openSUSE Commits
Threads by month
- ----- 2024 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
February 2013
- 1 participants
- 1989 discussions
Hello community,
here is the log from the commit of package gnome-control-center for openSUSE:12.1:Update checked in at 2013-02-25 09:55:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update/gnome-control-center (Old)
and /work/SRC/openSUSE:12.1:Update/.gnome-control-center.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnome-control-center", Maintainer is "gnome-maintainers(a)suse.de"
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _link ++++++
--- /var/tmp/diff_new_pack.Zpf6Ly/_old 2013-02-25 09:55:58.000000000 +0100
+++ /var/tmp/diff_new_pack.Zpf6Ly/_new 2013-02-25 09:55:58.000000000 +0100
@@ -1 +1 @@
-<link package='gnome-control-center.171' cicount='copy' />
+<link package='gnome-control-center.1352' cicount='copy' />
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
1
0
![](https://seccdn.libravatar.org/avatar/e2145bc5cf53dda95c308a3c75e8fef3.jpg?s=120&d=mm&r=g)
25 Feb '13
Hello community,
here is the log from the commit of package gnome-control-center.1352 for openSUSE:12.1:Update checked in at 2013-02-25 09:55:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update/gnome-control-center.1352 (Old)
and /work/SRC/openSUSE:12.1:Update/.gnome-control-center.1352.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnome-control-center.1352", Maintainer is ""
Changes:
--------
New Changes file:
--- /dev/null 2013-02-09 11:18:20.872010756 +0100
+++ /work/SRC/openSUSE:12.1:Update/.gnome-control-center.1352.new/gnome-control-center.changes 2013-02-25 09:55:53.000000000 +0100
@@ -0,0 +1,3146 @@
+-------------------------------------------------------------------
+Sat Feb 16 17:28:09 UTC 2013 - mike.catanzaro(a)gmail.com
+
+- Add gnome-control-center-minimal-password-dialog.patch
+ + Remove the random password generator, which cannot work in 12.1
+ since it calls apg, which we do not package (bnc#779414)
+ + Remove password "hint to nowhere" that gdm no longer displays
+ (bnc#796932)
+- Add gnome-control-center-remove-password-options.patch
+ + For 12.1, remove 'choose password at next login' and 'log in
+ without password' options as these conflict with our PAM and
+ make it impossible to log in (bnc#796932).
+- Add gnome-control-center-remove-password-options.patch
+ + Disallow setting password to be the same as it used to be, to
+ avoid a hang (bnc#779413).
+
+-------------------------------------------------------------------
+Fri Dec 23 04:29:04 UTC 2011 - glin(a)suse.com
+
+- add gnome-control-center-private-connections-by-default.patch to
+ create the private connections by default (bnc#731812)
+
+-------------------------------------------------------------------
+Tue Nov 15 09:57:30 UTC 2011 - glin(a)suse.com
+
+- Add gnome-control-center-probe-radius-server-cert.patch to probe
+ the RADIUS server certificate (bnc#574266)
+
+-------------------------------------------------------------------
+Thu Oct 20 08:25:40 UTC 2011 - vuntz(a)opensuse.org
+
+- Add gnome-control-center-hide-region-system-tab.patch: hide
+ system tab in region panel until we really use the same files as
+ systemd for setting the system-wide locale configuration. See
+ bnc#703833 for more details.
+- Really drop
+ gnome-control-center-network-allocate-nm-connection.patch.
+
+-------------------------------------------------------------------
+Mon Oct 17 18:10:24 CEST 2011 - dimstar(a)opensuse.org
+
+- Update to version 3.2.1:
+ + Common:
+ - Always collect locales from the directory (bgo#660725)
+ + Color:
+ - After removing a profile select the device so the UI is
+ correct (bgo#661658)
+ + Date & time:
+ - Fix showing actual clock format on panel open
+ + Info:
+ - Use new GtkAppChooserButton API (bgo#658693)
+ - Use x-content/unix-software as mime for the Software combobox
+ + Network:
+ - Allocate nm-connection for nma-wireless-dialog (bgo#648174)
+ - Show wireless dialog even if there is no active AP
+ (bgo#661526)
+ + Printers:
+ - Check state of CUPS after start (bgo#659721)
+ - Fix build on systems without LC_PAPER (bgo#660692)
+ - Don't hide address entry
+ - Disable remove button if no printer is selected (bgo#659724)
+ - Hide spinner after search (bgo#659753)
+ - Make +/- buttons insensitive when can not connect to CUPS
+ + Region:
+ - Hide system tab if no localed
+ - Simplify getting the current Locale
+ - Implement copying layouts (bgo#659300)
+ - Fix build on systems without LC_MEASUREMENT (bgo#660787)
+ - Only show locales for languages that have translations
+ + Screen:
+ - Never set gnome-session's idle-delay to 1
+ + Shell:
+ - Use gtk_widget_show instead of _show_all in
+ gnome_control_center_show
+ - Show the label for the category sections
+ - Make sure we gtk_widget_show the search view
+ - Make Ctrl+Q work outside the overview
+ - Give focus to the search entry when showing the overview page
+ - Don't crash when loading the icon fails (bgo#660513)
+ + Updated translations.
+- Drop gnome-control-center-setup-wpa-eap-no-active-ap.patch: fixed
+ upstream.
+- Drop gnome-control-center-network-allocate-nm-connection.patch:
+ fixed upstream.
+
+-------------------------------------------------------------------
+Wed Oct 12 08:49:59 UTC 2011 - glin(a)suse.com
+
+- Add gnome-control-center-setup-wpa-eap-no-active-ap.patch: show
+ the wireless setup dialog regardless of whether there is an
+ active AP or not (bgo#661526).
+
+-------------------------------------------------------------------
+Tue Oct 11 18:09:05 UTC 2011 - vuntz(a)opensuse.org
+
+- Add gnome-control-center-allow-yast-in-shell.patch: allow the
+ launch of the YaST shell from the gnome-control-center shell. We
+ need a special case as the gnome-control-center shell only
+ supports internal panels, but we want an exception for the YaST
+ shell.
+- Add gnome-control-center-shell-no-crash.patch: fix crash on
+ search when a .desktop file has no comment.
+- Split /etc/xdg/menus/gnomecc.menu in a branding-upstream
+ subpackage, so that we can have a branding-openSUSE package that
+ will add YaST to the control center shell.
+- Add a Requires on gnome-control-center-branding to the main
+ subpackage, to make sure we always have a menu definition for the
+ shell.
+
+-------------------------------------------------------------------
+Thu Oct 6 04:27:50 UTC 2011 - glin(a)suse.com
+
+- Add gnome-control-center-network-allocate-nm-connection.patch:
+ allocate nm-connection for nma-wireless-dialog so that the user
+ can configure the wireless conection settings (bgo#648174).
+
+-------------------------------------------------------------------
+Mon Oct 3 07:36:56 UTC 2011 - vuntz(a)opensuse.org
+
+- Remove usage of %mime_database_{post,postun} macros as there is
+ no MIME definition installed.
+- Do not pass --disable-update-mimedb to configure since it's not
+ useful anymore.
+
+-------------------------------------------------------------------
+Mon Sep 26 19:41:43 UTC 2011 - vuntz(a)opensuse.org
+
+- Update to version 3.2.0:
+ + System info:
+ - Don't crash when systemd isn't used (bgo#659367)
+ - Don't warn if PackageKit isn't around
+ - Continue on filesystem query info (bgo#654563)
+ + Wacom:
+ - Show "stand-by" page when Wacom not available (bgo#657424)
+ + Updated translations.
+
+-------------------------------------------------------------------
+Tue Sep 20 08:32:23 UTC 2011 - vuntz(a)opensuse.org
+
+- Update to version 3.1.92:
+ + Color:
+ - Fix help links for gnome-help 3.1*
+ - Don't assert if the user double clicks the delete profile
+ button
+ - Fix spawning of gcm-viewer
+ - Do not allow the user to choose profiles owned by other users
+ - Do not allow the user to set default a profile they cannot
+ access
+ - Disable 'View details' button if gcm-viewer is not installed
+ - Escape profile titles that have markup in the titles
+ (bgo#659127)
+ - Pack the left and right button groups into two GtkBox
+ containers (bgo#659273)
+ + Common:
+ - Add a way for panels to receive additional arguments
+ (bgo#657093)
+ - Bump GTK+ deps
+ - Tell the actual required version for NM
+ + Display:
+ - Remove duplicate/unused translations
+ + Info:
+ - Don't warn when the hostname is empty
+ - Do fallback correctly when reading hostnames
+ - Split the hostname setting
+ + Keyboard:
+ - Link directly to the layouts page
+ + Network:
+ - Show wireless dialogs when asked (bgo#657093)
+ - Fix memleak when argv changes
+ - A segfault was introduced when assigning to args (bgo#658670)
+ - Bind HTTP host entry to the 'host' setting in GSettings
+ + Printers:
+ - Match lower-case properly
+ + Region:
+ - Add ability to switch pages
+ - Fix display of layouts on the system tab
+ - Only offer to copy settings if they are different
+ + Screen:
+ - Don't fill up the space
+ - Fix resulting top-padding (bgo#657606)
+ - Remove indent on "Turn off..." label
+ + Shell:
+ - Replace window sizing code (bgo#658068)
+ + Sound:
+ - Put the level bar at 0 when muting (bgo#644537)
+ - Allow switching tabs from the command-line
+ + Universal access:
+ - Fix sensitivity of keyboard a11y (bgo#649452)
+ - Add context for text sizes (bgo#645729)
+ - Set contrast combo on startup (bgo#658990)
+ + User accounts:
+ - Hide old message when enrolling
+ + Wacom:
+ - Add a left-handed switch (bgo#657810)
+ - Improve alignment of lines and widgets (bgo#657425)
+ - Make string as translatable
+ + Updated translations.
++++ 2949 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.1:Update/.gnome-control-center.1352.new/gnome-control-center.changes
New:
----
gnome-control-center-3.2.1.tar.bz2
gnome-control-center-allow-yast-in-shell.patch
gnome-control-center-hide-region-system-tab.patch
gnome-control-center-minimal-password-dialog.patch
gnome-control-center-password-must-change.patch
gnome-control-center-private-connections-by-default.patch
gnome-control-center-probe-radius-server-cert.patch
gnome-control-center-remove-password-options.patch
gnome-control-center-shell-no-crash.patch
gnome-control-center-system-proxy-configuration.patch
gnome-control-center.changes
gnome-control-center.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gnome-control-center.spec ++++++
#
# spec file for package gnome-control-center
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: gnome-control-center
BuildRequires: cups-devel
BuildRequires: desktop-file-utils
BuildRequires: fdupes
BuildRequires: gnome-common
BuildRequires: gnome-doc-utils-devel
BuildRequires: intltool
BuildRequires: translation-update-upstream
BuildRequires: update-desktop-files
BuildRequires: pkgconfig(cheese-gtk)
BuildRequires: pkgconfig(colord)
BuildRequires: pkgconfig(dbus-1)
BuildRequires: pkgconfig(dbus-glib-1)
BuildRequires: pkgconfig(gconf-2.0)
BuildRequires: pkgconfig(gdk-pixbuf-2.0)
BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(gnome-desktop-3.0)
BuildRequires: pkgconfig(gnome-settings-daemon) >= 2.91.94
BuildRequires: pkgconfig(goa-1.0)
BuildRequires: pkgconfig(goa-backend-1.0)
BuildRequires: pkgconfig(gsettings-desktop-schemas)
BuildRequires: pkgconfig(gstreamer-0.10)
BuildRequires: pkgconfig(gtk+-3.0) >= 3.1.19
BuildRequires: pkgconfig(iso-codes)
BuildRequires: pkgconfig(libcanberra-gtk3)
BuildRequires: pkgconfig(libgnome-menu-3.0)
BuildRequires: pkgconfig(libgnomekbd)
BuildRequires: pkgconfig(libgnomekbdui)
BuildRequires: pkgconfig(libgtop-2.0)
BuildRequires: pkgconfig(libnm-glib) >= 0.8.992
BuildRequires: pkgconfig(libnm-gtk) >= 0.8.992
BuildRequires: pkgconfig(libnotify) >= 0.7.3
BuildRequires: pkgconfig(libpulse)
BuildRequires: pkgconfig(libpulse-mainloop-glib)
BuildRequires: pkgconfig(libsocialweb-client)
BuildRequires: pkgconfig(libxklavier)
BuildRequires: pkgconfig(libxml-2.0)
BuildRequires: pkgconfig(polkit-gobject-1) >= 0.97
BuildRequires: pkgconfig(upower-glib)
BuildRequires: pkgconfig(xcursor)
BuildRequires: pkgconfig(xft)
BuildRequires: pkgconfig(xi)
Obsoletes: acme
Obsoletes: fontilus
Obsoletes: themus
Provides: acme
Provides: fontilus
Provides: themus
Version: 3.2.1
Release: 0
# FIXME: in 12.2 and later, check if we still need patch2 (gnome-control-center-hide-region-system-tab.patch) (see bnc#703833)
Summary: The GNOME Control Center
License: GPL-2.0+
Group: System/GUI/GNOME
Source: http://download.gnome.org/sources/gnome-control-center/3.2/%{name}-%{versio…
# PATCH-FEATURE-OPENSUSE gnome-control-center-allow-yast-in-shell.patch vuntz(a)opensuse.org -- Allow the launch of the yast shell from the g-c-c shell; it's quite ugly, but on the other hand, we don't want to change the behavior of the shell except for yast...
Patch0: gnome-control-center-allow-yast-in-shell.patch
# PATCH-FIX-UPSTREAM gnome-control-center-shell-no-crash.patch vuntz(a)opensuse.org -- Do not crash on search when a .desktop has no Comment
Patch1: gnome-control-center-shell-no-crash.patch
# PATCH-HACK-OPENSUSE gnome-control-center-hide-region-system-tab.patch vuntz(a)opensuse.org -- Hide system tab in region panel until we really use the right files for system settings (see bnc#703833)
Patch2: gnome-control-center-hide-region-system-tab.patch
# PATCH-NEEDS-REBASE gnome-control-center-system-proxy-configuration.patch -- this needs to be reimplemented to be more distro-generic before submitting upstream - docs at http://en.opensuse.org/GNOME/Proxy_configuration (was PATCH-FEATURE-OPENSUSE)
Patch14: gnome-control-center-system-proxy-configuration.patch
# PATCH-FIX-UPSTREAM gnome-control-center-probe-radius-server-cert.patch bnc#574266 glin(a)suse.com -- Probe the RADIUS server certificate
Patch15: gnome-control-center-probe-radius-server-cert.patch
# PATCH-FIX-OPENSUSE gnome-control-center-private-connections-by-default.patch bnc#731812 glin(a)suse.com -- Create the private connections by default
Patch16: gnome-control-center-private-connections-by-default.patch
# PATCH-FIX-OPENSUSE bnc#779413 bgo#691265 mike.catanzaro(a)gmail.com -- Don't allow nonsensical password change that will cause a hang, trying to get this upstream
Patch17: gnome-control-center-password-must-change.patch
# PATCH-FIX-OPENSUSE bnc#779414 bnc#796932 mike.catanzaro(a)gmail.com -- Hide random password and password hint options
Patch18: gnome-control-center-minimal-password-dialog.patch
# PATCH-HACK-OPENSUSE bnc#779408 mike.catanzaro(a)gmail.com -- These conflict with our current PAM policy
Patch19: gnome-control-center-remove-password-options.patch
Url: http://www.gnome.org
Requires: %{name}-branding = %{version}
# needed for printers panel
Requires: cups-pk-helper
# needed for /usr/bin/glxinfo, used by System info panel
Requires: freeglut
Requires: gnome-menus
Requires: gnome-settings-daemon
# needed for universal access panel
Requires: gnome-themes-accessibility
Requires: gnome-version
Requires: iso-codes
Requires: nautilus
Recommends: %{name}-lang
Recommends: %{name}-user-faces
Recommends: apg
# the printers panel can use the dbus service
Recommends: system-config-printer-dbus-service
Provides: control-center2 = 2.22.1
Obsoletes: control-center2 < 2.22.1
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%glib2_gsettings_schema_requires
%description
The control center is GNOME's main interface for configuration of
various aspects of your desktop.
%package branding-upstream
Summary: The GNOME Control Center -- Upstream Definition of Shell Content
Group: System/GUI/GNOME
Requires: %{name} = %{version}
Provides: %{name}-branding = %{version}
Conflicts: otherproviders(%{name}-branding)
Supplements: packageand(%{name}:branding-upstream)
BuildArch: noarch
#BRAND: This package contains the definitions of the content appearing
#BRAND: in the shell (/etc/xdg/menus/gnomecc.menu).
%description branding-upstream
The control center is GNOME's main interface for configuration of
various aspects of your desktop.
This package provides the upstream definition of what appears in the
control center.
%package user-faces
Summary: Login Managers user avatars
Group: System/GUI/GNOME
%description user-faces
This package provides user avatars to be used by display managers
%package -n libgnome-control-center1
Summary: Shared library used by GNOME control center
Group: System/GUI/GNOME
%description -n libgnome-control-center1
Shared library used by GNOME control center
%package devel
Summary: Header files for the GNOME Control Center
Group: Development/Libraries/GNOME
Requires: %{name} = %{version}
Requires: libgnome-control-center1 = %{version}
Provides: control-center2-devel = 2.22.1
Obsoletes: control-center2-devel < 2.22.1
%description devel
The control center is GNOME's main interface for configuration of
various aspects of your desktop.
