Public bug reported:

Please sync krb5 1.8.1+dfsg-2 (main) from Debian unstable (main)

(My interest here is that I'm the Debian maintainer of krb5 and I'd like to help out the Ubuntu release process with this package.)

The 1.8.1 upstream release is entirely a bug-fix release. I have reviewed all the changes from 1.8+dfsg~alpha1-7ubuntu1 through 1.8.1+dfsg-2 and they are all bug fixes. Several of them are quite critical to Kerberos working well in lucid. Because there is a new upstream release involved, I've included all the upstream changes below the Debian changelog.

If you have any questions about this don't hesitate to contact me via e-mail, IRC or phone; similarly if you have any concerns about Kerberos throughout the rest of the lucid release process, feel free to contact me over any of these channels.

Explanation of the Ubuntu delta and why it can be dropped:
The Ubuntu delta is a security fix that has been incorporated into the Debian package.

The changelog below calls out specific bug fixes that I think are most critical both to Debian and Ubuntu. Appended below the changelog are all the upstream changes; I have looked over them and you really do want them all even at this point in the process.

Changelog entries since current lucid version 1.8+dfsg~alpha1-7ubuntu1:

krb5 (1.8.1+dfsg-2) unstable; urgency=high

  * Fix crash in renewal and validation, Thanks Joel Johnson for such a
    prompt bug report, Closes: #577490

 -- Sam Hartman <hartm...@debian.org>  Mon, 12 Apr 2010 13:08:35 -0400

krb5 (1.8.1+dfsg-1) unstable; urgency=high

  * New upstream release
  * Fixes significant ABI incompatibility between Heimdal and MIT in the
    init_creds_step API; backward incompatible change in the meaning of
    the flags API. Since this was introduced in 1.8 and since no better
    solution was found, it's felt that getting 1.8.1 out everywhere that
    had 1.8 very promptly is the right approach. Otherwise software built
    against 1.8 will be broken in the future.
  * Testing of Kerberos 1.8 showed an incompatibility between
    Heimdal/MIT Kerberos and Microsoft Kerberos; resolve this
    incompatibility. As a result, mixing KDCs between 1.8 and 1.8.1 in
    the same realm may produce undesirable results for constrained
    delegation. Again, another reason to replace 1.8 with 1.8.1 as soon
    as possible.
  * Acknowledge security team upload, thanks for picking up the slack and
    sorry it was necessary

 -- Sam Hartman <hartm...@debian.org>  Sun, 11 Apr 2010 10:12:59 -0400

krb5 (1.8+dfsg-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2010-0628: denial of service (assertion failure and daemon
    crash) via an invalid packet that triggers incorrect preparation of
    an error token. (Closes: 575740)
  * Makes src/slave/kpropd.c ISO C90 compliant (Closes: #574703)

 -- Giuseppe Iuculano <iucul...@debian.org>  Fri, 09 Apr 2010 19:11:50 +0200

krb5 (1.8+dfsg-1) unstable; urgency=low

  * New upstream version
  * Include new upstream notice file in docs
  * Update symbols files
  * Include upstream ticket 6676: fix handling of cross-realm tickets
    issued by W2K8R2
  * Add ipv6 support to kprop, Michael Stapelberg, Closes: #549476
  * New Brazilian Portuguese translations, Thanks Eder L. Marques,
    Closes: #574149

 -- Sam Hartman <hartm...@debian.org>  Wed, 17 Mar 2010 15:51:54 -0400

commit c113f7f7f47967f472d1573eb06efa4daa4ff260
Author: Sam Hartman <hartm...@debian.org>
Date:   Mon Apr 12 13:04:08 2010 -0400

    Renewals and Validation fail authorization_data memory management

    In renewals and validation, the enc_tkt_reply.authorization_data
    pointer aliases header_ticket->enc_part2.authorization_data. However
    in handle_authdata, the tgt authorization_data is copied to the
    output authorization data. That fails if they alias.

commit 33a393d4a01db63ee8843e823854995d9892ea32
Author: Sam Hartman <hartm...@debian.org>
Date:   Sun Apr 11 10:27:18 2010 -0400

    oops [in merge to patchlevel.h to update version number to 1.8.1]

commit b74b0301be2c040053b79a2399d4ef3b8b689d49
Merge: 91fb542 817defa
Author: Sam Hartman <hartm...@debian.org>
Date:   Sun Apr 11 10:04:03 2010 -0400

