Hello community,
here is the log from the commit of package krb5.1415 for openSUSE:12.2:Update checked in at 2013-03-20 10:46:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/krb5.1415 (Old)
and /work/SRC/openSUSE:12.2:Update/.krb5.1415.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "krb5.1415", Maintainer is ""
Changes:
--------
New Changes file:
--- /dev/null 2013-02-26 18:15:11.936010755 +0100
+++ /work/SRC/openSUSE:12.2:Update/.krb5.1415.new/krb5-doc.changes 2013-03-20 10:46:57.000000000 +0100
@@ -0,0 +1,191 @@
+-------------------------------------------------------------------
+Wed Jun 6 17:34:26 CEST 2012 - mc@suse.de
+
+- update to version 1.10.2
+
+-------------------------------------------------------------------
+Mon Aug 22 10:21:56 CEST 2011 - mc@suse.de
+
+- update to version 1.9.1
+
+-------------------------------------------------------------------
+Fri Apr 9 12:45:30 CEST 2010 - mc@suse.de
+
+- update to version 1.8.1
+
+-------------------------------------------------------------------
+Tue Mar 23 12:38:29 CET 2010 - mc@suse.de
+
+- add post 1.8 fixes
+ * Document the ticket_lifetime libdefaults setting
+
+-------------------------------------------------------------------
+Thu Mar 4 11:45:22 CET 2010 - mc@suse.de
+
+- update to version 1.8
+
+-------------------------------------------------------------------
+Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de
+
+- update to final version 1.7
+
+-------------------------------------------------------------------
+Wed May 13 11:34:07 CEST 2009 - mc@suse.de
+
+- update to version 1.7 Beta2
+
+-------------------------------------------------------------------
+Mon Feb 16 13:08:05 CET 2009 - mc@suse.de
+
+- update to pre 1.7 version
+ * remove outdated documentation for kadm5 API
+
+-------------------------------------------------------------------
+Fri Jul 25 12:17:10 CEST 2008 - mc@suse.de
+
+- add patches from SVN post 1.6.3
+ * some fixes in the man pages
+
+-------------------------------------------------------------------
+Wed Jun 18 15:34:16 CEST 2008 - mc@suse.de
+
+- reduce rpmlint warnings
+
+-------------------------------------------------------------------
+Tue Oct 23 10:29:23 CEST 2007 - mc@suse.de
+
+- update to krb5 version 1.6.3
+ * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
+ * fix CVE-2007-4000 modify_policy vulnerability
+ * Add PKINIT support
+- remove patches which are upstream now
+- enhance init scripts and xinetd profiles
+
+-------------------------------------------------------------------
+Thu Jul 12 17:02:30 CEST 2007 - mc@suse.de
+
+- update to version 1.6.2
+- remove krb5-1.6.1-post.dif all fixes are included in this release
+
+-------------------------------------------------------------------
+Wed Jun 13 15:29:42 CEST 2007 - sschober@suse.de
+
+- removed executable permission from doc file
+
+-------------------------------------------------------------------
+Mon Apr 23 11:15:59 CEST 2007 - mc@suse.de
+
+- update to final 1.6.1 version
+- replace te_ams with texlive in BuildRequires
+
+-------------------------------------------------------------------
+Wed Apr 18 14:47:49 CEST 2007 - mc@suse.de
+
+- build implementor.ps
+
+-------------------------------------------------------------------
+Mon Apr 16 14:39:40 CEST 2007 - mc@suse.de
+
+- update to version 1.6.1 Beta1
+- remove obsolete patches
+ (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
+
+-------------------------------------------------------------------
+Mon Feb 19 14:00:49 CET 2007 - mc@suse.de
+
+- add krb5-1.6-post.dif
+
+-------------------------------------------------------------------
+Mon Jan 22 12:21:20 CET 2007 - mc@suse.de
+
+- update to version 1.6
+ * Major changes in 1.6 include
+ * Partial client implementation to handle server name referrals.
+ * Pre-authentication plug-in framework, donated by Red Hat.
+ * LDAP KDB plug-in, donated by Novell.
+
+-------------------------------------------------------------------
+Thu Aug 24 12:53:25 CEST 2006 - mc@suse.de
+
+- update to version 1.5.1
+- remove obsolete patches which are now included upstream
+ * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
+ * trunk-fix-uninitialized-vars.dif
+
+-------------------------------------------------------------------
+Mon Jul 3 15:01:57 CEST 2006 - mc@suse.de
+
+- update to version 1.5
+ * KDB abstraction layer, donated by Novell.
+ * plug-in architecture, allowing for extension modules to be
+ loaded at run-time.
+ * multi-mechanism GSS-API implementation ("mechglue"),
+ donated by Sun Microsystems
+ * Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
+ implementation, donated by Sun Microsystems
+- remove obsolete patches and add some new
+
+-------------------------------------------------------------------
+Mon Mar 13 18:01:06 CET 2006 - mc@suse.de
+
+- set BuildArchitectures to noarch
+- set norootforbuild
+
+-------------------------------------------------------------------
+Wed Jan 25 21:30:24 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Fri Nov 18 12:15:07 CET 2005 - mc@suse.de
+
+- update to version 1.4.3
+- fix tex for kadm5 documentation (krb5-1.4.3-kadm5-tex.dif)
+
+-------------------------------------------------------------------
+Wed Oct 12 16:19:08 CEST 2005 - mc@suse.de
+
+- build kadm5 documentation
+- build documentation also as html
+- include the text only documentation
+
+-------------------------------------------------------------------
+Tue Oct 11 17:40:26 CEST 2005 - mc@suse.de
+
+- update to version 1.4.2
+- remove some obsolet patches
+
+-------------------------------------------------------------------
+Mon Jun 27 13:36:04 CEST 2005 - mc@suse.de
+
+- update to version 1.4.1
+- remove obsolet patches
+ - krb5-1.4-VUL-0-telnet.dif
+
+-------------------------------------------------------------------
+Thu Feb 10 02:38:39 CET 2005 - ro@suse.de
+
+- added libpng to neededforbuild (for tetex)
+
+-------------------------------------------------------------------
+Fri Feb 4 16:50:34 CET 2005 - mc@suse.de
+
+- remove spx.c from tarball because of legal risk
+- add README.Source which tell the user about this
+ action.
+
+-------------------------------------------------------------------
+Fri Jan 28 13:28:18 CET 2005 - mc@suse.de
+
+- update to version 1.4
+
+-------------------------------------------------------------------
+Mon Jan 10 12:20:11 CET 2005 - mc@suse.de
+
+- update to version 1.3.6
+
+-------------------------------------------------------------------
+Tue Dec 14 15:21:02 CET 2004 - mc@suse.de
+
+- initial release
+
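Review bot: The "Fri Feb 4 16:50:34 CET 2005" entry records that spx.c was removed from the tarball, but nothing in this changes file says whether later version updates were repacked the same way. A repacked source archive no longer matches the upstream release, so it cannot be checked against upstream's published tarball. Each "update to version ..." entry should state whether the shipped tarball is pristine or repacked, and README.Source should describe how to reproduce the repack. Minor: "obsolet" in the two 2005 entries should read "obsolete", and the "Tue Oct 11 17:40:26 CEST 2005" entry should name the patches it removed, as the "Mon Jun 27 13:36:04 CEST 2005" entry does.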
New Changes file:
--- /dev/null 2013-02-26 18:15:11.936010755 +0100
+++ /work/SRC/openSUSE:12.2:Update/.krb5.1415.new/krb5-mini.changes 2013-03-20 10:46:57.000000000 +0100
@@ -0,0 +1,1005 @@
+-------------------------------------------------------------------
+Wed Mar 6 11:12:14 CET 2013 - mc@suse.de
+
+- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
+ CVE-2012-1016 (bnc#807556)
+ bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
+
+-------------------------------------------------------------------
+Mon Mar 4 10:45:41 CET 2013 - mc@suse.de
+
+- fix PKINIT null pointer deref
+ CVE-2013-1415 (bnc#806715)
+ bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
+
+-------------------------------------------------------------------
+Fri Feb 15 11:51:26 CET 2013 - mc@suse.de
+
+- Fix krb5-send-pr (bnc#794784)
+
+-------------------------------------------------------------------
+Wed Aug 1 09:57:01 CEST 2012 - mc@suse.de
+
+- fix potentially execute code flaws
+ CVE-2012-1015, CVE-2012-1014 (bnc#770172)
+
+-------------------------------------------------------------------
+Wed Jun 13 08:40:56 UTC 2012 - coolo@suse.com
+
+- fix %files section for krb5-mini
+
+-------------------------------------------------------------------
+Thu Jun 7 11:39:18 UTC 2012 - mc@suse.de
+
+- fix gcc47 issues
+
+-------------------------------------------------------------------
+Wed Jun 6 16:25:41 CEST 2012 - mc@suse.de
+
+- update to version 1.10.2
+ obsolte patches:
+ * krb5-1.7-nodeplibs.patch
+ * krb5-1.9.1-ai_addrconfig.patch
+ * krb5-1.9.1-ai_addrconfig2.patch
+ * krb5-1.9.1-sendto_poll.patch
+ * krb5-1.9-canonicalize-fallback.patch
+ * krb5-1.9-paren.patch
+ * krb5-klist_s.patch
+ * krb5-pkinit-cms2.patch
+ * krb5-trunk-chpw-err.patch
+ * krb5-trunk-gss_delete_sec.patch
+ * krb5-trunk-kadmin-oldproto.patch
+ * krb5-1.9-MITKRB5-SA-2011-006.dif
+ * krb5-1.9-gss_display_status-iakerb.patch
+ * krb5-1.9.1-sendto_poll2.patch
+ * krb5-1.9.1-sendto_poll3.patch
+ * krb5-1.9-MITKRB5-SA-2011-007.dif
+- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
+ Controllers.
+- Update a workaround for a glibc bug that would cause DNS PTR queries
+ to occur even when rdns = false.
+- Fix a kadmind denial of service issue (null pointer dereference),
+ which could only be triggered by an administrator with the "create"
+ privilege. [CVE-2012-1013]
+- Fix access controls for KDB string attributes [CVE-2012-1012]
+- Make the ASN.1 encoding of key version numbers interoperate with
+ Windows Read-Only Domain Controllers
+- Avoid generating spurious password expiry warnings in cases where
+ the KDC sends an account expiry time without a password expiry time
+- Make PKINIT work with FAST in the client library.
+- Add the DIR credential cache type, which can hold a collection of
+ credential caches.
+- Enhance kinit, klist, and kdestroy to support credential cache
+ collections if the cache type supports it.
+- Add the kswitch command, which changes the selected default cache
+ within a collection.
+- Add heuristic support for choosing client credentials based on
+ the service realm.
+- Add support for $HOME/.k5identity, which allows credential
+ choice based on configured rules.
+
+-------------------------------------------------------------------
+Sun Feb 26 22:23:15 UTC 2012 - stefan.bruens@rwth-aachen.de
+
+- add autoconf macro to devel subpackage
+
+-------------------------------------------------------------------
+Tue Jan 31 15:33:05 CET 2012 - meissner@suse.de
+
+- fix license in krb5-mini
+
+-------------------------------------------------------------------
+Tue Dec 20 20:57:26 UTC 2011 - coolo@suse.com
+
+- add autoconf as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Tue Dec 20 11:01:39 UTC 2011 - coolo@suse.com
+
+- remove call to suse_update_config, very old work around
+
+-------------------------------------------------------------------
+Mon Nov 21 11:24:12 CET 2011 - mc@suse.de
+
+- fix KDC null pointer dereference in TGS handling
+ (MITKRB5-SA-2011-007, bnc#730393)
+ CVE-2011-1530
+
+-------------------------------------------------------------------
+Mon Nov 21 11:11:54 CET 2011 - mc@suse.de
+
+- fix KDC HA feature introduced with implementing KDC poll
+ (RT#6951, bnc#731648)
+
+-------------------------------------------------------------------
+Fri Nov 18 08:35:52 UTC 2011 - rhafer@suse.de
+
+- fix minor error messages for the IAKERB GSSAPI mechanism
+ (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)
+
+-------------------------------------------------------------------
+Mon Oct 17 16:11:03 CEST 2011 - mc@suse.de
+
+- fix kdc remote denial of service
+ (MITKRB5-SA-2011-006, bnc#719393)
+ CVE-2011-1527, CVE-2011-1528, CVE-2011-1529
+
+-------------------------------------------------------------------
+Tue Aug 23 13:52:03 CEST 2011 - mc@suse.de
+
+- use --without-pam to build krb5-mini
+
+-------------------------------------------------------------------
+Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com
+
+- add patches from Fedora and upstream
+- fix init scripts (bnc#689006)
+
+-------------------------------------------------------------------
+Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com
+
+- update to version 1.9.1
+ * obsolete patches:
+ MITKRB5-SA-2010-007-1.8.dif
+ krb5-1.8-MITKRB5-SA-2010-006.dif
+ krb5-1.8-MITKRB5-SA-2011-001.dif
+ krb5-1.8-MITKRB5-SA-2011-002.dif
+ krb5-1.8-MITKRB5-SA-2011-003.dif
+ krb5-1.8-MITKRB5-SA-2011-004.dif
+ krb5-1.4.3-enospc.dif
+ * replace krb5-1.6.1-compile_pie.dif
+-------------------------------------------------------------------
+Thu Apr 14 11:33:18 CEST 2011 - mc@suse.de
+
+- fix kadmind invalid pointer free()
+ (MITKRB5-SA-2011-004, bnc#687469)
+ CVE-2011-0285
+
+-------------------------------------------------------------------
+Tue Mar 1 12:43:22 CET 2011 - mc@suse.de
+
+- Fix vulnerability to a double-free condition in KDC daemon
+ (MITKRB5-SA-2011-003, bnc#671717)
+ CVE-2011-0284
+
+-------------------------------------------------------------------
+Wed Jan 19 14:42:27 CET 2011 - mc@suse.de
+
+- Fix kpropd denial of service
+ (MITKRB5-SA-2011-001, bnc#662665)
+ CVE-2010-4022
+- Fix KDC denial of service attacks with LDAP back end
+ (MITKRB5-SA-2011-002, bnc#663619)
+ CVE-2011-0281, CVE-2011-0282
+
+-------------------------------------------------------------------
+Wed Dec 1 11:44:15 CET 2010 - mc@suse.de
+
+- Fix multiple checksum handling vulnerabilities
+ (MITKRB5-SA-2010-007, bnc#650650)
+ CVE-2010-1324
+ * krb5 GSS-API applications may accept unkeyed checksums
+ * krb5 application services may accept unkeyed PAC checksums
+ * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums
+ CVE-2010-1323
+ * krb5 clients may accept unkeyed SAM-2 challenge checksums
+ * krb5 may accept KRB-SAFE checksums with low-entropy derived keys
+ CVE-2010-4020
+ * krb5 may accept authdata checksums with low-entropy derived keys
+ CVE-2010-4021
+ * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery
+
+-------------------------------------------------------------------
+Thu Oct 28 12:53:13 CEST 2010 - mc@suse.de
+
+- fix csh profile (bnc#649856)
+
+-------------------------------------------------------------------
++++ 808 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.2:Update/.krb5.1415.new/krb5-mini.changes
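Review bot: The "Wed Aug 1 09:57:01 CEST 2012" entry (CVE-2012-1015, CVE-2012-1014, bnc#770172) does not name the patch file that carries the fix, while the two March 2013 entries above it each list their .dif. Add the file name to that entry so each CVE can be traced from the changelog to a PatchN line in the spec. It is presumably MITKRB5-SA-2012-001.dif from the "New:" list, but the entry should say so itself. The wording "fix potentially execute code flaws" would also read more clearly as a description of what was fixed. Minor: "obsolte patches" in the 1.10.2 entry is a typo, and the "Fri Aug 19 15:48:35 UTC 2011" entry runs straight into the next separator without the blank line the other entries have.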
New Changes file:
krb5.changes: same change
New:
----
MITKRB5-SA-2012-001.dif
baselibs.conf
bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
krb5-1.10-buildconf.patch
krb5-1.10-gcc47.patch
krb5-1.10-kpasswd_tcp.patch
krb5-1.10-selinux-label.patch
krb5-1.10.2.tar.bz2
krb5-1.3.5-perlfix.dif
krb5-1.6.3-gssapi_improve_errormessages.dif
krb5-1.6.3-ktutil-manpage.dif
krb5-1.7-doublelog.patch
krb5-1.8-api.patch
krb5-1.8-manpaths.txt
krb5-1.8-pam.patch
krb5-1.9-kprop-mktemp.patch
krb5-1.9-ksu-path.patch
krb5-1.9-manpaths.dif
krb5-doc-rpmlintrc
krb5-doc.changes
krb5-doc.spec
krb5-mini.changes
krb5-mini.spec
krb5-rpmlintrc
krb5.changes
krb5.spec
pre_checkin.sh
vendor-files.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ krb5-doc.spec ++++++
#
# spec file for package krb5-doc
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: krb5-doc
BuildRequires: ghostscript-library
BuildRequires: latex2html
BuildRequires: texlive
Version: 1.10.2
Release: 0
%define srcRoot krb5-1.10.2
Summary: MIT Kerberos5 Implementation--Documentation
License: MIT
Group: Documentation/Other
Url: http://web.mit.edu/kerberos/www/
Source: krb5-%{version}.tar.bz2
Source3: %{name}-rpmlintrc
Patch0: krb5-1.3.5-perlfix.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
%description
Kerberos V5 is a trusted-third-party network authentication
system,which can improve your network's security by eliminating the
insecurepractice of clear text passwords. This package includes
extended documentation for MIT Kerberos.
Authors:
--------
The MIT Kerberos Team
Sam Hartman
Ken Raeburn
Tom Yu
%prep
%setup -n %{srcRoot}
%patch0
%build
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
sed -i -e '1c\
\\documentclass{article}\
\\usepackage{fixunder}\
\\usepackage{functions}\
\\usepackage{fancyheadings}\
\\usepackage{hyperref}' doc/implement/implement.tex
%install
cd doc
mkdir -p html
make
make implementor.ps
make -C api
make -C implement
mv *.html html/
cd ..
find . -type f -name '*.ps' -exec gzip -9 {} \;
chmod 644 doc/man2ps
chmod 644 doc/krb5-protocol/draft-jaganathan-rc4-hmac-03.txt
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root)
%doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz
%doc doc/krb5-protocol doc/kadmin
%doc doc/html
%changelog
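Review bot: In the cleanup at the end of %install, "rm -f /usr/share/man/man1/tmac.doc*" and "rm -rf /usr/lib/mit/share" have no %{buildroot} prefix, so they act on the build host's own filesystem instead of the staged tree. If the build runs as root, the second one deletes a directory belonging to an installed krb5 package. The %{buildroot}-prefixed lines next to them already cover the staged files, so the unprefixed pair should be dropped. Separately, the document builds (make, make implementor.ps, make -C api, make -C implement) run under %install while %build only applies the sed edits. Moving the make calls into %build would keep %install limited to staging files. The %description also has two missing spaces ("system,which", "insecurepractice").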
++++++ krb5-mini.spec ++++++
#
# spec file for package krb5-mini
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%define build_mini 1
%define srcRoot krb5-1.10.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
Name: krb5-mini
Url: http://web.mit.edu/kerberos/www/
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: keyutils
BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.10.2
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
Group: Productivity/Networking/Security
%if ! 0%{?build_mini}
BuildRequires: libopenssl-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
# bug437293
%ifarch ppc64
Obsoletes: krb5-64bit
%endif
#
%endif
Source: krb5-%{version}.tar.bz2
Source1: vendor-files.tar.bz2
Source2: baselibs.conf
Source5: krb5-rpmlintrc
Source10: krb5-1.8-manpaths.txt
Patch1: krb5-1.8-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.10-selinux-label.patch
Patch4: krb5-1.10-buildconf.patch
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.10-kpasswd_tcp.patch
Patch7: krb5-1.6.3-ktutil-manpage.dif
Patch8: krb5-1.7-doublelog.patch
Patch9: krb5-1.8-api.patch
Patch10: krb5-1.9-kprop-mktemp.patch
Patch11: krb5-1.9-ksu-path.patch
Patch12: krb5-1.10-gcc47.patch
Patch13: MITKRB5-SA-2012-001.dif
Patch14: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
Patch15: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
%description
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords.
%if ! %{build_mini}
%package client
Summary: MIT Kerberos5 implementation - client programs
Group: Productivity/Networking/Security
%description client
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes some required
client programs, like kinit, kadmin, ...
%package server
Summary: MIT Kerberos5 implementation - server
Group: Productivity/Networking/Security
Requires: cron
Requires: logrotate
Requires: perl-Date-Calc
PreReq: %insserv_prereq %fillup_prereq
%description server
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes the kdc, kadmind
and more.
%package plugin-kdb-ldap
Summary: MIT Kerberos5 Implementation--LDAP Database Plugin
Group: Productivity/Networking/Security
Requires: krb5-server = %{version}
%description plugin-kdb-ldap
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords. This package contains the LDAP
database plugin.
%package plugin-preauth-pkinit
Summary: MIT Kerberos5 Implementation--PKINIT preauth Plugin
Group: Productivity/Networking/Security
%description plugin-preauth-pkinit
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.
%endif #! build_mini
%package devel
Summary: MIT Kerberos5 - Include Files and Libraries
Group: Development/Libraries/C and C++
PreReq: %{name} = %{version}
Requires: keyutils-devel
Requires: libcom_err-devel
# bug437293
%ifarch ppc64
Obsoletes: krb5-devel-64bit
%endif
%if %{build_mini}
Provides: krb5-devel = %{version}
%endif
#
%description devel
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes Libraries and
Include Files for Development
%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12
%patch13 -p1
%patch14 -p1
%patch15 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
%build
# needs to be re-generated
rm -f src/lib/krb5/krb/deltat.c
cd src
./util/reconf
CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC " \
./configure \
--prefix=/usr/lib/mit \
--sysconfdir=%{_sysconfdir} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
--libexecdir=/usr/lib/mit/sbin \
--libdir=%{_libdir} \
--includedir=%{_includedir} \
--localstatedir=%{_localstatedir}/lib/kerberos \
--enable-shared \
--disable-static \
--enable-kdc-replay-cache \
--enable-dns-for-realm \
--disable-rpath \
%if ! %{build_mini}
--with-ldap \
--with-pam \
--enable-pkinit \
--with-selinux \
%else
--disable-pkinit \
--without-pam \
%endif
--with-system-et \
--with-system-ss
make %{?jobs:-j%jobs}
%install
cd src
make DESTDIR=%{buildroot} install
cd ..
# Munge the krb5-config script to remove rpaths and CFLAGS.
sed "s|^CC_LINK=.*|CC_LINK='\$(CC) \$(PROG_LIBPATH)'|g" src/krb5-config > $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
# install autoconf macro
mkdir -p %{buildroot}/%{_datadir}/aclocal
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
# install sample config files
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
mkdir -p %{buildroot}%{_sysconfdir}
mkdir -p %{buildroot}/etc/profile.d/
mkdir -p %{buildroot}/var/log/krb5
mkdir -p %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
# create plugin directories
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh
install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
# all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do
chmod 0755 ${lib}
done
# and binaries too
chmod 0755 %{buildroot}/usr/lib/mit/bin/ksu
# install init scripts
mkdir -p %{buildroot}%{_sysconfdir}/init.d
install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind
install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc
install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
# install logrotate files
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
find . -type f -name '*.ps' -exec gzip -9 {} \;
# create rc* links
mkdir -p %{buildroot}/usr/bin/
ln -sf ../../etc/init.d/kadmind %{buildroot}/usr/bin/rckadmind
ln -sf ../../etc/init.d/krb5kdc %{buildroot}/usr/bin/rckrb5kdc
ln -sf ../../etc/init.d/kpropd %{buildroot}/usr/bin/rckpropd
# create links for kinit and klist, because of the java ones
ln -sf ../../usr/lib/mit/bin/kinit %{buildroot}/usr/bin/kinit
ln -sf ../../usr/lib/mit/bin/klist %{buildroot}/usr/bin/klist
# install doc
install -d -m 755 %{buildroot}/%{krb5docdir}
install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
%if ! %{build_mini}
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{krb5docdir}/kerberos.schema
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{krb5docdir}/kerberos.ldif
%endif
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf %{buildroot}/usr/lib/mit/share/examples
rm -rf %{buildroot}/usr/lib/mit/share/locale
#####################################################
# krb5-mini-devel pre/post/postun
#####################################################
%if %{build_mini}
%preun
%stop_on_removal krb5kdc kadmind kpropd
%postun
/sbin/ldconfig
%restart_on_update krb5kdc kadmind kpropd
%{insserv_cleanup}
%post -p /sbin/ldconfig
%else
#####################################################
# krb5 pre/post/postun
#####################################################
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%preun server
#####################################################
# krb5-server preun/postun
#####################################################
%stop_on_removal krb5kdc kadmind kpropd
%postun server
%restart_on_update krb5kdc kadmind kpropd
%{insserv_cleanup}
#####################################################
# krb5-plugin-kdb-ldap post/postun
#####################################################
%post plugin-kdb-ldap -p /sbin/ldconfig
%postun plugin-kdb-ldap -p /sbin/ldconfig
%endif
########################################################
# files sections
########################################################
%files devel
%defattr(-,root,root)
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
%dir /usr/lib/mit/share
%dir %{_datadir}/aclocal
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
%{_libdir}/libkadm5clnt_mit.so
%{_libdir}/libkadm5clnt.so
%{_libdir}/libkadm5srv_mit.so
%{_libdir}/libkadm5srv.so
%{_libdir}/libkdb5.so
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
%{_libdir}/libverto.so
%{_libdir}/libverto-k5ev.so
%{_includedir}/*
/usr/lib/mit/bin/krb5-config
/usr/lib/mit/sbin/krb5-send-pr
/usr/lib/mit/share/gnats
%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/krb5-config.1*
%{_datadir}/aclocal/ac_check_krb5.m4
%if %{build_mini}
%files
%defattr(-,root,root)
%dir %{krb5docdir}
# add directories
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
%attr(0700,root,root) %dir /var/log/krb5
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
%dir /usr/lib/mit/bin
%doc %{krb5docdir}/README
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
%attr(0644,root,root) %config /etc/profile.d/krb5*
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_sysconfdir}/init.d/*
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libverto-k5ev.so.*
%{_libdir}/krb5/plugins/kdb/*
%if ! 0%{?build_mini}
%{_libdir}/krb5/plugins/preauth/*
%endif
#/usr/lib/mit/sbin/*
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
/usr/lib/mit/sbin/kpropd
/usr/lib/mit/sbin/kproplog
/usr/lib/mit/sbin/kprop
/usr/lib/mit/sbin/kdb5_util
/usr/lib/mit/sbin/krb5kdc
/usr/lib/mit/sbin/uuserver
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/gss-server
/usr/lib/mit/sbin/sim_server
/usr/lib/mit/bin/k5srvutil
/usr/lib/mit/bin/kvno
/usr/lib/mit/bin/kinit
/usr/lib/mit/bin/kdestroy
/usr/lib/mit/bin/kpasswd
/usr/lib/mit/bin/klist
/usr/lib/mit/bin/kadmin
/usr/lib/mit/bin/ktutil
/usr/lib/mit/bin/kswitch
%attr(0755,root,root) /usr/lib/mit/bin/ksu
/usr/lib/mit/bin/uuclient
/usr/lib/mit/bin/sclient
/usr/lib/mit/bin/gss-client
/usr/lib/mit/bin/sim_client
/usr/bin/kinit
/usr/bin/klist
/usr/bin/rc*
#%{_mandir}/man1/*
%{_mandir}/man1/kvno.1*
%{_mandir}/man1/kinit.1*
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/ksu.1*
%{_mandir}/man1/sclient.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
%{_mandir}/man1/k5srvutil.1*
%{_mandir}/man1/kswitch.1*
%{_mandir}/man5/*
%{_mandir}/man5/.k5login.5.gz
%{_mandir}/man5/.k5identity.5*
%{_mandir}/man8/*
%else
%files
%defattr(-,root,root)
%dir %{krb5docdir}
# add plugin directories
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
# add log directory
%attr(0700,root,root) %dir /var/log/krb5
%doc %{krb5docdir}/README
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
%attr(0644,root,root) %config /etc/profile.d/krb5*
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libverto-k5ev.so.*
%files server
%defattr(-,root,root)
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
%{_sysconfdir}/init.d/kadmind
%{_sysconfdir}/init.d/krb5kdc
%{_sysconfdir}/init.d/kpropd
%dir %{krb5docdir}
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
/usr/bin/rc*
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
/usr/lib/mit/sbin/kpropd
/usr/lib/mit/sbin/kproplog
/usr/lib/mit/sbin/kprop
/usr/lib/mit/sbin/kdb5_util
/usr/lib/mit/sbin/krb5kdc
/usr/lib/mit/sbin/gss-server
/usr/lib/mit/sbin/sim_server
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/uuserver
%{_libdir}/krb5/plugins/kdb/db2.so
%{_mandir}/man5/kdc.conf.5*
%{_mandir}/man8/kadmind.8*
%{_mandir}/man8/kadmin.local.8*
%{_mandir}/man8/kpropd.8*
%{_mandir}/man8/kprop.8*
%{_mandir}/man8/kproplog.8.gz
%{_mandir}/man8/kdb5_util.8*
%{_mandir}/man8/krb5kdc.8*
%{_mandir}/man8/sserver.8*
%files client
%defattr(-,root,root)
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
/usr/lib/mit/bin/kvno
/usr/lib/mit/bin/kinit
/usr/lib/mit/bin/kdestroy
/usr/lib/mit/bin/kpasswd
/usr/lib/mit/bin/klist
/usr/lib/mit/bin/kadmin
/usr/lib/mit/bin/ktutil
/usr/lib/mit/bin/k5srvutil
/usr/lib/mit/bin/gss-client
/usr/lib/mit/bin/ksu
/usr/lib/mit/bin/sclient
/usr/lib/mit/bin/sim_client
/usr/lib/mit/bin/uuclient
/usr/lib/mit/bin/kswitch
/usr/bin/kinit
/usr/bin/klist
%{_mandir}/man1/kvno.1*
%{_mandir}/man1/kinit.1*
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
%{_mandir}/man1/k5srvutil.1*
%{_mandir}/man1/kswitch.1*
%{_mandir}/man5/krb5.conf.5*
%{_mandir}/man5/.k5login.5*
%{_mandir}/man5/.k5identity.5*
%{_mandir}/man5/k5identity.5*
%{_mandir}/man5/k5login.5*
%{_mandir}/man1/ksu.1.gz
%{_mandir}/man1/sclient.1.gz
%files plugin-kdb-ldap
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir /usr/lib/mit/sbin/
%dir %{krb5docdir}
%doc %{krb5docdir}/kerberos.schema
%doc %{krb5docdir}/kerberos.ldif
%{_libdir}/krb5/plugins/kdb/kldap.so
/usr/lib/mit/sbin/kdb5_ldap_util
%{_libdir}/libkdb_ldap*
%{_mandir}/man8/kdb5_ldap_util.8*
%files plugin-preauth-pkinit
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so
%endif #build_mini
%changelog
++++++ krb5.spec ++++++
#
# spec file for package krb5
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%define build_mini 0
%define srcRoot krb5-1.10.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
Name: krb5
Url: http://web.mit.edu/kerberos/www/
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: keyutils
BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.10.2
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
Group: Productivity/Networking/Security
%if ! 0%{?build_mini}
BuildRequires: libopenssl-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
# bug437293
%ifarch ppc64
Obsoletes: krb5-64bit
%endif
#
%endif
Source: krb5-%{version}.tar.bz2
Source1: vendor-files.tar.bz2
Source2: baselibs.conf
Source5: krb5-rpmlintrc
Source10: krb5-1.8-manpaths.txt
Patch1: krb5-1.8-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.10-selinux-label.patch
Patch4: krb5-1.10-buildconf.patch
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.10-kpasswd_tcp.patch
Patch7: krb5-1.6.3-ktutil-manpage.dif
Patch8: krb5-1.7-doublelog.patch
Patch9: krb5-1.8-api.patch
Patch10: krb5-1.9-kprop-mktemp.patch
Patch11: krb5-1.9-ksu-path.patch
Patch12: krb5-1.10-gcc47.patch
Patch13: MITKRB5-SA-2012-001.dif
Patch14: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
Patch15: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
%description
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords.
%if ! %{build_mini}
%package client
Summary: MIT Kerberos5 implementation - client programs
Group: Productivity/Networking/Security
%description client
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes some required
client programs, like kinit, kadmin, ...
%package server
Summary: MIT Kerberos5 implementation - server
Group: Productivity/Networking/Security
Requires: cron
Requires: logrotate
Requires: perl-Date-Calc
PreReq: %insserv_prereq %fillup_prereq
%description server
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes the kdc, kadmind
and more.
%package plugin-kdb-ldap
Summary: MIT Kerberos5 Implementation--LDAP Database Plugin
Group: Productivity/Networking/Security
Requires: krb5-server = %{version}
%description plugin-kdb-ldap
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords. This package contains the LDAP
database plugin.
%package plugin-preauth-pkinit
Summary: MIT Kerberos5 Implementation--PKINIT preauth Plugin
Group: Productivity/Networking/Security
%description plugin-preauth-pkinit
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.
%endif #! build_mini
%package devel
Summary: MIT Kerberos5 - Include Files and Libraries
Group: Development/Libraries/C and C++
PreReq: %{name} = %{version}
Requires: keyutils-devel
Requires: libcom_err-devel
# bug437293
%ifarch ppc64
Obsoletes: krb5-devel-64bit
%endif
%if %{build_mini}
Provides: krb5-devel = %{version}
%endif
#
%description devel
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes Libraries and
Include Files for Development
%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12
%patch13 -p1
%patch14 -p1
%patch15 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
%build
# needs to be re-generated
rm -f src/lib/krb5/krb/deltat.c
cd src
./util/reconf
CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC " \
./configure \
--prefix=/usr/lib/mit \
--sysconfdir=%{_sysconfdir} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
--libexecdir=/usr/lib/mit/sbin \
--libdir=%{_libdir} \
--includedir=%{_includedir} \
--localstatedir=%{_localstatedir}/lib/kerberos \
--enable-shared \
--disable-static \
--enable-kdc-replay-cache \
--enable-dns-for-realm \
--disable-rpath \
%if ! %{build_mini}
--with-ldap \
--with-pam \
--enable-pkinit \
--with-selinux \
%else
--disable-pkinit \
--without-pam \
%endif
--with-system-et \
--with-system-ss
make %{?jobs:-j%jobs}
%install
cd src
make DESTDIR=%{buildroot} install
cd ..
# Munge the krb5-config script to remove rpaths and CFLAGS.
sed "s|^CC_LINK=.*|CC_LINK='\$(CC) \$(PROG_LIBPATH)'|g" src/krb5-config > $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
# install autoconf macro
mkdir -p %{buildroot}/%{_datadir}/aclocal
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
# install sample config files
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
mkdir -p %{buildroot}%{_sysconfdir}
mkdir -p %{buildroot}/etc/profile.d/
mkdir -p %{buildroot}/var/log/krb5
mkdir -p %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
# create plugin directories
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh
install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
# all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do
chmod 0755 ${lib}
done
# and binaries too
chmod 0755 %{buildroot}/usr/lib/mit/bin/ksu
# install init scripts
mkdir -p %{buildroot}%{_sysconfdir}/init.d
install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind
install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc
install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
# install logrotate files
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
find . -type f -name '*.ps' -exec gzip -9 {} \;
# create rc* links
mkdir -p %{buildroot}/usr/bin/
ln -sf ../../etc/init.d/kadmind %{buildroot}/usr/bin/rckadmind
ln -sf ../../etc/init.d/krb5kdc %{buildroot}/usr/bin/rckrb5kdc
ln -sf ../../etc/init.d/kpropd %{buildroot}/usr/bin/rckpropd
# create links for kinit and klist, because of the java ones
ln -sf ../../usr/lib/mit/bin/kinit %{buildroot}/usr/bin/kinit
ln -sf ../../usr/lib/mit/bin/klist %{buildroot}/usr/bin/klist
# install doc
install -d -m 755 %{buildroot}/%{krb5docdir}
install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
%if ! %{build_mini}
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{krb5docdir}/kerberos.schema
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{krb5docdir}/kerberos.ldif
%endif
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf %{buildroot}/usr/lib/mit/share/examples
rm -rf %{buildroot}/usr/lib/mit/share/locale
#####################################################
# krb5-mini-devel pre/post/postun
#####################################################
%if %{build_mini}
%preun
%stop_on_removal krb5kdc kadmind kpropd
%postun
/sbin/ldconfig
%restart_on_update krb5kdc kadmind kpropd
%{insserv_cleanup}
%post -p /sbin/ldconfig
%else
#####################################################
# krb5 pre/post/postun
#####################################################
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%preun server
#####################################################
# krb5-server preun/postun
#####################################################
%stop_on_removal krb5kdc kadmind kpropd
%postun server
%restart_on_update krb5kdc kadmind kpropd
%{insserv_cleanup}
#####################################################
# krb5-plugin-kdb-ldap post/postun
#####################################################
%post plugin-kdb-ldap -p /sbin/ldconfig
%postun plugin-kdb-ldap -p /sbin/ldconfig
%endif
########################################################
# files sections
########################################################
%files devel
%defattr(-,root,root)
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
%dir /usr/lib/mit/share
%dir %{_datadir}/aclocal
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
%{_libdir}/libkadm5clnt_mit.so
%{_libdir}/libkadm5clnt.so
%{_libdir}/libkadm5srv_mit.so
%{_libdir}/libkadm5srv.so
%{_libdir}/libkdb5.so
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
%{_libdir}/libverto.so
%{_libdir}/libverto-k5ev.so
%{_includedir}/*
/usr/lib/mit/bin/krb5-config
/usr/lib/mit/sbin/krb5-send-pr
/usr/lib/mit/share/gnats
%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/krb5-config.1*
%{_datadir}/aclocal/ac_check_krb5.m4
%if %{build_mini}
%files
%defattr(-,root,root)
%dir %{krb5docdir}
# add directories
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
%attr(0700,root,root) %dir /var/log/krb5
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
%dir /usr/lib/mit/bin
%doc %{krb5docdir}/README
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
%attr(0644,root,root) %config /etc/profile.d/krb5*
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_sysconfdir}/init.d/*
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libverto-k5ev.so.*
%{_libdir}/krb5/plugins/kdb/*
%if ! 0%{?build_mini}
%{_libdir}/krb5/plugins/preauth/*
%endif
#/usr/lib/mit/sbin/*
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
/usr/lib/mit/sbin/kpropd
/usr/lib/mit/sbin/kproplog
/usr/lib/mit/sbin/kprop
/usr/lib/mit/sbin/kdb5_util
/usr/lib/mit/sbin/krb5kdc
/usr/lib/mit/sbin/uuserver
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/gss-server
/usr/lib/mit/sbin/sim_server
/usr/lib/mit/bin/k5srvutil
/usr/lib/mit/bin/kvno
/usr/lib/mit/bin/kinit
/usr/lib/mit/bin/kdestroy
/usr/lib/mit/bin/kpasswd
/usr/lib/mit/bin/klist
/usr/lib/mit/bin/kadmin
/usr/lib/mit/bin/ktutil
/usr/lib/mit/bin/kswitch
%attr(0755,root,root) /usr/lib/mit/bin/ksu
/usr/lib/mit/bin/uuclient
/usr/lib/mit/bin/sclient
/usr/lib/mit/bin/gss-client
/usr/lib/mit/bin/sim_client
/usr/bin/kinit
/usr/bin/klist
/usr/bin/rc*
#%{_mandir}/man1/*
%{_mandir}/man1/kvno.1*
%{_mandir}/man1/kinit.1*
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/ksu.1*
%{_mandir}/man1/sclient.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
%{_mandir}/man1/k5srvutil.1*
%{_mandir}/man1/kswitch.1*
%{_mandir}/man5/*
%{_mandir}/man5/.k5login.5.gz
%{_mandir}/man5/.k5identity.5*
%{_mandir}/man8/*
%else
%files
%defattr(-,root,root)
%dir %{krb5docdir}
# add plugin directories
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
# add log directory
%attr(0700,root,root) %dir /var/log/krb5
%doc %{krb5docdir}/README
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
%attr(0644,root,root) %config /etc/profile.d/krb5*
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libverto-k5ev.so.*
%files server
%defattr(-,root,root)
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
%{_sysconfdir}/init.d/kadmind
%{_sysconfdir}/init.d/krb5kdc
%{_sysconfdir}/init.d/kpropd
%dir %{krb5docdir}
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
/usr/bin/rc*
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
/usr/lib/mit/sbin/kpropd
/usr/lib/mit/sbin/kproplog
/usr/lib/mit/sbin/kprop
/usr/lib/mit/sbin/kdb5_util
/usr/lib/mit/sbin/krb5kdc
/usr/lib/mit/sbin/gss-server
/usr/lib/mit/sbin/sim_server
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/uuserver
%{_libdir}/krb5/plugins/kdb/db2.so
%{_mandir}/man5/kdc.conf.5*
%{_mandir}/man8/kadmind.8*
%{_mandir}/man8/kadmin.local.8*
%{_mandir}/man8/kpropd.8*
%{_mandir}/man8/kprop.8*
%{_mandir}/man8/kproplog.8.gz
%{_mandir}/man8/kdb5_util.8*
%{_mandir}/man8/krb5kdc.8*
%{_mandir}/man8/sserver.8*
%files client
%defattr(-,root,root)
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
/usr/lib/mit/bin/kvno
/usr/lib/mit/bin/kinit
/usr/lib/mit/bin/kdestroy
/usr/lib/mit/bin/kpasswd
/usr/lib/mit/bin/klist
/usr/lib/mit/bin/kadmin
/usr/lib/mit/bin/ktutil
/usr/lib/mit/bin/k5srvutil
/usr/lib/mit/bin/gss-client
/usr/lib/mit/bin/ksu
/usr/lib/mit/bin/sclient
/usr/lib/mit/bin/sim_client
/usr/lib/mit/bin/uuclient
/usr/lib/mit/bin/kswitch
/usr/bin/kinit
/usr/bin/klist
%{_mandir}/man1/kvno.1*
%{_mandir}/man1/kinit.1*
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
%{_mandir}/man1/k5srvutil.1*
%{_mandir}/man1/kswitch.1*
%{_mandir}/man5/krb5.conf.5*
%{_mandir}/man5/.k5login.5*
%{_mandir}/man5/.k5identity.5*
%{_mandir}/man5/k5identity.5*
%{_mandir}/man5/k5login.5*
%{_mandir}/man1/ksu.1.gz
%{_mandir}/man1/sclient.1.gz
%files plugin-kdb-ldap
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir /usr/lib/mit/sbin/
%dir %{krb5docdir}
%doc %{krb5docdir}/kerberos.schema
%doc %{krb5docdir}/kerberos.ldif
%{_libdir}/krb5/plugins/kdb/kldap.so
/usr/lib/mit/sbin/kdb5_ldap_util
%{_libdir}/libkdb_ldap*
%{_mandir}/man8/kdb5_ldap_util.8*
%files plugin-preauth-pkinit
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so
%endif #build_mini
%changelog
++++++ MITKRB5-SA-2012-001.dif ++++++
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 23623fe..8ada9d0 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -463,7 +463,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
krb5_enctype useenctype;
struct as_req_state *state;
- state = malloc(sizeof(*state));
+ state = calloc(sizeof(*state), 1);
if (!state) {
(*respond)(arg, ENOMEM, NULL);
return;
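Review bot: the arguments to `calloc` in `state = calloc(sizeof(*state), 1);` are in the reverse of the conventional (count, size) order. The allocation is the same size either way, but `calloc(1, sizeof(*state))` reads as "one zeroed as_req_state" and matches what static checkers expect. The patch also carries no header text; a line naming which item of MITKRB5-SA-2012-001 each file change addresses would help later audits.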
@@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
state->authtime = 0;
state->c_flags = 0;
state->req_pkt = req_pkt;
+ state->inner_body = NULL;
state->rstate = NULL;
state->sname = 0;
state->cname = 0;
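Review bot: `state->inner_body = NULL;` is redundant now that the structure comes from a zeroing `calloc` in the earlier hunk, as are the neighbouring `= 0` and `= NULL` assignments. Keeping both is harmless, but choose one convention: either rely on the zeroed allocation and drop the field-by-field block, or keep the block and make sure every pointer member that the cleanup path frees is listed in it.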
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 9d8cb34..d4ece3f 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
continue;
}
- if (request_contains_enctype(context, request, db_etype)) {
+ if (krb5_is_permitted_enctype(context, db_etype) &&
+ request_contains_enctype(context, request, db_etype)) {
retval = _make_etype_info_entry(context, client->princ,
client_key, db_etype,
&entry[i], etype_info2);
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index a43b291..94dad3a 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request,
return 0;
pa.magic = KV5M_PA_DATA;
pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
+ memset(&checksum, 0, sizeof(checksum));
retval = krb5_c_make_checksum(kdc_context,0, reply_key,
KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
if (retval != 0)
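Review bot: the `memset(&checksum, 0, sizeof(checksum));` is placed after the early `return 0;`, so it only protects exits from this point onward. Zero-initializing `checksum` at its declaration would cover every path that might later reach a free of its contents, including ones added in future, and would make the failure branch under `if (retval != 0)` safe without depending on statement order.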
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index c4bf92e..367c894 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
krb5_boolean saw_non_permitted = FALSE;
ret = 0;
+ if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
+ return KRB5_KDB_NO_PERMITTED_KEY;
+
if (kvno == -1 && stype == -1 && ktype == -1)
kvno = 0;
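Review bot: the new early return in `if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))` relies on `-1` meaning "any enctype", the same sentinel used in the `kvno == -1 && stype == -1 && ktype == -1` test just below, and neither use is documented here. Add a one-line comment stating that a specifically requested but non-permitted enctype is rejected up front, and note how this interacts with the existing `saw_non_permitted` tracking so the two mechanisms are not mistaken for duplicates.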
++++++ baselibs.conf ++++++
krb5
obsoletes "heimdal-lib-<targettype>"
provides "heimdal-lib-<targettype>"
krb5-devel
++++++ bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif ++++++
commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
Author: Xi Wang
Date: Thu Feb 14 18:17:40 2013 -0500
PKINIT null pointer deref [CVE-2013-1415]
Don't dereference a null pointer when cleaning up.
The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process. An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C
This is a minimal commit for pullup; style fixes in a followup.
[kaduk@mit.edu: reformat and edit commit message]
ticket: 7570 (new)
target_version: 1.11.1
tags: pullup
Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -3242,7 +3242,7 @@ pkinit_check_kdc_pkid(krb5_context conte
pkiDebug("found kdcPkId in AS REQ\n");
is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
if (is == NULL)
- goto cleanup;
+ return retval;
status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
if (!status) {
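Review bot: replacing `goto cleanup;` with `return retval;` under `if (is == NULL)` is only correct if `retval` already holds an error code at this point, and its initialization is not visible in the hunk. Returning an explicit error constant here, or adding a comment that `retval` is initialized to a failure value at declaration, would make the decode-failure path self-evidently safe. Also confirm nothing allocated before `d2i_PKCS7_ISSUER_AND_SERIAL` needs releasing, since this path now skips the frees entirely.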
@@ -3252,7 +3252,6 @@ pkinit_check_kdc_pkid(krb5_context conte
}
retval = 0;
-cleanup:
X509_NAME_free(is->issuer);
ASN1_INTEGER_free(is->serial);
free(is);
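Review bot: with the `cleanup:` label removed, the remaining release sequence `X509_NAME_free(is->issuer); ASN1_INTEGER_free(is->serial); free(is);` still takes apart an object returned by `d2i_PKCS7_ISSUER_AND_SERIAL` by hand and hands it to libc `free`. The matching destructor `PKCS7_ISSUER_AND_SERIAL_free(is)` would release the members and the container through OpenSSL's own allocator and tolerates NULL, which would also have removed the need for the early return. Worth folding into the follow-up the commit message promises.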
++++++ bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif ++++++
commit cd5ff932c9d1439c961b0cf9ccff979356686aff
Author: Nalin Dahyabhai
Date: Thu Dec 13 14:26:07 2012 -0500
PKINIT (draft9) null ptr deref [CVE-2012-1016]
Don't check for an agility KDF identifier in the non-draft9 reply
structure when we're building a draft9 reply, because it'll be NULL.
The KDC plugin for PKINIT can dereference a null pointer when handling
a draft9 request, leading to a crash of the KDC process. An attacker
would need to have a valid PKINIT certificate, or an unauthenticated
attacker could execute the attack if anonymous PKINIT is enabled.
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
[tlyu@mit.edu: reformat comment and edit log message]
ticket: 7506 (new)
target_version: 1.11
tags: pullup
Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_srv.c
+++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context
rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
(rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
- /* If mutually supported KDFs were found, use the alg agility KDF */
- if (rep->u.dh_Info.kdfID) {
- secret.data = server_key;
+ /* If we're not doing draft 9, and mutually supported KDFs were found,
+ * use the algorithm agility KDF. */
+ if (rep != NULL && rep->u.dh_Info.kdfID) {
+ secret.data = (char *)server_key;
secret.length = server_key_len;
retval = pkinit_alg_agility_kdf(context, &secret,
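Review bot: the `rep != NULL &&` guard in `if (rep != NULL && rep->u.dh_Info.kdfID)` is the fix, but the same hunk also changes `secret.data = server_key;` to `secret.data = (char *)server_key;`, which is unrelated to the null dereference. Split the cast into its own change or mention it in the log message, so a backporter of the CVE fix can tell which line is security-relevant. The outer condition accepts either `rep9` or `rep` being non-NULL, so any other `rep->` access inside this block deserves the same check.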
++++++ krb5-1.10-buildconf.patch ++++++
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them. Prune out
the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.
Index: krb5-1.10.2/src/config/shlib.conf
===================================================================
--- krb5-1.10.2.orig/src/config/shlib.conf
+++ krb5-1.10.2/src/config/shlib.conf
@@ -419,7 +419,7 @@ mips-*-netbsd*)
SHLIBEXT=.so
# Linux ld doesn't default to stuffing the SONAME field...
# Use objdump -x to examine the fields of the library
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro'
#
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
SHLIB_EXPORT_FILE_DEP=binutils.versions
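Review bot: `-Wl,-z,relro` is appended to `LDCOMBINE` unconditionally, which the patch header itself flags as a FIXME. Until a configure-time probe exists, state in the header which toolchains this has been built with. Note also that libraries get only `-z relro` here while programs get `-z now` as well in the next hunk; if partial RELRO for libraries is deliberate, say why in the header.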
@@ -430,7 +430,8 @@ mips-*-netbsd*)
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
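Review bot: only `CC_LINK_SHARED` gains `-pie -Wl,-z,relro -Wl,-z,now`; `CXX_LINK_SHARED` on the line below is left unchanged, so anything linked through the C++ rule is not hardened. Either add the same flags there or note that no shipped binary uses it. The new `INSTALL_SHLIB='${INSTALL} -m755'` also uses `${...}` where every neighbouring assignment uses `$(...)`; match the surrounding style.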
Index: krb5-1.10.2/src/krb5-config.in
===================================================================
--- krb5-1.10.2.orig/src/krb5-config.in
+++ krb5-1.10.2/src/krb5-config.in
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)##'`
+ if test `dirname $libdir` = /usr ; then
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
+ fi
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
+
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
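Review bot: in `if test `dirname $libdir` = /usr ; then` both the command substitution and `$libdir` are unquoted, so an empty or space-containing libdir breaks the test, and `$libdir` is interpolated into the sed pattern `s#-L$libdir##` where any `#` or regex metacharacter in the path changes its meaning. Quote the operands and consider a single sed invocation with all four expressions. The unanchored `s#-pie##g` will also strip that substring from inside any longer token.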
Index: krb5-1.10.2/src/config/pre.in
===================================================================
--- krb5-1.10.2.orig/src/config/pre.in
+++ krb5-1.10.2/src/config/pre.in
@@ -190,7 +190,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
INSTALL_SCRIPT=@INSTALL_PROGRAM@
INSTALL_DATA=@INSTALL_DATA@
INSTALL_SHLIB=@INSTALL_SHLIB@
-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
+INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
## This is needed because autoconf will sometimes define @exec_prefix@ to be
## ${prefix}.
prefix=@prefix@
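Review bot: dropping `-o root` from `INSTALL_SETUID` while keeping `-m 4755` means an install run by an unprivileged user now yields a setuid binary owned by that user instead of failing. That is fine inside this package, where the spec resets ksu with `chmod 0755` and `%attr(0755,root,root)`, but the patch header should say that ownership and mode are expected to be fixed up by the packaging, since the change is otherwise easy to misread as safe for a plain `make install`.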
++++++ krb5-1.10-gcc47.patch ++++++
This file also triggers the maybe-uninitialized warning/error. RT#7080
--- src/lib/krb5/krb/x-deltat.y
+++ src/lib/krb5/krb/x-deltat.y
@@ -44,6 +44,7 @@
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wuninitialized"
+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
#endif
#include
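Review bot: the added `#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"` sits under a bare `#ifdef __GNUC__`, but that warning name only exists from GCC 4.7 on, and older compilers may warn about the unknown option. Guard it with a version test such as `#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7)`. Suppressing the diagnostic for the whole generated parser is also broad; the header should name the variable that triggers it so the suppression can be removed once it is initialized.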
++++++ krb5-1.10-kpasswd_tcp.patch ++++++
Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
to wait for UDP to fail, so this might not be ideal. RT #5868.
Index: krb5-1.10.2/src/lib/krb5/os/changepw.c
===================================================================
--- krb5-1.10.2.orig/src/lib/krb5/os/changepw.c
+++ krb5-1.10.2/src/lib/krb5/os/changepw.c
@@ -274,10 +274,22 @@ change_set_password(krb5_context context
&callback_info, &chpw_rep, ss2sa(&remote_addr),
&addrlen, NULL, NULL, NULL);
if (code) {
- /*
- * Here we may want to switch to TCP on some errors.
- * right?
- */
+ /* if we're not using a stream socket, and it's an error which
+ * might reasonably be specific to a datagram "connection", try
+ * again with a stream socket */
+ if (!use_tcp) {
+ switch (code) {
+ case KRB5_KDC_UNREACH:
+ case KRB5_REALM_CANT_RESOLVE:
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
+ /* should we do this for more result codes than these? */
+ k5_free_serverlist (&sl);
+ use_tcp = 1;
+ continue;
+ default:
+ break;
+ }
+ }
break;
}
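Review bot: the retry path does `k5_free_serverlist (&sl); use_tcp = 1; continue;`, which is only safe if the enclosing loop repopulates `sl` before any later path frees it again; that is not visible in the hunk and should be confirmed to rule out a double free. The `if (!use_tcp)` guard does bound the retry to one attempt, which is good. The in-code question "should we do this for more result codes than these?" should be answered or tracked in RT #5868 rather than left in shipped code.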
++++++ krb5-1.10-selinux-label.patch ++++++
++++ 999 lines (skipped)
++++++ krb5-1.3.5-perlfix.dif ++++++
--- doc/man2html
+++ doc/man2html 2004/10/18 16:20:53
@@ -1,5 +1,4 @@
-#!/usr/athena/bin/perl
-#!/usr/local/bin/perl
+#!/usr/bin/perl
##---------------------------------------------------------------------------##
## File:
## @(#) man2html 1.2 97/08/12 12:57:30 @(#)
++++++ krb5-1.6.3-gssapi_improve_errormessages.dif ++++++
Index: krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c
===================================================================
--- krb5-1.10.2.orig/src/lib/gssapi/generic/disp_com_err_status.c
+++ krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c
@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *mino
status_string->value = NULL;
if (! g_make_string_buffer(((status_value == 0)?no_error:
- error_message(status_value)),
+ error_message((long)status_value)),
status_string)) {
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
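Review bot: the cast in `error_message((long)status_value)` makes explicit the conversion the compiler already performed implicitly, so on its own it changes no behaviour. If the goal is for a com_err code stored in an `OM_uint32` to reach `error_message` as the original negative value on 64-bit platforms, the value has to pass through a signed 32-bit type first. The patch has no description; state the intended effect and the platform where the message was wrong.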
++++++ krb5-1.6.3-ktutil-manpage.dif ++++++
Index: krb5-1.6.3/src/kadmin/ktutil/ktutil.M
===================================================================
--- krb5-1.6.3.orig/src/kadmin/ktutil/ktutil.M
+++ krb5-1.6.3/src/kadmin/ktutil/ktutil.M
@@ -63,5 +63,17 @@ Quits
Aliases:
.BR exit ,
.BR q .
+.SH REMARKS
+Changes to the keytab are appended to the keytab file (i.e., the keytab file
+is never overwritten). To directly modify a keytab, save the changes to a
+temporary file and then overwrite the keytab file of interest.
+.TP
+.nf
+Example:
+ktutil> rkt /etc/krb5.keytab
+(modifications to keytab)
+ktutil> wkt /tmp/krb5.newtab
+ktutil> q
+# mv /tmp/krb5.newtab /etc/krb5.keytab
.SH SEE ALSO
kadmin(8), kdb5_util(8)
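Review bot: the documented example writes the new keytab to a fixed, predictable name in a world-writable directory (`wkt /tmp/krb5.newtab`) and then moves it into place as root. A keytab holds long-term keys, so the example should use a root-only directory, ideally the same directory as `/etc/krb5.keytab` so the final `mv` is a same-filesystem rename. The `.nf` opened for the example is also never closed with `.fi` before `.SH SEE ALSO`.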
++++++ krb5-1.7-doublelog.patch ++++++
Don't double-log (actually, don't process /etc/krb5.conf twice) just
because we built with --sysconfdir=/etc. RT#3277
Index: krb5-1.10.2/src/include/Makefile.in
===================================================================
--- krb5-1.10.2.orig/src/include/Makefile.in
+++ krb5-1.10.2/src/include/Makefile.in
@@ -67,6 +67,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
-e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \
-e 's+@DYNOBJEXT+$(DYNOBJEXT)+'
OSCONFSRC = $(srcdir)/osconf.hin
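Review bot: the two added sed expressions hard-code `/etc/krb5.conf` rather than using `$(SYSCONFDIR)`, so the de-duplication only works when the package is configured with `--sysconfdir=/etc`, and the dots in the pattern are unescaped regex wildcards. Building the pattern from `$(SYSCONFDIR)` would keep the fix correct for other prefixes; if the patch is intended to be specific to this build, say so in the header.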
++++++ krb5-1.8-api.patch ++++++
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
Index: krb5-1.10.2/src/lib/krb5/krb/princ_comp.c
===================================================================
--- krb5-1.10.2.orig/src/lib/krb5/krb/princ_comp.c
+++ krb5-1.10.2/src/lib/krb5/krb/princ_comp.c
@@ -36,6 +36,12 @@ realm_compare_flags(krb5_context context
const krb5_data *realm1 = krb5_princ_realm(context, princ1);
const krb5_data *realm2 = krb5_princ_realm(context, princ2);
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
+ if ((realm1 == NULL) || (realm2 == NULL))
+ return FALSE;
+
if (realm1->length != realm2->length)
return FALSE;
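Review bot: the new `princ1 == NULL` / `princ2 == NULL` checks sit below the two initializers that already apply `krb5_princ_realm()` to `princ1` and `princ2`, so the NULL pointers are used before they are tested. Move the principal checks above the `realm1`/`realm2` declarations' initialization (declare first, check, then assign). Since `krb5_princ_realm()` is applied to a principal pointer, also confirm that the `realm1 == NULL` test can ever be true; if it cannot, drop it or replace it with a check on the realm's `data`/`length`.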
@@ -87,6 +93,9 @@ krb5_principal_compare_flags(krb5_contex
krb5_principal upn2 = NULL;
krb5_boolean ret = FALSE;
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
/* Treat UPNs as if they were real principals */
if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
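Review bot: the added NULL check makes `krb5_principal_compare_flags()` return FALSE for a NULL argument, including when both arguments are NULL, but nothing in the hunk documents that. The patch description says the reference docs leave this case undefined, so add the new behaviour to the function's header comment, so callers know FALSE can mean "invalid input" as well as "different principals".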
++++++ krb5-1.8-manpaths.txt ++++++
appl/sample/sserver/sserver.M
config-files/kdc.conf.M
config-files/krb5.conf.M
gen-manpages/kerberos.M
kadmin/cli/kadmin.M
slave/kpropd.M
slave/kprop.M
++++++ krb5-1.8-pam.patch ++++++
++++ 758 lines (skipped)
++++++ krb5-1.9-kprop-mktemp.patch ++++++
Use an in-memory ccache to silence a compiler warning, for RT#6414.
Index: krb5-1.10.2/src/slave/kprop.c
===================================================================
--- krb5-1.10.2.orig/src/slave/kprop.c
+++ krb5-1.10.2/src/slave/kprop.c
@@ -186,9 +186,8 @@ void PRS(argc, argv)
void get_tickets(context)
krb5_context context;
{
- char buf[BUFSIZ], *def_realm;
+ char buf[] = "MEMORY:_kproptkt", *def_realm;
krb5_error_code retval;
- static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
/*
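Review bot: in the new declaration `char buf[] = "MEMORY:_kproptkt", *def_realm;`, `buf` is no longer a scratch buffer but a fixed credential cache name. Rename it to something like `ccname` and declare it `static const char` on its own line, so later code cannot write into it and the `com_err()` message that prints it reads naturally.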
@@ -229,11 +228,8 @@ void get_tickets(context)
#endif
/*
- * Initialize cache file which we're going to be using
+ * Initialize an in-memory cache for temporary use
*/
- (void) mktemp(tkstring);
- snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
-
retval = krb5_cc_resolve(context, buf, &ccache);
if (retval) {
com_err(progname, retval, _("while opening credential cache %s"), buf);
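Review bot: the description presents this as silencing a compiler warning, but the lines removed here are the `mktemp(tkstring)` call and the `FILE:%s` cache name built from it, so the ticket cache no longer goes through a `/tmp` name that is generated without creating the file. Say so in the description so the change is tracked as hardening, and confirm that the in-memory cache is destroyed once the transfer is done, since the cleanup path is not visible in this hunk.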
++++++ krb5-1.9-ksu-path.patch ++++++
Set the default PATH to the one set by login.
diff -up krb5-1.9/src/clients/ksu/Makefile.in.ksu-path krb5-1.9/src/clients/ksu/Makefile.in
--- krb5-1.9/src/clients/ksu/Makefile.in.ksu-path 2010-03-05 10:58:25.000000000 -0500
+++ krb5-1.9/src/clients/ksu/Makefile.in 2010-03-05 10:58:25.000000000 -0500
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"'
DEFS=
PROG_LIBPATH=-L$(TOPLIBD)
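Review bot: the new `CMD_PATH` value lists `/usr/local/sbin` and `/usr/local/bin` ahead of `/sbin`, `/usr/sbin`, `/bin` and `/usr/bin`, so a command resolved through this list is taken from `/usr/local` first. For a program that runs commands as another user, either put the system directories first or state in the description that the order is copied deliberately from login's default and that `/usr/local` is writable by root only on the target systems.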
++++++ krb5-1.9-manpaths.dif ++++++
Change the absolute paths included in the man pages so that the correct
values can be dropped in by config.status. After applying this patch,
these files should be renamed to their ".in" counterparts, and then the
configure scripts should be rebuilt. Originally RT#6525
Index: krb5-1.10.2/src/aclocal.m4
===================================================================
--- krb5-1.10.2.orig/src/aclocal.m4
+++ krb5-1.10.2/src/aclocal.m4
@@ -1743,3 +1743,24 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[
+mansysconfdir=$sysconfdir
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"`
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"`
+mansbindir=$sbindir
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlocalstatedir=$localstatedir
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"`
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlibexecdir=$libexecdir
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"`
+AC_SUBST(mansysconfdir)
+AC_SUBST(mansbindir)
+AC_SUBST(manlocalstatedir)
+AC_SUBST(manlibexecdir)
+AC_CONFIG_FILES($1)
+])
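Review bot: every `eval echo $man...dir | sed -e "s,NONE,$prefix,g"` line in `V5_AC_OUTPUT_MANPAGE` expands its variable unquoted and interpolates the directory into a `sed` expression that uses `,` as delimiter, so a prefix containing whitespace, a comma or `&` produces a wrong path. Quote the expansions, factor the repeated eval/sed sequence into one helper so the four directories are handled identically, and quote the macro name as `AC_DEFUN([V5_AC_OUTPUT_MANPAGE], [...])`. A short comment on why the `NONE` replacement is applied up to three times would also help.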
Index: krb5-1.10.2/src/configure.in
===================================================================
--- krb5-1.10.2.orig/src/configure.in
+++ krb5-1.10.2/src/configure.in
@@ -1249,6 +1249,17 @@ AC_SUBST(localedir)
KRB5_WITH_PAM
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+
+V5_AC_OUTPUT_MANPAGE([
+ appl/sample/sserver/sserver.M
+ config-files/kdc.conf.M
+ config-files/krb5.conf.M
+ gen-manpages/kerberos.M
+ kadmin/cli/kadmin.M
+ slave/kpropd.M
+ slave/kprop.M
+])
+
V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/profile/testmod util/send-pr
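Review bot: the file list passed to `V5_AC_OUTPUT_MANPAGE` repeats the seven paths in krb5-1.8-manpaths.txt, so the two lists can drift apart. Add a comment here naming the other file as the source of truth, or generate one list from the other at build time.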
Index: krb5-1.10.2/src/appl/sample/sserver/sserver.M
===================================================================
--- krb5-1.10.2.orig/src/appl/sample/sserver/sserver.M
+++ krb5-1.10.2/src/appl/sample/sserver/sserver.M
@@ -59,7 +59,7 @@ option allows for a different keytab tha
using a line in
/etc/inetd.conf that looks like this:
.PP
-sample stream tcp nowait root /usr/local/sbin/sserver sserver
+sample stream tcp nowait root @mansbindir@/sserver sserver
.PP
Since \fBsample\fP is normally not a port defined in /etc/services, you will
usually have to add a line to /etc/services which looks like this:
Index: krb5-1.10.2/src/config-files/kdc.conf.M
===================================================================
--- krb5-1.10.2.orig/src/config-files/kdc.conf.M
+++ krb5-1.10.2/src/config-files/kdc.conf.M
@@ -92,14 +92,14 @@ This
.B string
specifies the location of the access control list (acl) file that
kadmin uses to determine which principals are allowed which permissions
-on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl.
+on the database. The default value is @manlocalstatedir@/krb5kdc/kadm5.acl.
.IP admin_keytab
This
.B string
Specifies the location of the keytab file that kadmin uses to
authenticate to the database. The default value is
-/usr/local/var/krb5kdc/kadm5.keytab.
+@manlocalstatedir@/krb5kdc/kadm5.keytab.
.IP database_name
This
@@ -274,7 +274,7 @@ tickets should be checked against the tr
realm names and the [capaths] section of its krb5.conf file
.SH FILES
-/usr/local/var/krb5kdc/kdc.conf
+@manlocalstatedir@/krb5kdc/kdc.conf
.SH SEE ALSO
krb5.conf(5), krb5kdc(8)
Index: krb5-1.10.2/src/config-files/krb5.conf.M
===================================================================
--- krb5-1.10.2.orig/src/config-files/krb5.conf.M
+++ krb5-1.10.2/src/config-files/krb5.conf.M
@@ -808,6 +808,6 @@ This module implements the encrypted cha
This module implements the encrypted timestamp mechanism.
.SH FILES
-/etc/krb5.conf
+@mansysconfdir@/krb5.conf
.SH SEE ALSO
syslog(3)
Index: krb5-1.10.2/src/gen-manpages/kerberos.M
===================================================================
--- krb5-1.10.2.orig/src/gen-manpages/kerberos.M
+++ krb5-1.10.2/src/gen-manpages/kerberos.M
@@ -125,7 +125,7 @@ default is /etc/krb5.conf.
Specifies the location of the KDC configuration file, which contains
additional configuration directives for the Key Distribution Center
daemon and associated programs. The default is
-/usr/local/var/krb5kdc/kdc.conf.
+@manlocalstatedir@/krb5kdc/kdc.conf.
.TP
.B KRB5RCACHETYPE
Specifies the default type of replay cache to use for servers. Valid
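Review bot: the hunk header context still reads `default is /etc/krb5.conf.`, so this page keeps a hard-coded configuration path just above the line converted to `@manlocalstatedir@`. For consistency with the krb5.conf.M hunk, that reference should become `@mansysconfdir@/krb5.conf`.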
Index: krb5-1.10.2/src/kadmin/cli/kadmin.M
===================================================================
--- krb5-1.10.2.orig/src/kadmin/cli/kadmin.M
+++ krb5-1.10.2/src/kadmin/cli/kadmin.M
@@ -924,9 +924,9 @@ option is specified, less verbose status
.RS
.TP
EXAMPLE:
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin
Entry for principal kadmin/admin with kvno 3 removed
- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab.
kadmin:
.RE
.fi
Index: krb5-1.10.2/src/slave/kpropd.M
===================================================================
--- krb5-1.10.2.orig/src/slave/kpropd.M
+++ krb5-1.10.2/src/slave/kpropd.M
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
This is done by adding a line to the inetd.conf file which looks like
this:
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @mansbindir@/kpropd kpropd
However, kpropd can also run as a standalone daemon, if the
.B \-S
@@ -111,13 +111,13 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
stored; by default the dumped database file is KPROPD_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/from_master).
+(normally @manlocalstatedir@/krb5kdc/from_master).
.TP
.B \-p
allows the user to specify the pathname to the
.IR kdb5_util (8)
program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL
-(normally /usr/local/sbin/kdb5_util).
+(normally @mansbindir@/kdb5_util).
.TP
.B \-S
turn on standalone mode. Normally, kpropd is invoked out of
@@ -148,14 +148,14 @@ mode.
allows the user to specify the path to the
kpropd.acl
file; by default the path used is KPROPD_ACL_FILE
-(normally /usr/local/var/krb5kdc/kpropd.acl).
+(normally @manlocalstatedir@/krb5kdc/kpropd.acl).
.SH FILES
.TP "\w'kpropd.acl\ \ 'u"
kpropd.acl
Access file for
.BR kpropd ;
the default location is KPROPD_ACL_FILE (normally
-/usr/local/var/krb5kdc/kpropd.acl).
+@manlocalstatedir@/krb5kdc/kpropd.acl).
Each entry is a line containing the principal of a host from which the
local machine will allow Kerberos database propagation via kprop.
.SH SEE ALSO
Index: krb5-1.10.2/src/slave/kprop.M
===================================================================
--- krb5-1.10.2.orig/src/slave/kprop.M
+++ krb5-1.10.2/src/slave/kprop.M
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created
by kdb5_util, and is normally KPROP_DEFAULT_FILE
-(/usr/local/var/krb5kdc/slave_datatrans).
+(@manlocalstatedir@/krb5kdc/slave_datatrans).
.SH OPTIONS
.TP
\fB\-r\fP \fIrealm\fP
@@ -51,7 +51,7 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
found; by default the dumped database file is KPROP_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/slave_datatrans).
+(normally @manlocalstatedir@/krb5kdc/slave_datatrans).
.TP
\fB\-P\fP \fIport\fP
specifies the port to use to contact the
++++++ krb5-doc-rpmlintrc ++++++
addFilter("files-duplicate .*css")
addFilter("files-duplicate .*img.*png")
++++++ krb5-rpmlintrc ++++++
addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so")
addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz")
addFilter("files-duplicate .*css")
addFilter("files-duplicate .*img.*png")
addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so")
addFilter("shlib-policy-missing-suffix")
++++++ pre_checkin.sh ++++++
#!/bin/sh
sed -e 's/Name:.*/Name: krb5-mini/g;' \
-e 's/%define.*build_mini.*/%define build_mini 1/g' krb5.spec > krb5-mini.spec
cp krb5.changes krb5-mini.changes