%lang_package
%prep
%setup -q
translation-update-upstream
%patch0 -p1
%patch1 -p1
%patch2 -p1
#NEEDS-REBASE
#%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%if 0%{?BUILD_FROM_VCS}
[ -x ./autogen.sh ] && NOCONFIGURE=1 ./autogen.sh
%endif
%build
%configure --with-pic\
--with-libsocialweb\
--disable-static\
--disable-scrollkeeper\
--disable-maintainer-mode
make %{?jobs:-j%jobs} V=1
%install
%makeinstall
%if 0%{?suse_version} <= 1120
%{__rm} %{buildroot}%{_datadir}/locale/en@shaw/LC_MESSAGES/*
%endif
find %{buildroot} -type f -name "*.la" -delete -print
%find_lang %{name}-2.0 %{?no_lang_C}
%find_lang %{name}-2.0-timezones %{name}-2.0.lang
# help files
%find_lang control-center %{?no_lang_C} %{name}-2.0.lang
%suse_update_desktop_file gnome-control-center
%suse_update_desktop_file gnome-sound-applet
# capplets
%suse_update_desktop_file gnome-background-panel X-SuSE-ControlCenter-LookAndFeel
%suse_update_desktop_file gnome-color-panel X-SuSE-ControlCenter-Hardware
%suse_update_desktop_file gnome-datetime-panel X-SuSE-ControlCenter-Hardware
%suse_update_desktop_file gnome-display-panel X-SuSE-ControlCenter-Hardware
%suse_update_desktop_file gnome-info-panel X-SuSE-ControlCenter-Personal
%suse_update_desktop_file gnome-keyboard-panel X-SuSE-ControlCenter-Hardware
%suse_update_desktop_file gnome-media-panel X-SuSE-ControlCenter-Hardware
%suse_update_desktop_file gnome-mouse-panel X-SuSE-ControlCenter-Hardware
%suse_update_desktop_file gnome-network-panel X-SuSE-ControlCenter-Hardware
%suse_update_desktop_file gnome-online-accounts-panel X-SuSE-ControlCenter-Personal
%suse_update_desktop_file gnome-power-panel X-SuSE-ControlCenter-Hardware
%suse_update_desktop_file gnome-printers-panel X-SuSE-ControlCenter-Hardware
%suse_update_desktop_file gnome-region-panel X-SuSE-ControlCenter-Personal
%suse_update_desktop_file gnome-screen-panel X-SuSE-ControlCenter-LookAndFeel
%suse_update_desktop_file gnome-sound-panel X-SuSE-ControlCenter-Hardware
%suse_update_desktop_file gnome-universal-access-panel X-SuSE-ControlCenter-Personal
%suse_update_desktop_file gnome-user-accounts-panel X-SuSE-ControlCenter-Personal
%suse_update_desktop_file gnome-wacom-panel X-SuSE-ControlCenter-Hardware
%fdupes $RPM_BUILD_ROOT
%clean
rm -rf $RPM_BUILD_ROOT
%post
%glib2_gsettings_schema_post
%desktop_database_post
%icon_theme_cache_post
%postun
%glib2_gsettings_schema_postun
%desktop_database_postun
%icon_theme_cache_postun
%post -n libgnome-control-center1 -p /sbin/ldconfig
%postun -n libgnome-control-center1 -p /sbin/ldconfig
%files
%defattr(-,root,root)
%doc AUTHORS COPYING ChangeLog NEWS README TODO
%dir %{_datadir}/gnome/
%dir %{_datadir}/gnome/help/
%dir %{_datadir}/gnome/help/control-center/
%doc %{_datadir}/gnome/help/control-center/C/
%dir %{_datadir}/omf/
%dir %{_datadir}/omf/control-center/
%doc %{_datadir}/omf/control-center/control-center-C.omf
%{_bindir}/*
%{_sysconfdir}/xdg/autostart/*.desktop
%{_libdir}/control-center-1/
%{_datadir}/applications/*.desktop
%{_datadir}/desktop-directories/*.directory
%{_datadir}/gnome-control-center/
%{_datadir}/icons/hicolor/*/*/*.png
%{_datadir}/icons/hicolor/*/*/*.svg
%dir %{_datadir}/sounds/gnome
%dir %{_datadir}/sounds/gnome/default
%dir %{_datadir}/sounds/gnome/default/alerts
%{_datadir}/sounds/gnome/default/alerts/*.ogg
%files branding-upstream
%defattr (-, root, root)
%{_sysconfdir}/xdg/menus/gnomecc.menu
%files lang -f %{name}-2.0.lang
%files user-faces
%defattr (-, root, root)
%{_datadir}/pixmaps/faces/
%files -n libgnome-control-center1
%defattr (-, root, root)
%{_libdir}/libgnome-control-center.so.1*
%files devel
%defattr (-, root, root)
%{_datadir}/pkgconfig/gnome-keybindings.pc
%{_libdir}/*.so
%changelog
++++++ gnome-control-center-allow-yast-in-shell.patch ++++++
Index: gnome-control-center-3.2.0/shell/gnome-control-center.c
===================================================================
--- gnome-control-center-3.2.0.orig/shell/gnome-control-center.c
+++ gnome-control-center-3.2.0/shell/gnome-control-center.c
@@ -110,6 +110,39 @@ get_icon_name_from_g_icon (GIcon *gicon)
}
static void
+suse_activate_desktop (GnomeControlCenter *shell,
+ const gchar *id,
+ const gchar *desktop_file)
+{
+ GDesktopAppInfo *appinfo;
+ GdkAppLaunchContext *context;
+ GdkScreen *screen;
+ GdkDisplay *display;
+ GError *error;
+
+ appinfo = g_desktop_app_info_new_from_filename (desktop_file);
+
+ screen = gtk_widget_get_screen (shell->priv->window);
+ display = gdk_screen_get_display (screen);
+ context = gdk_display_get_app_launch_context (display);
+ gdk_app_launch_context_set_screen (context, screen);
+ gdk_app_launch_context_set_timestamp (context, gtk_get_current_event_time ());
+
+ error = NULL;
+ g_app_info_launch_uris (G_APP_INFO (appinfo), NULL,
+ (GAppLaunchContext *) context,
+ &error);
+
+ if (error) {
+ g_printerr ("Could not launch '%s': %s\n", id, error->message);
+ g_clear_error (&error);
+ }
+
+ g_object_unref (context);
+ g_object_unref (appinfo);
+}
+
+static void
activate_panel (GnomeControlCenter *shell,
const gchar *id,
const gchar **argv,
@@ -127,6 +160,12 @@ activate_panel (GnomeControlCenter *shel
if (!desktop_file)
return;
+ if (g_strcmp0 (id, "YaST.desktop") == 0)
+ {
+ suse_activate_desktop (shell, id, desktop_file);
+ return;
+ }
+
if (id)
{
++++++ gnome-control-center-hide-region-system-tab.patch ++++++
Index: gnome-control-center-3.2.1/panels/region/gnome-region-panel-system.c
===================================================================
--- gnome-control-center-3.2.1.orig/panels/region/gnome-region-panel-system.c
+++ gnome-control-center-3.2.1/panels/region/gnome-region-panel-system.c
@@ -415,7 +415,8 @@ setup_system (GtkBuilder *dialog)
GDBusConnection *bus;
GtkWidget *button;
- localed_permission = polkit_permission_new_sync ("org.freedesktop.locale1.set-locale", NULL, NULL, NULL);
+ //localed_permission = polkit_permission_new_sync ("org.freedesktop.locale1.set-locale", NULL, NULL, NULL);
+ localed_permission = NULL;
if (localed_permission == NULL) {
GtkWidget *tab_widget, *notebook;
int num;
++++++ gnome-control-center-minimal-password-dialog.patch ++++++
++++ 860 lines (skipped)
++++++ gnome-control-center-password-must-change.patch ++++++
>From 14f04443bb8f0ddb3bc080d275114743f15be06f Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mike.catanzaro(a)gmail.com>
Date: Sun, 6 Jan 2013 21:47:48 -0600
Subject: [PATCH] Don't allow setting password to old password
It hangs if you do this. bnc#779413
---
panels/user-accounts/um-password-dialog.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/panels/user-accounts/um-password-dialog.c b/panels/user-accounts/um-password-dialog.c
index c825749..ef0a8ce 100644
--- a/panels/user-accounts/um-password-dialog.c
+++ b/panels/user-accounts/um-password-dialog.c
@@ -265,6 +265,11 @@ update_sensitivity (UmPasswordDialog *um)
tooltip = _("The current password is not correct");
}
}
+ else if (strcmp (password, old_password) == 0) {
+ /* not localized */
+ can_change = FALSE;
+ tooltip = NULL;
+ }
else {
can_change = TRUE;
tooltip = NULL;
--
1.7.10.4
++++++ gnome-control-center-private-connections-by-default.patch ++++++
diff --git a/panels/network/cc-network-panel.c b/panels/network/cc-network-panel.c
index ca31b0d..424ae38 100644
--- a/panels/network/cc-network-panel.c
+++ b/panels/network/cc-network-panel.c
@@ -2687,8 +2687,10 @@ wireless_ap_changed_cb (GtkComboBox *combo_box, CcNetworkPanel *panel)
NetObject *object;
NMConnection *connection;
NMConnection *connection_activate = NULL;
+ NMConnection *partial;
NMDevice *device;
NMSettingWireless *setting_wireless;
+ NMSettingConnection *setting_con;
if (panel->priv->updating_device)
goto out;
@@ -2757,8 +2759,12 @@ wireless_ap_changed_cb (GtkComboBox *combo_box, CcNetworkPanel *panel)
/* create one, as it's missing */
g_debug ("no existing connection found for %s, creating",
ssid_target);
+ partial = nm_connection_new ();
+ setting_con = nm_setting_connection_new ();
+ nm_connection_add_setting (partial, NM_SETTING (setting_con));
+ nm_setting_connection_add_permission (setting_con, "user", g_get_user_name(), NULL);
nm_client_add_and_activate_connection (panel->priv->client,
- NULL,
+ partial,
device, object_path,
connection_add_activate_cb, panel);
out:
@@ -3010,6 +3016,7 @@ start_shared_connection (CcNetworkPanel *panel)
"id", "Hotspot",
"autoconnect", FALSE,
NULL);
+ nm_setting_connection_add_permission (sc, "user", g_get_user_name(), NULL);
nm_connection_add_setting (c, (NMSetting *)sc);
sw = (NMSettingWireless *)nm_setting_wireless_new ();
diff --git a/panels/network/network-dialogs.c b/panels/network/network-dialogs.c
index efe1704..f8419e5 100644
--- a/panels/network/network-dialogs.c
+++ b/panels/network/network-dialogs.c
@@ -293,6 +293,7 @@ cc_network_panel_connect_to_8021x_network (CcNetworkPanel *panel,
uuid = nm_utils_uuid_generate ();
g_object_set (s_con, NM_SETTING_CONNECTION_UUID, uuid, NULL);
g_free (uuid);
+ nm_setting_connection_add_permission (s_con, "user", g_get_user_name(), NULL);
nm_connection_add_setting (connection, NM_SETTING (s_con));
s_wifi = (NMSettingWireless *) nm_setting_wireless_new ();
@@ -393,6 +394,10 @@ cdma_mobile_wizard_done (NMAMobileWizard *wizard,
NULL);
g_free (uuid);
g_free (id);
+ nm_setting_connection_add_permission ((NMSettingConnection *)setting,
+ "user",
+ g_get_user_name(),
+ NULL);
nm_connection_add_setting (connection, setting);
}
@@ -456,6 +461,10 @@ gsm_mobile_wizard_done (NMAMobileWizard *wizard,
NULL);
g_free (uuid);
g_free (id);
+ nm_setting_connection_add_permission ((NMSettingConnection *)setting,
+ "user",
+ g_get_user_name(),
+ NULL);
nm_connection_add_setting (connection, setting);
}
++++++ gnome-control-center-probe-radius-server-cert.patch ++++++
diff --git a/panels/network/network-dialogs.c b/panels/network/network-dialogs.c
index 0e5aae1..43fc119 100644
--- a/panels/network/network-dialogs.c
+++ b/panels/network/network-dialogs.c
@@ -153,6 +153,11 @@ wireless_dialog_response_cb (GtkDialog *foo,
g_assert (connection);
g_assert (device);
+ if (nma_wireless_dialog_need_cert_probe (dialog)) {
+ nma_wireless_dialog_probe_cert (dialog);
+ return;
+ }
+
/* Find a similar connection and use that instead */
all = nm_remote_settings_list_connections (closure->settings);
for (iter = all; iter; iter = g_slist_next (iter)) {
++++++ gnome-control-center-remove-password-options.patch ++++++
>From ac24c1f64364a8f955319c83767092a96d57a8ec Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mike.catanzaro(a)gmail.com>
Date: Sat, 16 Feb 2013 11:23:34 -0600
Subject: [PATCH] Remove password options
These options conflict with our PAM policy and selecting them will
cause a user to accidentally make the account unusable. We need to
remove them for now.
---
panels/user-accounts/data/password-dialog.ui | 8 --------
1 file changed, 8 deletions(-)
diff --git a/panels/user-accounts/data/password-dialog.ui b/panels/user-accounts/data/password-dialog.ui
index 660c499..db3a6a6 100644
--- a/panels/user-accounts/data/password-dialog.ui
+++ b/panels/user-accounts/data/password-dialog.ui
@@ -14,14 +14,6 @@
<col id="1">0</col>
</row>
<row>
- <col id="0" translatable="yes">Choose password at next login</col>
- <col id="1">1</col>
- </row>
- <row>
- <col id="0" translatable="yes">Log in without a password</col>
- <col id="1">2</col>
- </row>
- <row>
<col id="0" translatable="yes">Disable this account</col>
<col id="1">3</col>
</row>
--
1.7.10.4
++++++ gnome-control-center-shell-no-crash.patch ++++++
commit 59fe530504a4359f66d9a112050970a52fe46281
Author: Vincent Untz <vuntz(a)gnome.org>
Date: Tue Oct 11 22:51:42 2011 +0200
shell: Avoid crash when searching if a .desktop has no comment
The code doing the search assumes the description column is set, which
might not be the case.
https://bugzilla.gnome.org/show_bug.cgi?id=661494
diff --git a/shell/shell-search-renderer.c b/shell/shell-search-renderer.c
index 0667bc0..6032af8 100644
--- a/shell/shell-search-renderer.c
+++ b/shell/shell-search-renderer.c
@@ -154,12 +154,15 @@ shell_search_renderer_set_layout (ShellSearchRenderer *cell, GtkWidget *widget)
needle = g_utf8_casefold (priv->search_string, -1);
else
needle = NULL;
- haystack = g_utf8_casefold (full_string, -1);
+ if (full_string != NULL)
+ haystack = g_utf8_casefold (full_string, -1);
+ else
+ haystack = NULL;
/* clear any previous attributes */
pango_layout_set_attributes (priv->layout, NULL);
- if (priv->search_string && priv->title
+ if (priv->search_string && priv->search_target && priv->title
&& (strstr (haystack, needle)))
{
gchar *start;
++++++ gnome-control-center-system-proxy-configuration.patch ++++++
>From 067cc33aba6eeaffd4efe1d8a8e838aa1a89476a Mon Sep 17 00:00:00 2001
From: Federico Mena Quintero <federico(a)novell.com>
Date: Mon, 25 May 2009 14:38:52 -0500
Subject: [PATCH] Integrate openSUSE's network proxy configuration with GNOME's.
This is documented in http://en.opensuse.org/GNOME/Proxy_configuration
We basically add a "use system settings" proxy mode. When it is active,
gnome-settings-daemon will read /etc/sysconfig/proxy and mirror its values
into GNOME's GConf space.