    Merge commit 'upstream/1.8.1+dfsg'

    Conflicts:
        src/patchlevel.h

commit 91fb542d48f01ef785fac2ea70d976e3d4695a58
Merge: 2310d83 d808a31
Author: Sam Hartman <hartm...@debian.org>
Date:   Sun Apr 11 10:02:06 2010 -0400

    Merge branch 'debian_kprop_ipv6'

commit d808a31081e23c0a9db5dbb3f7d7fbd9d7e230ab
Author: Sam Hartman <hartm...@debian.org>
Date:   Sun Apr 11 10:01:28 2010 -0400

    Fix placement of declaration

commit 817defae2331911393ccc11a7f00b922c0f816c9
Merge: 2e6dbfa 856d98a
Author: Sam Hartman <hartm...@debian.org>
Date:   Sun Apr 11 09:51:50 2010 -0400

    Merge in krb5/1.8.1 to upstream by unpacking krb5-1.8.1.tar.gz.

commit 0aa62e71985b6598d0bd5064f0428217726645ee
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Thu Apr 8 20:33:32 2010 +0000

    README and patchlevel.h for krb5-1.8.1 final

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23878 dc483132-0cff-0310-8789-dd5450dbe970

commit f1efaf20b739e542dba2cdef308a0bb4d92596d5
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Mar 30 01:54:21 2010 +0000

    krb5-1.8.1-beta2-postrelease

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23849 dc483132-0cff-0310-8789-dd5450dbe970

commit 3ddcd96f230039c8976eb00204573a6746efb221
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Mar 30 01:52:51 2010 +0000

    README and patchlevel for krb5-1.8.1-beta2

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23847 dc483132-0cff-0310-8789-dd5450dbe970

commit f6ab9426fb953d37ee6a3a475c74d34e89f29a1a
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Mar 30 01:51:11 2010 +0000

    make depend

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23846 dc483132-0cff-0310-8789-dd5450dbe970

commit d3674ebece848ed636f156a6a30e008d343f6b12
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Mar 30 01:51:04 2010 +0000

    ticket: 6693
    version_fixed: 1.8.1
    status: resolved

    pull up r23844 from trunk

    ------------------------------------------------------------------------
    r23844 | ghudson | 2010-03-29 18:08:21 -0400 (Mon, 29 Mar 2010) | 9 lines

    ticket: 6693
    subject: Fix backwards flag output in krb5_init_creds_step()
    tags: pullup
    target_version: 1.8.1

    krb5_init_creds_step() is taken from Heimdal, which sets *flags to 1
    for "continue" and 0 for "stop". Unfortunately, we got it backwards
    in 1.8; fix it for 1.8.1.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23845 dc483132-0cff-0310-8789-dd5450dbe970

commit be3bcaeb2538e4a58f2c02d8b0d3621a4fdd9def
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Sun Mar 28 23:00:08 2010 +0000

    krb5-1.8.1-beta1-postrelease

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23841 dc483132-0cff-0310-8789-dd5450dbe970

commit c14067f0e25e4ab77af3d82bd8a2d006cff5c995
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Sun Mar 28 22:47:01 2010 +0000

    README and patchlevel for krb5-1.8.1-beta1

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23839 dc483132-0cff-0310-8789-dd5450dbe970

commit b62c23b2590aa23ce55bf5910fcf993c3074f814
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Mar 23 22:31:00 2010 +0000

    ticket: 6678
    version_fixed: 1.8.1
    status: resolved

    pull up r23834 from trunk

    ------------------------------------------------------------------------
    r23834 | tlyu | 2010-03-23 15:00:13 -0700 (Tue, 23 Mar 2010) | 7 lines

    ticket: 6678
    target_version: 1.8.1
    tags: pullup

    Apply patch from Arlene Berry to not use freed memory in
    gss_import_sec_context in some error paths.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23835 dc483132-0cff-0310-8789-dd5450dbe970

commit 043adec2095d55c3e7b743980737e8efc2d9b31e
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Mar 23 19:08:53 2010 +0000

    ticket: 6690
    version_fixed: 1.8.1
    status: resolved

    pull up r23832 from trunk

    ------------------------------------------------------------------------
    r23832 | tlyu | 2010-03-23 11:53:52 -0700 (Tue, 23 Mar 2010) | 8 lines

    ticket: 6690
    target_version: 1.8.1
    tags: pullup
    subject: MITKRB5-SA-2010-002 CVE-2010-0628 denial of service in SPNEGO

