|Index||index by Group||index by Distribution||index by Vendor||index by creation date||index by Name||Mirrors||Help||Search|
|Name: krb5-64bit||Distribution: openSUSE Leap 42.3|
|Version: 1.12.5||Vendor: openSUSE|
|Release: 9.1||Build date: Mon Oct 9 10:54:57 2017|
|Group: Productivity/Networking/Security||Build host: obs-arm-3|
|Size: 2074680||Source RPM: krb5-1.12.5-9.1.src.rpm|
|Summary: MIT Kerberos5 Implementation--Libraries|
Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of clear text passwords.
* Tue Sep 05 2017 firstname.lastname@example.org - Introduce patch 0109-Preserve-GSS-context-on-init-accept-failure.patch to fix CVE-2017-11462 of bsc#1056995. * Thu Aug 17 2017 email@example.com - Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf in order to improve client security in handling service principle names. (bsc#1054028) * Fri Aug 11 2017 firstname.lastname@example.org - Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543) * Wed May 31 2017 email@example.com - Remove main package's dependency on systemd. (bsc#1032680) * Mon Aug 15 2016 firstname.lastname@example.org - Remove unneeded prerequisites from spec file. (bsc#992853) * Fri Jul 29 2016 email@example.com - Fix CVE-2016-3120 (bsc#991088) with patch: 0108-Fix-S4U2Self-KDC-crash-when-anon-is-restricted.patch * Sat Jul 02 2016 firstname.lastname@example.org - Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch from rev128 of network/krb5 (bsc#982313#c2) * Mon Jun 13 2016 email@example.com - Remove source file ccapi/common/win/OldCC/autolock.hxx that is not needed and does not carry an acceptable license. (bsc#968111) * Wed Mar 23 2016 firstname.lastname@example.org - Introduce patch 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch to fix CVE-2016-3119 (bsc#971942) * Thu Feb 11 2016 email@example.com - Upgrade from version 1.12.1 to 1.12.5. The new maintenance release brings accumulated defect fixes. - The following patches are now present in the source bundle, thus removed from build individual patch files: * 0001-Fix-krb5_read_message-handling-CVE-2014-5355.patch * 0001-Prevent-requires_preauth-bypass-CVE-2015-2694.patch * 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch * 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch * 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch * 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch * bnc#912002.diff * krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch * krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch * krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch * krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch * krb5-1.12.2-CVE-2014-5353.patch * krb5-1.12.2-CVE-2014-5354.patch * krb5-master-keyring-kdcsync.patch - Line numbers in the following patches are slightly adjusted to fit into this new source version: * krb5-1.6.3-ktutil-manpage.dif * krb5-1.7-doublelog.patch - Remove krb5-mini pieces from spec file. Thus removing pre_checkin.sh - Remove expired macros and other minor clean-ups in spec file. - Use system libverto to substitute built-in libverto. Implement fate#320326 * Thu Jan 28 2016 firstname.lastname@example.org - Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character (bsc#963968) with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch - Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request (bsc#963975) with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch - Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask (bsc#963964) with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch * Tue Nov 10 2015 email@example.com - Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch to fix a memory corruption regression introduced by resolution of CVE-2015-2698. bsc#954204 * Wed Oct 28 2015 firstname.lastname@example.org - Make kadmin.local man page available without having to install krb5-client. bsc#948011 - Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch to fix build_principal memory bug [CVE-2015-2697] bsc#952190 - Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189 - Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188 - Fix patch content of bnc#912002.diff that was missing a diff header. * Mon Jul 13 2015 