Signed-off-by: Federico Mena Quintero <federico(a)novell.com>
---
capplets/network/gnome-network-properties.c | 164 +++++++++++++++++------
capplets/network/gnome-network-properties.glade | 24 +++-
2 files changed, 143 insertions(+), 45 deletions(-)
diff --git a/capplets/network/gnome-network-properties.c b/capplets/network/gnome-network-properties.c
index f6ea0e6..0ea9945 100644
--- a/capplets/network/gnome-network-properties.c
+++ b/capplets/network/gnome-network-properties.c
@@ -32,19 +32,11 @@
#include "capplet-util.h"
#include "gconf-property-editor.h"
-enum ProxyMode
-{
- PROXYMODE_NONE,
- PROXYMODE_MANUAL,
- PROXYMODE_AUTO
-};
-
-static GEnumValue proxytype_values[] = {
- { PROXYMODE_NONE, "PROXYMODE_NONE", "none"},
- { PROXYMODE_MANUAL, "PROXYMODE_MANUAL", "manual"},
- { PROXYMODE_AUTO, "PROXYMODE_AUTO", "auto"},
- { 0, NULL, NULL }
-};
+/* Novell extension */
+#define KEY_USE_SYSTEM_SETTINGS "/system/proxy/use_system_settings" /* string */
+#define VAL_USE_SYSTEM_SETTINGS_ONLY_IF_NOT_SET "only_if_mode_not_set"
+#define VAL_USE_SYSTEM_SETTINGS_SYSTEM_VALUES "system_values"
+#define VAL_USE_SYSTEM_SETTINGS_USER_VALUES "user_values"
enum {
COL_NAME,
@@ -1019,36 +1011,58 @@ extract_proxy_host (GConfPropertyEditor *peditor, const GConfValue *orig)
}
static void
+set_sensitivity_based_on_active_radiobutton (GladeXML *dialog, GtkWidget *active_radio)
+{
+ gboolean manual_box_sensitive, auto_box_sensitive;
+
+ g_assert (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON (active_radio)));
+
+ manual_box_sensitive = auto_box_sensitive = FALSE;
+
+ if (active_radio == WID ("manual_radiobutton"))
+ manual_box_sensitive = TRUE;
+ else if (active_radio == WID ("auto_radiobutton"))
+ auto_box_sensitive = TRUE;
+
+ gtk_widget_set_sensitive (WID ("manual_box"), manual_box_sensitive);
+ gtk_widget_set_sensitive (WID ("same_proxy_checkbutton"), manual_box_sensitive);
+ gtk_widget_set_sensitive (WID ("auto_box"), auto_box_sensitive);
+}
+
+static void
proxy_mode_radiobutton_clicked_cb (GtkWidget *widget,
GladeXML *dialog)
{
- GSList *mode_group;
- int mode;
- GConfClient *client;
+ GConfClient *client;
- if (!gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON(widget)))
- return;
-
- mode_group = g_slist_copy (gtk_radio_button_get_group
- (GTK_RADIO_BUTTON (WID ("none_radiobutton"))));
- mode_group = g_slist_reverse (mode_group);
- mode = g_slist_index (mode_group, widget);
- g_slist_free (mode_group);
-
- gtk_widget_set_sensitive (WID ("manual_box"),
- mode == PROXYMODE_MANUAL);
- gtk_widget_set_sensitive (WID ("same_proxy_checkbutton"),
- mode == PROXYMODE_MANUAL);
- gtk_widget_set_sensitive (WID ("auto_box"),
- mode == PROXYMODE_AUTO);
+ if (!gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON(widget)))
+ return;
+
client = gconf_client_get_default ();
- gconf_client_set_bool (client, USE_PROXY_KEY,
- mode == PROXYMODE_AUTO || mode == PROXYMODE_MANUAL, NULL);
- g_object_unref (client);
+
+ if (widget == WID ("system_radiobutton")) {
+ gconf_client_set_string (client, KEY_USE_SYSTEM_SETTINGS, VAL_USE_SYSTEM_SETTINGS_SYSTEM_VALUES, NULL);
+ } else if (widget == WID ("none_radiobutton")) {
+ gconf_client_set_string (client, KEY_USE_SYSTEM_SETTINGS, VAL_USE_SYSTEM_SETTINGS_USER_VALUES, NULL);
+ gconf_client_set_string (client, PROXY_MODE_KEY, "none", NULL);
+ gconf_client_set_bool (client, USE_PROXY_KEY, FALSE, NULL);
+ } else if (widget == WID ("manual_radiobutton")) {
+ gconf_client_set_string (client, KEY_USE_SYSTEM_SETTINGS, VAL_USE_SYSTEM_SETTINGS_USER_VALUES, NULL);
+ gconf_client_set_string (client, PROXY_MODE_KEY, "manual", NULL);
+ gconf_client_set_bool (client, USE_PROXY_KEY, TRUE, NULL);
+ } else if (widget == WID ("auto_radiobutton")) {
+ gconf_client_set_string (client, KEY_USE_SYSTEM_SETTINGS, VAL_USE_SYSTEM_SETTINGS_USER_VALUES, NULL);
+ gconf_client_set_string (client, PROXY_MODE_KEY, "auto", NULL);
+ gconf_client_set_bool (client, USE_PROXY_KEY, TRUE, NULL);
+ }
+
+ set_sensitivity_based_on_active_radiobutton (dialog, widget);
+
+ g_object_unref (client);
}
static void
-connect_sensitivity_signals (GladeXML *dialog, GSList *mode_group)
+connect_mode_radiobuttons (GladeXML *dialog, GSList *mode_group)
{
for (; mode_group != NULL; mode_group = mode_group->next)
{
@@ -1058,20 +1072,85 @@ connect_sensitivity_signals (GladeXML *dialog, GSList *mode_group)
}
}
+static GtkWidget *
+get_radio_for_mode (GladeXML *dialog, const char *mode_str)
+{
+ if (!mode_str)
+ return WID ("none_radiobutton");
+ else if (strcmp (mode_str, "none") == 0)
+ return WID ("none_radiobutton");
+ else if (strcmp (mode_str, "manual") == 0)
+ return WID ("manual_radiobutton");
+ else if (strcmp (mode_str, "auto") == 0)
+ return WID ("auto_radiobutton");
+ else
+ return WID ("none_radiobutton");
+}
+
+static void
+mode_set_initial_value (GladeXML *dialog, GConfClient *client)
+{
+ char *use_system_settings;
+ GConfValue *mode_value;
+ gboolean use_system_if_mode_not_set;
+ gboolean use_mode;
+ GtkWidget *radiobutton;
+
+ radiobutton = NULL;
+
+ use_system_settings = gconf_client_get_string (client, KEY_USE_SYSTEM_SETTINGS, NULL);
+ mode_value = gconf_client_get_without_default (client, PROXY_MODE_KEY, NULL);
+
+ use_system_if_mode_not_set = FALSE;
+ use_mode = FALSE;
+
+ if (!use_system_settings)
+ use_system_if_mode_not_set = TRUE;
+ else {
+ if (strcmp (use_system_settings, VAL_USE_SYSTEM_SETTINGS_ONLY_IF_NOT_SET) == 0)
+ use_system_if_mode_not_set = TRUE;
+ else if (strcmp (use_system_settings, VAL_USE_SYSTEM_SETTINGS_SYSTEM_VALUES) == 0)
+ radiobutton = WID ("system_radiobutton");
+ else if (strcmp (use_system_settings, VAL_USE_SYSTEM_SETTINGS_USER_VALUES) == 0)
+ use_mode = TRUE;
+
+ g_free (use_system_settings);
+ }
+
+ if (use_system_if_mode_not_set) {
+ if (mode_value)
+ use_mode = TRUE;
+ else
+ radiobutton = WID ("system_radiobutton");
+ }
+
+ if (use_mode) {
+ if (!mode_value || mode_value->type != GCONF_VALUE_STRING)
+ radiobutton = WID ("none_radiobutton");
+ else
+ radiobutton = get_radio_for_mode (dialog, gconf_value_get_string (mode_value));
+ }
+
+ if (radiobutton) {
+ gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON (radiobutton), TRUE);
+ set_sensitivity_based_on_active_radiobutton (dialog, radiobutton);
+ }
+
+ if (mode_value)
+ gconf_value_free (mode_value);
+}
+
static void
setup_dialog (GladeXML *dialog)
{
GConfPropertyEditor *peditor;
GSList *mode_group;
- GType mode_type = 0;
GConfClient *client;
gint port_value;
GtkWidget *location_box;
GtkCellRenderer *location_renderer;
GtkListStore *store;
- mode_type = g_enum_register_static ("NetworkPreferencesProxyType",
- proxytype_values);
/* There's a bug in peditors that cause them to not initialize the entry
* correctly. */
@@ -1100,17 +1179,16 @@ setup_dialog (GladeXML *dialog)
"style", COL_STYLE, NULL);
/* Hackety hack */
+ gtk_label_set_use_markup (GTK_LABEL (GTK_BIN (WID ("system_radiobutton"))->child), TRUE);
gtk_label_set_use_markup (GTK_LABEL (GTK_BIN (WID ("none_radiobutton"))->child), TRUE);
gtk_label_set_use_markup (GTK_LABEL (GTK_BIN (WID ("manual_radiobutton"))->child), TRUE);
gtk_label_set_use_markup (GTK_LABEL (GTK_BIN (WID ("auto_radiobutton"))->child), TRUE);
/* Mode */
- mode_group = gtk_radio_button_get_group (GTK_RADIO_BUTTON (WID ("none_radiobutton")));
- connect_sensitivity_signals (dialog, mode_group);
+ mode_set_initial_value (dialog, client);
+ mode_group = gtk_radio_button_get_group (GTK_RADIO_BUTTON (WID ("system_radiobutton")));
+ connect_mode_radiobuttons (dialog, mode_group);
- peditor = GCONF_PROPERTY_EDITOR (gconf_peditor_new_select_radio_with_enum (NULL,
- PROXY_MODE_KEY, mode_group, mode_type,
- TRUE, NULL));
/* Use same proxy for all protocols */
peditor = GCONF_PROPERTY_EDITOR (gconf_peditor_new_boolean (NULL,
diff --git a/capplets/network/gnome-network-properties.glade b/capplets/network/gnome-network-properties.glade
index 656acb5..1147f17 100644
--- a/capplets/network/gnome-network-properties.glade
+++ b/capplets/network/gnome-network-properties.glade
@@ -130,6 +130,25 @@
<property name="spacing">18</property>
<child>
+ <widget class="GtkRadioButton" id="system_radiobutton">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="label" translatable="yes"><b>Use the s_ystem's proxy settings</b></property>
+ <property name="use_underline">True</property>
+ <property name="relief">GTK_RELIEF_NORMAL</property>
+ <property name="focus_on_click">True</property>
+ <property name="active">False</property>
+ <property name="inconsistent">False</property>
+ <property name="draw_indicator">True</property>
+ </widget>
+ <packing>
+ <property name="padding">0</property>
+ <property name="expand">False</property>
+ <property name="fill">False</property>
+ </packing>
+ </child>
+
+ <child>
<widget class="GtkRadioButton" id="none_radiobutton">
<property name="visible">True</property>
<property name="can_focus">True</property>
@@ -140,6 +159,7 @@
<property name="active">False</property>
<property name="inconsistent">False</property>
<property name="draw_indicator">True</property>
+ <property name="group">system_radiobutton</property>
</widget>
<packing>
<property name="padding">0</property>
@@ -171,7 +191,7 @@
<property name="active">False</property>
<property name="inconsistent">False</property>
<property name="draw_indicator">True</property>
- <property name="group">none_radiobutton</property>
+ <property name="group">system_radiobutton</property>
</widget>
<packing>
<property name="padding">0</property>
@@ -714,7 +734,7 @@
<property name="active">False</property>
<property name="inconsistent">False</property>
<property name="draw_indicator">True</property>
- <property name="group">none_radiobutton</property>
+ <property name="group">system_radiobutton</property>
</widget>
<packing>
<property name="padding">0</property>
--
1.6.0.2
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
1
0
Hello community,
here is the log from the commit of package krb5 for openSUSE:12.2:Update checked in at 2013-02-25 09:52:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/krb5 (Old)
and /work/SRC/openSUSE:12.2:Update/.krb5.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "krb5", Maintainer is "mc(a)suse.com"
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
New:
----
_link
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _link ++++++
<link package='krb5.1348' cicount='copy' />
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
1
0
Hello community,
here is the log from the commit of package krb5 for openSUSE:12.1:Update checked in at 2013-02-25 09:52:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update/krb5 (Old)
and /work/SRC/openSUSE:12.1:Update/.krb5.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "krb5", Maintainer is "mc(a)suse.com"
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _link ++++++
--- /var/tmp/diff_new_pack.8JKj0M/_old 2013-02-25 09:52:37.000000000 +0100
+++ /var/tmp/diff_new_pack.8JKj0M/_new 2013-02-25 09:52:37.000000000 +0100
@@ -1 +1 @@
-<link package='krb5.730' cicount='copy' />
+<link package='krb5.1349' cicount='copy' />
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
1
0
Hello community,
here is the log from the commit of package krb5.1349 for openSUSE:12.1:Update checked in at 2013-02-25 09:52:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update/krb5.1349 (Old)
and /work/SRC/openSUSE:12.1:Update/.krb5.1349.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "krb5.1349", Maintainer is ""
Changes:
--------
New Changes file:
--- /dev/null 2013-02-09 11:18:20.872010756 +0100
+++ /work/SRC/openSUSE:12.1:Update/.krb5.1349.new/krb5-doc.changes 2013-02-25 09:52:34.000000000 +0100
@@ -0,0 +1,186 @@
+-------------------------------------------------------------------
+Mon Aug 22 10:21:56 CEST 2011 - mc(a)suse.de
+
+- update to version 1.9.1
+
+-------------------------------------------------------------------
+Fri Apr 9 12:45:30 CEST 2010 - mc(a)suse.de
+
+- update to version 1.8.1
+
+-------------------------------------------------------------------
+Tue Mar 23 12:38:29 CET 2010 - mc(a)suse.de
+
+- add post 1.8 fixes
+ * Document the ticket_lifetime libdefaults setting
+
+-------------------------------------------------------------------
+Thu Mar 4 11:45:22 CET 2010 - mc(a)suse.de
+
+- update to version 1.8
+
+-------------------------------------------------------------------
+Wed Jun 3 10:47:07 CEST 2009 - mc(a)suse.de
+
+- update to final version 1.7
+
+-------------------------------------------------------------------
+Wed May 13 11:34:07 CEST 2009 - mc(a)suse.de
+
+- update to version 1.7 Beta2
+
+-------------------------------------------------------------------
+Mon Feb 16 13:08:05 CET 2009 - mc(a)suse.de
+
+- update to pre 1.7 version
+ * remove outdated documentation for kadm5 API
+
+-------------------------------------------------------------------
+Fri Jul 25 12:17:10 CEST 2008 - mc(a)suse.de
+
+- add patches from SVN post 1.6.3
+ * some fixes in the man pages
+
+-------------------------------------------------------------------
+Wed Jun 18 15:34:16 CEST 2008 - mc(a)suse.de
+
+- reduce rpmlint warnings
+
+-------------------------------------------------------------------
+Tue Oct 23 10:29:23 CEST 2007 - mc(a)suse.de
+
+- update to krb5 version 1.6.3
+ * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
+ * fix CVE-2007-4000 modify_policy vulnerability
+ * Add PKINIT support
+- remove patches which are upstream now
+- enhance init scripts and xinetd profiles
+
+-------------------------------------------------------------------
+Thu Jul 12 17:02:30 CEST 2007 - mc(a)suse.de
+
+- update to version 1.6.2
+- remove krb5-1.6.1-post.dif all fixes are included in this release
+
+-------------------------------------------------------------------
+Wed Jun 13 15:29:42 CEST 2007 - sschober(a)suse.de
+
+- removed executable permission from doc file
+
+-------------------------------------------------------------------
+Mon Apr 23 11:15:59 CEST 2007 - mc(a)suse.de
+
+- update to final 1.6.1 version
+- replace te_ams with texlive in BuildRequires
+
+-------------------------------------------------------------------
+Wed Apr 18 14:47:49 CEST 2007 - mc(a)suse.de
+
+- build implementor.ps
+
+-------------------------------------------------------------------
+Mon Apr 16 14:39:40 CEST 2007 - mc(a)suse.de
+
+- update to version 1.6.1 Beta1
+- remove obsolete patches
+ (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
+
+-------------------------------------------------------------------
+Mon Feb 19 14:00:49 CET 2007 - mc(a)suse.de
+
+- add krb5-1.6-post.dif
+
+-------------------------------------------------------------------
+Mon Jan 22 12:21:20 CET 2007 - mc(a)suse.de
+
+- update to version 1.6
+ * Major changes in 1.6 include
+ * Partial client implementation to handle server name referrals.
+ * Pre-authentication plug-in framework, donated by Red Hat.
+ * LDAP KDB plug-in, donated by Novell.
+
+-------------------------------------------------------------------
+Thu Aug 24 12:53:25 CEST 2006 - mc(a)suse.de
+
+- update to version 1.5.1
+- remove obsolete patches which are now included upstream
+ * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
+ * trunk-fix-uninitialized-vars.dif
+
+-------------------------------------------------------------------
+Mon Jul 3 15:01:57 CEST 2006 - mc(a)suse.de
+
+- update to version 1.5
+ * KDB abstraction layer, donated by Novell.
+ * plug-in architecture, allowing for extension modules to be
+ loaded at run-time.
+ * multi-mechanism GSS-API implementation ("mechglue"),
+ donated by Sun Microsystems
+ * Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
+ implementation, donated by Sun Microsystems
+- remove obsolete patches and add some new
+
+-------------------------------------------------------------------
+Mon Mar 13 18:01:06 CET 2006 - mc(a)suse.de
+
+- set BuildArchitectures to noarch
+- set norootforbuild
+
+-------------------------------------------------------------------
+Wed Jan 25 21:30:24 CET 2006 - mls(a)suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Fri Nov 18 12:15:07 CET 2005 - mc(a)suse.de
+
+- update to version 1.4.3
+- fix tex for kadm5 documentation (krb5-1.4.3-kadm5-tex.dif)
+
+-------------------------------------------------------------------
+Wed Oct 12 16:19:08 CEST 2005 - mc(a)suse.de
+
+- build kadm5 documentation
+- build documentation also as html
+- include the text only documentation
+
+-------------------------------------------------------------------
+Tue Oct 11 17:40:26 CEST 2005 - mc(a)suse.de
+
+- update to version 1.4.2
+- remove some obsolet patches
+
+-------------------------------------------------------------------
+Mon Jun 27 13:36:04 CEST 2005 - mc(a)suse.de
+
+- update to version 1.4.1
+- remove obsolet patches
+ - krb5-1.4-VUL-0-telnet.dif
+
+-------------------------------------------------------------------
+Thu Feb 10 02:38:39 CET 2005 - ro(a)suse.de
+
+- added libpng to neededforbuild (for tetex)
+
+-------------------------------------------------------------------
+Fri Feb 4 16:50:34 CET 2005 - mc(a)suse.de
+
+- remove spx.c from tarball because of legal risk
+- add README.Source which tell the user about this
+ action.
+
+-------------------------------------------------------------------
+Fri Jan 28 13:28:18 CET 2005 - mc(a)suse.de
+
+- update to version 1.4
+
+-------------------------------------------------------------------
+Mon Jan 10 12:20:11 CET 2005 - mc(a)suse.de
+
+- update to version 1.3.6
+
+-------------------------------------------------------------------
+Tue Dec 14 15:21:02 CET 2004 - mc(a)suse.de
+
+- initial release
+
New Changes file:
--- /dev/null 2013-02-09 11:18:20.872010756 +0100
+++ /work/SRC/openSUSE:12.1:Update/.krb5.1349.new/krb5-mini.changes 2013-02-25 09:52:34.000000000 +0100
@@ -0,0 +1,923 @@
+-------------------------------------------------------------------
+Fri Feb 15 11:47:36 CET 2013 - mc(a)suse.de
+
+- Fix cross-realm traversal TGT requests (bnc#777474)
+- Fix krb5-send-pr (bnc#794784)
+
+-------------------------------------------------------------------
+Wed Aug 1 09:54:37 CEST 2012 - mc(a)suse.de
+
+- fix potentially execute code flaws
+ CVE-2012-1015 (bnc#770172)
+
+-------------------------------------------------------------------
+Mon Jun 18 12:03:59 CEST 2012 - mc(a)suse.de
+
+- fix kadmind denial of service via null pointer dereference
+ CVE-2012-1013 (bnc#765485)
+
+-------------------------------------------------------------------
+Mon Nov 21 11:23:02 CET 2011 - mc(a)suse.de
+
+- fix KDC null pointer dereference in TGS handling
+ (MITKRB5-SA-2011-007, bnc#730393)
+ CVE-2011-1530
+
+-------------------------------------------------------------------
+Mon Nov 21 11:06:33 CET 2011 - mc(a)suse.de
+
+- fix KDC HA feature introduced with implementing KDC poll
+ (RT#6951, bnc#731648)
+
+-------------------------------------------------------------------
+Fri Nov 18 08:35:52 UTC 2011 - rhafer(a)suse.de
+
+- fix minor error messages for the IAKERB GSSAPI mechanism
+ (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)
+
+-------------------------------------------------------------------
+Mon Oct 17 16:11:03 CEST 2011 - mc(a)suse.de
+
+- fix kdc remote denial of service
+ (MITKRB5-SA-2011-006, bnc#719393)
+ CVE-2011-1527, CVE-2011-1528, CVE-2011-1529
+
+-------------------------------------------------------------------
+Tue Aug 23 13:52:03 CEST 2011 - mc(a)suse.de
+
+- use --without-pam to build krb5-mini
+
+-------------------------------------------------------------------
+Sun Aug 21 09:37:01 UTC 2011 - mc(a)novell.com
+
+- add patches from Fedora and upstream
+- fix init scripts (bnc#689006)
+
+-------------------------------------------------------------------
+Fri Aug 19 15:48:35 UTC 2011 - mc(a)novell.com
+
+- update to version 1.9.1
+ * obsolete patches:
+ MITKRB5-SA-2010-007-1.8.dif
+ krb5-1.8-MITKRB5-SA-2010-006.dif
+ krb5-1.8-MITKRB5-SA-2011-001.dif
+ krb5-1.8-MITKRB5-SA-2011-002.dif
+ krb5-1.8-MITKRB5-SA-2011-003.dif
+ krb5-1.8-MITKRB5-SA-2011-004.dif
+ krb5-1.4.3-enospc.dif
+ * replace krb5-1.6.1-compile_pie.dif
+-------------------------------------------------------------------
+Thu Apr 14 11:33:18 CEST 2011 - mc(a)suse.de
+
+- fix kadmind invalid pointer free()
+ (MITKRB5-SA-2011-004, bnc#687469)
+ CVE-2011-0285
+
+-------------------------------------------------------------------
+Tue Mar 1 12:43:22 CET 2011 - mc(a)suse.de
+
+- Fix vulnerability to a double-free condition in KDC daemon
+ (MITKRB5-SA-2011-003, bnc#671717)
+ CVE-2011-0284
+
+-------------------------------------------------------------------
+Wed Jan 19 14:42:27 CET 2011 - mc(a)suse.de
+
+- Fix kpropd denial of service
+ (MITKRB5-SA-2011-001, bnc#662665)
+ CVE-2010-4022
+- Fix KDC denial of service attacks with LDAP back end
+ (MITKRB5-SA-2011-002, bnc#663619)
+ CVE-2011-0281, CVE-2011-0282
+
+-------------------------------------------------------------------
+Wed Dec 1 11:44:15 CET 2010 - mc(a)suse.de
+
+- Fix multiple checksum handling vulnerabilities
+ (MITKRB5-SA-2010-007, bnc#650650)
+ CVE-2010-1324
+ * krb5 GSS-API applications may accept unkeyed checksums
+ * krb5 application services may accept unkeyed PAC checksums
+ * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums
+ CVE-2010-1323
+ * krb5 clients may accept unkeyed SAM-2 challenge checksums
+ * krb5 may accept KRB-SAFE checksums with low-entropy derived keys
+ CVE-2010-4020
+ * krb5 may accept authdata checksums with low-entropy derived keys
+ CVE-2010-4021
+ * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery
+
+-------------------------------------------------------------------
+Thu Oct 28 12:53:13 CEST 2010 - mc(a)suse.de
+
+- fix csh profile (bnc#649856)
+
+-------------------------------------------------------------------
+Fri Oct 22 11:15:43 CEST 2010 - mc(a)suse.de
+
+- update to krb5-1.8.3
+ * remove patches which are now upstrem
+ - krb5-1.7-MITKRB5-SA-2010-004.dif
+ - krb5-1.8.1-gssapi-error-table.dif
+ - krb5-MITKRB5-SA-2010-005.dif
+
+-------------------------------------------------------------------
+Fri Oct 22 10:49:11 CEST 2010 - mc(a)suse.de
+
+- change environment variable PATH directly for csh
+ (bnc#642080)
+
+-------------------------------------------------------------------
+Mon Sep 27 11:42:43 CEST 2010 - mc(a)suse.de
+
+- fix a dereference of an uninitialized pointer while processing
+ authorization data.
+ CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)
+
+-------------------------------------------------------------------
+Mon Jun 21 21:31:53 UTC 2010 - lchiquitto(a)novell.com
+
+- add correct error table when initializing gss-krb5 (bnc#606584,
+ bnc#608295)
+
+-------------------------------------------------------------------
+Wed May 19 14:27:19 CEST 2010 - mc(a)suse.de
+
+- fix GSS-API library null pointer dereference
+ CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)
+
+-------------------------------------------------------------------
+Wed Apr 14 11:36:32 CEST 2010 - mc(a)suse.de
+
+- fix a double free vulnerability in the KDC
+ CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)
+
+-------------------------------------------------------------------
+Fri Apr 9 12:43:44 CEST 2010 - mc(a)suse.de
+
+- update to version 1.8.1
+ * include krb5-1.8-POST.dif
+ * include MITKRB5-SA-2010-002
+
+-------------------------------------------------------------------
+Tue Apr 6 14:14:56 CEST 2010 - mc(a)suse.de
+
+- update krb5-1.8-POST.dif
+
+-------------------------------------------------------------------
+Tue Mar 23 14:32:41 CET 2010 - mc(a)suse.de
+
+- fix a bug where an unauthenticated remote attacker could cause
+ a GSS-API application including the Kerberos administration
+ daemon (kadmind) to crash.
+ CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)
+
+-------------------------------------------------------------------
+Tue Mar 23 12:33:26 CET 2010 - mc(a)suse.de
+
+- add post 1.8 fixes
+ * Add IPv6 support to changepw.c
+ * fix two problems in kadm5_get_principal mask handling
+ * Ignore improperly encoded signedpath AD elements
+ * handle NT_SRV_INST in service principal referrals
+ * dereference options while checking
+ KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
+ * Fix the kpasswd fallback from the ccache principal name
+ * Document the ticket_lifetime libdefaults setting
+ * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
+
+-------------------------------------------------------------------
+Thu Mar 4 10:42:29 CET 2010 - mc(a)suse.de
+
+- update to version 1.8
+ * Increase code quality
+ * Move toward improved KDB interface
+ * Investigate and remedy repeatedly-reported performance
+ bottlenecks.
+ * Reduce DNS dependence by implementing an interface that allows
++++ 726 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.1:Update/.krb5.1349.new/krb5-mini.changes
New Changes file:
krb5.changes: same change
New:
----
MITKRB5-SA-2012-001.dif
baselibs.conf
bug-765485-CVE-2012-1013-kadmind_dos_via_null_pointer_dereference.dif
bug-777474-fix-cross-realm-traversal-TGT-requests.dif
krb5-1.3.5-perlfix.dif
krb5-1.6.3-gssapi_improve_errormessages.dif
krb5-1.6.3-kpasswd_tcp.patch
krb5-1.6.3-ktutil-manpage.dif
krb5-1.6.3-texi2dvi-fix.dif
krb5-1.7-doublelog.patch
krb5-1.7-nodeplibs.patch
krb5-1.8-api.patch
krb5-1.8-manpaths.txt
krb5-1.8-pam.patch
krb5-1.9-MITKRB5-SA-2011-006.dif
krb5-1.9-MITKRB5-SA-2011-007.dif
krb5-1.9-buildconf.patch
krb5-1.9-canonicalize-fallback.patch
krb5-1.9-gss_display_status-iakerb.patch
krb5-1.9-kprop-mktemp.patch
krb5-1.9-ksu-path.patch
krb5-1.9-manpaths.dif
krb5-1.9-paren.patch
krb5-1.9-selinux-label.patch
krb5-1.9.1-ai_addrconfig.patch
krb5-1.9.1-ai_addrconfig2.patch
krb5-1.9.1-sendto_poll.patch
krb5-1.9.1-sendto_poll2.patch
krb5-1.9.1-sendto_poll3.patch
krb5-1.9.1.tar.bz2
krb5-doc-rpmlintrc
krb5-doc.changes
krb5-doc.spec
krb5-klist_s.patch
krb5-mini.changes
krb5-mini.spec
krb5-pkinit-cms2.patch
krb5-rpmlintrc
krb5-trunk-chpw-err.patch
krb5-trunk-gss_delete_sec.patch
krb5-trunk-kadmin-oldproto.patch
krb5.changes
krb5.spec
pre_checkin.sh
vendor-files.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ krb5-doc.spec ++++++
#
# spec file for package krb5-doc
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: krb5-doc
BuildRequires: ghostscript-library
BuildRequires: latex2html
BuildRequires: texlive
Version: 1.9.1
Release: 0
%define srcRoot krb5-1.9.1
Summary: MIT Kerberos5 Implementation--Documentation
License: MIT
Group: Documentation/Other
Url: http://web.mit.edu/kerberos/www/
Source: krb5-%{version}.tar.bz2
Source3: %{name}-rpmlintrc
Patch0: krb5-1.3.5-perlfix.dif
Patch1: krb5-1.6.3-texi2dvi-fix.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
%description
Kerberos V5 is a trusted-third-party network authentication
system,which can improve your network's security by eliminating the
insecurepractice of clear text passwords. This package includes
extended documentation for MIT Kerberos.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans(a)mit.edu>
Ken Raeburn <raeburn(a)mit.edu>
Tom Yu <tlyu(a)mit.edu>
%prep
%setup -n %{srcRoot}
%patch0
%patch1
%build
%install
cd doc
mkdir -p html
make
make implementor.ps
make -C api
make -C implement
#make -C kadm5
#cd api
#latex2html -dir ../html/library -mkdir library.tex
#latex2html -dir ../html/libdes -mkdir libdes.tex
#cd ../implement
#latex2html -dir ../html/implement -mkdir implement.tex
#cd ..
mv *.html html/
cd ..
find . -type f -name '*.ps' -exec gzip -9 {} \;
chmod 644 doc/man2ps
chmod 644 doc/krb5-protocol/draft-jaganathan-rc4-hmac-03.txt
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share
#rm -f doc/html/*/WARNINGS
#rm -f doc/html/*/images.aux
#rm -f doc/html/*/labels.pl
#### check for duplicate files and replace them with a link
#cd doc/html/library
#if cmp --quiet library.html index.html ; then
# rm -f index.html
# ln -s library.html index.html
#fi
#cd ../libdes
#if cmp --quiet libdes.html index.html ; then
# rm -f index.html
# ln -s libdes.html index.html
#fi
#cd ../implement
#if cmp --quiet implement.html index.html ; then
# rm -f index.html
# ln -s implement.html index.html
#fi
#cd ../..
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root)
%doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz
%doc doc/krb5-protocol doc/kadmin
%doc doc/html
%changelog
++++++ krb5-mini.spec ++++++
++++ 620 lines (skipped)
krb5.spec: same change
++++++ MITKRB5-SA-2012-001.dif ++++++
Index: krb5-1.9.1/src/kdc/kdc_preauth.c
===================================================================
--- krb5-1.9.1.orig/src/kdc/kdc_preauth.c
+++ krb5-1.9.1/src/kdc/kdc_preauth.c
@@ -1562,7 +1562,8 @@ etype_info_helper(krb5_context context,
continue;
}
- if (request_contains_enctype(context, request, db_etype)) {
+ if (krb5_is_permitted_enctype(context, db_etype) &&
+ request_contains_enctype(context, request, db_etype)) {
retval = _make_etype_info_entry(context, client->princ,
client_key, db_etype,
&entry[i], etype_info2);
Index: krb5-1.9.1/src/kdc/kdc_util.c
===================================================================
--- krb5-1.9.1.orig/src/kdc/kdc_util.c
+++ krb5-1.9.1/src/kdc/kdc_util.c
@@ -2465,6 +2465,7 @@ kdc_handle_protected_negotiation(krb5_da
return 0;
pa.magic = KV5M_PA_DATA;
pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
+ memset(&checksum, 0, sizeof(checksum));
retval = krb5_c_make_checksum(kdc_context,0, reply_key,
KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
if (retval != 0)
Index: krb5-1.9.1/src/lib/kdb/kdb_default.c
===================================================================
--- krb5-1.9.1.orig/src/lib/kdb/kdb_default.c
+++ krb5-1.9.1/src/lib/kdb/kdb_default.c
@@ -64,6 +64,9 @@ krb5_dbe_def_search_enctype(kcontext, db
krb5_boolean saw_non_permitted = FALSE;
ret = 0;
+ if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
+ return KRB5_KDB_NO_PERMITTED_KEY;
+
if (kvno == -1 && stype == -1 && ktype == -1)
kvno = 0;
++++++ baselibs.conf ++++++
krb5
obsoletes "heimdal-lib-<targettype>"
provides "heimdal-lib-<targettype>"
krb5-devel
++++++ bug-765485-CVE-2012-1013-kadmind_dos_via_null_pointer_dereference.dif ++++++
commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b
Author: Richard Basch <basch(a)alum.mit.edu>
Date: Tue May 29 14:07:03 2012 -0400
Null pointer deref in kadmind [CVE-2012-1013]
The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name"). Only clients authorized to create principals can trigger the
bug. Fix the bug by testing for a null password in check_1_6_dummy.
CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
[ghudson(a)mit.edu: Minor style change and commit message]
ticket: 7152
target_version: 1.10.2
tags: pullup
Index: krb5-1.9.1/src/lib/kadm5/srv/svr_principal.c
===================================================================
--- krb5-1.9.1.orig/src/lib/kadm5/srv/svr_principal.c
+++ krb5-1.9.1/src/lib/kadm5/srv/svr_principal.c
@@ -194,7 +194,7 @@ check_1_6_dummy(kadm5_principal_ent_t en
char *password = *passptr;
/* Old-style randkey operations disallowed tickets to start. */
- if (!(mask & KADM5_ATTRIBUTES) ||
+ if (password == NULL || !(mask & KADM5_ATTRIBUTES) ||
!(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))
return;
++++++ bug-777474-fix-cross-realm-traversal-TGT-requests.dif ++++++
commit 5c94d680e4e9cbffa763ad69b112385492fd4ebf
Author: Greg Hudson <ghudson(a)mit.edu>
Date: Thu Sep 1 16:21:25 2011 +0000
Fix cross-realm traversal TGT requests
When requesting a cross-realm TGT, use the KDC instance of the current
TGT (the second data component), not the realm which the TGT came
from.
ticket: 6952
target_version: 1.9.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25121 dc483132-0cff-0310-8789-dd5450dbe970
Index: krb5-1.9.1/src/lib/krb5/krb/get_creds.c
===================================================================
--- krb5-1.9.1.orig/src/lib/krb5/krb/get_creds.c
+++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c
@@ -296,7 +296,7 @@ make_request_for_tgt(krb5_context contex
/* Construct the principal krbtgt/<realm>@<cur-tgt-realm>. */
krb5_free_principal(context, ctx->tgt_princ);
ctx->tgt_princ = NULL;
- code = krb5int_tgtname(context, realm, &ctx->cur_tgt->server->realm,
+ code = krb5int_tgtname(context, realm, &ctx->cur_tgt->server->data[1],
&ctx->tgt_princ);
if (code != 0)
return code;
++++++ krb5-1.3.5-perlfix.dif ++++++
--- doc/man2html
+++ doc/man2html 2004/10/18 16:20:53
@@ -1,5 +1,4 @@
-#!/usr/athena/bin/perl
-#!/usr/local/bin/perl
+#!/usr/bin/perl
##---------------------------------------------------------------------------##
## File:
## @(#) man2html 1.2 97/08/12 12:57:30 @(#)
++++++ krb5-1.6.3-gssapi_improve_errormessages.dif ++++++
Index: trunk/src/lib/gssapi/generic/disp_com_err_status.c
===================================================================
--- trunk.orig/src/lib/gssapi/generic/disp_com_err_status.c
+++ trunk/src/lib/gssapi/generic/disp_com_err_status.c
@@ -54,7 +54,7 @@ g_display_com_err_status(minor_status, s
status_string->value = NULL;
if (! g_make_string_buffer(((status_value == 0)?no_error:
- error_message(status_value)),
+ error_message((long)status_value)),
status_string)) {
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
++++++ krb5-1.6.3-kpasswd_tcp.patch ++++++
Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
to wait for UDP to fail, so this might not be ideal. RT #5868.
Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c.orig
+++ src/lib/krb5/os/changepw.c
@@ -282,10 +282,22 @@ change_set_password(krb5_context context
NULL
))) {
- /*
- * Here we may want to switch to TCP on some errors.
- * right?
- */
+ /* if we're not using a stream socket, and it's an error which
+ * might reasonably be specific to a datagram "connection", try
+ * again with a stream socket */
+ if (!useTcp) {
+ switch (code) {
+ case KRB5_KDC_UNREACH:
+ case KRB5_REALM_CANT_RESOLVE:
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
+ /* should we do this for more result codes than these? */
+ krb5int_free_addrlist (&al);
+ useTcp = 1;
+ continue;
+ default:
+ break;
+ }
+ }
break;
}
++++++ krb5-1.6.3-ktutil-manpage.dif ++++++
Index: krb5-1.6.3/src/kadmin/ktutil/ktutil.M
===================================================================
--- krb5-1.6.3.orig/src/kadmin/ktutil/ktutil.M
+++ krb5-1.6.3/src/kadmin/ktutil/ktutil.M
@@ -63,5 +63,17 @@ Quits
Aliases:
.BR exit ,
.BR q .
+.SH REMARKS
+Changes to the keytab are appended to the keytab file (i.e., the keytab file
+is never overwritten). To directly modify a keytab, save the changes to a
+temporary file and then overwrite the keytab file of interest.
+.TP
+.nf
+Example:
+ktutil> rkt /etc/krb5.keytab
+(modifications to keytab)
+ktutil> wkt /tmp/krb5.newtab
+ktutil> q
+# mv /tmp/krb5.newtab /etc/krb5.keytab
.SH SEE ALSO
kadmin(8), kdb5_util(8)
++++++ krb5-1.6.3-texi2dvi-fix.dif ++++++
Index: trunk/doc/Makefile
===================================================================
--- doc/Makefile
+++ doc/Makefile
@@ -1,5 +1,5 @@
SRCDIR=../src
-DVI=texi2dvi4a2ps # texi2dvi
+DVI=texi2dvi # texi2dvi
DVIPS=dvips -o "$@"
PSPDF=ps2pdf
INFO=makeinfo
++++++ krb5-1.7-doublelog.patch ++++++
Don't double-log (actually, don't process /etc/krb5.conf twice) just
because we built with --sysconfdir=/etc. RT#3277
Index: krb5-1.9.1/src/include/Makefile.in
===================================================================
--- krb5-1.9.1.orig/src/include/Makefile.in
+++ krb5-1.9.1/src/include/Makefile.in
@@ -66,7 +66,9 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
-e "s+@MODULEDIR+$(MODULE_DIR)+" \
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
- -e 's+@SYSCONFDIR+$(SYSCONFDIR)+'
+ -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+'
OSCONFSRC = $(srcdir)/osconf.hin
++++++ krb5-1.7-nodeplibs.patch ++++++
Omit extra libraries because their interfaces aren't exposed to applications
by libkrb5, unless do_deps is set to 1, which indicates that the caller
wants the whole list.
Index: krb5-1.9.1/src/krb5-config.in
===================================================================
--- krb5-1.9.1.orig/src/krb5-config.in
+++ krb5-1.9.1/src/krb5-config.in
@@ -221,7 +221,11 @@ if test -n "$do_libs"; then
fi
if test $library = 'krb5'; then
- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
+ if test 0$do_deps -eq 1 ; then
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
+ else
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err"
+ fi
fi
echo $lib_flags
++++++ krb5-1.8-api.patch ++++++
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/princ_comp.c
--- krb5-1.8/src/lib/krb5/krb/princ_comp.c.api 2009-10-30 20:48:38.000000000 -0400
+++ krb5-1.8/src/lib/krb5/krb/princ_comp.c 2010-03-05 11:00:55.000000000 -0500
@@ -41,6 +41,12 @@ realm_compare_flags(krb5_context context
const krb5_data *realm1 = krb5_princ_realm(context, princ1);
const krb5_data *realm2 = krb5_princ_realm(context, princ2);
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
+ if ((realm1 == NULL) || (realm2 == NULL))
+ return FALSE;
+
if (realm1->length != realm2->length)
return FALSE;
@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
krb5_principal upn2 = NULL;
krb5_boolean ret = FALSE;
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
/* Treat UPNs as if they were real principals */
if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
++++++ krb5-1.8-manpaths.txt ++++++
appl/sample/sserver/sserver.M
config-files/kdc.conf.M
config-files/krb5.conf.M
kadmin/cli/kadmin.M
slave/kpropd.M
slave/kprop.M
++++++ krb5-1.8-pam.patch ++++++
++++ 757 lines (skipped)
++++++ krb5-1.9-MITKRB5-SA-2011-006.dif ++++++
diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c
index b473611..50c60b7 100644
--- a/src/plugins/kdb/db2/lockout.c
+++ b/src/plugins/kdb/db2/lockout.c
@@ -169,6 +169,9 @@ krb5_db2_lockout_audit(krb5_context context,
return 0;
}
+ if (entry == NULL)
+ return 0;
+
if (!db_ctx->disable_lockout) {
code = lookup_lockout_policy(context, entry, &max_fail,
&failcnt_interval, &lockout_duration);
@@ -176,6 +179,15 @@ krb5_db2_lockout_audit(krb5_context context,
return code;
}
+ /*
+ * Don't continue to modify the DB for an already locked account.
