Hello community,
here is the log from the commit of package krb5.558 for openSUSE:12.1:Update checked in at 2012-07-04 08:44:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update/krb5.558 (Old)
and /work/SRC/openSUSE:12.1:Update/.krb5.558.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "krb5.558", Maintainer is ""
Changes:
--------
New Changes file:
--- /dev/null 2012-06-28 07:48:42.835576985 +0200
+++ /work/SRC/openSUSE:12.1:Update/.krb5.558.new/krb5-doc.changes 2012-07-04 08:44:54.000000000 +0200
@@ -0,0 +1,186 @@
+-------------------------------------------------------------------
+Mon Aug 22 10:21:56 CEST 2011 - mc@suse.de
+
+- update to version 1.9.1
+
+-------------------------------------------------------------------
+Fri Apr 9 12:45:30 CEST 2010 - mc@suse.de
+
+- update to version 1.8.1
+
+-------------------------------------------------------------------
+Tue Mar 23 12:38:29 CET 2010 - mc@suse.de
+
+- add post 1.8 fixes
+ * Document the ticket_lifetime libdefaults setting
+
+-------------------------------------------------------------------
+Thu Mar 4 11:45:22 CET 2010 - mc@suse.de
+
+- update to version 1.8
+
+-------------------------------------------------------------------
+Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de
+
+- update to final version 1.7
+
+-------------------------------------------------------------------
+Wed May 13 11:34:07 CEST 2009 - mc@suse.de
+
+- update to version 1.7 Beta2
+
+-------------------------------------------------------------------
+Mon Feb 16 13:08:05 CET 2009 - mc@suse.de
+
+- update to pre 1.7 version
+ * remove outdated documentation for kadm5 API
+
+-------------------------------------------------------------------
+Fri Jul 25 12:17:10 CEST 2008 - mc@suse.de
+
+- add patches from SVN post 1.6.3
+ * some fixes in the man pages
+
+-------------------------------------------------------------------
+Wed Jun 18 15:34:16 CEST 2008 - mc@suse.de
+
+- reduce rpmlint warnings
+
+-------------------------------------------------------------------
+Tue Oct 23 10:29:23 CEST 2007 - mc@suse.de
+
+- update to krb5 version 1.6.3
+ * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
+ * fix CVE-2007-4000 modify_policy vulnerability
+ * Add PKINIT support
+- remove patches which are upstream now
+- enhance init scripts and xinetd profiles
+
+-------------------------------------------------------------------
+Thu Jul 12 17:02:30 CEST 2007 - mc@suse.de
+
+- update to version 1.6.2
+- remove krb5-1.6.1-post.dif all fixes are included in this release
+
+-------------------------------------------------------------------
+Wed Jun 13 15:29:42 CEST 2007 - sschober@suse.de
+
+- removed executable permission from doc file
+
+-------------------------------------------------------------------
+Mon Apr 23 11:15:59 CEST 2007 - mc@suse.de
+
+- update to final 1.6.1 version
+- replace te_ams with texlive in BuildRequires
+
+-------------------------------------------------------------------
+Wed Apr 18 14:47:49 CEST 2007 - mc@suse.de
+
+- build implementor.ps
+
+-------------------------------------------------------------------
+Mon Apr 16 14:39:40 CEST 2007 - mc@suse.de
+
+- update to version 1.6.1 Beta1
+- remove obsolete patches
+ (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
+
+-------------------------------------------------------------------
+Mon Feb 19 14:00:49 CET 2007 - mc@suse.de
+
+- add krb5-1.6-post.dif
+
+-------------------------------------------------------------------
+Mon Jan 22 12:21:20 CET 2007 - mc@suse.de
+
+- update to version 1.6
+ * Major changes in 1.6 include
+ * Partial client implementation to handle server name referrals.
+ * Pre-authentication plug-in framework, donated by Red Hat.
+ * LDAP KDB plug-in, donated by Novell.
+
+-------------------------------------------------------------------
+Thu Aug 24 12:53:25 CEST 2006 - mc@suse.de
+
+- update to version 1.5.1
+- remove obsolete patches which are now included upstream
+ * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
+ * trunk-fix-uninitialized-vars.dif
+
+-------------------------------------------------------------------
+Mon Jul 3 15:01:57 CEST 2006 - mc@suse.de
+
+- update to version 1.5
+ * KDB abstraction layer, donated by Novell.
+ * plug-in architecture, allowing for extension modules to be
+ loaded at run-time.
+ * multi-mechanism GSS-API implementation ("mechglue"),
+ donated by Sun Microsystems
+ * Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
+ implementation, donated by Sun Microsystems
+- remove obsolete patches and add some new
+
+-------------------------------------------------------------------
+Mon Mar 13 18:01:06 CET 2006 - mc@suse.de
+
+- set BuildArchitectures to noarch
+- set norootforbuild
+
+-------------------------------------------------------------------
+Wed Jan 25 21:30:24 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Fri Nov 18 12:15:07 CET 2005 - mc@suse.de
+
+- update to version 1.4.3
+- fix tex for kadm5 documentation (krb5-1.4.3-kadm5-tex.dif)
+
+-------------------------------------------------------------------
+Wed Oct 12 16:19:08 CEST 2005 - mc@suse.de
+
+- build kadm5 documentation
+- build documentation also as html
+- include the text only documentation
+
+-------------------------------------------------------------------
+Tue Oct 11 17:40:26 CEST 2005 - mc@suse.de
+
+- update to version 1.4.2
+- remove some obsolet patches
+
+-------------------------------------------------------------------
+Mon Jun 27 13:36:04 CEST 2005 - mc@suse.de
+
+- update to version 1.4.1
+- remove obsolet patches
+ - krb5-1.4-VUL-0-telnet.dif
+
+-------------------------------------------------------------------
+Thu Feb 10 02:38:39 CET 2005 - ro@suse.de
+
+- added libpng to neededforbuild (for tetex)
+
+-------------------------------------------------------------------
+Fri Feb 4 16:50:34 CET 2005 - mc@suse.de
+
+- remove spx.c from tarball because of legal risk
+- add README.Source which tell the user about this
+ action.
+
+-------------------------------------------------------------------
+Fri Jan 28 13:28:18 CET 2005 - mc@suse.de
+
+- update to version 1.4
+
+-------------------------------------------------------------------
+Mon Jan 10 12:20:11 CET 2005 - mc@suse.de
+
+- update to version 1.3.6
+
+-------------------------------------------------------------------
+Tue Dec 14 15:21:02 CET 2004 - mc@suse.de
+
+- initial release
+
New Changes file:
--- /dev/null 2012-06-28 07:48:42.835576985 +0200
+++ /work/SRC/openSUSE:12.1:Update/.krb5.558.new/krb5-mini.changes 2012-07-04 08:44:54.000000000 +0200
@@ -0,0 +1,911 @@
+-------------------------------------------------------------------
+Mon Jun 18 12:03:59 CEST 2012 - mc@suse.de
+
+- fix kadmind denial of service via null pointer dereference
+ CVE-2012-1013 (bnc#765485)
+
+-------------------------------------------------------------------
+Mon Nov 21 11:23:02 CET 2011 - mc@suse.de
+
+- fix KDC null pointer dereference in TGS handling
+ (MITKRB5-SA-2011-007, bnc#730393)
+ CVE-2011-1530
+
+-------------------------------------------------------------------
+Mon Nov 21 11:06:33 CET 2011 - mc@suse.de
+
+- fix KDC HA feature introduced with implementing KDC poll
+ (RT#6951, bnc#731648)
+
+-------------------------------------------------------------------
+Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de
+
+- fix minor error messages for the IAKERB GSSAPI mechanism
+ (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)
+
+-------------------------------------------------------------------
+Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de
+
+- fix kdc remote denial of service
+ (MITKRB5-SA-2011-006, bnc#719393)
+ CVE-2011-1527, CVE-2011-1528, CVE-2011-1529
+
+-------------------------------------------------------------------
+Tue Aug 23 13:52:03 CEST 2011 - mc@suse.de
+
+- use --without-pam to build krb5-mini
+
+-------------------------------------------------------------------
+Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com
+
+- add patches from Fedora and upstream
+- fix init scripts (bnc#689006)
+
+-------------------------------------------------------------------
+Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com
+
+- update to version 1.9.1
+ * obsolete patches:
+ MITKRB5-SA-2010-007-1.8.dif
+ krb5-1.8-MITKRB5-SA-2010-006.dif
+ krb5-1.8-MITKRB5-SA-2011-001.dif
+ krb5-1.8-MITKRB5-SA-2011-002.dif
+ krb5-1.8-MITKRB5-SA-2011-003.dif
+ krb5-1.8-MITKRB5-SA-2011-004.dif
+ krb5-1.4.3-enospc.dif
+ * replace krb5-1.6.1-compile_pie.dif
+-------------------------------------------------------------------
+Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de
+
+- fix kadmind invalid pointer free()
+ (MITKRB5-SA-2011-004, bnc#687469)
+ CVE-2011-0285
+
+-------------------------------------------------------------------
+Tue Mar 1 12:43:22 CET 2011 - mc@suse.de
+
+- Fix vulnerability to a double-free condition in KDC daemon
+ (MITKRB5-SA-2011-003, bnc#671717)
+ CVE-2011-0284
+
+-------------------------------------------------------------------
+Wed Jan 19 14:42:27 CET 2011 - mc@suse.de
+
+- Fix kpropd denial of service
+ (MITKRB5-SA-2011-001, bnc#662665)
+ CVE-2010-4022
+- Fix KDC denial of service attacks with LDAP back end
+ (MITKRB5-SA-2011-002, bnc#663619)
+ CVE-2011-0281, CVE-2011-0282
+
+-------------------------------------------------------------------
+Wed Dec 1 11:44:15 CET 2010 - mc@suse.de
+
+- Fix multiple checksum handling vulnerabilities
+ (MITKRB5-SA-2010-007, bnc#650650)
+ CVE-2010-1324
+ * krb5 GSS-API applications may accept unkeyed checksums
+ * krb5 application services may accept unkeyed PAC checksums
+ * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums
+ CVE-2010-1323
+ * krb5 clients may accept unkeyed SAM-2 challenge checksums
+ * krb5 may accept KRB-SAFE checksums with low-entropy derived keys
+ CVE-2010-4020
+ * krb5 may accept authdata checksums with low-entropy derived keys
+ CVE-2010-4021
+ * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery
+
+-------------------------------------------------------------------
+Thu Oct 28 12:53:13 CEST 2010 - mc@suse.de
+
+- fix csh profile (bnc#649856)
+
+-------------------------------------------------------------------
+Fri Oct 22 11:15:43 CEST 2010 - mc@suse.de
+
+- update to krb5-1.8.3
+ * remove patches which are now upstrem
+ - krb5-1.7-MITKRB5-SA-2010-004.dif
+ - krb5-1.8.1-gssapi-error-table.dif
+ - krb5-MITKRB5-SA-2010-005.dif
+
+-------------------------------------------------------------------
+Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de
+
+- change environment variable PATH directly for csh
+ (bnc#642080)
+
+-------------------------------------------------------------------
+Mon Sep 27 11:42:43 CEST 2010 - mc@suse.de
+
+- fix a dereference of an uninitialized pointer while processing
+ authorization data.
+ CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)
+
+-------------------------------------------------------------------
+Mon Jun 21 21:31:53 UTC 2010 - lchiquitto@novell.com
+
+- add correct error table when initializing gss-krb5 (bnc#606584,
+ bnc#608295)
+
+-------------------------------------------------------------------
+Wed May 19 14:27:19 CEST 2010 - mc@suse.de
+
+- fix GSS-API library null pointer dereference
+ CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)
+
+-------------------------------------------------------------------
+Wed Apr 14 11:36:32 CEST 2010 - mc@suse.de
+
+- fix a double free vulnerability in the KDC
+ CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)
+
+-------------------------------------------------------------------
+Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de
+
+- update to version 1.8.1
+ * include krb5-1.8-POST.dif
+ * include MITKRB5-SA-2010-002
+
+-------------------------------------------------------------------
+Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de
+
+- update krb5-1.8-POST.dif
+
+-------------------------------------------------------------------
+Tue Mar 23 14:32:41 CET 2010 - mc@suse.de
+
+- fix a bug where an unauthenticated remote attacker could cause
+ a GSS-API application including the Kerberos administration
+ daemon (kadmind) to crash.
+ CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)
+
+-------------------------------------------------------------------
+Tue Mar 23 12:33:26 CET 2010 - mc@suse.de
+
+- add post 1.8 fixes
+ * Add IPv6 support to changepw.c
+ * fix two problems in kadm5_get_principal mask handling
+ * Ignore improperly encoded signedpath AD elements
+ * handle NT_SRV_INST in service principal referrals
+ * dereference options while checking
+ KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
+ * Fix the kpasswd fallback from the ccache principal name
+ * Document the ticket_lifetime libdefaults setting
+ * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
+
+-------------------------------------------------------------------
+Thu Mar 4 10:42:29 CET 2010 - mc@suse.de
+
+- update to version 1.8
+ * Increase code quality
+ * Move toward improved KDB interface
+ * Investigate and remedy repeatedly-reported performance
+ bottlenecks.
+ * Reduce DNS dependence by implementing an interface that allows
+ client library to track whether a KDC supports service
+ principal referrals.
+ * Disable DES by default
+ * Account lockout for repeated login failures
+ * Bridge layer to allow Heimdal HDB modules to act as KDB
+ backend modules
+ * FAST enhancements
+ * Microsoft Services for User (S4U) compatibility
+ * Anonymous PKINIT
+- fix KDC denial of service
+ CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)
+- fix KDC denial of service in cross-realm referral processing
++++ 714 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.1:Update/.krb5.558.new/krb5-mini.changes
New Changes file:
krb5.changes: same change
New:
----
baselibs.conf
bug-765485-CVE-2012-1013-kadmind_dos_via_null_pointer_dereference.dif
krb5-1.3.5-perlfix.dif
krb5-1.6.3-gssapi_improve_errormessages.dif
krb5-1.6.3-kpasswd_tcp.patch
krb5-1.6.3-ktutil-manpage.dif
krb5-1.6.3-texi2dvi-fix.dif
krb5-1.7-doublelog.patch
krb5-1.7-nodeplibs.patch
krb5-1.8-api.patch
krb5-1.8-manpaths.txt
krb5-1.8-pam.patch
krb5-1.9-MITKRB5-SA-2011-006.dif
krb5-1.9-MITKRB5-SA-2011-007.dif
krb5-1.9-buildconf.patch
krb5-1.9-canonicalize-fallback.patch
krb5-1.9-gss_display_status-iakerb.patch
krb5-1.9-kprop-mktemp.patch
krb5-1.9-ksu-path.patch
krb5-1.9-manpaths.dif
krb5-1.9-paren.patch
krb5-1.9-selinux-label.patch
krb5-1.9.1-ai_addrconfig.patch
krb5-1.9.1-ai_addrconfig2.patch
krb5-1.9.1-sendto_poll.patch
krb5-1.9.1-sendto_poll2.patch
krb5-1.9.1-sendto_poll3.patch
krb5-1.9.1.tar.bz2
krb5-doc-rpmlintrc
krb5-doc.changes
krb5-doc.spec
krb5-klist_s.patch
krb5-mini.changes
krb5-mini.spec
krb5-pkinit-cms2.patch
krb5-rpmlintrc
krb5-trunk-chpw-err.patch
krb5-trunk-gss_delete_sec.patch
krb5-trunk-kadmin-oldproto.patch
krb5.changes
krb5.spec
pre_checkin.sh
vendor-files.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ krb5-doc.spec ++++++
#
# spec file for package krb5-doc
#
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: krb5-doc
BuildRequires: ghostscript-library
BuildRequires: latex2html
BuildRequires: texlive
Version: 1.9.1
Release: 0
%define srcRoot krb5-1.9.1
Summary: MIT Kerberos5 Implementation--Documentation
License: MIT
Group: Documentation/Other
Url: http://web.mit.edu/kerberos/www/
Source: krb5-%{version}.tar.bz2
Source3: %{name}-rpmlintrc
Patch0: krb5-1.3.5-perlfix.dif
Patch1: krb5-1.6.3-texi2dvi-fix.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
%description
Kerberos V5 is a trusted-third-party network authentication
system,which can improve your network's security by eliminating the
insecurepractice of clear text passwords. This package includes
extended documentation for MIT Kerberos.
Authors:
--------
The MIT Kerberos Team
Sam Hartman
From RT#6917.
Index: krb5-1.9.1/src/lib/krb5/krb/get_creds.c =================================================================== --- krb5-1.9.1.orig/src/lib/krb5/krb/get_creds.c +++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c @@ -470,13 +470,10 @@ begin_non_referral(krb5_context context, /***** STATE_REFERRALS *****/ -/* - * Possibly retry a request in the fallback realm after a referral request - * failure in the local realm. Expects ctx->reply_code to be set to the error - * from a referral request. - */ +/* Possibly try a non-referral request after a referral request failure. + * Expects ctx->reply_code to be set to the error from a referral request. */ static krb5_error_code -try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx) +try_fallback(krb5_context context, krb5_tkt_creds_context ctx) { krb5_error_code code; char **hrealms; @@ -485,9 +482,10 @@ try_fallback_realm(krb5_context context, if (ctx->referral_count > 1) return ctx->reply_code; - /* Only fall back if the original request used the referral realm. */ + /* If the request used a specified realm, make a non-referral request to + * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */ if (!krb5_is_referral_realm(&ctx->req_server->realm)) - return ctx->reply_code; + return begin_non_referral(context, ctx); if (ctx->server->length < 2) { /* We need a type/host format principal to find a fallback realm. */ @@ -500,10 +498,10 @@ try_fallback_realm(krb5_context context, if (code != 0) return code; - /* Give up if the fallback realm isn't any different. */ + /* If the fallback realm isn't any different, use the existing TGT. */ if (data_eq_string(ctx->server->realm, hrealms[0])) { krb5_free_host_realm(context, hrealms); - return ctx->reply_code; + return begin_non_referral(context, ctx); } /* Rewrite server->realm to be the fallback realm. */ 
@@ -540,9 +538,9 @@ step_referrals(krb5_context context, krb krb5_error_code code; const krb5_data *referral_realm; - /* Possibly retry with the fallback realm on error. */ + /* Possibly try a non-referral fallback request on error. */ if (ctx->reply_code != 0) - return try_fallback_realm(context, ctx); + return try_fallback(context, ctx); if (krb5_principal_compare(context, ctx->reply_creds->server, ctx->server)) { ++++++ krb5-1.9-gss_display_status-iakerb.patch ++++++ Index: krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c =================================================================== --- krb5-1.9.1.orig/src/lib/gssapi/krb5/disp_status.c +++ krb5-1.9.1/src/lib/gssapi/krb5/disp_status.c @@ -167,7 +167,8 @@ krb5_gss_display_status(minor_status, st if ((mech_type != GSS_C_NULL_OID) && !g_OID_equal(gss_mech_krb5, mech_type) && - !g_OID_equal(gss_mech_krb5_old, mech_type)) { + !g_OID_equal(gss_mech_krb5_old, mech_type) && + !g_OID_equal(gss_mech_iakerb, mech_type)) { *minor_status = 0; return(GSS_S_BAD_MECH); } ++++++ krb5-1.9-kprop-mktemp.patch ++++++ Use an in-memory ccache to silence a compiler warning, for RT#6414. Index: krb5-1.9.1/src/slave/kprop.c =================================================================== --- krb5-1.9.1.orig/src/slave/kprop.c +++ krb5-1.9.1/src/slave/kprop.c @@ -188,9 +188,8 @@ void PRS(argc, argv) void get_tickets(context) krb5_context context; { - char buf[BUFSIZ], *def_realm; + char buf[] = "MEMORY:_kproptkt", *def_realm; krb5_error_code retval; - static char tkstring[] = "/tmp/kproptktXXXXXX"; krb5_keytab keytab = NULL; /* 
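Review bot: The new `char buf[] = "MEMORY:_kproptkt"` declaration in get_tickets() has no comment saying why the cache now lives in memory, and the patch description gives only a compiler warning as the motive. The lines removed here (`tkstring`) and in the next kprop.c hunk (the `mktemp()` call feeding a `FILE:` cache name) picked a name under /tmp before the file was created, which leaves a window between choosing the name and creating the file. The change therefore also removes a temp-file race and keeps the propagation credentials off disk, and that is worth recording. I would add `/* In-memory ccache: no file under /tmp to race on or leave behind. */` above the declaration. get_tickets() begins and ends outside both hunks.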
@@ -229,11 +228,8 @@ void get_tickets(context) #endif /* - * Initialize cache file which we're going to be using + * Initialize an in-memory cache for temporary use */ - (void) mktemp(tkstring); - snprintf(buf, sizeof(buf), "FILE:%s", tkstring); - retval = krb5_cc_resolve(context, buf, &ccache); if (retval) { com_err(progname, retval, "while opening credential cache %s", ++++++ krb5-1.9-ksu-path.patch ++++++ Set the default PATH to the one set by login. diff -up krb5-1.9/src/clients/ksu/Makefile.in.ksu-path krb5-1.9/src/clients/ksu/Makefile.in --- krb5-1.9/src/clients/ksu/Makefile.in.ksu-path 2010-03-05 10:58:25.000000000 -0500 +++ krb5-1.9/src/clients/ksu/Makefile.in 2010-03-05 10:58:25.000000000 -0500 @@ -1,6 +1,6 @@ mydir=clients$(S)ksu BUILDTOP=$(REL)..$(S).. -DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' +DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"' DEFS= PROG_LIBPATH=-L$(TOPLIBD) ++++++ krb5-1.9-manpaths.dif ++++++ Change the absolute paths included in the man pages so that the correct values can be dropped in by config.status. After applying this patch, these files should be renamed to their ".in" counterparts, and then the configure scripts should be rebuilt. Originally RT#6525 Index: krb5-1.9.1/src/aclocal.m4 =================================================================== --- krb5-1.9.1.orig/src/aclocal.m4 +++ krb5-1.9.1/src/aclocal.m4 
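Review bot: The new `CMD_PATH` value in `DEFINES` lists `/usr/local/sbin` and `/usr/local/bin` ahead of the system directories, and nothing in the hunk says who is expected to own them. How ksu consumes `CMD_PATH` is outside this hunk, but if the list is searched in order to resolve command names for a privileged program, a /usr/local tree writable by a non-root account would let a file there take precedence over the system binary of the same name. Either put the system directories first, `-DCMD_PATH='"/sbin /usr/sbin /bin /usr/bin /usr/local/sbin /usr/local/bin"'`, or add a comment above `DEFINES` stating that every listed directory must be root-owned and not group- or world-writable.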
@@ -1782,3 +1782,24 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl +AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[ +mansysconfdir=$sysconfdir +mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` +mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` +mansbindir=$sbindir +mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` +mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` +mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` +manlocalstatedir=$localstatedir +manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` +manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` +manlibexecdir=$libexecdir +manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` +manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` +manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` +AC_SUBST(mansysconfdir) +AC_SUBST(mansbindir) +AC_SUBST(manlocalstatedir) +AC_SUBST(manlibexecdir) +AC_CONFIG_FILES($1) +]) Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M =================================================================== --- krb5-1.9.1.orig/src/appl/sample/sserver/sserver.M +++ krb5-1.9.1/src/appl/sample/sserver/sserver.M @@ -59,7 +59,7 @@ option allows for a different keytab tha using a line in /etc/inetd.conf that looks like this: .PP -sample stream tcp nowait root /usr/local/sbin/sserver sserver +sample stream tcp nowait root @mansbindir@/sserver sserver .PP Since \fBsample\fP is normally not a port defined in /etc/services, you will usually have to add a line to /etc/services which looks like this: Index: krb5-1.9.1/src/config-files/kdc.conf.M =================================================================== --- krb5-1.9.1.orig/src/config-files/kdc.conf.M +++ krb5-1.9.1/src/config-files/kdc.conf.M 
@@ -92,14 +92,14 @@ This .B string specifies the location of the access control list (acl) file that kadmin uses to determine which principals are allowed which permissions -on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl. +on the database. The default value is @manlocalstatedir@/krb5kdc/kadm5.acl. .IP admin_keytab This .B string Specifies the location of the keytab file that kadmin uses to authenticate to the database. The default value is -/usr/local/var/krb5kdc/kadm5.keytab. +@manlocalstatedir@/krb5kdc/kadm5.keytab. .IP database_name This @@ -274,7 +274,7 @@ tickets should be checked against the tr realm names and the [capaths] section of its krb5.conf file .SH FILES -/usr/local/var/krb5kdc/kdc.conf +@manlocalstatedir@/krb5kdc/kdc.conf .SH SEE ALSO krb5.conf(5), krb5kdc(8) Index: krb5-1.9.1/src/config-files/krb5.conf.M =================================================================== --- krb5-1.9.1.orig/src/config-files/krb5.conf.M +++ krb5-1.9.1/src/config-files/krb5.conf.M @@ -768,6 +768,6 @@ with another database such as Active Dir in for this interface. .SH FILES -/etc/krb5.conf +@mansysconfdir@/krb5.conf .SH SEE ALSO syslog(3) Index: krb5-1.9.1/src/configure.in =================================================================== --- krb5-1.9.1.orig/src/configure.in +++ krb5-1.9.1/src/configure.in @@ -1128,6 +1128,16 @@ fi KRB5_WITH_PAM AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + +V5_AC_OUTPUT_MANPAGE([ + appl/sample/sserver/sserver.M + config-files/kdc.conf.M + config-files/krb5.conf.M + kadmin/cli/kadmin.M + slave/kpropd.M + slave/kprop.M +]) + V5_AC_OUTPUT_MAKEFILE(. util util/support util/profile util/send-pr Index: krb5-1.9.1/src/kadmin/cli/kadmin.M =================================================================== --- krb5-1.9.1.orig/src/kadmin/cli/kadmin.M +++ krb5-1.9.1/src/kadmin/cli/kadmin.M 
@@ -880,9 +880,9 @@ option is specified, less verbose status .RS .TP EXAMPLE: -kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin +kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin Entry for principal kadmin/admin with kvno 3 removed - from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab. + from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab. kadmin: .RE .fi @@ -924,7 +924,7 @@ passwords. .SH HISTORY The .B kadmin -prorgam was originally written by Tom Yu at MIT, as an interface to the +program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program. .SH SEE ALSO .IR kerberos (1), Index: krb5-1.9.1/src/slave/kpropd.M =================================================================== --- krb5-1.9.1.orig/src/slave/kpropd.M +++ krb5-1.9.1/src/slave/kpropd.M @@ -74,7 +74,7 @@ Normally, kpropd is invoked out of This is done by adding a line to the inetd.conf file which looks like this: -kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd +kprop stream tcp nowait root @mansbindir@/kpropd kpropd However, kpropd can also run as a standalone daemon, if the .B \-S @@ -111,13 +111,13 @@ is used. \fB\-f\fP \fIfile\fP specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is KPROPD_DEFAULT_FILE -(normally /usr/local/var/krb5kdc/from_master). +(normally @manlocalstatedir@/krb5kdc/from_master). .TP .B \-p allows the user to specify the pathname to the .IR kdb5_util (8) program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL -(normally /usr/local/sbin/kdb5_util). +(normally @mansbindir@/kdb5_util). .TP .B \-S turn on standalone mode. Normally, kpropd is invoked out of 
@@ -148,14 +148,14 @@ mode. allows the user to specify the path to the kpropd.acl file; by default the path used is KPROPD_ACL_FILE -(normally /usr/local/var/krb5kdc/kpropd.acl). +(normally @manlocalstatedir@/krb5kdc/kpropd.acl). .SH FILES .TP "\w'kpropd.acl\ \ 'u" kpropd.acl Access file for .BR kpropd ; the default location is KPROPD_ACL_FILE (normally -/usr/local/var/krb5kdc/kpropd.acl). +@manlocalstatedir@/krb5kdc/kpropd.acl). Each entry is a line containing the principal of a host from which the local machine will allow Kerberos database propagation via kprop. .SH SEE ALSO Index: krb5-1.9.1/src/slave/kprop.M =================================================================== --- krb5-1.9.1.orig/src/slave/kprop.M +++ krb5-1.9.1/src/slave/kprop.M @@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv This is done by transmitting the dumped database file to the slave server over an encrypted, secure channel. The dump file must be created by kdb5_util, and is normally KPROP_DEFAULT_FILE -(/usr/local/var/krb5kdc/slave_datatrans). +(@manlocalstatedir@/krb5kdc/slave_datatrans). .SH OPTIONS .TP \fB\-r\fP \fIrealm\fP @@ -51,7 +51,7 @@ is used. \fB\-f\fP \fIfile\fP specifies the filename where the dumped principal database file is to be found; by default the dumped database file is KPROP_DEFAULT_FILE -(normally /usr/local/var/krb5kdc/slave_datatrans). +(normally @manlocalstatedir@/krb5kdc/slave_datatrans). .TP \fB\-P\fP \fIport\fP specifies the port to use to contact the ++++++ krb5-1.9-paren.patch ++++++ Upstream commit #24477. diff -up krb5-1.9/src/slave/kpropd.c krb5-1.9/src/slave/kpropd.c --- krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:24.020999947 -0400 +++ krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:34.159999947 -0400 
@@ -993,7 +993,7 @@ unsigned int backoff_from_master(int *cn btime = (unsigned int)(2<<(*cnt)); if (btime > MAX_BACKOFF) { btime = MAX_BACKOFF; - *cnt--; + (*cnt)--; } return (btime); ++++++ krb5-1.9-selinux-label.patch ++++++ ++++ 919 lines (skipped) ++++++ krb5-1.9.1-ai_addrconfig.patch ++++++
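Review bot: `btime = (unsigned int)(2<<(*cnt));` shifts a signed `int` and casts only afterwards, and no line in the hunk bounds `*cnt` before the shift. With the corrected `(*cnt)--` the counter should stop growing once the cap is reached, assuming the caller raises it by one per call, but that caller is outside the hunk, as is the start of backoff_from_master(). Doing the shift in unsigned arithmetic, `btime = 2u << *cnt;`, behind a guard such as `if (*cnt < 0 || *cnt > 30) return MAX_BACKOFF;` (for a 32-bit `unsigned int`), would keep the expression defined whatever value arrives.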
From RT#6922. When we're converting a host/service pair into a principal name, specify AF_UNSPEC instead of AF_INET and then maybe AF_INET6 to try to avoid libc doing a PTR lookup because we also specify AI_CANONNAME. Add AI_ADDRCONFIG because it's usually the right idea.
Index: src/lib/krb5/os/sn2princ.c
===================================================================
--- src/lib/krb5/os/sn2princ.c.orig
+++ src/lib/krb5/os/sn2princ.c
@@ -107,19 +107,12 @@ krb5_sname_to_principal(krb5_context con
hostnames associated. */
memset(&hints, 0, sizeof(hints));
- hints.ai_family = AF_INET;
- hints.ai_flags = AI_CANONNAME;
- try_getaddrinfo_again:
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {
#ifdef DEBUG_REFERRALS
printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname);
#endif
- if (hints.ai_family == AF_INET) {
- /* Just in case it's an IPv6-only name. */
- hints.ai_family = 0;
- goto try_getaddrinfo_again;
- }
return KRB5_ERR_BAD_HOSTNAME;
}
remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname);
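Review bot: After this change a single getaddrinfo() failure ends krb5_sname_to_principal() with KRB5_ERR_BAD_HOSTNAME and `err` is dropped, so a failure caused by the new `AI_ADDRCONFIG` flag is indistinguishable from a name that does not exist. Depending on the resolver, AI_ADDRCONFIG can make the lookup fail on a host with no non-loopback address configured (early boot, offline install), a condition the removed retry did not depend on. The hst_realm.c hunk of the second patch returns `krb5int_translate_gai_error (err)`; doing the same here if that helper is visible from this file, or retrying once without the flag, would keep the cause visible. The same concern applies to the `AI_CANONNAME | AI_ADDRCONFIG` lines in kadm5_create.c, alt_prof.c and hst_realm.c. I would also add a comment at the `strdup` line noting that the host part of the principal comes from the resolver's canonical name and is only as trustworthy as the DNS path; the function continues outside the hunk.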
++++++ krb5-1.9.1-ai_addrconfig2.patch ++++++
Most of RT#6923, except for the part that depends on the sendto_kdc rewrite
(it's still in locate_kdc in this version): pass AI_ADDRCONFIG whenever we
specify hints to getaddrinfo() to get the address of a server.
Index: src/plugins/locate/python/py-locate.c
===================================================================
--- src/plugins/locate/python/py-locate.c.orig
+++ src/plugins/locate/python/py-locate.c
@@ -303,6 +303,7 @@ lookup(void *blob, enum locate_service_t
return -1;
}
aihints.ai_socktype = thissocktype;
+ aihints.ai_flags = AI_ADDRCONFIG;
x = getaddrinfo (hoststr, portstr, &aihints, &airesult);
if (x != 0)
continue;
Index: src/appl/sample/sclient/sclient.c
===================================================================
--- src/appl/sample/sclient/sclient.c.orig
+++ src/appl/sample/sclient/sclient.c
@@ -124,6 +124,7 @@ main(int argc, char *argv[])
memset(&aihints, 0, sizeof(aihints));
aihints.ai_socktype = SOCK_STREAM;
+ aihints.ai_flags = AI_ADDRCONFIG;
aierr = getaddrinfo(argv[1], portstr, &aihints, &ap);
if (aierr) {
fprintf(stderr, "%s: error looking up host '%s' port '%s'/tcp: %s\n",
Index: src/kadmin/dbutil/kadm5_create.c
===================================================================
--- src/kadmin/dbutil/kadm5_create.c.orig
+++ src/kadmin/dbutil/kadm5_create.c
@@ -182,7 +182,7 @@ static int add_admin_princs(void *handle
goto clean_and_exit;
}
memset(&ai_hints, 0, sizeof(ai_hints));
- ai_hints.ai_flags = AI_CANONNAME;
+ ai_hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai);
if (gai_error) {
ret = EINVAL;
Index: src/lib/kadm5/alt_prof.c
===================================================================
--- src/lib/kadm5/alt_prof.c.orig
+++ src/lib/kadm5/alt_prof.c
@@ -901,7 +901,7 @@ kadm5_get_admin_service_name(krb5_contex
}
memset(&hint, 0, sizeof(hint));
- hint.ai_flags = AI_CANONNAME;
+ hint.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo(params_out.admin_server, NULL, &hint, &ai);
if (err != 0) {
ret = KADM5_CANT_RESOLVE;
Index: src/lib/kadm5/clnt/client_init.c
===================================================================
--- src/lib/kadm5/clnt/client_init.c.orig
+++ src/lib/kadm5/clnt/client_init.c
@@ -563,8 +563,9 @@ connect_to_server(const char *hostname,
(void) snprintf(portbuf, sizeof(portbuf), "%d", port);
memset(&hint, 0, sizeof(hint));
hint.ai_socktype = SOCK_STREAM;
+ hint.ai_flags = AI_ADDRCONFIG;
#ifdef AI_NUMERICSERV
- hint.ai_flags = AI_NUMERICSERV;
+ hint.ai_flags |= AI_NUMERICSERV;
#endif
err = getaddrinfo(hostname, portbuf, &hint, &addrs);
if (err != 0)
Index: src/lib/krb5/os/hostaddr.c
===================================================================
--- src/lib/krb5/os/hostaddr.c.orig
+++ src/lib/krb5/os/hostaddr.c
@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c
return KRB5_ERR_BAD_HOSTNAME;
memset (&hints, 0, sizeof (hints));
- hints.ai_flags = AI_NUMERICHOST;
+ hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG;
/* We don't care what kind at this point, really, but without
this, we can get back multiple sockaddrs per address, for
SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if
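Review bot: Combining AI_ADDRCONFIG with AI_NUMERICHOST in `hints.ai_flags` makes the parsing of a literal address depend on local interface configuration. With AI_NUMERICHOST no name lookup takes place, so the flag saves no query. On resolvers that apply it to literals, an address of a family with no configured non-loopback interface can be rejected; implementations differ, so this should be checked against the target libc. I would keep `hints.ai_flags = AI_NUMERICHOST;` for the literal attempt and add AI_ADDRCONFIG only where the function resolves a real host name, if it does so later. The rest of krb5_os_hostaddr is outside the hunk.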
Index: src/lib/krb5/os/hst_realm.c
===================================================================
--- src/lib/krb5/os/hst_realm.c.orig
+++ src/lib/krb5/os/hst_realm.c
@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz
int err;
memset (&hints, 0, sizeof (hints));
- hints.ai_flags = AI_CANONNAME;
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo (name, 0, &hints, &ai);
if (err)
return krb5int_translate_gai_error (err);
Index: src/slave/kprop.c
===================================================================
--- src/slave/kprop.c.orig
+++ src/slave/kprop.c
@@ -325,6 +325,7 @@ open_connection(krb5_context context, ch
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_ADDRCONFIG;
error = getaddrinfo(host, port, &hints, &answers);
if (error != 0) {
com_err(progname, 0, "%s: %s", host, gai_strerror(error));
Index: src/lib/krb5/os/locate_kdc.c
===================================================================
--- src/lib/krb5/os/locate_kdc.c.orig
+++ src/lib/krb5/os/locate_kdc.c
@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis
memset(&hint, 0, sizeof(hint));
hint.ai_family = family;
hint.ai_socktype = socktype;
+ hint.ai_flags = AI_ADDRCONFIG;
#ifdef AI_NUMERICSERV
- hint.ai_flags = AI_NUMERICSERV;
+ hint.ai_flags |= AI_NUMERICSERV;
#endif
result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port));
if (SNPRINTF_OVERFLOW(result, sizeof(portbuf)))
++++++ krb5-1.9.1-sendto_poll.patch ++++++
++++ 624 lines (skipped)
++++++ krb5-1.9.1-sendto_poll2.patch ++++++
RT#6951
Index: krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c
===================================================================
--- krb5-1.9.1.orig/src/lib/krb5/os/sendto_kdc.c
+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c
@@ -895,12 +895,12 @@ maybe_send(krb5_context context, struct
static void
kill_conn(struct conn_state *conn, struct select_state *selstate, int err)
{
+ dprint("abandoning connection %d: %m\n", conn->fd, err);
+ cm_remove_fd(selstate, conn->fd);
+ closesocket(conn->fd);
+ conn->fd = INVALID_SOCKET;
conn->state = FAILED;
conn->err = err;
- shutdown(conn->fd, SHUTDOWN_BOTH);
- cm_remove_fd(selstate, conn->fd);
- dprint("abandoning connection %d: %m\n", conn->fd, err);
- /* Fix up max fd for next select call. */
}
/* Check socket for error. */
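Review bot: kill_conn now closes the descriptor and resets `conn->fd`, but nothing in the new body stops a second call for the same connection from passing INVALID_SOCKET to cm_remove_fd() and closesocket(). If cm_remove_fd() indexes an fd_set or a poll array by descriptor (its body is not in this hunk), an invalid value there is an out-of-bounds access rather than a harmless EBADF. A guard as the first statement makes the function idempotent: `if (conn->fd == INVALID_SOCKET) return;`. The callers, and any cleanup path that closes `conn->fd` at the end of the exchange, are outside the hunk and should be checked to skip entries already set to INVALID_SOCKET.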
++++++ krb5-1.9.1-sendto_poll3.patch ++++++
If we exit the transmit loop cleanly, don't overestimate the size of the
connections array. This bug appears to have been removed upstream when
this function was rewritten in trunk, and the select()-based implementation
is still what's in 1.9, so this patch has nowhere to go.
--- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:20.560811664 -0400
+++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c 2011-09-28 14:54:11.396812292 -0400
@@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co
call with the last one from the above loop, if the loop
actually calls select. */
sel_state->end_time.tv_sec += delay_this_pass;
- e = service_fds(context, sel_state, conns, host+1, &winning_conn,
+ i = host+1;
+ if (i > n_conns)
+ i = n_conns;
+ e = service_fds(context, sel_state, conns, i, &winning_conn,
sel_state+1, msg_handler, msg_handler_data);
if (e)
break;
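Review bot: The clamp reuses `i` as the element count passed to service_fds() with no comment on when `host+1` can exceed `n_conns`, so the next reader cannot tell that it prevents a read past the end of `conns`. I would add `/* host == n_conns after a clean exit from the transmit loop; never pass more entries than conns holds */` above `i = host+1;`. `i`, `host` and `n_conns` are declared outside the hunk; it is worth confirming that `i` carries no value still needed after this point, and that `host` and `n_conns` have the same signedness so that `i > n_conns` compares as intended. krb5int_sendto starts and ends outside the hunk.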
++++++ krb5-doc-rpmlintrc ++++++
addFilter("files-duplicate .*css")
addFilter("files-duplicate .*img.*png")
++++++ krb5-klist_s.patch ++++++
Don't trip over referral entries. RT#6915
Index: krb5-1.9.1/src/clients/klist/klist.c
===================================================================
--- krb5-1.9.1.orig/src/clients/klist/klist.c
+++ krb5-1.9.1/src/clients/klist/klist.c
@@ -28,7 +28,7 @@
* List out the contents of your credential cache or keytab.
*/
-#include "autoconf.h"
+#include "k5-int.h"
#include