email@example.com - bnc#928978 - (CVE-2015-2694) VUL-0: CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass patches: 0001-Prevent-requires_preauth-bypass-CVE-2015-2694.patch * Wed Mar 11 2015 firstname.lastname@example.org - bnc#918595 VUL-0: CVE-2014-5355: krb5: denial of service in krb5_read_message patches: 0001-Fix-krb5_read_message-handling-CVE-2014-5355.patch * Wed Mar 11 2015 email@example.com - bnc#910457: CVE-2014-5353: NULL pointer dereference when using a ticket policy name as password name - bnc#910458: CVE-2014-5354: NULL pointer dereference when using keyless entries patches: krb5-1.12.2-CVE-2014-5353.patch krb5-1.12.2-CVE-2014-5354.patch * Wed Jan 07 2015 firstname.lastname@example.org - bnc#912002 VUL-0: CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423: krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token - added patches: * bnc#912002.diff * Thu Sep 25 2014 email@example.com - Work around replay cache creation race; (bnc#898439). krb5-1.13-work-around-replay-cache-creation-race.patch * Tue Sep 23 2014 firstname.lastname@example.org - bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal - added patches: * bnc#897874-CVE-2014-5351.diff * Fri Aug 08 2014 email@example.com - buffer overrun in kadmind with LDAP backend CVE-2014-4345 (bnc#891082) krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch * Mon Jul 28 2014 firstname.lastname@example.org - Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697) krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch Fix null deref in SPNEGO acceptor [CVE-2014-4344] krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch * Thu Jul 10 2014 email@example.com - denial of service flaws when handling RFC 1964 tokens (bnc#886016) krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch - start krb5kdc after slapd (bnc#886102) * Fri Jun 06 2014 firstname.lastname@example.org - obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674) similar functionality is provided by krb5-plugin-preauth-pkinit * Tue Feb 18 2014 email@example.com - don't deliver SysV init files to systemd distributions * Tue Jan 21 2014 firstname.lastname@example.org - update to version 1.12.1 * Make KDC log service principal names more consistently during some error conditions, instead of "<unknown server>" * Fix several bugs related to building AES-NI support on less common configurations * Fix several bugs related to keyring credential caches - upstream obsoletes: krb5-1.12-copy_context.patch krb5-1.12-enable-NX.patch krb5-1.12-pic-aes-ni.patch krb5-master-no-malloc0.patch krb5-master-ignore-empty-unnecessary-final-token.patch krb5-master-gss_oid_leak.patch krb5-master-keytab_close.patch krb5-master-spnego_error_messages.patch - Fix Get time offsets for all keyring ccaches krb5-master-keyring-kdcsync.patch (RT#7820) * Mon Jan 13 2014 email@example.com - update to version 1.12 * Add GSSAPI extensions for constructing MIC tokens using IOV lists * Add a FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values. * The AES-based encryption types will use AES-NI instructions when possible for improved performance. - revert dependency on libcom_err-mini-devel since it's not yet available - update and rebase patches * krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch * krb5-1.11-pam.patch -> krb5-1.12-pam.patch * krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch * krb5-1.8-api.patch -> krb5-1.12-api.patch * krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch * krb5-1.9-debuginfo.patch * krb5-1.9-kprop-mktemp.patch * krb5-kvno-230379.patch - added upstream patches - Fix krb5_copy_context * krb5-1.12-copy_context.patch - Mark AESNI files as not needing executable stacks * krb5-1.12-enable-NX.patch * krb5-1.12-pic-aes-ni.patch - Fix memory leak in SPNEGO initiator * krb5-master-gss_oid_leak.patch - Fix SPNEGO one-hop interop against old IIS * krb5-master-ignore-empty-unnecessary-final-token.patch - Fix GSS krb5 acceptor acquire_cred error handling * krb5-master-keytab_close.patch - Avoid malloc(0) in SPNEGO get_input_token * krb5-master-no-malloc0.patch - Test SPNEGO error message in t_s4u.py * krb5-master-spnego_error_messages.patch * Tue Dec 10 2013 firstname.lastname@example.org - Reduce build dependencies for krb5-mini by removing doxygen and changing libcom_err-devel to libcom_err-mini-devel - Small fix to pre_checkin.sh so krb5-mini.spec is correct. * Fri Nov 15 2013 email@example.com - update to version 1.11.4 - Fix a KDC null pointer dereference [CVE-2013-1417] that could affect realms with an uncommon configuration. - Fix a KDC null pointer dereference [CVE-2013-1418] that could affect KDCs that serve multiple realms. - Fix a number of bugs related to KDC master key rollover. * Mon Jun 24 2013 firstname.lastname@example.org - install and enable systemd service files also in -mini package * Fri Jun 21 2013 email@example.com - remove fstack-protector-all from CFLAGS, just use the lighter/fast version already present in %optflags - Use LFS_CFLAGS to build in 32 bit archs. * Sun Jun 09 2013 firstname.lastname@example.org - update to version 1.11.3 - Fix a UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443] - Improve interoperability with some Windows native PKINIT clients. - install translation files - remove outdated configure options * Tue May 28 2013 email@example.com - cleanup systemd files (remove syslog.target) * Fri May 03 2013 firstname.lastname@example.org - let krb5-mini conflict with all main packages * Thu May 02 2013 email@example.com - add conflicts between krb5-mini and krb5-server * Sun Apr 28 2013 firstname.lastname@example.org - update to version 1.11.2 * Incremental propagation could erroneously act as if a slave's database were current after the slave received a full dump that failed to load. * gss_import_sec_context incorrectly set internal state that identifies whether an imported context is from an interposer mechanism or from the underlying mechanism. - upstream fix obsolete krb5-lookup_etypes-leak.patch * Thu Apr 04 2013 email@example.com - add conflicts between krb5-mini-devel and krb5-devel * Tue Apr 02 2013 firstname.lastname@example.org - add conflicts between krb5-mini and krb5 and krb5-client * Wed Mar 27 2013 email@example.com - enable selinux and set openssl as crypto implementation * Fri Mar 22 2013 firstname.lastname@example.org - fix path to executables in service files (bnc#810926) * Fri Mar 15 2013 email@example.com - update to version 1.11.1 * Improve ASN.1 support code, making it table-driven for decoding as well as encoding * Refactor parts of KDC * Documentation consolidation * build docs in the main package * bugfixing - changes of patches: * bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif: upstream * bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif: upstream * krb5-1.10-gcc47.patch: upstream * krb5-1.10-selinux-label.patch replaced by krb5-1.11-selinux-label.patch * krb5-1.10-spin-loop.patch: upstream * krb5-1.3.5-perlfix.dif: the tool was removed from upstream * krb5-1.8-pam.patch replaced by krb5-1.11-pam.patch * Wed Mar 06 2013 firstname.lastname@example.org - fix PKINIT null pointer deref in pkinit_check_kdc_pkid() CVE-2012-1016 (bnc#807556) bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif * Mon Mar 04 2013 email@example.com - fix PKINIT null pointer deref CVE-2013-1415 (bnc#806715) bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif * Fri Jan 25 2013 firstname.lastname@example.org - package missing file (bnc#794784) * Tue Jan 22 2013 email@example.com - krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc (bnc#793336) * Tue Oct 16 2012 firstname.lastname@example.org - revert the -p usage in %postun to fix SLE build * Tue Oct 16 2012 email@example.com - buildrequire systemd by pkgconfig provide to get systemd-mini * Sat Oct 13 2012 firstname.lastname@example.org - do not require systemd in krb5-mini * Fri Oct 05 2012 email@example.com - add systemd service files for kadmind, krb5kdc and kpropd - add sysconfig templates for kadmind and krb5kdc * Wed Jun 13 2012 firstname.lastname@example.org - fix %files section for krb5-mini * Thu Jun 07 2012 email@example.com - fix gcc47 issues * Wed Jun 06 2012 firstname.lastname@example.org - update to version 1.10.2 obsolte patches: * krb5-1.7-nodeplibs.patch * krb5-1.9.1-ai_addrconfig.patch * krb5-1.9.1-ai_addrconfig2.patch * krb5-1.9.1-sendto_poll.patch * krb5-1.9-canonicalize-fallback.patch * krb5-1.9-paren.patch * krb5-klist_s.patch * krb5-pkinit-cms2.patch * krb5-trunk-chpw-err.patch * krb5-trunk-gss_delete_sec.patch * krb5-trunk-kadmin-oldproto.patch * krb5-1.9-MITKRB5-SA-2011-006.dif * krb5-1.9-gss_display_status-iakerb.patch * krb5-1.9.1-sendto_poll2.patch * krb5-1.9.1-sendto_poll3.patch * krb5-1.9-MITKRB5-SA-2011-007.dif - Fix an interop issue with Windows Server 2008 R2 Read-Only Domain Controllers. - Update a workaround for a glibc bug that would cause DNS PTR queries to occur even when rdns = false. - Fix a kadmind denial of service issue (null pointer dereference), which could only be triggered by an administrator with the "create" privilege. [CVE-2012-1013] - Fix access controls for KDB string attributes [CVE-2012-1012] - Make the ASN.1 encoding of key version numbers interoperate with Windows Read-Only Domain Controllers - Avoid generating spurious password expiry warnings in cases where the KDC sends an account expiry time without a password expiry time - Make PKINIT work with FAST in the client library. - Add the DIR credential cache type, which can hold a collection of credential caches. - Enhance kinit, klist, and kdestroy to support credential cache collections if the cache type supports it. - Add the kswitch command, which changes the selected default cache within a collection. - Add heuristic support for choosing client credentials based on the service realm. - Add support for $HOME/.k5identity, which allows credential choice based on configured rules. * Sun Feb 26 2012 email@example.com - add autoconf macro to devel subpackage * Tue Jan 31 2012 firstname.lastname@example.org - fix license in krb5-mini * Tue Dec 20 2011 email@example.com - add autoconf as buildrequire to avoid implicit dependency * Tue Dec 20 2011 firstname.lastname@example.org - remove call to suse_update_config, very old work around * Mon Nov 21 2011 email@example.com - fix KDC null pointer dereference in TGS handling (MITKRB5-SA-2011-007, bnc#730393) CVE-2011-1530 * Mon Nov 21 2011 firstname.lastname@example.org - fix KDC HA feature introduced with implementing KDC poll (RT#6951, bnc#731648) * Fri Nov 18 2011 email@example.com - fix minor error messages for the IAKERB GSSAPI mechanism (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020) * Mon Oct 17 2011 firstname.lastname@example.org - fix kdc remote denial of service (MITKRB5-SA-2011-006, bnc#719393) CVE-2011-1527, CVE-2011-1528, CVE-2011-1529 * Tue Aug 23 2011 email@example.com - use --without-pam to build krb5-mini * Sun Aug 21 2011 firstname.lastname@example.org - add patches from Fedora and upstream - fix init scripts (bnc#689006) * Fri Aug 19 2011 email@example.com - update to version 1.9.1 * obsolete patches: MITKRB5-SA-2010-007-1.8.dif krb5-1.8-MITKRB5-SA-2010-006.dif krb5-1.8-MITKRB5-SA-2011-001.dif krb5-1.8-MITKRB5-SA-2011-002.dif krb5-1.8-MITKRB5-SA-2011-003.dif krb5-1.8-MITKRB5-SA-2011-004.dif krb5-1.4.3-enospc.dif * replace krb5-1.6.1-compile_pie.dif * Thu Apr 14 2011 firstname.lastname@example.org - fix kadmind invalid pointer free() (MITKRB5-SA-2011-004, bnc#687469) CVE-2011-0285 * Tue Mar 01 2011 email@example.com - Fix vulnerability to a double-free condition in KDC daemon (MITKRB5-SA-2011-003, bnc#671717) CVE-2011-0284 * Wed Jan 19 2011 firstname.lastname@example.org - Fix kpropd denial of service (MITKRB5-SA-2011-001, bnc#662665) CVE-2010-4022 - Fix KDC denial of service attacks with LDAP back end (MITKRB5-SA-2011-002, bnc#663619) CVE-2011-0281, CVE-2011-0282 * Wed Dec 01 2010 email@example.com - Fix multiple checksum handling vulnerabilities (MITKRB5-SA-2010-007, bnc#650650) CVE-2010-1324 * krb5 GSS-API applications may accept unkeyed checksums * krb5 application services may accept unkeyed PAC checksums * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums CVE-2010-1323 * krb5 clients may accept unkeyed SAM-2 challenge checksums * krb5 may accept KRB-SAFE checksums with low-entropy derived keys CVE-2010-4020 * krb5 may accept authdata checksums with low-entropy derived keys CVE-2010-4021 * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery * Thu Oct 28 2010 firstname.lastname@example.org - fix csh profile (bnc#649856) * Fri