+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
+ * this check is unneeded, but in rare cases, we can fail with an
+ * integrity error or preauth failure before a policy check.)
+ */
+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
+ return 0;
+
/* Only mark the authentication as successful if the entry
* required preauthentication, otherwise we have no idea. */
if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) {
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 552e39a..c2f44ab 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -105,6 +105,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
CHECK_LDAP_HANDLE(ldap_context);
if (is_principal_in_realm(ldap_context, searchfor) != 0) {
+ st = KRB5_KDB_NOENTRY;
krb5_set_error_message (context, st, "Principal does not belong to realm");
goto cleanup;
}
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
index a218dc7..fd164dd 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
@@ -165,6 +165,9 @@ krb5_ldap_lockout_audit(krb5_context context,
return 0;
}
+ if (entry == NULL)
+ return 0;
+
if (!ldap_context->disable_lockout) {
code = lookup_lockout_policy(context, entry, &max_fail,
&failcnt_interval,
@@ -173,9 +176,16 @@ krb5_ldap_lockout_audit(krb5_context context,
return code;
}
- entry->mask = 0;
+ /*
+ * Don't continue to modify the DB for an already locked account.
+ * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and
+ * this check is unneeded, but in rare cases, we can fail with an
+ * integrity error or preauth failure before a policy check.)
+ */
+ if (locked_check_p(context, stamp, max_fail, lockout_duration, entry))
+ return 0;
- assert (!locked_check_p(context, stamp, max_fail, lockout_duration, entry));
+ entry->mask = 0;
/* Only mark the authentication as successful if the entry
* required preauthentication, otherwise we have no idea. */
++++++ krb5-1.9-MITKRB5-SA-2011-007.dif ++++++
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index f46cad3..102fbaa 100644
--- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -67,6 +67,7 @@ check-unix:: rtest
check-pytests::
$(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
install::
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c169c54..840a2ef 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -243,7 +243,8 @@ tgt_again:
if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
errcode = find_alternate_tgs(request, &server);
firstpass = 0;
- goto tgt_again;
+ if (errcode == 0)
+ goto tgt_again;
}
}
status = "UNKNOWN_SERVER";
diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
new file mode 100644
index 0000000..1760bcd
--- /dev/null
+++ b/src/kdc/t_emptytgt.py
@@ -0,0 +1,8 @@
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(start_kadmind=False, create_host=False)
+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
+if 'not found in Kerberos database' not in output:
+ fail('TGT lookup for empty realm failed in unexpected way')
+success('Empty tgt lookup.')
++++++ krb5-1.9-buildconf.patch ++++++
Build binaries in this package as RELRO PIEs and install shared libraries with
the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS
where they might leak out and affect apps which just want to link with the
libraries. FIXME: needs to check and not just assume that the compiler supports
using these flags.
diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf
--- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500
+++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400
@@ -430,7 +430,8 @@
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in
--- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
+++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400
@@ -187,8 +187,14 @@ if test -n "$do_libs"; then
-e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
-e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
- -e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
+ -e 's#\$(CFLAGS)##'`
+ if test `dirname $libdir` = /usr ; then
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
+ fi
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"`
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"`
+
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
++++++ krb5-1.9-canonicalize-fallback.patch ++++++
>From RT#6917.
Index: krb5-1.9.1/src/lib/krb5/krb/get_creds.c
===================================================================
--- krb5-1.9.1.orig/src/lib/krb5/krb/get_creds.c
+++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c
@@ -470,13 +470,10 @@ begin_non_referral(krb5_context context,
/***** STATE_REFERRALS *****/
-/*
- * Possibly retry a request in the fallback realm after a referral request
- * failure in the local realm. Expects ctx->reply_code to be set to the error
- * from a referral request.
- */
+/* Possibly try a non-referral request after a referral request failure.
+ * Expects ctx->reply_code to be set to the error from a referral request. */
static krb5_error_code
-try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx)
+try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
{
krb5_error_code code;
char **hrealms;
@@ -485,9 +482,10 @@ try_fallback_realm(krb5_context context,
if (ctx->referral_count > 1)
return ctx->reply_code;
- /* Only fall back if the original request used the referral realm. */
+ /* If the request used a specified realm, make a non-referral request to
+ * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
if (!krb5_is_referral_realm(&ctx->req_server->realm))
- return ctx->reply_code;
+ return begin_non_referral(context, ctx);
if (ctx->server->length < 2) {
/* We need a type/host format principal to find a fallback realm. */
@@ -500,10 +498,10 @@ try_fallback_realm(krb5_context context,
if (code != 0)
return code;
- /* Give up if the fallback realm isn't any different. */
+ /* If the fallback realm isn't any different, use the existing TGT. */
if (data_eq_string(ctx->server->realm, hrealms[0])) {
krb5_free_host_realm(context, hrealms);
- return ctx->reply_code;
+ return begin_non_referral(context, ctx);
}
/* Rewrite server->realm to be the fallback realm. */
@@ -540,9 +538,9 @@ step_referrals(krb5_context context, krb
krb5_error_code code;
const krb5_data *referral_realm;
- /* Possibly retry with the fallback realm on error. */
+ /* Possibly try a non-referral fallback request on error. */
if (ctx->reply_code != 0)
- return try_fallback_realm(context, ctx);
+ return try_fallback(context, ctx);
if (krb5_principal_compare(context, ctx->reply_creds->server,
ctx->server)) {
++++++ krb5-1.9-gss_display_status-iakerb.patch ++++++
Index: krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c
===================================================================
--- krb5-1.9.1.orig/src/lib/gssapi/krb5/disp_status.c
+++ krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c
@@ -167,7 +167,8 @@ krb5_gss_display_status(minor_status, st
if ((mech_type != GSS_C_NULL_OID) &&
!g_OID_equal(gss_mech_krb5, mech_type) &&
- !g_OID_equal(gss_mech_krb5_old, mech_type)) {
+ !g_OID_equal(gss_mech_krb5_old, mech_type) &&
+ !g_OID_equal(gss_mech_iakerb, mech_type)) {
*minor_status = 0;
return(GSS_S_BAD_MECH);
}
++++++ krb5-1.9-kprop-mktemp.patch ++++++
Use an in-memory ccache to silence a compiler warning, for RT#6414.
Index: krb5-1.9.1/src/slave/kprop.c
===================================================================
--- krb5-1.9.1.orig/src/slave/kprop.c
+++ krb5-1.9.1/src/slave/kprop.c
@@ -188,9 +188,8 @@ void PRS(argc, argv)
void get_tickets(context)
krb5_context context;
{
- char buf[BUFSIZ], *def_realm;
+ char buf[] = "MEMORY:_kproptkt", *def_realm;
krb5_error_code retval;
- static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
/*
@@ -229,11 +228,8 @@ void get_tickets(context)
#endif
/*
- * Initialize cache file which we're going to be using
+ * Initialize an in-memory cache for temporary use
*/
- (void) mktemp(tkstring);
- snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
-
retval = krb5_cc_resolve(context, buf, &ccache);
if (retval) {
com_err(progname, retval, "while opening credential cache %s",
++++++ krb5-1.9-ksu-path.patch ++++++
Set the default PATH to the one set by login.
diff -up krb5-1.9/src/clients/ksu/Makefile.in.ksu-path krb5-1.9/src/clients/ksu/Makefile.in
--- krb5-1.9/src/clients/ksu/Makefile.in.ksu-path 2010-03-05 10:58:25.000000000 -0500
+++ krb5-1.9/src/clients/ksu/Makefile.in 2010-03-05 10:58:25.000000000 -0500
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"'
DEFS=
PROG_LIBPATH=-L$(TOPLIBD)
++++++ krb5-1.9-manpaths.dif ++++++
Change the absolute paths included in the man pages so that the correct
values can be dropped in by config.status. After applying this patch,
these files should be renamed to their ".in" counterparts, and then the
configure scripts should be rebuilt. Originally RT#6525
Index: krb5-1.9.1/src/aclocal.m4
===================================================================
--- krb5-1.9.1.orig/src/aclocal.m4
+++ krb5-1.9.1/src/aclocal.m4
@@ -1782,3 +1782,24 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[
+mansysconfdir=$sysconfdir
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"`
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"`
+mansbindir=$sbindir
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlocalstatedir=$localstatedir
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"`
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlibexecdir=$libexecdir
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"`
+AC_SUBST(mansysconfdir)
+AC_SUBST(mansbindir)
+AC_SUBST(manlocalstatedir)
+AC_SUBST(manlibexecdir)
+AC_CONFIG_FILES($1)
+])
Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M
===================================================================
--- krb5-1.9.1.orig/src/appl/sample/sserver/sserver.M
+++ krb5-1.9.1/src/appl/sample/sserver/sserver.M
@@ -59,7 +59,7 @@ option allows for a different keytab tha
using a line in
/etc/inetd.conf that looks like this:
.PP
-sample stream tcp nowait root /usr/local/sbin/sserver sserver
+sample stream tcp nowait root @mansbindir@/sserver sserver
.PP
Since \fBsample\fP is normally not a port defined in /etc/services, you will
usually have to add a line to /etc/services which looks like this:
Index: krb5-1.9.1/src/config-files/kdc.conf.M
===================================================================
--- krb5-1.9.1.orig/src/config-files/kdc.conf.M
+++ krb5-1.9.1/src/config-files/kdc.conf.M
@@ -92,14 +92,14 @@ This
.B string
specifies the location of the access control list (acl) file that
kadmin uses to determine which principals are allowed which permissions
-on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl.
+on the database. The default value is @manlocalstatedir@/krb5kdc/kadm5.acl.
.IP admin_keytab
This
.B string
Specifies the location of the keytab file that kadmin uses to
authenticate to the database. The default value is
-/usr/local/var/krb5kdc/kadm5.keytab.
+@manlocalstatedir@/krb5kdc/kadm5.keytab.
.IP database_name
This
@@ -274,7 +274,7 @@ tickets should be checked against the tr
realm names and the [capaths] section of its krb5.conf file
.SH FILES
-/usr/local/var/krb5kdc/kdc.conf
+@manlocalstatedir@/krb5kdc/kdc.conf
.SH SEE ALSO
krb5.conf(5), krb5kdc(8)
Index: krb5-1.9.1/src/config-files/krb5.conf.M
===================================================================
--- krb5-1.9.1.orig/src/config-files/krb5.conf.M
+++ krb5-1.9.1/src/config-files/krb5.conf.M
@@ -768,6 +768,6 @@ with another database such as Active Dir
in for this interface.
.SH FILES
-/etc/krb5.conf
+@mansysconfdir@/krb5.conf
.SH SEE ALSO
syslog(3)
Index: krb5-1.9.1/src/configure.in
===================================================================
--- krb5-1.9.1.orig/src/configure.in
+++ krb5-1.9.1/src/configure.in
@@ -1128,6 +1128,16 @@ fi
KRB5_WITH_PAM
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+
+V5_AC_OUTPUT_MANPAGE([
+ appl/sample/sserver/sserver.M
+ config-files/kdc.conf.M
+ config-files/krb5.conf.M
+ kadmin/cli/kadmin.M
+ slave/kpropd.M
+ slave/kprop.M
+])
+
V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/send-pr
Index: krb5-1.9.1/src/kadmin/cli/kadmin.M
===================================================================
--- krb5-1.9.1.orig/src/kadmin/cli/kadmin.M
+++ krb5-1.9.1/src/kadmin/cli/kadmin.M
@@ -880,9 +880,9 @@ option is specified, less verbose status
.RS
.TP
EXAMPLE:
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin
Entry for principal kadmin/admin with kvno 3 removed
- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab.
kadmin:
.RE
.fi
@@ -924,7 +924,7 @@ passwords.
.SH HISTORY
The
.B kadmin
-prorgam was originally written by Tom Yu at MIT, as an interface to the
+program was originally written by Tom Yu at MIT, as an interface to the
OpenVision Kerberos administration program.
.SH SEE ALSO
.IR kerberos (1),
Index: krb5-1.9.1/src/slave/kpropd.M
===================================================================
--- krb5-1.9.1.orig/src/slave/kpropd.M
+++ krb5-1.9.1/src/slave/kpropd.M
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
This is done by adding a line to the inetd.conf file which looks like
this:
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @mansbindir@/kpropd kpropd
However, kpropd can also run as a standalone daemon, if the
.B \-S
@@ -111,13 +111,13 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
stored; by default the dumped database file is KPROPD_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/from_master).
+(normally @manlocalstatedir@/krb5kdc/from_master).
.TP
.B \-p
allows the user to specify the pathname to the
.IR kdb5_util (8)
program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL
-(normally /usr/local/sbin/kdb5_util).
+(normally @mansbindir@/kdb5_util).
.TP
.B \-S
turn on standalone mode. Normally, kpropd is invoked out of
@@ -148,14 +148,14 @@ mode.
allows the user to specify the path to the
kpropd.acl
file; by default the path used is KPROPD_ACL_FILE
-(normally /usr/local/var/krb5kdc/kpropd.acl).
+(normally @manlocalstatedir@/krb5kdc/kpropd.acl).
.SH FILES
.TP "\w'kpropd.acl\ \ 'u"
kpropd.acl
Access file for
.BR kpropd ;
the default location is KPROPD_ACL_FILE (normally
-/usr/local/var/krb5kdc/kpropd.acl).
+@manlocalstatedir@/krb5kdc/kpropd.acl).
Each entry is a line containing the principal of a host from which the
local machine will allow Kerberos database propagation via kprop.
.SH SEE ALSO
Index: krb5-1.9.1/src/slave/kprop.M
===================================================================
--- krb5-1.9.1.orig/src/slave/kprop.M
+++ krb5-1.9.1/src/slave/kprop.M
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created
by kdb5_util, and is normally KPROP_DEFAULT_FILE
-(/usr/local/var/krb5kdc/slave_datatrans).
+(@manlocalstatedir@/krb5kdc/slave_datatrans).
.SH OPTIONS
.TP
\fB\-r\fP \fIrealm\fP
@@ -51,7 +51,7 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
found; by default the dumped database file is KPROP_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/slave_datatrans).
+(normally @manlocalstatedir@/krb5kdc/slave_datatrans).
.TP
\fB\-P\fP \fIport\fP
specifies the port to use to contact the
++++++ krb5-1.9-paren.patch ++++++
Upstream commit #24477.
diff -up krb5-1.9/src/slave/kpropd.c krb5-1.9/src/slave/kpropd.c
--- krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:24.020999947 -0400
+++ krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:34.159999947 -0400
@@ -993,7 +993,7 @@ unsigned int backoff_from_master(int *cn
btime = (unsigned int)(2<<(*cnt));
if (btime > MAX_BACKOFF) {
btime = MAX_BACKOFF;
- *cnt--;
+ (*cnt)--;
}
return (btime);
++++++ krb5-1.9-selinux-label.patch ++++++
++++ 919 lines (skipped)
++++++ krb5-1.9.1-ai_addrconfig.patch ++++++
>From RT#6922. When we're converting a host/service pair into a principal
name, specify AF_UNSPEC instead of AF_INET4 and then maybe AF_INET6 to try
to avoid libc having doing a PTR lookup because we also specify
AI_CANONNAME. Add AI_ADDRCONFIG because it's usually the right idea.
Index: src/lib/krb5/os/sn2princ.c
===================================================================
--- src/lib/krb5/os/sn2princ.c.orig
+++ src/lib/krb5/os/sn2princ.c
@@ -107,19 +107,12 @@ krb5_sname_to_principal(krb5_context con
hostnames associated. */
memset(&hints, 0, sizeof(hints));
- hints.ai_family = AF_INET;
- hints.ai_flags = AI_CANONNAME;
- try_getaddrinfo_again:
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {
#ifdef DEBUG_REFERRALS
printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname);
#endif
- if (hints.ai_family == AF_INET) {
- /* Just in case it's an IPv6-only name. */
- hints.ai_family = 0;
- goto try_getaddrinfo_again;
- }
return KRB5_ERR_BAD_HOSTNAME;
}
remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname);
++++++ krb5-1.9.1-ai_addrconfig2.patch ++++++
Most of RT#6923, except for the part that depends on the sendto_kdc rewrite
(it's still in locate_kdc in this version): pass AI_ADDRCONFIG whenever we
specify hints to getaddrinfo() to get the address of a server.