    The SPNEGO implementation in krb5-1.7 and later could crash due to
    assertion failure when receiving some sorts of invalid GSS-API tokens.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23833 dc483132-0cff-0310-8789-dd5450dbe970

commit 192a8d37ccd77028580a3019c010831a3b4e2b97
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Mar 23 07:21:04 2010 +0000

    ticket: 6689
    version_fixed: 1.8.1
    status: resolved

    pull up r23829 from trunk

    ------------------------------------------------------------------------
    r23829 | tlyu | 2010-03-22 23:09:02 -0700 (Mon, 22 Mar 2010) | 10 lines

    ticket: 6689
    target_version: 1.8.1
    tags: pullup
    subject: krb5_typed_data not castable to krb5_pa_data on 64-bit MacOSX

    Move krb5_typed_data to krb5.hin from k5-int-pkinit.h because
    krb5int_fast_process_error was assuming that it was safe to cast it
    to krb5_pa_data. It's not safe to do the cast on 64-bit MacOSX
    because krb5.hin uses #pragma pack on that platform.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23830 dc483132-0cff-0310-8789-dd5450dbe970

commit 4a56afad855bfecb91b48f5cc48410aca32cc29f
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Mar 23 01:58:29 2010 +0000

    ticket: 6687
    version_fixed: 1.8.1

    pull up r23821 from trunk

    ------------------------------------------------------------------------
    r23821 | ghudson | 2010-03-19 20:50:06 -0700 (Fri, 19 Mar 2010) | 17 lines

    ticket: 6687
    subject: Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
    target_version: 1.8.1
    tags: pullup

    KRB5_AUTHDATA_SIGNTICKET, originally a Heimdal authorization data
    type, was used to implement PAC-less constrained delegation in krb5
    1.8. Unfortunately, it was found that Microsoft was using 142 for
    other purposes, which could result in a ticket issued by an MIT or
    Heimdal KDC being rejected by a Windows Server 2008 R2 application
    server.

    Because KRB5_AUTHDATA_SIGNTICKET is only used to communicate among a
    realm's KDCs, it is relatively easy to change the number, so MIT and
    Heimdal are both migrating to a new number.

    This change will cause a transitional interoperability issue when a
    realm mixes MIT krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1
    (or Heimdal 1.3.2) KDCs, but only for constrained delegation evidence
    tickets.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23828 dc483132-0cff-0310-8789-dd5450dbe970

commit b75309d22577062e20be1848d40b49fb6df8850d
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Mar 23 01:58:22 2010 +0000

    ticket: 6680
    version_fixed: 1.8.1
    status: resolved

    pull up r23820 from trunk

    ------------------------------------------------------------------------
    r23820 | ghudson | 2010-03-19 09:17:05 -0700 (Fri, 19 Mar 2010) | 7 lines

    ticket: 6680
    target_version: 1.8.1
    tags: pullup

    Document the ticket_lifetime libdefaults setting (which was added in
    r16656, #2656). Based on a patch from na...@redhat.com.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23827 dc483132-0cff-0310-8789-dd5450dbe970

commit 8e62d04c2c6e95bdf3de4e96a56b7abc0aa5da5a
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Mar 23 01:58:15 2010 +0000

    ticket: 6683
    version_fixed: 1.8.1
    status: resolved

    pull up r23819 from trunk

    ------------------------------------------------------------------------
    r23819 | ghudson | 2010-03-18 10:37:31 -0700 (Thu, 18 Mar 2010) | 7 lines

    ticket: 6683
    target_version: 1.8.1
    tags: pullup

    Fix the kpasswd fallback from the ccache principal name to the
    username in the case where the ccache doesn't exist.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23826 dc483132-0cff-0310-8789-dd5450dbe970

commit 3db96234875a827de3b20b798d8a54b1c8da9744
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Mar 23 01:58:07 2010 +0000

