Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at Mon Aug 22 15:22:24 CEST 2011. -------- --- krb5/krb5-doc.changes 2010-04-09 12:47:36.000000000 +0200 +++ /mounts/work_src_done/STABLE/krb5/krb5-doc.changes 2011-08-22 10:22:11.000000000 +0200 @@ -1,0 +2,5 @@ +Mon Aug 22 10:21:56 CEST 2011 - mc@suse.de + +- update to version 1.9.1 + +------------------------------------------------------------------- --- krb5/krb5-mini.changes 2011-04-14 11:34:57.000000000 +0200 +++ /mounts/work_src_done/STABLE/krb5/krb5-mini.changes 2011-08-22 10:17:47.000000000 +0200 
@@ -1,0 +2,19 @@ +Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com + +- add patches from Fedora and upstream +- fix init scripts (bnc#689006) + +------------------------------------------------------------------- +Fri Aug 19 15:48:35 UTC 2011 - mc@novell.com + +- update to version 1.9.1 + * obsolete patches: + MITKRB5-SA-2010-007-1.8.dif + krb5-1.8-MITKRB5-SA-2010-006.dif + krb5-1.8-MITKRB5-SA-2011-001.dif + krb5-1.8-MITKRB5-SA-2011-002.dif + krb5-1.8-MITKRB5-SA-2011-003.dif + krb5-1.8-MITKRB5-SA-2011-004.dif + krb5-1.4.3-enospc.dif + * replace krb5-1.6.1-compile_pie.dif +------------------------------------------------------------------- krb5.changes: same change calling whatdependson for head-i586 Old: ---- MITKRB5-SA-2010-007-1.8.dif krb5-1.4.3-enospc.dif krb5-1.6.1-compile_pie.dif krb5-1.6.3-fix-ipv6-query.dif krb5-1.6.3-kprop-use-mkstemp.dif krb5-1.7-manpaths.dif krb5-1.7-manpaths.txt krb5-1.8-MITKRB5-SA-2010-006.dif krb5-1.8-MITKRB5-SA-2011-001.dif krb5-1.8-MITKRB5-SA-2011-002.dif krb5-1.8-MITKRB5-SA-2011-003.dif krb5-1.8-MITKRB5-SA-2011-004.dif krb5-1.8.3-rpmlintrc krb5-1.8.3.tar.bz2 krb5-doc-1.8.3-rpmlintrc New: ---- krb5-1.7-doublelog.patch krb5-1.7-nodeplibs.patch krb5-1.8-api.patch krb5-1.8-manpaths.txt krb5-1.8-pam.patch krb5-1.9-buildconf.patch krb5-1.9-canonicalize-fallback.patch krb5-1.9-kprop-mktemp.patch krb5-1.9-ksu-path.patch krb5-1.9-manpaths.dif krb5-1.9-paren.patch krb5-1.9-selinux-label.patch krb5-1.9.1-ai_addrconfig.patch krb5-1.9.1-ai_addrconfig2.patch krb5-1.9.1-sendto_poll.patch krb5-1.9.1.tar.bz2 krb5-doc-rpmlintrc krb5-klist_s.patch krb5-pkinit-cms2.patch krb5-rpmlintrc krb5-trunk-chpw-err.patch krb5-trunk-gss_delete_sec.patch krb5-trunk-kadmin-oldproto.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ krb5-doc.spec ++++++ --- /var/tmp/diff_new_pack.dRm5I9/_old 2011-08-22 15:18:26.000000000 +0200 +++ /var/tmp/diff_new_pack.dRm5I9/_new 2011-08-22 15:18:26.000000000 
+0200 @@ -20,15 +20,15 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive -Version: 1.8.3 -Release: 6 -%define srcRoot krb5-1.8.3 +Version: 1.9.1 +Release: 1 +%define srcRoot krb5-1.9.1 Summary: MIT Kerberos5 Implementation--Documentation License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ Group: Documentation/Other -Source: krb5-1.8.3.tar.bz2 -Source3: %{name}-%{version}-rpmlintrc +Source: krb5-%{version}.tar.bz2 +Source3: %{name}-rpmlintrc Patch0: krb5-1.3.5-perlfix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ krb5-mini.spec ++++++ --- /var/tmp/diff_new_pack.dRm5I9/_old 2011-08-22 15:18:26.000000000 +0200 +++ /var/tmp/diff_new_pack.dRm5I9/_new 2011-08-22 15:18:26.000000000 +0200 @@ -18,7 +18,7 @@ # norootforbuild %define build_mini 1 -%define srcRoot krb5-1.8.3 +%define srcRoot krb5-1.9.1 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,10 +27,12 @@ Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.8.3 -Release: 6 +BuildRequires: libselinux-devel +Version: 1.9.1 +Release: 1 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel +BuildRequires: pam-devel # bug437293 %ifarch ppc64 Obsoletes: krb5-64bit 
@@ -42,25 +44,33 @@ Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.8.3.tar.bz2 +Source: krb5-1.9.1.tar.bz2 Source1: vendor-files.tar.bz2 Source2: baselibs.conf -Source5: krb5-%{version}-rpmlintrc -Source10: krb5-1.7-manpaths.txt -Patch1: krb5-1.6.1-compile_pie.dif -Patch2: krb5-1.6.3-kprop-use-mkstemp.dif -Patch3: krb5-1.7-manpaths.dif -Patch4: krb5-1.4.3-enospc.dif +Source5: krb5-rpmlintrc +Source10: krb5-1.8-manpaths.txt +Patch1: krb5-1.9-buildconf.patch +Patch3: krb5-1.9-manpaths.dif Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif Patch6: krb5-1.6.3-kpasswd_tcp.patch Patch7: krb5-1.6.3-ktutil-manpage.dif -Patch8: krb5-1.6.3-fix-ipv6-query.dif -Patch12: krb5-1.8-MITKRB5-SA-2010-006.dif -Patch13: MITKRB5-SA-2010-007-1.8.dif -Patch14: krb5-1.8-MITKRB5-SA-2011-001.dif -Patch15: krb5-1.8-MITKRB5-SA-2011-002.dif -Patch16: krb5-1.8-MITKRB5-SA-2011-003.dif -Patch17: krb5-1.8-MITKRB5-SA-2011-004.dif +Patch10: krb5-1.7-doublelog.patch +Patch11: krb5-1.7-nodeplibs.patch +Patch12: krb5-1.8-api.patch +Patch13: krb5-1.8-pam.patch +Patch14: krb5-1.9.1-ai_addrconfig.patch +Patch15: krb5-1.9.1-ai_addrconfig2.patch +Patch16: krb5-1.9.1-sendto_poll.patch +Patch17: krb5-1.9-canonicalize-fallback.patch +Patch18: krb5-1.9-kprop-mktemp.patch +Patch19: krb5-1.9-ksu-path.patch +Patch20: krb5-1.9-paren.patch +Patch21: krb5-1.9-selinux-label.patch +Patch22: krb5-klist_s.patch +Patch23: krb5-pkinit-cms2.patch +Patch24: krb5-trunk-chpw-err.patch +Patch25: krb5-trunk-gss_delete_sec.patch +Patch26: krb5-trunk-kadmin-oldproto.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
@@ -200,20 +210,28 @@ %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} -%patch1 -%patch2 +%patch13 -p1 %patch3 -p1 -%patch4 -p1 +%patch21 -p1 +%patch1 -p1 %patch5 -p1 %patch6 %patch7 -p1 -%patch8 -p1 +%patch10 -p1 +%patch11 -p1 %patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p0 -%patch16 -p1 +%patch14 +%patch15 +%patch16 %patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 +%patch25 -p1 +%patch26 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do @@ -242,6 +260,9 @@ --disable-rpath \ %if ! %{build_mini} --with-ldap \ + --with-pam \ + --enable-pkinit \ + --with-selinux \ %else --disable-pkinit \ %endif ++++++ krb5.spec ++++++ --- /var/tmp/diff_new_pack.dRm5I9/_old 2011-08-22 15:18:26.000000000 +0200 +++ /var/tmp/diff_new_pack.dRm5I9/_new 2011-08-22 15:18:26.000000000 +0200 @@ -18,7 +18,7 @@ # norootforbuild %define build_mini 0 -%define srcRoot krb5-1.8.3 +%define srcRoot krb5-1.9.1 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,10 +27,12 @@ Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.8.3 -Release: 19 +BuildRequires: libselinux-devel +Version: 1.9.1 +Release: 1 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel +BuildRequires: pam-devel # bug437293 %ifarch ppc64 Obsoletes: krb5-64bit 
@@ -42,25 +44,33 @@ Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.8.3.tar.bz2 +Source: krb5-1.9.1.tar.bz2 Source1: vendor-files.tar.bz2 Source2: baselibs.conf -Source5: krb5-%{version}-rpmlintrc -Source10: krb5-1.7-manpaths.txt -Patch1: krb5-1.6.1-compile_pie.dif -Patch2: krb5-1.6.3-kprop-use-mkstemp.dif -Patch3: krb5-1.7-manpaths.dif -Patch4: krb5-1.4.3-enospc.dif +Source5: krb5-rpmlintrc +Source10: krb5-1.8-manpaths.txt +Patch1: krb5-1.9-buildconf.patch +Patch3: krb5-1.9-manpaths.dif Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif Patch6: krb5-1.6.3-kpasswd_tcp.patch Patch7: krb5-1.6.3-ktutil-manpage.dif -Patch8: krb5-1.6.3-fix-ipv6-query.dif -Patch12: krb5-1.8-MITKRB5-SA-2010-006.dif -Patch13: MITKRB5-SA-2010-007-1.8.dif -Patch14: krb5-1.8-MITKRB5-SA-2011-001.dif -Patch15: krb5-1.8-MITKRB5-SA-2011-002.dif -Patch16: krb5-1.8-MITKRB5-SA-2011-003.dif -Patch17: krb5-1.8-MITKRB5-SA-2011-004.dif +Patch10: krb5-1.7-doublelog.patch +Patch11: krb5-1.7-nodeplibs.patch +Patch12: krb5-1.8-api.patch +Patch13: krb5-1.8-pam.patch +Patch14: krb5-1.9.1-ai_addrconfig.patch +Patch15: krb5-1.9.1-ai_addrconfig2.patch +Patch16: krb5-1.9.1-sendto_poll.patch +Patch17: krb5-1.9-canonicalize-fallback.patch +Patch18: krb5-1.9-kprop-mktemp.patch +Patch19: krb5-1.9-ksu-path.patch +Patch20: krb5-1.9-paren.patch +Patch21: krb5-1.9-selinux-label.patch +Patch22: krb5-klist_s.patch +Patch23: krb5-pkinit-cms2.patch +Patch24: krb5-trunk-chpw-err.patch +Patch25: krb5-trunk-gss_delete_sec.patch +Patch26: krb5-trunk-kadmin-oldproto.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
@@ -200,20 +210,28 @@ %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} -%patch1 -%patch2 +%patch13 -p1 %patch3 -p1 -%patch4 -p1 +%patch21 -p1 +%patch1 -p1 %patch5 -p1 %patch6 %patch7 -p1 -%patch8 -p1 +%patch10 -p1 +%patch11 -p1 %patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p0 -%patch16 -p1 +%patch14 +%patch15 +%patch16 %patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 +%patch25 -p1 +%patch26 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do @@ -242,6 +260,9 @@ --disable-rpath \ %if ! %{build_mini} --with-ldap \ + --with-pam \ + --enable-pkinit \ + --with-selinux \ %else --disable-pkinit \ %endif ++++++ krb5-1.6.3-kpasswd_tcp.patch ++++++ --- /var/tmp/diff_new_pack.dRm5I9/_old 2011-08-22 15:18:27.000000000 +0200 +++ /var/tmp/diff_new_pack.dRm5I9/_new 2011-08-22 15:18:27.000000000 +0200 @@ -5,7 +5,7 @@ =================================================================== --- src/lib/krb5/os/changepw.c.orig +++ src/lib/krb5/os/changepw.c -@@ -280,10 +280,22 @@ change_set_password(krb5_context context +@@ -282,10 +282,22 @@ change_set_password(krb5_context context NULL ))) { ++++++ krb5-1.7-doublelog.patch ++++++ Don't double-log (actually, don't process /etc/krb5.conf twice) just because we built with --sysconfdir=/etc. RT#3277 Index: krb5-1.9.1/src/include/Makefile.in =================================================================== --- krb5-1.9.1.orig/src/include/Makefile.in +++ krb5-1.9.1/src/include/Makefile.in 
@@ -66,7 +66,9 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$( -e "s+@MODULEDIR+$(MODULE_DIR)+" \ -e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \ -e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \ - -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' + -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \ + -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \ + -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' OSCONFSRC = $(srcdir)/osconf.hin ++++++ krb5-1.7-nodeplibs.patch ++++++ Omit extra libraries because their interfaces aren't exposed to applications by libkrb5, unless do_deps is set to 1, which indicates that the caller wants the whole list. Index: krb5-1.9.1/src/krb5-config.in =================================================================== --- krb5-1.9.1.orig/src/krb5-config.in +++ krb5-1.9.1/src/krb5-config.in @@ -221,7 +221,11 @@ if test -n "$do_libs"; then fi if test $library = 'krb5'; then - lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + if test 0$do_deps -eq 1 ; then + lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + else + lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err" + fi fi echo $lib_flags ++++++ krb5-1.8-api.patch ++++++ Reference docs don't define what happens if you call krb5_realm_compare() with malformed krb5_principal structures. Define a behavior which keeps it from crashing if applications don't check ahead of time. diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/princ_comp.c --- krb5-1.8/src/lib/krb5/krb/princ_comp.c.api 2009-10-30 20:48:38.000000000 -0400 +++ krb5-1.8/src/lib/krb5/krb/princ_comp.c 2010-03-05 11:00:55.000000000 -0500 
@@ -41,6 +41,12 @@ realm_compare_flags(krb5_context context const krb5_data *realm1 = krb5_princ_realm(context, princ1); const krb5_data *realm2 = krb5_princ_realm(context, princ2); + if ((princ1 == NULL) || (princ2 == NULL)) + return FALSE; + + if ((realm1 == NULL) || (realm2 == NULL)) + return FALSE; + if (realm1->length != realm2->length) return FALSE; @@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex krb5_principal upn2 = NULL; krb5_boolean ret = FALSE; + if ((princ1 == NULL) || (princ2 == NULL)) + return FALSE; + if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { /* Treat UPNs as if they were real principals */ if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) { ++++++ krb5-1.7-manpaths.txt -> krb5-1.8-manpaths.txt ++++++ --- krb5/krb5-1.7-manpaths.txt 2010-01-08 15:25:29.000000000 +0100 +++ /mounts/work_src_done/STABLE/krb5/krb5-1.8-manpaths.txt 2011-03-15 04:13:45.000000000 +0100 
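Review bot: In realm_compare_flags the new `princ1 == NULL` / `princ2 == NULL` guard comes after the two initializers that already pass both pointers to `krb5_princ_realm()`, so a NULL principal is used before it is tested. If `krb5_princ_realm` expands to a member address (which I believe it does, but confirm against krb5.h), the `realm1 == NULL` test cannot fire for a NULL principal, and the earlier use is undefined behaviour that lets the compiler drop the guard. Declare `realm1`/`realm2` without initializers, test the principals first with `if (princ1 == NULL || princ2 == NULL) return FALSE;`, and only then assign `realm1 = krb5_princ_realm(context, princ1);`. The guard added to krb5_principal_compare_flags in the second hunk precedes every use visible there; both function bodies continue outside the hunks.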
@@ -1,30 +1,6 @@ -appl/sample/sclient/sclient.M appl/sample/sserver/sserver.M -clients/kcpytkt/kcpytkt.M -clients/kdeltkt/kdeltkt.M -clients/kdestroy/kdestroy.M -clients/kinit/kinit.M -clients/klist/klist.M -clients/kpasswd/kpasswd.M -clients/ksu/ksu.M -clients/kvno/kvno.M config-files/kdc.conf.M config-files/krb5.conf.M -gen-manpages/k5login.M -gen-manpages/kerberos.M -kadmin/cli/k5srvutil.M -kadmin/cli/kadmin.local.M kadmin/cli/kadmin.M -kadmin/dbutil/kdb5_util.M -kadmin/ktutil/ktutil.M -kadmin/server/kadmind.M -kdc/krb5kdc.M -krb5-config.M -plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M slave/kpropd.M slave/kprop.M -tests/create/kdb5_mkdums.M -util/et/com_err.3 -util/et/compile_et.1 -util/profile/profile.5 -util/send-pr/send-pr.1 ++++++ krb5-1.8-pam.patch ++++++ ++++ 757 lines (skipped) ++++++ krb5-1.9-buildconf.patch ++++++ Build binaries in this package as RELRO PIEs and install shared libraries with the execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. diff -up krb5-1.9/src/config/shlib.conf krb5-1.9/src/config/shlib.conf --- krb5-1.9/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500 +++ krb5-1.9/src/config/shlib.conf 2009-06-04 14:01:28.000000000 -0400 
@@ -430,7 +430,8 @@ SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' PROFFLAGS=-pg PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' - CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' + CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)' + INSTALL_SHLIB='${INSTALL} -m755' CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' diff -up krb5-1.9/src/krb5-config.in krb5-1.9/src/krb5-config.in --- krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 +++ krb5-1.9/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 @@ -187,8 +187,14 @@ if test -n "$do_libs"; then -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \ -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ - -e 's#\$(CFLAGS)#'"$CFLAGS"'#'` + -e 's#\$(CFLAGS)##'` + if test `dirname $libdir` = /usr ; then + lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"` + fi + lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"` + lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"` + if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 ++++++ krb5-1.9-canonicalize-fallback.patch ++++++
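Review bot: Only `CC_LINK_SHARED` gains `-pie -Wl,-z,relro,-z,now`; `CXX_LINK_SHARED` two lines below is left unchanged, so anything linked through the C++ rule would miss the hardening. `-pie` at link time also needs objects compiled with `-fPIE`, which this hunk does not add, so the build relies on CFLAGS supplying it from elsewhere (the patch's own FIXME says the flags are assumed rather than probed). Consider `CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)'` and a comment recording where `-fPIE` is expected to come from. The enclosing platform branch starts and ends outside the hunk.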
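Review bot: The added `sed` expressions in krb5-config.in strip each flag once and by plain substring, so a second `-pie` or `-fPIE` in `lib_flags` survives and `s#-L$libdir##` would also cut the front off a longer path that merely starts with `$libdir`. `test` is also given an unquoted `dirname $libdir`, which becomes a syntax error if `libdir` is empty or contains spaces. Adding the `g` flag (`-e "s#-fPIE##g" -e "s#-pie##g"`) and quoting both the `dirname` argument and its result would make the pruning dependable. The intent is to keep hardening flags from leaking into applications' link lines, so a silent partial strip defeats the purpose.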
From RT#6917.
Index: krb5-1.9.1/src/lib/krb5/krb/get_creds.c =================================================================== --- krb5-1.9.1.orig/src/lib/krb5/krb/get_creds.c +++ krb5-1.9.1/src/lib/krb5/krb/get_creds.c @@ -470,13 +470,10 @@ begin_non_referral(krb5_context context, /***** STATE_REFERRALS *****/ -/* - * Possibly retry a request in the fallback realm after a referral request - * failure in the local realm. Expects ctx->reply_code to be set to the error - * from a referral request. - */ +/* Possibly try a non-referral request after a referral request failure. + * Expects ctx->reply_code to be set to the error from a referral request. */ static krb5_error_code -try_fallback_realm(krb5_context context, krb5_tkt_creds_context ctx) +try_fallback(krb5_context context, krb5_tkt_creds_context ctx) { krb5_error_code code; char **hrealms; @@ -485,9 +482,10 @@ try_fallback_realm(krb5_context context, if (ctx->referral_count > 1) return ctx->reply_code; - /* Only fall back if the original request used the referral realm. */ + /* If the request used a specified realm, make a non-referral request to + * that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */ if (!krb5_is_referral_realm(&ctx->req_server->realm)) - return ctx->reply_code; + return begin_non_referral(context, ctx); if (ctx->server->length < 2) { /* We need a type/host format principal to find a fallback realm. */ @@ -500,10 +498,10 @@ try_fallback_realm(krb5_context context, if (code != 0) return code; - /* Give up if the fallback realm isn't any different. */ + /* If the fallback realm isn't any different, use the existing TGT. */ if (data_eq_string(ctx->server->realm, hrealms[0])) { krb5_free_host_realm(context, hrealms); - return ctx->reply_code; + return begin_non_referral(context, ctx); } /* Rewrite server->realm to be the fallback realm. */ 
@@ -540,9 +538,9 @@ step_referrals(krb5_context context, krb krb5_error_code code; const krb5_data *referral_realm; - /* Possibly retry with the fallback realm on error. */ + /* Possibly try a non-referral fallback request on error. */ if (ctx->reply_code != 0) - return try_fallback_realm(context, ctx); + return try_fallback(context, ctx); if (krb5_principal_compare(context, ctx->reply_creds->server, ctx->server)) { ++++++ krb5-1.9-kprop-mktemp.patch ++++++ Use an in-memory ccache to silence a compiler warning, for RT#6414. Index: krb5-1.9.1/src/slave/kprop.c =================================================================== --- krb5-1.9.1.orig/src/slave/kprop.c +++ krb5-1.9.1/src/slave/kprop.c @@ -188,9 +188,8 @@ void PRS(argc, argv) void get_tickets(context) krb5_context context; { - char buf[BUFSIZ], *def_realm; + char buf[] = "MEMORY:_kproptkt", *def_realm; krb5_error_code retval; - static char tkstring[] = "/tmp/kproptktXXXXXX"; krb5_keytab keytab = NULL; /* @@ -229,11 +228,8 @@ void get_tickets(context) #endif /* - * Initialize cache file which we're going to be using + * Initialize an in-memory cache for temporary use */ - (void) mktemp(tkstring); - snprintf(buf, sizeof(buf), "FILE:%s", tkstring); - retval = krb5_cc_resolve(context, buf, &ccache); if (retval) { com_err(progname, retval, "while opening credential cache %s", ++++++ krb5-1.9-ksu-path.patch ++++++ Set the default PATH to the one set by login. diff -up krb5-1.9/src/clients/ksu/Makefile.in.ksu-path krb5-1.9/src/clients/ksu/Makefile.in --- krb5-1.9/src/clients/ksu/Makefile.in.ksu-path 2010-03-05 10:58:25.000000000 -0500 +++ krb5-1.9/src/clients/ksu/Makefile.in 2010-03-05 10:58:25.000000000 -0500 
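Review bot: In get_tickets, `buf` shrinks from `BUFSIZ` to exactly the size of `"MEMORY:_kproptkt"`, so any write to `buf` elsewhere in the function (its body continues outside these hunks) would now truncate or overflow. Since the array is no longer modified in the visible code, a separate `static const char ccname[] = "MEMORY:_kproptkt";` would state that intent, assuming no other writer exists. The patch header describes the change as silencing a compiler warning, but the removed `mktemp()` on `/tmp/kproptktXXXXXX` was a predictable-name race on a file that holds credentials. The new comment should say so, e.g. `/* Use an in-memory ccache so no credential file is ever created under /tmp. */`.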
@@ -1,6 +1,6 @@ mydir=clients$(S)ksu BUILDTOP=$(REL)..$(S).. -DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' +DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"' DEFS= PROG_LIBPATH=-L$(TOPLIBD) ++++++ krb5-1.7-manpaths.dif -> krb5-1.9-manpaths.dif ++++++ --- krb5/krb5-1.7-manpaths.dif 2010-10-22 11:17:26.000000000 +0200 +++ /mounts/work_src_done/STABLE/krb5/krb5-1.9-manpaths.dif 2011-08-21 11:42:57.000000000 +0200 
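Review bot: `CMD_PATH` now lists `/usr/local/sbin` and `/usr/local/bin` ahead of the system directories. ksu is normally installed setuid root, so a command named without a path would presumably resolve to the `/usr/local` copy first (the lookup code is not in this hunk). Where `/usr/local` is writable by a non-root group, that precedence lets a locally installed file shadow a system binary that ksu then runs with elevated privileges. Putting the system directories first, `-DCMD_PATH='"/sbin /usr/sbin /bin /usr/bin /usr/local/sbin /usr/local/bin"'`, keeps the login-like set without giving `/usr/local` priority. A comment beside `DEFINES` should record that every directory listed must be root-owned and not group- or world-writable.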
@@ -1,9 +1,41 @@ +Change the absolute paths included in the man pages so that the correct +values can be dropped in by config.status. After applying this patch, +these files should be renamed to their ".in" counterparts, and then the +configure scripts should be rebuilt. Originally RT#6525 - -Index: krb5-1.8.3/src/appl/sample/sserver/sserver.M +Index: krb5-1.9.1/src/aclocal.m4 +=================================================================== +--- krb5-1.9.1.orig/src/aclocal.m4 ++++ krb5-1.9.1/src/aclocal.m4 +@@ -1782,3 +1782,24 @@ AC_SUBST(PAM_LIBS) + AC_SUBST(PAM_MAN) + AC_SUBST(NON_PAM_MAN) + ])dnl ++AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[ ++mansysconfdir=$sysconfdir ++mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` ++mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` ++mansbindir=$sbindir ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` ++manlocalstatedir=$localstatedir ++manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` ++manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` ++manlibexecdir=$libexecdir ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` ++AC_SUBST(mansysconfdir) ++AC_SUBST(mansbindir) ++AC_SUBST(manlocalstatedir) ++AC_SUBST(manlibexecdir) ++AC_CONFIG_FILES($1) ++]) +Index: krb5-1.9.1/src/appl/sample/sserver/sserver.M =================================================================== ---- krb5-1.8.3.orig/src/appl/sample/sserver/sserver.M -+++ krb5-1.8.3/src/appl/sample/sserver/sserver.M +--- krb5-1.9.1.orig/src/appl/sample/sserver/sserver.M ++++ krb5-1.9.1/src/appl/sample/sserver/sserver.M 
@@ -59,7 +59,7 @@ option allows for a different keytab tha using a line in /etc/inetd.conf that looks like this: @@ -13,10 +45,10 @@ .PP Since \fBsample\fP is normally not a port defined in /etc/services, you will usually have to add a line to /etc/services which looks like this: -Index: krb5-1.8.3/src/config-files/kdc.conf.M +Index: krb5-1.9.1/src/config-files/kdc.conf.M =================================================================== ---- krb5-1.8.3.orig/src/config-files/kdc.conf.M -+++ krb5-1.8.3/src/config-files/kdc.conf.M +--- krb5-1.9.1.orig/src/config-files/kdc.conf.M ++++ krb5-1.9.1/src/config-files/kdc.conf.M @@ -92,14 +92,14 @@ This .B string specifies the location of the access control list (acl) file that 
@@ -43,74 +75,44 @@ .SH SEE ALSO krb5.conf(5), krb5kdc(8) -Index: krb5-1.8.3/src/configure.in +Index: krb5-1.9.1/src/config-files/krb5.conf.M =================================================================== ---- krb5-1.8.3.orig/src/configure.in -+++ krb5-1.8.3/src/configure.in -@@ -1057,6 +1057,58 @@ if test "$ac_cv_lib_socket" = "yes" -a " - fi +--- krb5-1.9.1.orig/src/config-files/krb5.conf.M ++++ krb5-1.9.1/src/config-files/krb5.conf.M +@@ -768,6 +768,6 @@ with another database such as Active Dir + in for this interface. + + .SH FILES +-/etc/krb5.conf ++@mansysconfdir@/krb5.conf + .SH SEE ALSO + syslog(3) +Index: krb5-1.9.1/src/configure.in +=================================================================== +--- krb5-1.9.1.orig/src/configure.in ++++ krb5-1.9.1/src/configure.in +@@ -1128,6 +1128,16 @@ fi + KRB5_WITH_PAM AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + -+mansysconfdir=$sysconfdir -+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` -+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` -+mansbindir=$sbindir -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` -+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` -+manlocalstatedir=$localstatedir -+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` -+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` -+manlibexecdir=$libexecdir -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` -+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` -+AC_SUBST(mansysconfdir) -+AC_SUBST(mansbindir) -+AC_SUBST(manlocalstatedir) -+AC_SUBST(manlibexecdir) -+AC_OUTPUT([ -+ appl/sample/sclient/sclient.M ++V5_AC_OUTPUT_MANPAGE([ + appl/sample/sserver/sserver.M -+ clients/kcpytkt/kcpytkt.M 
-+ clients/kdeltkt/kdeltkt.M -+ clients/kdestroy/kdestroy.M -+ clients/kinit/kinit.M -+ clients/klist/klist.M -+ clients/kpasswd/kpasswd.M -+ clients/ksu/ksu.M -+ clients/kvno/kvno.M + config-files/kdc.conf.M + config-files/krb5.conf.M -+ gen-manpages/k5login.M -+ gen-manpages/kerberos.M -+ kadmin/cli/k5srvutil.M -+ kadmin/cli/kadmin.local.M + kadmin/cli/kadmin.M -+ kadmin/dbutil/kdb5_util.M -+ kadmin/ktutil/ktutil.M -+ kadmin/server/kadmind.M -+ kdc/krb5kdc.M -+ krb5-config.M -+ plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M + slave/kpropd.M + slave/kprop.M -+ tests/create/kdb5_mkdums.M -+ util/et/com_err.3 -+ util/et/compile_et.1 -+ util/profile/profile.5 -+ util/send-pr/send-pr.1 +]) + V5_AC_OUTPUT_MAKEFILE(. util util/support util/profile util/send-pr -Index: krb5-1.8.3/src/kadmin/cli/kadmin.M +Index: krb5-1.9.1/src/kadmin/cli/kadmin.M =================================================================== ---- krb5-1.8.3.orig/src/kadmin/cli/kadmin.M -+++ krb5-1.8.3/src/kadmin/cli/kadmin.M -@@ -869,9 +869,9 @@ option is specified, less verbose status +--- krb5-1.9.1.orig/src/kadmin/cli/kadmin.M ++++ krb5-1.9.1/src/kadmin/cli/kadmin.M +@@ -880,9 +880,9 @@ option is specified, less verbose status .RS .TP EXAMPLE: @@ -122,7 +124,7 @@ kadmin: .RE .fi -@@ -913,7 +913,7 @@ passwords. +@@ -924,7 +924,7 @@ passwords. .SH HISTORY The .B kadmin 
@@ -131,32 +133,10 @@ OpenVision Kerberos administration program. .SH SEE ALSO .IR kerberos (1), -Index: krb5-1.8.3/src/slave/kprop.M -=================================================================== ---- krb5-1.8.3.orig/src/slave/kprop.M -+++ krb5-1.8.3/src/slave/kprop.M -@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv - This is done by transmitting the dumped database file to the slave - server over an encrypted, secure channel. The dump file must be created - by kdb5_util, and is normally KPROP_DEFAULT_FILE --(/usr/local/var/krb5kdc/slave_datatrans). -+(@manlocalstatedir@/krb5kdc/slave_datatrans). - .SH OPTIONS - .TP - \fB\-r\fP \fIrealm\fP -@@ -51,7 +51,7 @@ is used. - \fB\-f\fP \fIfile\fP - specifies the filename where the dumped principal database file is to be - found; by default the dumped database file is KPROP_DEFAULT_FILE --(normally /usr/local/var/krb5kdc/slave_datatrans). -+(normally @manlocalstatedir@/krb5kdc/slave_datatrans). - .TP - \fB\-P\fP \fIport\fP - specifies the port to use to contact the -Index: krb5-1.8.3/src/slave/kpropd.M +Index: krb5-1.9.1/src/slave/kpropd.M =================================================================== ---- krb5-1.8.3.orig/src/slave/kpropd.M -+++ krb5-1.8.3/src/slave/kpropd.M +--- krb5-1.9.1.orig/src/slave/kpropd.M ++++ krb5-1.9.1/src/slave/kpropd.M @@ -74,7 +74,7 @@ Normally, kpropd is invoked out of This is done by adding a line to the inetd.conf file which looks like this: 
@@ -199,3 +179,25 @@ Each entry is a line containing the principal of a host from which the local machine will allow Kerberos database propagation via kprop. .SH SEE ALSO +Index: krb5-1.9.1/src/slave/kprop.M +=================================================================== +--- krb5-1.9.1.orig/src/slave/kprop.M ++++ krb5-1.9.1/src/slave/kprop.M +@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv + This is done by transmitting the dumped database file to the slave + server over an encrypted, secure channel. The dump file must be created + by kdb5_util, and is normally KPROP_DEFAULT_FILE +-(/usr/local/var/krb5kdc/slave_datatrans). ++(@manlocalstatedir@/krb5kdc/slave_datatrans). + .SH OPTIONS + .TP + \fB\-r\fP \fIrealm\fP +@@ -51,7 +51,7 @@ is used. + \fB\-f\fP \fIfile\fP + specifies the filename where the dumped principal database file is to be + found; by default the dumped database file is KPROP_DEFAULT_FILE +-(normally /usr/local/var/krb5kdc/slave_datatrans). ++(normally @manlocalstatedir@/krb5kdc/slave_datatrans). + .TP + \fB\-P\fP \fIport\fP + specifies the port to use to contact the ++++++ krb5-1.9-paren.patch ++++++ Upstream commit #24477. diff -up krb5-1.9/src/slave/kpropd.c krb5-1.9/src/slave/kpropd.c --- krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:24.020999947 -0400 +++ krb5-1.9/src/slave/kpropd.c 2011-03-18 13:14:34.159999947 -0400 @@ -993,7 +993,7 @@ unsigned int backoff_from_master(int *cn btime = (unsigned int)(2<<(*cnt)); if (btime > MAX_BACKOFF) { btime = MAX_BACKOFF; - *cnt--; + (*cnt)--; } return (btime); ++++++ krb5-1.9-selinux-label.patch ++++++ ++++ 919 lines (skipped) ++++++ krb5-1.9.1-ai_addrconfig.patch ++++++
From RT#6922. When we're converting a host/service pair into a principal name, specify AF_UNSPEC instead of AF_INET4 and then maybe AF_INET6 to try to avoid libc having doing a PTR lookup because we also specify AI_CANONNAME. Add AI_ADDRCONFIG because it's usually the right idea.
Index: src/lib/krb5/os/sn2princ.c
===================================================================
--- src/lib/krb5/os/sn2princ.c.orig
+++ src/lib/krb5/os/sn2princ.c
@@ -107,19 +107,12 @@ krb5_sname_to_principal(krb5_context con
hostnames associated. */
memset(&hints, 0, sizeof(hints));
- hints.ai_family = AF_INET;
- hints.ai_flags = AI_CANONNAME;
- try_getaddrinfo_again:
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {
#ifdef DEBUG_REFERRALS
printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname);
#endif
- if (hints.ai_family == AF_INET) {
- /* Just in case it's an IPv6-only name. */
- hints.ai_family = 0;
- goto try_getaddrinfo_again;
- }
return KRB5_ERR_BAD_HOSTNAME;
}
remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname);
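Review bot: With the `try_getaddrinfo_again` retry removed, a single `getaddrinfo()` failure now returns `KRB5_ERR_BAD_HOSTNAME`, and `AI_ADDRCONFIG` adds a new way to fail: on a host with no non-loopback address configured, the resolver can return nothing even for a resolvable name. Retrying once without the flag keeps the saved lookup in the common case: `if (err && (hints.ai_flags & AI_ADDRCONFIG)) { hints.ai_flags &= ~AI_ADDRCONFIG; err = getaddrinfo(hostname, 0, &hints, &ai); }`. The same single-shot pattern applies to the `AI_CANONNAME | AI_ADDRCONFIG` hunks in kadm5_create.c, alt_prof.c and hst_realm.c further down. Since `ai->ai_canonname` is copied into `remote_host`, and judging by the function name it feeds the principal's host component, a comment that this name comes from the resolver unauthenticated would help the next reader. The function body continues outside the hunk.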
++++++ krb5-1.9.1-ai_addrconfig2.patch ++++++
Most of RT#6923, except for the part that depends on the sendto_kdc rewrite
(it's still in locate_kdc in this version): pass AI_ADDRCONFIG whenever we
specify hints to getaddrinfo() to get the address of a server.
Index: src/plugins/locate/python/py-locate.c
===================================================================
--- src/plugins/locate/python/py-locate.c.orig
+++ src/plugins/locate/python/py-locate.c
@@ -303,6 +303,7 @@ lookup(void *blob, enum locate_service_t
return -1;
}
aihints.ai_socktype = thissocktype;
+ aihints.ai_flags = AI_ADDRCONFIG;
x = getaddrinfo (hoststr, portstr, &aihints, &airesult);
if (x != 0)
continue;
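Review bot: `AI_ADDRCONFIG` is used unconditionally here and in every other hunk of this patch (sclient.c, kadm5_create.c, alt_prof.c, client_init.c, hostaddr.c, hst_realm.c, kprop.c, locate_kdc.c), while the client_init.c and locate_kdc.c hunks keep `AI_NUMERICSERV` behind `#ifdef AI_NUMERICSERV`. If the tree still targets resolvers old enough to need that guard, the new flag needs one too; a shared fallback of `#ifndef AI_ADDRCONFIG` / `#define AI_ADDRCONFIG 0` / `#endif` would treat both flags consistently. In this hunk the flag is assigned with `=`, and whether `aihints` is zeroed or given other flags earlier in lookup() is not visible, so `aihints.ai_flags |= AI_ADDRCONFIG;` would be the safer form.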
Index: src/appl/sample/sclient/sclient.c
===================================================================
--- src/appl/sample/sclient/sclient.c.orig
+++ src/appl/sample/sclient/sclient.c
@@ -124,6 +124,7 @@ main(int argc, char *argv[])
memset(&aihints, 0, sizeof(aihints));
aihints.ai_socktype = SOCK_STREAM;
+ aihints.ai_flags = AI_ADDRCONFIG;
aierr = getaddrinfo(argv[1], portstr, &aihints, &ap);
if (aierr) {
fprintf(stderr, "%s: error looking up host '%s' port '%s'/tcp: %s\n",
Index: src/kadmin/dbutil/kadm5_create.c
===================================================================
--- src/kadmin/dbutil/kadm5_create.c.orig
+++ src/kadmin/dbutil/kadm5_create.c
@@ -182,7 +182,7 @@ static int add_admin_princs(void *handle
goto clean_and_exit;
}
memset(&ai_hints, 0, sizeof(ai_hints));
- ai_hints.ai_flags = AI_CANONNAME;
+ ai_hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai);
if (gai_error) {
ret = EINVAL;
Index: src/lib/kadm5/alt_prof.c
===================================================================
--- src/lib/kadm5/alt_prof.c.orig
+++ src/lib/kadm5/alt_prof.c
@@ -901,7 +901,7 @@ kadm5_get_admin_service_name(krb5_contex
}
memset(&hint, 0, sizeof(hint));
- hint.ai_flags = AI_CANONNAME;
+ hint.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo(params_out.admin_server, NULL, &hint, &ai);
if (err != 0) {
ret = KADM5_CANT_RESOLVE;
Index: src/lib/kadm5/clnt/client_init.c
===================================================================
--- src/lib/kadm5/clnt/client_init.c.orig
+++ src/lib/kadm5/clnt/client_init.c
@@ -563,8 +563,9 @@ connect_to_server(const char *hostname,
(void) snprintf(portbuf, sizeof(portbuf), "%d", port);
memset(&hint, 0, sizeof(hint));
hint.ai_socktype = SOCK_STREAM;
+ hint.ai_flags = AI_ADDRCONFIG;
#ifdef AI_NUMERICSERV
- hint.ai_flags = AI_NUMERICSERV;
+ hint.ai_flags |= AI_NUMERICSERV;
#endif
err = getaddrinfo(hostname, portbuf, &hint, &addrs);
if (err != 0)
Index: src/lib/krb5/os/hostaddr.c
===================================================================
--- src/lib/krb5/os/hostaddr.c.orig
+++ src/lib/krb5/os/hostaddr.c
@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c
return KRB5_ERR_BAD_HOSTNAME;
memset (&hints, 0, sizeof (hints));
- hints.ai_flags = AI_NUMERICHOST;
+ hints.ai_flags = AI_NUMERICHOST | AI_ADDRCONFIG;
/* We don't care what kind at this point, really, but without
this, we can get back multiple sockaddrs per address, for
SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if
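Review bot: `AI_NUMERICHOST` already rules out any name-service query in krb5_os_hostaddr, so adding `AI_ADDRCONFIG` saves no lookup here. Depending on the resolver implementation, it may instead cause a literal address of a family not configured on the local interfaces to be rejected. Unless that rejection is intended, keep `hints.ai_flags = AI_NUMERICHOST;` for this call, or add a comment stating why address-family filtering is wanted for literals. The rest of the function is outside the hunk.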
Index: src/lib/krb5/os/hst_realm.c
===================================================================
--- src/lib/krb5/os/hst_realm.c.orig
+++ src/lib/krb5/os/hst_realm.c
@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz
int err;
memset (&hints, 0, sizeof (hints));
- hints.ai_flags = AI_CANONNAME;
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo (name, 0, &hints, &ai);
if (err)
return krb5int_translate_gai_error (err);
Index: src/slave/kprop.c
===================================================================
--- src/slave/kprop.c.orig
+++ src/slave/kprop.c
@@ -325,6 +325,7 @@ open_connection(krb5_context context, ch
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_ADDRCONFIG;
error = getaddrinfo(host, port, &hints, &answers);
if (error != 0) {
com_err(progname, 0, "%s: %s", host, gai_strerror(error));
Index: src/lib/krb5/os/locate_kdc.c
===================================================================
--- src/lib/krb5/os/locate_kdc.c.orig
+++ src/lib/krb5/os/locate_kdc.c
@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis
memset(&hint, 0, sizeof(hint));
hint.ai_family = family;
hint.ai_socktype = socktype;
+ hint.ai_flags = AI_ADDRCONFIG;
#ifdef AI_NUMERICSERV
- hint.ai_flags = AI_NUMERICSERV;
+ hint.ai_flags |= AI_NUMERICSERV;
#endif
result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port));
if (SNPRINTF_OVERFLOW(result, sizeof(portbuf)))
++++++ krb5-1.9.1-sendto_poll.patch ++++++
++++ 624 lines (skipped)
++++++ krb5-1.8.3.tar.bz2 -> krb5-1.9.1.tar.bz2 ++++++
krb5/krb5-1.8.3.tar.bz2 /mounts/work_src_done/STABLE/krb5/krb5-1.9.1.tar.bz2 differ: char 11, line 1
++++++ krb5-doc-rpmlintrc ++++++
addFilter("files-duplicate .*css")
addFilter("files-duplicate .*img.*png")
++++++ krb5-klist_s.patch ++++++
Don't trip over referral entries. RT#6915
Index: krb5-1.9.1/src/clients/klist/klist.c
===================================================================
--- krb5-1.9.1.orig/src/clients/klist/klist.c
+++ krb5-1.9.1/src/clients/klist/klist.c
@@ -28,7 +28,7 @@
* List out the contents of your credential cache or keytab.
*/
-#include "autoconf.h"
+#include "k5-int.h"
#include