Index: src/plugins/locate/python/py-locate.c
===================================================================
--- src/plugins/locate/python/py-locate.c.orig
+++ src/plugins/locate/python/py-locate.c
@@ -303,6 +303,7 @@ lookup(void *blob, enum locate_service_t
return -1;
}
aihints.ai_socktype = thissocktype;
+ aihints.ai_flags = AI_ADDRCONFIG;
x = getaddrinfo (hoststr, portstr, &aihints, &airesult);
if (x != 0)
continue;
Index: src/appl/sample/sclient/sclient.c
===================================================================
--- src/appl/sample/sclient/sclient.c.orig
+++ src/appl/sample/sclient/sclient.c
@@ -124,6 +124,7 @@ main(int argc, char *argv[])
memset(&aihints, 0, sizeof(aihints));
aihints.ai_socktype = SOCK_STREAM;
+ aihints.ai_flags = AI_ADDRCONFIG;
aierr = getaddrinfo(argv[1], portstr, &aihints, &ap);
if (aierr) {
fprintf(stderr, "%s: error looking up host '%s' port '%s'/tcp: %s\n",
Index: src/kadmin/dbutil/kadm5_create.c
===================================================================
--- src/kadmin/dbutil/kadm5_create.c.orig
+++ src/kadmin/dbutil/kadm5_create.c
@@ -182,7 +182,7 @@ static int add_admin_princs(void *handle
goto clean_and_exit;
}
memset(&ai_hints, 0, sizeof(ai_hints));
- ai_hints.ai_flags = AI_CANONNAME;
+ ai_hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai);
if (gai_error) {
ret = EINVAL;
Index: src/lib/kadm5/alt_prof.c
===================================================================
--- src/lib/kadm5/alt_prof.c.orig
+++ src/lib/kadm5/alt_prof.c
@@ -901,7 +901,7 @@ kadm5_get_admin_service_name(krb5_contex
}
memset(&hint, 0, sizeof(hint));
- hint.ai_flags = AI_CANONNAME;
+ hint.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo(params_out.admin_server, NULL, &hint, &ai);
if (err != 0) {
ret = KADM5_CANT_RESOLVE;
Index: src/lib/kadm5/clnt/client_init.c
===================================================================
--- src/lib/kadm5/clnt/client_init.c.orig
+++ src/lib/kadm5/clnt/client_init.c
@@ -563,8 +563,9 @@ connect_to_server(const char *hostname,
(void) snprintf(portbuf, sizeof(portbuf), "%d", port);
memset(&hint, 0, sizeof(hint));
hint.ai_socktype = SOCK_STREAM;
+ hint.ai_flags = AI_ADDRCONFIG;
#ifdef AI_NUMERICSERV
- hint.ai_flags = AI_NUMERICSERV;
+ hint.ai_flags |= AI_NUMERICSERV;
#endif
err = getaddrinfo(hostname, portbuf, &hint, &addrs);
if (err != 0)
Index: src/lib/krb5/os/hostaddr.c
===================================================================
--- src/lib/krb5/os/hostaddr.c.orig
+++ src/lib/krb5/os/hostaddr.c
@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c
return KRB5_ERR_BAD_HOSTNAME;
memset (&hints, 0, sizeof (hints));
- hints.ai_flags = AI_NUMERICHOST;
+ hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG;
/* We don't care what kind at this point, really, but without
this, we can get back multiple sockaddrs per address, for
SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if
Index: src/lib/krb5/os/hst_realm.c
===================================================================
--- src/lib/krb5/os/hst_realm.c.orig
+++ src/lib/krb5/os/hst_realm.c
@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz
int err;
memset (&hints, 0, sizeof (hints));
- hints.ai_flags = AI_CANONNAME;
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo (name, 0, &hints, &ai);
if (err)
return krb5int_translate_gai_error (err);
Index: src/slave/kprop.c
===================================================================
--- src/slave/kprop.c.orig
+++ src/slave/kprop.c
@@ -325,6 +325,7 @@ open_connection(krb5_context context, ch
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_ADDRCONFIG;
error = getaddrinfo(host, port, &hints, &answers);
if (error != 0) {
com_err(progname, 0, "%s: %s", host, gai_strerror(error));
Index: src/lib/krb5/os/locate_kdc.c
===================================================================
--- src/lib/krb5/os/locate_kdc.c.orig
+++ src/lib/krb5/os/locate_kdc.c
@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis
memset(&hint, 0, sizeof(hint));
hint.ai_family = family;
hint.ai_socktype = socktype;
+ hint.ai_flags = AI_ADDRCONFIG;
#ifdef AI_NUMERICSERV
- hint.ai_flags = AI_NUMERICSERV;
+ hint.ai_flags |= AI_NUMERICSERV;
#endif
result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port));
if (SNPRINTF_OVERFLOW(result, sizeof(portbuf)))
++++++ krb5-1.9.1-sendto_poll.patch ++++++
++++ 624 lines (skipped)
++++++ krb5-1.9.1-sendto_poll2.patch ++++++
RT#6951
Index: krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c
===================================================================
--- krb5-1.9.1.orig/src/lib/krb5/os/sendto_kdc.c
+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c
@@ -895,12 +895,12 @@ maybe_send(krb5_context context, struct
static void
kill_conn(struct conn_state *conn, struct select_state *selstate, int err)
{
+ dprint("abandoning connection %d: %m\n", conn->fd, err);
+ cm_remove_fd(selstate, conn->fd);
+ closesocket(conn->fd);
+ conn->fd = INVALID_SOCKET;
conn->state = FAILED;
conn->err = err;
- shutdown(conn->fd, SHUTDOWN_BOTH);
- cm_remove_fd(selstate, conn->fd);
- dprint("abandoning connection %d: %m\n", conn->fd, err);
- /* Fix up max fd for next select call. */
}
/* Check socket for error. */
++++++ krb5-1.9.1-sendto_poll3.patch ++++++
If we exit the transmit loop cleanly, don't overestimate the size of the
connections array. This bug appears to have been removed upstream when
this function was rewritten in trunk, and the select()-based implementation
is still what's in 1.9, so this patch has nowhere to go.
--- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:20.560811664 -0400
+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:11.396812292 -0400
@@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co
call with the last one from the above loop, if the loop
actually calls select. */
sel_state->end_time.tv_sec += delay_this_pass;
- e = service_fds(context, sel_state, conns, host+1, &winning_conn,
+ i = host+1;
+ if (i > n_conns)
+ i = n_conns;
+ e = service_fds(context, sel_state, conns, i, &winning_conn,
sel_state+1, msg_handler, msg_handler_data);
if (e)
break;
++++++ krb5-doc-rpmlintrc ++++++
addFilter("files-duplicate .*css")
addFilter("files-duplicate .*img.*png")
++++++ krb5-klist_s.patch ++++++
Don't trip over referral entries. RT#6915
Index: krb5-1.9.1/src/clients/klist/klist.c
===================================================================
--- krb5-1.9.1.orig/src/clients/klist/klist.c
+++ krb5-1.9.1/src/clients/klist/klist.c
@@ -28,7 +28,7 @@
* List out the contents of your credential cache or keytab.
*/
-#include "autoconf.h"
+#include "k5-int.h"
#include <krb5.h>
#include <com_err.h>
#include <stdlib.h>
@@ -390,10 +390,9 @@ void do_ccache(name)
continue;
if (status_only) {
if (exit_status && creds.server->length == 2 &&
- strcmp(creds.server->realm.data, princ->realm.data) == 0 &&
- strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 &&
- strcmp((char *)creds.server->data[1].data,
- princ->realm.data) == 0 &&
+ data_eq(creds.server->realm, princ->realm) &&
+ data_eq_string(creds.server->data[0], "krbtgt") &&
+ data_eq(creds.server->data[1], princ->realm) &&
creds.times.endtime > now)
exit_status = 0;
} else {
++++++ krb5-pkinit-cms2.patch ++++++
When verifying signed-data, use the OpenSSL CMS APIs if we're building with a
version of OpenSSL which supplies them (1.0.0 or later). Revised proposal for
RT#6851.
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index bb8f036..6aedec4 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -41,6 +41,34 @@
#include "pkinit_crypto_openssl.h"
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#include <openssl/cms.h>
+#define pkinit_CMS_free1_crls(_sk_x509crl) sk_X509_CRL_free((_sk_x509crl))
+#define pkinit_CMS_free1_certs(_sk_x509) sk_X509_free((_sk_x509))
+#define pkinit_CMS_SignerInfo_get_cert(_cms,_si,_x509_pp) CMS_SignerInfo_get0_algs(_si,NULL,_x509_pp,NULL,NULL)
+#else
+#define pkinit_CMS_free1_crls(_stack_of_x509crls) /* don't free these CRLs */
+#define pkinit_CMS_free1_certs(_stack_of_x509certs) /* don't free these certs */
+#define CMS_NO_SIGNER_CERT_VERIFY PKCS7_NOVERIFY
+#define CMS_NOATTR PKCS7_NOATTR
+#define CMS_ContentInfo PKCS7
+#define CMS_SignerInfo PKCS7_SIGNER_INFO
+#define d2i_CMS_ContentInfo d2i_PKCS7
+#define CMS_get0_type(_p7) ((_p7)->type)
+#define CMS_get0_content(_p7) (&((_p7)->d.other->value.octet_string))
+#define CMS_set1_signers_certs(_p7,_stack_of_x509,_uint)
+#define CMS_get0_SignerInfos PKCS7_get_signer_info
+#define stack_st_CMS_SignerInfo stack_st_PKCS7_SIGNER_INFO
+#undef sk_CMS_SignerInfo_value
+#define sk_CMS_SignerInfo_value sk_PKCS7_SIGNER_INFO_value
+#define CMS_get0_eContentType(_p7) (_p7->d.sign->contents->type)
+#define CMS_verify PKCS7_verify
+#define CMS_get1_crls(_p7) (_p7->d.sign->crl)
+#define CMS_get1_certs(_p7) (_p7->d.sign->cert)
+#define CMS_ContentInfo_free(_p7) PKCS7_free(_p7)
+#define pkinit_CMS_SignerInfo_get_cert(_p7,_si,_x509_pp) (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
+#endif
+
static struct pkcs11_errstrings {
short code;
char *text;
@@ -1127,21 +1155,25 @@ cms_signeddata_verify(krb5_context context,
int *is_signed)
{
krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
- PKCS7 *p7 = NULL;
+ CMS_ContentInfo *cms = NULL;
BIO *out = NULL;
- int flags = PKCS7_NOVERIFY;
+ int flags = CMS_NO_SIGNER_CERT_VERIFY;
unsigned int i = 0;
unsigned int vflags = 0, size = 0;
const unsigned char *p = signed_data;
- STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL;
- PKCS7_SIGNER_INFO *si = NULL;
+ STACK_OF(CMS_SignerInfo) *si_sk = NULL;
+ CMS_SignerInfo *si = NULL;
X509 *x = NULL;
X509_STORE *store = NULL;
X509_STORE_CTX cert_ctx;
+ STACK_OF(X509) *signerCerts = NULL;
STACK_OF(X509) *intermediateCAs = NULL;
+ STACK_OF(X509_CRL) *signerRevoked = NULL;
STACK_OF(X509_CRL) *revoked = NULL;
STACK_OF(X509) *verified_chain = NULL;
ASN1_OBJECT *oid = NULL;
+ const ASN1_OBJECT *type = NULL, *etype = NULL;
+ ASN1_OCTET_STRING **octets;
krb5_external_principal_identifier **krb5_verified_chain = NULL;
krb5_data *authz = NULL;
char buf[DN_BUF_LEN];
@@ -1157,8 +1189,8 @@ cms_signeddata_verify(krb5_context context,
if (oid == NULL)
goto cleanup;
- /* decode received PKCS7 message */
- if ((p7 = d2i_PKCS7(NULL, &p, (int)signed_data_len)) == NULL) {
+ /* decode received CMS message */
+ if ((cms = d2i_CMS_ContentInfo(NULL, &p, (int)signed_data_len)) == NULL) {
unsigned long err = ERR_peek_error();
krb5_set_error_message(context, retval, "%s\n",
ERR_error_string(err, NULL));
@@ -1168,37 +1200,39 @@ cms_signeddata_verify(krb5_context context,
}
/* Handle the case in pkinit anonymous where we get unsigned data. */
- if (is_signed && !OBJ_cmp(p7->type, oid)) {
+ type = CMS_get0_type(cms);
+ if (is_signed && !OBJ_cmp(type, oid)) {
unsigned char *d;
*is_signed = 0;
- if (p7->d.other->type != V_ASN1_OCTET_STRING) {
+ octets = CMS_get0_content(cms);
+ if (!octets || ((*octets)->type != V_ASN1_OCTET_STRING)) {
retval = KRB5KDC_ERR_PREAUTH_FAILED;
krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
"Invalid pkinit packet: octet string "
"expected");
goto cleanup;
}
- *data_len = ASN1_STRING_length(p7->d.other->value.octet_string);
+ *data_len = ASN1_STRING_length(*octets);
d = malloc(*data_len);
if (d == NULL) {
retval = ENOMEM;
goto cleanup;
}
- memcpy(d, ASN1_STRING_data(p7->d.other->value.octet_string),
+ memcpy(d, ASN1_STRING_data(*octets),
*data_len);
*data = d;
goto out;
} else {
- /* Verify that the received message is PKCS7 SignedData message. */
- if (OBJ_obj2nid(p7->type) != NID_pkcs7_signed) {
- pkiDebug("Expected id-signedData PKCS7 msg (received type = %d)\n",
- OBJ_obj2nid(p7->type));
+ /* Verify that the received message is CMS SignedData message. */
+ if (OBJ_obj2nid(type) != NID_pkcs7_signed) {
+ pkiDebug("Expected id-signedData CMS msg (received type = %d)\n",
+ OBJ_obj2nid(type));
krb5_set_error_message(context, retval, "wrong oid\n");
goto cleanup;
}
}
- /* setup to verify X509 certificate used to sign PKCS7 message */
+ /* setup to verify X509 certificate used to sign CMS message */
if (!(store = X509_STORE_new()))
goto cleanup;
@@ -1210,37 +1244,41 @@ cms_signeddata_verify(krb5_context context,
X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
X509_STORE_set_flags(store, vflags);
- /* get the signer's information from the PKCS7 message */
- if ((si_sk = PKCS7_get_signer_info(p7)) == NULL)
+ /* get the signer's information from the CMS message */
+ CMS_set1_signers_certs(cms, NULL, 0);
+ if ((si_sk = CMS_get0_SignerInfos(cms)) == NULL)
goto cleanup;
- if ((si = sk_PKCS7_SIGNER_INFO_value(si_sk, 0)) == NULL)
+ if ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)
goto cleanup;
- if ((x = PKCS7_cert_from_signer_info(p7, si)) == NULL)
+ pkinit_CMS_SignerInfo_get_cert(cms, si, &x);
+ if (x == NULL)
goto cleanup;
/* create available CRL information (get local CRLs and include CRLs
- * received in the PKCS7 message
+ * received in the CMS message
*/
+ signerRevoked = CMS_get1_crls(cms);
if (idctx->revoked == NULL)
- revoked = p7->d.sign->crl;
- else if (p7->d.sign->crl == NULL)
+ revoked = signerRevoked;
+ else if (signerRevoked == NULL)
revoked = idctx->revoked;
else {
size = sk_X509_CRL_num(idctx->revoked);
revoked = sk_X509_CRL_new_null();
for (i = 0; i < size; i++)
sk_X509_CRL_push(revoked, sk_X509_CRL_value(idctx->revoked, i));
- size = sk_X509_CRL_num(p7->d.sign->crl);
+ size = sk_X509_CRL_num(signerRevoked);
for (i = 0; i < size; i++)
- sk_X509_CRL_push(revoked, sk_X509_CRL_value(p7->d.sign->crl, i));
+ sk_X509_CRL_push(revoked, sk_X509_CRL_value(signerRevoked, i));
}
/* create available intermediate CAs chains (get local intermediateCAs and
- * include the CA chain received in the PKCS7 message
+ * include the CA chain received in the CMS message
*/
+ signerCerts = CMS_get1_certs(cms);
if (idctx->intermediateCAs == NULL)
- intermediateCAs = p7->d.sign->cert;
- else if (p7->d.sign->cert == NULL)
+ intermediateCAs = signerCerts;
+ else if (signerCerts == NULL)
intermediateCAs = idctx->intermediateCAs;
else {
size = sk_X509_num(idctx->intermediateCAs);
@@ -1249,9 +1287,9 @@ cms_signeddata_verify(krb5_context context,
sk_X509_push(intermediateCAs,
sk_X509_value(idctx->intermediateCAs, i));
}
- size = sk_X509_num(p7->d.sign->cert);
+ size = sk_X509_num(signerCerts);
for (i = 0; i < size; i++) {
- sk_X509_push(intermediateCAs, sk_X509_value(p7->d.sign->cert, i));
+ sk_X509_push(intermediateCAs, sk_X509_value(signerCerts, i));
}
}
@@ -1329,10 +1367,10 @@ cms_signeddata_verify(krb5_context context,
krb5_set_error_message(context, retval, "%s\n",
X509_verify_cert_error_string(j));
#ifdef DEBUG_CERTCHAIN
- size = sk_X509_num(p7->d.sign->cert);
+ size = sk_X509_num(signerCerts);
pkiDebug("received cert chain of size %d\n", size);
for (j = 0; j < size; j++) {
- X509 *tmp_cert = sk_X509_value(p7->d.sign->cert, j);
+ X509 *tmp_cert = sk_X509_value(signerCerts, j);
X509_NAME_oneline(X509_get_subject_name(tmp_cert), buf, sizeof(buf));
pkiDebug("cert #%d: %s\n", j, buf);
}
@@ -1348,11 +1386,12 @@ cms_signeddata_verify(krb5_context context,
out = BIO_new(BIO_s_mem());
if (cms_msg_type == CMS_SIGN_DRAFT9)
- flags |= PKCS7_NOATTR;
- if (PKCS7_verify(p7, NULL, store, NULL, out, flags)) {
+ flags |= CMS_NOATTR;
+ etype = CMS_get0_eContentType(cms);
+ if (CMS_verify(cms, NULL, store, NULL, out, flags)) {
int valid_oid = 0;
- if (!OBJ_cmp(p7->d.sign->contents->type, oid))
+ if (!OBJ_cmp(etype, oid))
valid_oid = 1;
else if (cms_msg_type == CMS_SIGN_DRAFT9) {
/*
@@ -1364,18 +1403,18 @@ cms_signeddata_verify(krb5_context context,
client_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_CLIENT);
server_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_SERVER);
rsa_oid = pkinit_pkcs7type2oid(plgctx, CMS_ENVEL_SERVER);
- if (!OBJ_cmp(p7->d.sign->contents->type, client_oid) ||
- !OBJ_cmp(p7->d.sign->contents->type, server_oid) ||
- !OBJ_cmp(p7->d.sign->contents->type, rsa_oid))
+ if (!OBJ_cmp(etype, client_oid) ||
+ !OBJ_cmp(etype, server_oid) ||
+ !OBJ_cmp(etype, rsa_oid))
valid_oid = 1;
}
if (valid_oid)
- pkiDebug("PKCS7 Verification successful\n");
+ pkiDebug("CMS Verification successful\n");
else {
pkiDebug("wrong oid in eContentType\n");
- print_buffer(p7->d.sign->contents->type->data,
- (unsigned int)p7->d.sign->contents->type->length);
+ print_buffer(etype->data,
+ (unsigned int)etype->length);
retval = KRB5KDC_ERR_PREAUTH_FAILED;
krb5_set_error_message(context, retval, "wrong oid\n");
goto cleanup;
@@ -1391,13 +1430,13 @@ cms_signeddata_verify(krb5_context context,
default:
retval = KRB5KDC_ERR_INVALID_SIG;
}
- pkiDebug("PKCS7 Verification failure\n");
+ pkiDebug("CMS Verification failure\n");
krb5_set_error_message(context, retval, "%s\n",
ERR_error_string(err, NULL));
goto cleanup;
}
- /* transfer the data from PKCS7 message into return buffer */
+ /* transfer the data from CMS message into return buffer */
for (size = 0;;) {
int remain;
retval = ENOMEM;
@@ -1452,12 +1491,16 @@ cleanup:
BIO_free(out);
if (store != NULL)
X509_STORE_free(store);
- if (p7 != NULL) {
- if (idctx->intermediateCAs != NULL && p7->d.sign->cert)
+ if (cms != NULL) {
+ if (signerCerts != NULL)
+ pkinit_CMS_free1_certs(signerCerts);
+ if (idctx->intermediateCAs != NULL && signerCerts)
sk_X509_free(intermediateCAs);
- if (idctx->revoked != NULL && p7->d.sign->crl)
+ if (signerRevoked != NULL)
+ pkinit_CMS_free1_crls(signerRevoked);
+ if (idctx->revoked != NULL && signerRevoked)
sk_X509_CRL_free(revoked);
- PKCS7_free(p7);
+ CMS_ContentInfo_free(cms);
}
if (verified_chain != NULL)
sk_X509_pop_free(verified_chain, X509_free);
++++++ krb5-rpmlintrc ++++++
addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so")
addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz")
addFilter("files-duplicate .*css")
addFilter("files-duplicate .*img.*png")
addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so")
addFilter("shlib-policy-missing-suffix")
++++++ krb5-trunk-chpw-err.patch ++++++
Don't suppress the error code from an error message when the error message
contains e-data. RT#6893
Index: src/lib/krb5/krb/chpw.c
===================================================================
--- src/lib/krb5/krb/chpw.c (revision 24838)
+++ src/lib/krb5/krb/chpw.c (working copy)
@@ -111,15 +111,11 @@
if ((ret = krb5_rd_error(context, packet, &krberror)))
return(ret);
- if (krberror->e_data.data == NULL)
- ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
- else
- ret = KRB5KRB_AP_ERR_MODIFIED;
+ ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
krb5_free_error(context, krberror);
return(ret);
- } else {
- return(KRB5KRB_AP_ERR_MODIFIED);
}
+ return(KRB5KRB_AP_ERR_MODIFIED);
}
++++++ krb5-trunk-gss_delete_sec.patch ++++++
Author: ghudson
Date: Mon May 9 17:28:07 2011 +0000
ticket: 6908
subject: Delete sec context properly in gss_krb5_export_lucid_sec_context
target_version: 1.9.2
tags: pullup
Since r21690, gss_krb5_export_lucid_sec_context() has been passing a
union context to krb5_gss_delete_sec_context(), causing a crash as the
krb5 routine attempts to interpret a union context structure as a krb5
GSS context. Call the mechglue gss_delete_sec_context instead.
svn://anonsvn.mit.edu:/krb5/trunk@24917
--- a/src/lib/gssapi/krb5/krb5_gss_glue.c
+++ b/src/lib/gssapi/krb5/krb5_gss_glue.c
@@ -196,7 +196,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
/* Clean up the context state (it is an error for
* someone to attempt to use this context again)
*/
- (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
+ (void)gss_delete_sec_context(minor_status, context_handle, NULL);
*context_handle = GSS_C_NO_CONTEXT;
generic_gss_release_buffer_set(&minor, &data_set);
++++++ krb5-trunk-kadmin-oldproto.patch ++++++
------------------------------------------------------------------------
r24967 | ghudson | 2011-06-13 14:54:33 -0400 (Mon, 13 Jun 2011) | 11 lines
ticket: 6920
subject: Fix old-style GSSRPC authentication
target_version: 1.9.2
tags: pullup
r24147 (ticket #6746) made libgssrpc ignorant of the remote address of
the kadmin socket, even when it's IPv4. This made old-style GSSAPI
authentication fail because it uses the wrong channel bindings. Fix
this problem by making clnttcp_create() get the remote address from
the socket using getpeername() if the caller doesn't provide it and
it's an IPv4 address.