    ticket: 6681
    version_fixed: 1.8.1
    status: resolved

    pull up r23815 from trunk

    ------------------------------------------------------------------------
    r23815 | ghudson | 2010-03-17 14:10:10 -0700 (Wed, 17 Mar 2010) | 7 lines

    ticket: 6681
    target_version: 1.8.1
    tags: pullup

    When checking for KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT, don't
    dereference options if it's NULL.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23825 dc483132-0cff-0310-8789-dd5450dbe970

commit 23291346668b2939feefb345698c4b9ae1f3477b
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Mar 23 01:58:00 2010 +0000

    ticket: 6685
    version_fixed: 1.8.1
    status: resolved

    pull up r23810 from trunk

    ------------------------------------------------------------------------
    r23810 | tlyu | 2010-03-16 12:14:33 -0700 (Tue, 16 Mar 2010) | 8 lines

    ticket: 6685
    target_version: 1.8.1
    subject: handle NT_SRV_INST in service principal referrals

    Handle NT_SRV_INST in service principal cross-realm referrals, as
    Windows apparently uses that instead of NT_SRV_HST for at least some
    service principals.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23824 dc483132-0cff-0310-8789-dd5450dbe970

commit 4bf2aea673665cb5e162802803c4482b4456d7be
Merge: 7196944 e75295c
Author: Sam Hartman <hartm...@debian.org>
Date:   Wed Mar 17 15:46:20 2010 -0400

    Merge branch 'debian_kprop_ipv6'

commit e75295c10cded12bd340b30dbbe57aba9c233a4a
Author: Sam Hartman <hartm...@debian.org>
Date:   Wed Mar 17 15:40:36 2010 -0400

    Use AI_ADDRCONFIG flag for getaddrinfo

    Use the AI_ADDRCONFIG flag for getaddrinfo to confirm that only
    addresses supported by the local system are used in ipv6 support for
    kprop.

commit fb1312ce0ea22c87a09e860d5369f1c76256aae3
Author: Michael Stapelberg <mich...@stapelberg.de>
Date:   Tue Mar 16 23:39:38 2010 +0100

    Implement IPv6 support (kpropd)

commit 29291a21d9cc3b29e981c7c0bdbb3bf3621bae38
Author: Michael Stapelberg <mich...@stapelberg.de>
Date:   Tue Mar 16 22:39:55 2010 +0100

    Implement support for IPv6 (kprop)

commit 0dc8542064195bcf7e64085524c951827a6be057
Merge: af6a551 68aa065
Author: Sam Hartman <hartm...@debian.org>
Date:   Tue Mar 16 15:06:16 2010 -0400

    Merge branch 'upstream_6676'

commit 68aa0650e00101a6f417fc463d39f352900723a6
Author: ghudson <ghud...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Fri Mar 5 17:45:46 2010 +0000

    ticket: 6676
    subject: Ignore improperly encoded signedpath AD elements
    target_version: 1.8.1
    tags: pullup

    We have some reason to believe Microsoft and Heimdal are both using
    the authdata value 142 for different purposes, leading to failures in
    verify_ad_signedpath(). For better interoperability, treat such
    tickets as unsigned, rather than invalid.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/tr...@23766 dc483132-0cff-0310-8789-dd5450dbe970
    (cherry picked from commit 3e10309a12cafa40efac3cfe0439e4e21c261c8c)

commit e548979023d17ade1ce3c207f4ea8871e7b364e6
Merge: 1f64c6c 2e6dbfa
Author: Sam Hartman <hartm...@debian.org>
Date:   Tue Mar 16 14:42:04 2010 -0400

    Merge commit 'upstream/1.8+dfsg'

    Conflicts:
        src/patchlevel.h

commit 2e6dbfa87d8ed5bebd0a29af464a08ab752fafa6
Merge: 1dc6981 82924a4
Author: Sam Hartman <hartm...@debian.org>
Date:   Tue Mar 16 14:39:37 2010 -0400

    Merge in krb5/1.8 to upstream by unpacking krb5-1.8.tar.gz.

