphinx, texlive-pdftex +BuildRequires: python2-sphinx, texlive-pdftex, latexmk # For autosetup BuildRequires: git 
@@ -124,7 +120,9 @@ BuildRequires: tex(ifthen.sty) BuildRequires: tex(inputenc.sty) BuildRequires: tex(longtable.sty) BuildRequires: tex(multirow.sty) +BuildRequires: tex(needspace.sty) BuildRequires: tex(report.cls) +BuildRequires: tex(tabulary.sty) BuildRequires: tex(threeparttable.sty) BuildRequires: tex(times.sty) BuildRequires: tex(titlesec.sty) @@ -748,6 +746,10 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Mon Sep 25 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.2-1 +- New upstream release - krb5-1.15.2 +- Adjust patches as appropriate + * Wed Sep 06 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-28 - Save other programs from worrying about CVE-2017-11462 - Resolves: #1488873 diff --git a/krb5_prop.portreserve b/krb5_prop.portreserve deleted file mode 100644 index 54eeff2..0000000 --- a/krb5_prop.portreserve +++ /dev/null @@ -1 +0,0 @@ -krb5_prop/tcp @@ -1,3 +1,3 @@ -SHA512 (krb5-1.15.1-pdfs.tar) = f014d5da5e4cc74a19d51df658f52c6ae2f6f64663b29342e81f81ddb6e734a44c452b3f0d02f90c43baeb0618438f8b264d4f68424b0d98300a9dbe59a28552 -SHA512 (krb5-1.15.1.tar.gz) = 068b4c012722d8c232049d2a617f7ee28ceeaba6be94a78439e69e37b66cfdc49085641e42cfb03b2fbb72d21517b537e437061ec4dd2bf864f31e55e05fe918 -SHA512 (krb5-1.15.1.tar.gz.asc) = 48d2b1382970d4117340fbfd82a88ecd9342aaddad3e06a26db2b5e4766654e2e4cda03a3af6803e463e6ddcfbfbb32323379d9ccc70561c3f296b406bfee905 +SHA512 (krb5-1.15.2-pdfs.tar) = 5875efde7ed88dcccd6f624a5252c5c70844fe94015ce4acfdf7f6ccabf52c86965c5a661b161c73e37b46e51aa5e9ea19602ab32e8b50682ecb0a450f0553b6 +SHA512 (krb5-1.15.2.tar.gz) = e5814bb66384b13637c37918df694c6b9933c29c2d952da0ed0dcd2e623b269060b4c16b6c02162039dadebdab99ff1085e37e7621ae4748dafb036424e612c2 +SHA512 (krb5-1.15.2.tar.gz.asc) = 37cee442de29229fa821539c3f1724eb4d37fa9ce5eee644869a7311c8fe10218dac36da3a5297d45168d8fb1ad64dbd614f10d3384d54e4070e56e7fe8a1e63 |
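Review bot: In the krb5.spec hunk at `@@ -14,38 +14,38 @@`, the new comment above Source1 ("rharwood has trust path to signing key and verifies on check-in") leaves signature verification as a manual step by one maintainer. Nothing in the visible spec lines checks `krb5-%{version}%{prerelease}.tar.gz.asc` against Source0 at build time. Consider carrying the upstream signing keyring as an additional Source and verifying the tarball in %prep, so that a rebuild by someone else, or an upload where the manual check was skipped, fails instead of proceeding. In the same hunk, the override example `tar cfT krb5-1.15.2-pdfs.tar /dev/null` hardcodes 1.15.2 while the surrounding lines move to `%{majmin}` and `%{version}`, so the comment will be stale at the next rebase.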
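Review bot: The patch-list hunk at `@@ -77,11 +77,8 @@` drops Patch52, Patch54 and Patch56 (Patch71 goes in the next hunk), but the new %changelog entry says only "Adjust patches as appropriate". Patch54 is Prevent-KDC-unset-status-assertion-failures.patch, and the header of that deleted file identifies it as the CVE-2017-11368 fix, cherry-picked from a860385dd8fbd239fdb31b347e07f4e6b2fbdcc2. The package therefore now relies on the krb5-1.15.2 tarball containing that change. Suggest naming the dropped patches in the changelog and stating that they are included in the upstream release, so that someone auditing the package for CVE-2017-11368 can tell from the changelog why the fix no longer appears in the patch list.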
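Review bot: The deletions of kerberos-adm.portreserve and krb5_prop.portreserve (`@@ -1 +0,0 @@`) are paired with the removal of Source31 and Source32, but none of the visible spec hunks changes %install or %files. Please confirm that no remaining spec line still references `%{SOURCE31}` or `%{SOURCE32}`. If the files were already unused before this commit, a line in the commit message or changelog saying so would make the removal easier to review, since it is unrelated to the 1.15.2 rebase itself.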