Oct 22 2010 email@example.com - update to krb5-1.8.3 * remove patches which are now upstrem - krb5-1.7-MITKRB5-SA-2010-004.dif - krb5-1.8.1-gssapi-error-table.dif - krb5-MITKRB5-SA-2010-005.dif * Fri Oct 22 2010 firstname.lastname@example.org - change environment variable PATH directly for csh (bnc#642080) * Mon Sep 27 2010 email@example.com - fix a dereference of an uninitialized pointer while processing authorization data. CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990) * Mon Jun 21 2010 firstname.lastname@example.org - add correct error table when initializing gss-krb5 (bnc#606584, bnc#608295) * Wed May 19 2010 email@example.com - fix GSS-API library null pointer dereference CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826) * Wed Apr 14 2010 firstname.lastname@example.org - fix a double free vulnerability in the KDC CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002) * Fri Apr 09 2010 email@example.com - update to version 1.8.1 * include krb5-1.8-POST.dif * include MITKRB5-SA-2010-002 * Tue Apr 06 2010 firstname.lastname@example.org - update krb5-1.8-POST.dif * Tue Mar 23 2010 email@example.com - fix a bug where an unauthenticated remote attacker could cause a GSS-API application including the Kerberos administration daemon (kadmind) to crash. CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) * Tue Mar 23 2010 firstname.lastname@example.org - add post 1.8 fixes * Add IPv6 support to changepw.c * fix two problems in kadm5_get_principal mask handling * Ignore improperly encoded signedpath AD elements * handle NT_SRV_INST in service principal referrals * dereference options while checking KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT * Fix the kpasswd fallback from the ccache principal name * Document the ticket_lifetime libdefaults setting * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 * Thu Mar 04 2010 email@example.com - update to version 1.8 * Increase code quality * Move toward improved KDB interface * Investigate and remedy repeatedly-reported performance bottlenecks. * Reduce DNS dependence by implementing an interface that allows client library to track whether a KDC supports service principal referrals. * Disable DES by default * Account lockout for repeated login failures * Bridge layer to allow Heimdal HDB modules to act as KDB backend modules * FAST enhancements * Microsoft Services for User (S4U) compatibility * Anonymous PKINIT - fix KDC denial of service CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781) - fix KDC denial of service in cross-realm referral processing CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347) - fix integer underflow in AES and RC4 decryption CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) - moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl * Mon Dec 14 2009 firstname.lastname@example.org - add baselibs.conf as a source * Fri Nov 13 2009 email@example.com - enhance '$PATH' only if the directories are available and not empty (bnc#544949) * Sun Jul 12 2009 firstname.lastname@example.org - readd lost baselibs.conf * Wed Jun 03 2009 email@example.com - update to final 1.7 release * Wed May 13 2009 firstname.lastname@example.org - update to version 1.7 Beta2 * Incremental propagation support for the KDC database. * Flexible Authentication Secure Tunneling (FAST), a preauthentiation framework that can protect the AS exchange from dictionary attack. * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy. * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 -- various vulnerabilities in SPNEGO and ASN.1 code.
/usr/lib64/libgssapi_krb5.so /usr/lib64/libgssapi_krb5.so.2 /usr/lib64/libgssapi_krb5.so.2.2 /usr/lib64/libgssrpc.so.4 /usr/lib64/libgssrpc.so.4.2 /usr/lib64/libk5crypto.so.3 /usr/lib64/libk5crypto.so.3.1 /usr/lib64/libkadm5clnt_mit.so.9 /usr/lib64/libkadm5clnt_mit.so.9.0 /usr/lib64/libkadm5srv_mit.so.9 /usr/lib64/libkadm5srv_mit.so.9.0 /usr/lib64/libkdb5.so.7 /usr/lib64/libkdb5.so.7.0 /usr/lib64/libkrad.so.0 /usr/lib64/libkrad.so.0.0 /usr/lib64/libkrb5.so.3 /usr/lib64/libkrb5.so.3.3 /usr/lib64/libkrb5support.so.0 /usr/lib64/libkrb5support.so.0.1
Generated by rpm2html 1.8.1
Fabrice Bellet, Mon Oct 21 00:13:49 2019