------------------------------------------------------------------------
Index: src/lib/rpc/clnt_tcp.c
===================================================================
--- src/lib/rpc/clnt_tcp.c (revision 24966)
+++ src/lib/rpc/clnt_tcp.c (revision 24967)
@@ -187,9 +187,16 @@
ct->ct_sock = *sockp;
ct->ct_wait.tv_usec = 0;
ct->ct_waitset = FALSE;
- if (raddr == NULL)
- memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
- else
+ if (raddr == NULL) {
+ /* Get the remote address from the socket, if it's IPv4. */
+ struct sockaddr_in sin;
+ socklen_t len = sizeof(sin);
+ int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len);
+ if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET)
+ ct->ct_addr = sin;
+ else
+ memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
+ } else
ct->ct_addr = *raddr;
/*
++++++ pre_checkin.sh ++++++
#!/bin/sh
sed -e 's/Name:.*/Name: krb5-mini/g;' \
-e 's/%define.*build_mini.*/%define build_mini 1/g' krb5.spec > krb5-mini.spec
cp krb5.changes krb5-mini.changes
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
1
0
Hello community,
here is the log from the commit of package patchinfo.1366 for openSUSE:12.2:Update checked in at 2013-02-25 09:11:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/patchinfo.1366 (Old)
and /work/SRC/openSUSE:12.2:Update/.patchinfo.1366.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "patchinfo.1366", Maintainer is ""
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
New:
----
_patchinfo
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _patchinfo ++++++
<patchinfo>
<packager>computersalat</packager>
<category>recommended</category>
<rating>moderate</rating>
<summary>WindowMaker: fixed SUSE menu in WindowMaker</summary>
<description>This update fixes the following issue for WindowMaker:
- bnc#780348:
- WMRootMenu: (SuSE, OPEN_MENU, "| xdg_menu --format WindowMaker --charset UTF-8")
- More (un)maximize tweaks ("jumping window")</description>
<issue tracker="bnc" id="780348">SUSE menu in WindowMaker does not open</issue>
</patchinfo>
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
1
0
Hello community,
here is the log from the commit of package WindowMaker for openSUSE:12.2:Update checked in at 2013-02-25 09:11:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/WindowMaker (Old)
and /work/SRC/openSUSE:12.2:Update/.WindowMaker.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "WindowMaker", Maintainer is "MHrusecky(a)suse.com"
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
New:
----
_link
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _link ++++++
<link package='WindowMaker.1366' cicount='copy' />
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
1
0
Hello community,
here is the log from the commit of package patchinfo.1371 for openSUSE:12.3:Update checked in at 2013-02-24 20:51:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/patchinfo.1371 (Old)
and /work/SRC/openSUSE:12.3:Update/.patchinfo.1371.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "patchinfo.1371", Maintainer is ""
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
New:
----
_patchinfo
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _patchinfo ++++++
<patchinfo>
<issue id="804730" tracker="bnc">VUL-1: CVE-2013-0308: git: missing SSL host verification in git-imap-send</issue>
<issue id="CVE-2013-0308" tracker="cve" />
<category>security</category>
<rating>moderate</rating>
<packager>tiwai</packager>
<description>
git was updated to version 1.8.1.4:
* "git imap-send" talking over imaps:// did make sure it received a
valid certificate from the other end, but did not check if the
certificate matched the host it thought it was talking to.
This fixes CVE-2013-0308, bnc#804730
- updated to version 1.8.1.3:
* minor fixes and documentation updates.
more details, please see here:
https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.3.txt
- updated to version 1.8.1.2:
* An element on GIT_CEILING_DIRECTORIES list that does not name the
real path to a directory (i.e. a symbolic link) could have caused
the GIT_DIR discovery logic to escape the ceiling.
* Command line completion for "tcsh" emitted an unwanted space
after completing a single directory name.
* Command line completion leaked an unnecessary error message while
looking for possible matches with paths in <tree-ish>.
* "git archive" did not record uncompressed size in the header when
streaming a zip archive, which confused some implementations of unzip.
* When users spelled "cc:" in lowercase in the fake "header" in the
trailer part, "git send-email" failed to pick up the addresses from
there. As e-mail headers field names are case insensitive, this
script should follow suit and treat "cc:" and "Cc:" the same way.
Also contains various documentation fixes.
</description>
<summary>git: update to 1.8.1.4</summary>
</patchinfo>
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
1
0
Hello community,
here is the log from the commit of package git.1371 for openSUSE:12.3:Update checked in at 2013-02-24 20:51:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/git.1371 (Old)
and /work/SRC/openSUSE:12.3:Update/.git.1371.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "git.1371", Maintainer is ""
Changes:
--------
New Changes file:
--- /dev/null 2013-02-09 11:18:20.872010756 +0100
+++ /work/SRC/openSUSE:12.3:Update/.git.1371.new/git.changes 2013-02-24 20:51:25.000000000 +0100
@@ -0,0 +1,1877 @@
+-------------------------------------------------------------------
+Wed Feb 20 17:26:15 CET 2013 - tiwai(a)suse.de
+
+- updated to version 1.8.1.4:
+ * "git imap-send" talking over imaps:// did make sure it received a
+ valid certificate from the other end, but did not check if the
+ certificate matched the host it thought it was talking to.
+
+ This fixes CVE-2013-0308, bnc#804730
+
+-------------------------------------------------------------------
+Sat Feb 16 02:19:25 UTC 2013 - douglarek(a)outlook.com
+
+- updated to version 1.8.1.3:
+
+ * minor fixes and documentation updates.
+
+ more details, please see here:
+ https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.3.txt
+
+-------------------------------------------------------------------
+Wed Jan 30 01:57:15 UTC 2013 - douglarek(a)outlook.com
+
+- updated to version 1.8.1.2:
+
+ * An element on GIT_CEILING_DIRECTORIES list that does not name the
+ real path to a directory (i.e. a symbolic link) could have caused
+ the GIT_DIR discovery logic to escape the ceiling.
+
+ * Command line completion for "tcsh" emitted an unwanted space
+ after completing a single directory name.
+
+ * Command line completion leaked an unnecessary error message while
+ looking for possible matches with paths in <tree-ish>.
+
+ * "git archive" did not record uncompressed size in the header when
+ streaming a zip archive, which confused some implementations of unzip.
+
+ * When users spelled "cc:" in lowercase in the fake "header" in the
+ trailer part, "git send-email" failed to pick up the addresses from
+ there. As e-mail headers field names are case insensitive, this
+ script should follow suit and treat "cc:" and "Cc:" the same way.
+
+ Also contains various documentation fixes.
+
+-------------------------------------------------------------------
+Thu Jan 17 02:08:43 UTC 2013 - douglarek(a)outlook.com
+
+- updated to version 1.8.1.1:
+
+ * minor fixes and documentation updates.
+
+ more details, please see here:
+ https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.1.txt
+
+-------------------------------------------------------------------
+Tue Jan 1 15:18:58 UTC 2013 - douglarek(a)outlook.com
+
+- updated to version 1.8.1:
+
+ * a bit of features.
+ * other minor fixes and documentation updates since v1.8.0.
+
+ more details, please see here:
+ https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.txt.
+
+-------------------------------------------------------------------
+Fri Dec 14 00:46:08 UTC 2012 - douglarek(a)outlook.com
+
+- updated to version 1.8.0.2:
+
+ * Various codepaths have workaround for a common misconfiguration to
+ spell "UTF-8" as "utf8", but it was not used uniformly. Most
+ notably, mailinfo (which is used by "git am") lacked this support.
+
+ * We failed to mention a file without any content change but whose
+ permission bit was modified, or (worse yet) a new file without any
+ content in the "git diff --stat" output.
+
+ * When "--stat-count" hides a diffstat for binary contents, the total
+ number of added and removed lines at the bottom was computed
+ incorrectly.
+
+ * When "--stat-count" hides a diffstat for unmerged paths, the total
+ number of affected files at the bottom of the "diff --stat" output
+ was computed incorrectly.
+
+ * "diff --shortstat" miscounted the total number of affected files
+ when there were unmerged paths.
+
+ * "git p4" used to try expanding malformed "$keyword$" that spans
+ across multiple lines.
+
+ * "git update-ref -d --deref SYM" to delete a ref through a symbolic
+ ref that points to it did not remove it correctly.
+
+ * Syntax highlighting in "gitweb" was not quite working.
+
+ Also contains other minor fixes and documentation updates.
+
+-------------------------------------------------------------------
+Tue Nov 27 02:54:50 UTC 2012 - douglarek(a)outlook.com
+
+- updated to version 1.8.0.1:
+
+ * a bit of features.
+
+ * other minor fixes and documentation updates since v1.8.0.
+
+ more details, please see here:
+ https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.0.1.txt.
+
+-------------------------------------------------------------------
+Mon Oct 22 12:21:08 UTC 2012 - douglarek(a)outlook.com
+
+- updated to version 1.8.0:
+
+ * a lot of features.
+
+ * minor documentation updates and code clean-ups.
+
+ * all the fixes since v1.7.12.
+
+ more details, please see here:
+ https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.0.txt.
+
+-------------------------------------------------------------------
+Thu Oct 18 14:50:30 UTC 2012 - douglarek(a)outlook.com
+
+- updated to version 1.7.12.4:
+
+ * "git fetch" over the dumb-http revision walker could segfault when
+ curl's multi interface was used.
+
+ * It was possible to give specific paths for "asciidoc" and other
+ tools in the documentation toolchain, but not for "xmlto".
+
+ * "gitweb" did not give the correct committer timezone in its feed
+ output due to a typo.
+
+ * The "-Xours" (and similarly -Xtheirs) backend option to "git
+ merge -s recursive" was ignored for binary files. Now it is
+ honored.
+
+ * The "binary" synthetic attribute made "diff" to treat the path as
+ binary, but not "merge".
+
+ Also contains many documentation updates.
+
+-------------------------------------------------------------------
+Thu Oct 11 00:19:07 CST 2012 - douglarek(a)outlook.com
+
+- updated to version 1.7.12.3:
+
+ * "git am" mishandled a patch attached as application/octet-stream
+ (e.g. not text/*); Content-Transfer-Encoding (e.g. base64) was not
+ honored correctly.
+
+ * It was unclear in the documentation for "git blame" that it is
+ unnecessary for users to use the "--follow" option.
+
+ * A repository created with "git clone --single" had its fetch
+ refspecs set up just like a clone without "--single", leading the
+ subsequent "git fetch" to slurp all the other branches, defeating
+ the whole point of specifying "only this branch".
+
+ * "git fetch" over http had an old workaround for an unlikely server
+ misconfiguration; it turns out that this hurts debuggability of the
+ configuration in general, and has been reverted.
+
+ * "git fetch" over http advertised that it supports "deflate", which
+ is much less common, and did not advertise the more common "gzip" on
+ its Accept-Encoding header.
+
+ * "git receive-pack" (the counterpart to "git push") did not give
+ progress output while processing objects it received to the puser
+ when run over the smart-http protocol.
+
+ * "git status" honored the ignore=dirty settings in .gitmodules but
+ "git commit" didn't.
+
+ Also contains a handful of documentation updates.
+
+-------------------------------------------------------------------
+Mon Oct 8 20:50:47 UTC 2012 - schwab(a)linux-m68k.org
+
+- Use ./.make also in %check to test exactly what was built
+- Avoid duplicate file warnings
+
+-------------------------------------------------------------------
+Thu Oct 4 22:29:10 CST 2012 - douglarek(a)outlook.com
+
+- updated to version 1.7.12.2:
+
+ * When "git am" is fed an input that has multiple "Content-type: ..."
+ header, it did not grok charset= attribute correctly.
+
++++ 1680 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.3:Update/.git.1371.new/git.changes
New:
----
apache2-gitweb.conf
completion-wordbreaks.diff
git-1.8.1.4.tar.gz
git-bash-completion-egrep-color-fix.diff
git-daemon.init
git-prevent_xss-default.diff
git-python-install-fix.diff
git.changes
git.spec
git.xinetd
susefirewall-git-daemon
sysconfig.git-daemon
usr.share.git-web.gitweb.cgi
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ git.spec ++++++
#
# spec file for package git
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%define gitexecdir %_libexecdir/git
%define _fwdefdir /etc/sysconfig/SuSEfirewall2.d/services
Name: git
BuildRequires: asciidoc
BuildRequires: curl
BuildRequires: fdupes
BuildRequires: libcurl-devel
BuildRequires: libexpat-devel
BuildRequires: libopenssl-devel
BuildRequires: perl-Error
BuildRequires: python
BuildRequires: sgml-skel
BuildRequires: xmlto
Version: 1.8.1.4
Release: 0
Summary: Fast, scalable, distributed revision control system
License: GPL-2.0
Group: Development/Tools/Version Control
Url: http://git-scm.com
Source0: http://git-core.googlecode.com/files/%name-%{version}.tar.gz
Source1: apache2-gitweb.conf
Source2: sysconfig.git-daemon
Source3: git-daemon.init
Source4: git.xinetd
Source5: usr.share.git-web.gitweb.cgi
Source6: susefirewall-git-daemon
Patch2: git-python-install-fix.diff
Patch3: completion-wordbreaks.diff
# CVE-2011-2186, bnc#698456
Patch4: git-prevent_xss-default.diff
# fix broken bash copmletion with colored egrep (bnc#779536)
Patch5: git-bash-completion-egrep-color-fix.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Requires: git-core = %{version}
Recommends: git-svn git-cvs git-email gitk git-gui git-web
Suggests: git-daemon
%description
Git is a fast, scalable, distributed revision control system with an
unusually rich command set that provides both high-level operations and
full access to internals.
This package itself only provides the README of git but with the
packages it requires, it brings you a complete Git environment
including GTK and email interfaces and tools for importing source code
repositories from other revision control systems such as subversion,
CVS, and GNU arch.
%package core
Summary: Core git tools
Group: Development/Tools/Version Control
Requires: less
Requires: openssh
Requires: perl-Error
Requires: perl-base = %{perl_version}
Requires: rsync
%description core
Git is a fast, scalable, distributed revision control system with an
unusually rich command set that provides both high-level operations and
full access to internals.
These are the core tools with minimal dependencies.
%package svn
Summary: Git tools for importing Subversion repositories
Group: Development/Tools/Version Control
Requires: git-core = %{version}
Requires: subversion
Requires: subversion-perl
%description svn
Tools for importing Subversion repositories to the Git version control
system.
%package cvs
Summary: Git tools for importing CVS repositories
Group: Development/Tools/Version Control
Requires: cvs
Requires: cvsps
Requires: git-core = %{version}
Requires: perl-DBD-SQLite
%description cvs
Tools for importing CVS repositories to the Git version control system.
%package arch
Summary: Git tools for importing Arch repositories
Group: Development/Tools/Version Control
Requires: git-core = %{version}
# Requires: tla
%description arch
Tools for importing GNU Arch repositories to the GIT version control
system.
%package email
Summary: Git tools for sending email
Group: Development/Tools/Version Control
Requires: git-core = %{version}
# For sending mails over secure SMTP:
Recommends: perl-Net-SMTP-SSL, perl-Authen-SASL
%description email
Email interface for the GIT version control system.
%package daemon
Summary: Simple Server for Git Repositories
Group: Development/Tools/Version Control
Requires: git-core = %{version}
PreReq: /usr/sbin/useradd %fillup_prereq %insserv_prereq
%description daemon
A really simple TCP git daemon. In the default configuration it allows
read only access to repositories in /srv/git/ that contain the
'git-daemon-export-ok' file.
%package -n gitk
Summary: Git revision tree visualiser
Group: Development/Tools/Version Control
Requires: git-core = %{version}
Requires: tk >= 8.4
Supplements: packageand(git-core:tk)
%description -n gitk
Grapical tool for visualization of revision trees of projects
maintained in the Git version control system. It name gitk indicates
that it's written using the Tk Widget set.
A simple Tk based graphical interface for common Git operations is
found in the package git-gui.
%package gui
Summary: Grapical tool for common git operations
Group: Development/Tools/Version Control
Requires: git-core = %{version}
Requires: tk >= 8.4
Supplements: packageand(git-core:tk)
%description gui
A Tcl/Tk based graphical user interface to Git. git-gui focuses on
allowing users to make changes to their repository by making new
commits, amending existing ones, creating branches, performing local
merges, and fetching/pushing to remote repositories.
Unlike gitk, git-gui focuses on commit generation and single file
annotation, and does not show project history. It does however supply
menu actions to start a gitk session from within git-gui.
%package web
Summary: Git Web Interface
Group: Development/Tools/Version Control
Requires: git-core = %{version}
Supplements: packageand(git-core:apache2)
%description web
CGI script that allows browsing git repositories via web interface.
The apache2 configuration contained in this package installs a virtual
directory /git/ that calls the cgi script.
%package remote-helpers
Summary: Python package for remote helper scripts
Group: Development/Tools/Version Control
Requires: git-core = %{version}
Requires: python
%description remote-helpers
This package contains the building blocks for remote helpers written in Python.
%prep
%setup -q
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
cat > .make <<'EOF'
#!/bin/bash
make %{_smp_mflags} CFLAGS="$RPM_OPT_FLAGS" \
GITWEB_CONFIG="/etc/gitweb.conf" \
GITWEB_PROJECTROOT="/srv/git" \
WITH_OWN_SUBPROCESS_PY=YesPlease \
DESTDIR=$RPM_BUILD_ROOT \
NO_CROSS_DIRECTORY_HARDLINKS=1 \
NO_INSTALL_HARDLINKS=1 \
V=1 \
prefix=%{_prefix} mandir=%{_mandir} \
gitexecdir=%{gitexecdir} \
htmldir=%{_docdir}/git-core \
"$@"
EOF
#
chmod 755 .make
./.make all %{?_smp_mflags}
%{!?_without_docs: ./.make doc}
%install
./.make install %{!?_without_docs: install-doc}
### git-web
cp gitweb/INSTALL INSTALL.gitweb
cp gitweb/README README.gitweb
install -d %{buildroot}/usr/share/git-web
install -d %{buildroot}/etc/apache2/conf.d
install -m 644 %{SOURCE1} $RPM_BUILD_ROOT/etc/apache2/conf.d/gitweb.conf
### git-daemon
install -d -m 755 $RPM_BUILD_ROOT/etc/init.d
install -m 755 %{SOURCE3} $RPM_BUILD_ROOT/etc/init.d/git-daemon
install -d -m 755 $RPM_BUILD_ROOT%{_sbindir}
ln -s ../../etc/init.d/git-daemon $RPM_BUILD_ROOT%{_sbindir}/rcgit-daemon
install -d -m 755 $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.git-daemon
install -d -m 755 $RPM_BUILD_ROOT/srv/git
install -d -m 755 $RPM_BUILD_ROOT/etc/xinetd.d
install -m 644 %{S:4} $RPM_BUILD_ROOT/etc/xinetd.d/git
mkdir -p $RPM_BUILD_ROOT/%{_fwdefdir}
install -m 644 %{S:6} $RPM_BUILD_ROOT/%{_fwdefdir}/git-daemon
###
(find $RPM_BUILD_ROOT%{_bindir} -type f -o -type l | grep -vE "archimport|svn|cvs|email|gitk|daemon|gui" | sed -e s@^$RPM_BUILD_ROOT@@) > bin-man-doc-files
(find $RPM_BUILD_ROOT%{gitexecdir} ! -type d | grep -vE "archimport|svn|cvs|email|gitk|daemon|gui" | sed -e s@^$RPM_BUILD_ROOT@@) >> bin-man-doc-files
(find $RPM_BUILD_ROOT%{_mandir} $RPM_BUILD_ROOT/Documentation -type f | grep -vE "archimport|svn|git-cvs|email|gitk|daemon|gui" | sed -e s@^$RPM_BUILD_ROOT@@ -e 's/$/*/' ) >> bin-man-doc-files
( pushd perl
perl Makefile.PL
make -f perl.mak DESTDIR=%{buildroot} install_vendor
)
rm -rf %{buildroot}/usr/lib/perl5/site_perl
%perl_process_packlist
find $RPM_BUILD_ROOT/%_mandir -type f -print0 | xargs -0 chmod 644
install -m 644 -D contrib/completion/git-completion.bash $RPM_BUILD_ROOT/etc/bash_completion.d/git.sh
install -m 644 -D contrib/completion/git-prompt.sh $RPM_BUILD_ROOT/etc/bash_completion.d/git-prompt.sh
#
# apparmor profile for git-web
#
install -d -m 755 $RPM_BUILD_ROOT/etc/apparmor.d
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc/apparmor.d
#
# create predictable symlinks to make apparmor profile work
for i in git git-upload-archive git-receive-pack; do
rm $RPM_BUILD_ROOT%{_bindir}/$i
ln -s %{gitexecdir}/git-add $RPM_BUILD_ROOT%{_bindir}/$i
done
if ! test -f $RPM_BUILD_ROOT%{gitexecdir}/git-add; then
echo "git-add is not a regular file, apparmor profile won't work!" >&2
exit 1
fi
%find_lang %{name}
cat %{name}.lang >>bin-man-doc-files
# use symlinks instead of hardlinks in sub-commands
%fdupes -s $RPM_BUILD_ROOT
%check
./.make %{?_smp_mflags} test
%pre daemon
if ! /usr/bin/getent passwd git-daemon >/dev/null; then
/usr/sbin/useradd -r -d /var/lib/empty -s /bin/false -c "git daemon" -g nogroup git-daemon || :
fi
%post daemon
%{fillup_and_insserv -n git-daemon}
%postun daemon
%{insserv_cleanup}
%preun daemon
%stop_on_removal
%files
%defattr(-,root,root)
%doc README
%files svn
%defattr(-,root,root)
%{gitexecdir}/*svn*
%doc Documentation/*svn*.txt
%{!?_without_docs: %{_mandir}/man1/*svn*.1*}
%{!?_without_docs: %doc Documentation/*svn*.html }
%files cvs
%defattr(-,root,root)
%doc Documentation/*git-cvs*.txt
%{_bindir}/git-cvs*
%{gitexecdir}/*cvs*
%{!?_without_docs: %{_mandir}/man1/*cvs*.1*}
%{!?_without_docs: %doc Documentation/*git-cvs*.html }
%files arch
%defattr(-,root,root)
%doc Documentation/git-archimport.txt
%{gitexecdir}/git-archimport
%{!?_without_docs: %{_mandir}/man1/git-archimport.1*}
%{!?_without_docs: %doc Documentation/git-archimport.html }
%files email
%defattr(-,root,root)
%doc Documentation/*email*.txt
%{gitexecdir}/*email*
%{!?_without_docs: %{_mandir}/man1/*email*.1*}
%{!?_without_docs: %doc Documentation/*email*.html }
%files daemon
%defattr(-,root,root)
%doc Documentation/*daemon*.txt
%{gitexecdir}/*daemon*
/etc/init.d/git-daemon
%{_sbindir}/rcgit-daemon
%dir /srv/git
/var/adm/fillup-templates/sysconfig.git-daemon
%{!?_without_docs: %{_mandir}/man1/*daemon*.1*}
%{!?_without_docs: %doc Documentation/*daemon*.html }
%config(noreplace) /etc/xinetd.d/git
%config %{_fwdefdir}/*
%files -n gitk
%defattr(-,root,root)
%doc Documentation/*gitk*.txt
%{_bindir}/gitk
/usr/share/gitk
%{!?_without_docs: %{_mandir}/man1/*gitk*.1*}
%{!?_without_docs: %doc Documentation/*gitk*.html }
%files gui
%defattr(-,root,root)
%doc Documentation/*gui*.txt
%{gitexecdir}/git-gui*
/usr/share/git-gui
%{!?_without_docs: %{_mandir}/man1/*gui*.1*}
%{!?_without_docs: %doc Documentation/*gui*.html }
%files web
%defattr(-,root,root)
%doc README.gitweb INSTALL.gitweb
%dir /etc/apache2
%dir /etc/apache2/conf.d
%config(noreplace) /etc/apache2/conf.d/gitweb.conf
/usr/share/gitweb
/etc/apparmor.d
%files remote-helpers
%defattr(-,root,root)
%if %suse_version >= 1120
%python_sitelib/*
%else
%py_sitedir/*
%endif
%files core -f bin-man-doc-files
%defattr(-,root,root)
%{_datadir}/git-core/
%dir %{gitexecdir}
%dir %{gitexecdir}/mergetools
%doc README COPYING Documentation/*.txt
%{!?_without_docs: %doc Documentation/*.html }
%if 0%{?suse_version} < 1140
/var/adm/perl-modules/%{name}
%endif
%{perl_vendorlib}/Git.pm
%{perl_vendorlib}/Git/
%{perl_vendorarch}/auto/Git/
/etc/bash_completion.d/*.sh
%changelog
++++++ apache2-gitweb.conf ++++++
Alias /git "/usr/share/gitweb/"
<Directory "/usr/share/gitweb">
Options ExecCGI
AllowOverride None
AddHandler cgi-script .cgi
DirectoryIndex gitweb.cgi
Order allow,deny
Allow from all
</Directory>
++++++ completion-wordbreaks.diff ++++++
---
contrib/completion/git-completion.bash | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/contrib/completion/git-completion.bash
+++ b/contrib/completion/git-completion.bash
@@ -23,10 +23,12 @@
# 3) Consider changing your PS1 to also show the current branch,
# see git-prompt.sh for details.
-case "$COMP_WORDBREAKS" in
-*:*) : great ;;
-*) COMP_WORDBREAKS="$COMP_WORDBREAKS:"
-esac
+# SUSE-specific: We trust the system is consistent and do not let individual
+# scripts play ping-pong with the global $COMP_WORDBREAKS value.
+#case "$COMP_WORDBREAKS" in
+#*:*) : great ;;
+#*) COMP_WORDBREAKS="$COMP_WORDBREAKS:"
+#esac
# __gitdir accepts 0 or 1 arguments (i.e., location)
# returns location of .git repo
++++++ git-bash-completion-egrep-color-fix.diff ++++++
---
contrib/completion/git-completion.bash | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/contrib/completion/git-completion.bash
+++ b/contrib/completion/git-completion.bash
@@ -538,7 +538,7 @@ __git_commands () {
then
printf "%s" "${GIT_TESTING_COMMAND_COMPLETION}"
else
- git help -a|egrep '^ [a-zA-Z0-9]'
+ git help -a|egrep --color=never '^ [a-zA-Z0-9]'
fi
}
++++++ git-daemon.init ++++++
#!/bin/sh
#
# SUSE system startup script for git-daemon
# Copyright (C) 1995-2008 SUSE / Novell Inc.
#
# This library is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or (at
# your option) any later version.
#
# This library is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307,
# USA.
#
# /etc/init.d/git-daemon
# and its symbolic link
# /usr/sbin/rcgit-daemon
#
### BEGIN INIT INFO
# Provides: git-daemon
# Required-Start: $syslog $remote_fs $network
# Required-Stop: $syslog $remote_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: server for git repositories
# Description: server for git repositories
### END INIT INFO
if test -x /usr/lib64/git/git-daemon; then
git_daemon=/usr/lib64/git/git-daemon
elif test -x /usr/lib/git/git-daemon; then
git_daemon=/usr/lib/git/git-daemon
else
echo "git-daemon not installed"
if [ "$1" = "stop" ]; then
exit 0
else
exit 5
fi
fi
pidfile=/var/run/git-daemon.pid
# Check for existence of needed config file and read it
git_daemon_config=/etc/sysconfig/git-daemon
test -r $git_daemon_config || { echo "$git_daemon_config not existing";
if [ "$1" = "stop" ]; then exit 0;
else exit 6; fi; }
# Read config
. $git_daemon_config
: ${GIT_DAEMON_BASE_PATH:=/srv/git}
: ${GIT_DAEMON_USER:=git-daemon}
: ${GIT_DAEMON_GROUP:=nogroup}
. /etc/rc.status
# Reset status of this service
rc_reset
case "$1" in
start)
echo -n "Starting git-daemon "
/sbin/startproc -p $pidfile $git_daemon \
--syslog \
--detach \
--reuseaddr \
--user=${GIT_DAEMON_USER} \
--group=${GIT_DAEMON_GROUP} \
--pid-file=$pidfile \
--base-path="$GIT_DAEMON_BASE_PATH" \
$GIT_DAEMON_ARGS
rc_status -v
;;
stop)
echo -n "Shutting down git-daemon "
/sbin/killproc -p $pidfile $git_daemon -TERM
rc_status -v
;;
try-restart|condrestart)
if test "$1" = "condrestart"; then
echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
fi
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
$0 start
# Remember status and be quiet
rc_status
;;
force-reload)
$0 try-restart
rc_status
;;
reload)
echo -n "Reload service git-daemon "
## does not support reload
rc_failed 3
rc_status -v
;;
status)
echo -n "Checking for service git-daemon "
/sbin/checkproc -p $pidfile $git_daemon
rc_status -v
;;
probe)
test $git_daemon_config -nt $pidfile && echo reload
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit
++++++ git-prevent_xss-default.diff ++++++
From: Jakub Narebski <jnareb@...il.com>
Subject: [PATCH] gitweb: Enable $prevent_xss by default
This fixes issue CVE-2011-2186 originally reported in
https://launchpad.net/bugs/777804
Reported-by: dave b <db.pub.mail@...il.com>
Signed-off-by: Jakub Narebski <jnareb@...il.com>
---
git-instaweb.sh | 4 ++++
gitweb/README | 5 +++--
gitweb/gitweb.perl | 2 +-
3 files changed, 8 insertions(+), 3 deletions(-)
--- a/git-instaweb.sh
+++ b/git-instaweb.sh
@@ -583,6 +583,10 @@
our \$git_temp = "$fqgitdir/gitweb/tmp";
our \$projects_list = \$projectroot;
+# we can trust our own repository, so disable XSS prevention
+# to enable some extra features
+our \$prevent_xss = 0;
+
\$feature{'remote_heads'}{'default'} = [1];
EOF
}
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -170,7 +170,7 @@
# Disables features that would allow repository owners to inject script into
# the gitweb domain.
-our $prevent_xss = 0;
+our $prevent_xss = 1;
# Path to the highlight executable to use (must be the one from
# http://www.andre-simon.de due to assumptions about parameters and output).
++++++ git-python-install-fix.diff ++++++
---
Makefile | 2 +-
git_remote_helpers/Makefile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/git_remote_helpers/Makefile
+++ b/git_remote_helpers/Makefile
@@ -29,7 +29,7 @@
$(QUIET)$(PYTHON_PATH) $(pysetupfile) $(QUIETSETUP) build
install: $(pysetupfile)
- $(PYTHON_PATH) $(pysetupfile) install --prefix $(DESTDIR_SQ)$(prefix)
+ $(PYTHON_PATH) $(pysetupfile) install --prefix $(prefix) --root $(DESTDIR_SQ)
instlibdir: $(pysetupfile)
@echo "$(DESTDIR_SQ)$(prefix)/$(PYLIBDIR)"
--- a/Makefile
+++ b/Makefile
@@ -1800,7 +1800,7 @@
$(patsubst %.py,%,$(SCRIPT_PYTHON)): % : %.py
$(QUIET_GEN)$(RM) $@ $@+ && \
INSTLIBDIR=`MAKEFLAGS= $(MAKE) -C git_remote_helpers -s \
- --no-print-directory prefix='$(prefix_SQ)' DESTDIR='$(DESTDIR_SQ)' \
+ --no-print-directory prefix='$(prefix_SQ)' DESTDIR=\
instlibdir` && \
sed -e '1s|#!.*python|#!$(PYTHON_PATH_SQ)|' \
-e 's|\(os\.getenv("GITPYTHONLIB"\)[^)]*)|\1,"@@INSTLIBDIR@@")|' \
++++++ git.xinetd ++++++
# default: off
# description: The git server offers access to git repositories
service git
{
disable = yes
socket_type = stream
protocol = tcp
wait = no
user = git-daemon
group = nogroup
server = /usr/bin/git
server_args = daemon --syslog --inetd --base-path=/srv/git
type = UNLISTED
port = 9418
log_on_failure += USERID
}
++++++ susefirewall-git-daemon ++++++
## Name: git-daemon
## Description: Open ports for git-daemon
TCP="git"
++++++ sysconfig.git-daemon ++++++
## Path: Network/git-daemon
## Description: git daemon configuration
## ServiceRestart: git-daemon
## Type: string
## Default:
#
# base path for exported directories
#
# defaults to "/srv/git" if not set
#
GIT_DAEMON_BASE_PATH=""
## Type: string
## Default:
#
# additional arguments for git-daemon. See manual page
GIT_DAEMON_ARGS=""
## Type: string
## Default:
#
# defaults to "git-daemon" if not set
#
# User to run git-daemon as.
GIT_DAEMON_USER=""
## Type: string
## Default:
#
# defaults to "nogroup" if not set
#
# Group to run git-daemon as.
GIT_DAEMON_GROUP=""
++++++ usr.share.git-web.gitweb.cgi ++++++
# Last Modified: Fri Dec 19 11:03:49 2008
#include <tunables/global>
/usr/share/gitweb/gitweb.cgi {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
#include <abstractions/perl>
/bin/bash rix,
/dev/tty rw,
/etc/gitweb.conf r,
/etc/mime.types r,
/proc/meminfo r,
/proc/sys/kernel/ngroups_max r,
/srv/git/ r,
/srv/git/** r,
/usr/bin/perl ix,
/usr/lib/git/git rix,
/usr/bin/git-receive-pack rix,
/usr/share/gitweb/* r,
/usr/share/gitweb/static/* r,
}
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
1
0
Hello community,
here is the log from the commit of package patchinfo.1369 for openSUSE:12.3:Update checked in at 2013-02-24 20:51:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/patchinfo.1369 (Old)
and /work/SRC/openSUSE:12.3:Update/.patchinfo.1369.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "patchinfo.1369", Maintainer is ""
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
New:
----
_patchinfo
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _patchinfo ++++++
<patchinfo incident="1369">
<packager>jeff_mahoney</packager>
<issue tracker="bnc" id="802347">sunrpc panics in xprt_alloc_slot</issue>
<issue tracker="bnc" id="804367">openSUSE 12.2 stable kernel 3.7.8 big USB 2.0 slowdown</issue>
<issue tracker="bnc" id="804482">disable pstore by default</issue>
<category>recommended</category>
<rating>moderate</rating>
<summary>kernel: update to 3.7.9</summary>
<description>
The Linux kernel was updated to 3.7.9.
- Update Xen patches to 3.7.9 and c/s 1224.
- Disable efi pstore by default (bnc#804482).
- Revert "USB: EHCI: remove ASS/PSS polling timeout" (bnc#804367).
- drm/nouveau/vm: fix memory corruption when pgt allocation fails
(bnc#802347).
- Linux 3.7.9.
- Linux 3.7.8.
- Update Xen patches to 3.7.9 and c/s 1224.
- Disable efi pstore by default (bnc#804482).
- Revert "USB: EHCI: remove ASS/PSS polling timeout" (bnc#804367).
- drm/nouveau/vm: fix memory corruption when pgt allocation fails
(bnc#802347).
</description>
<reboot_needed/>
</patchinfo>
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
1
0