commit 7420ea9128df358cb8d3a49a1f1540827a3ca147
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Mon Mar 15 23:50:52 2010 +0000

    ticket: 6676
    version_fixed: 1.8.1
    status: resolved

    pull up r23766 from trunk

    ------------------------------------------------------------------------
    r23766 | ghudson | 2010-03-05 12:45:46 -0500 (Fri, 05 Mar 2010) | 10 lines

    ticket: 6676
    subject: Ignore improperly encoded signedpath AD elements
    target_version: 1.8.1
    tags: pullup

    We have some reason to believe Microsoft and Heimdal are both using
    the authdata value 142 for different purposes, leading to failures in
    verify_ad_signedpath(). For better interoperability, treat such
    tickets as unsigned, rather than invalid.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23809 dc483132-0cff-0310-8789-dd5450dbe970

commit 68f573d23ade8caec311cc985f557371afb59d44
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Mon Mar 15 23:50:49 2010 +0000

    ticket: 6674
    status: resolved
    version_fixed: 1.8.1

    pull up r23772 from trunk

    ------------------------------------------------------------------------
    r23772 | ghudson | 2010-03-05 15:35:26 -0500 (Fri, 05 Mar 2010) | 7 lines

    ticket: 6674
    target_version: 1.8.1
    tags: pullup

    Release the internal_name field of a SPNEGO context if it has not
    been claimed for a caller argument.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23808 dc483132-0cff-0310-8789-dd5450dbe970

commit c96841266da9385a84819788f9a66fa5fa154d5d
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Mon Mar 15 23:50:46 2010 +0000

    ticket: 6668
    version_fixed: 1.8.1
    status: resolved

    pull up r23749 from trunk

    ------------------------------------------------------------------------
    r23749 | ghudson | 2010-02-24 13:57:08 -0500 (Wed, 24 Feb 2010) | 9 lines

    ticket: 6668
    subject: Two problems in kadm5_get_principal mask handling
    target_version: 1.8
    tags: pullup

    KADM5_MOD_NAME was being applied to entry->principal instead of
    entry->mod_name. KADM5_MKVNO was not being applied to entry->mkvno.
    Patch from Marcus Watts <m...@umich.edu>.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23807 dc483132-0cff-0310-8789-dd5450dbe970

commit d83f81e50e8b8d2c09d7a825cb20bb36d04d65f0
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Mon Mar 15 23:50:40 2010 +0000

    ticket: 6661
    version_fixed: 1.8.1
    status: resolved

    pull up r23767 from trunk

    ------------------------------------------------------------------------
    r23767 | ghudson | 2010-03-05 14:19:42 -0500 (Fri, 05 Mar 2010) | 7 lines

    ticket: 6661
    target_version: 1.8.1
    tags: pullup

    Add IPv6 support to changepw.c (reverting r21004 since it is no
    longer necessary). Patch from Submit Bose <sb...@redhat.com>.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23806 dc483132-0cff-0310-8789-dd5450dbe970

commit 90dab53b5c1adca0eeea358333d6aa82df003dc1
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Wed Mar 10 20:33:05 2010 +0000

    Revert KRB5_CONF_ macro change intended for trunk.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23797 dc483132-0cff-0310-8789-dd5450dbe970

commit 866aafcfabc469722e4f390a45718059607a1ff9
Author: tsitkova <tsitk...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Wed Mar 10 15:59:30 2010 +0000

    Use KRB5_CONF_ macros instead of strings in source for profile config
    arguments "default" and "logging"

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23795 dc483132-0cff-0310-8789-dd5450dbe970

commit 851eb39f7295c103c2496e5eb9805e5de017ac56
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Mar 2 18:21:06 2010 +0000

    krb5-1.8-postrelease

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23762 dc483132-0cff-0310-8789-dd5450dbe970

commit 53ab53f9b8b6763b3e7234e3dddff52135edd1f7
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Mar 2 18:13:43 2010 +0000

    README and patchlevel.h for krb5-1.8 final

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23760 dc483132-0cff-0310-8789-dd5450dbe970

commit 5d00126bbfd9ee32511c622257b2b4015d52824f
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Thu Feb 25 21:28:29 2010 +0000

    krb5-1.8-beta2-postrelease

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23755 dc483132-0cff-0310-8789-dd5450dbe970

commit 7c0e650f48d4b05d5310fd6b158aadd1ddf6a4a4
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Thu Feb 25 21:28:22 2010 +0000

    README and patchlevel.h for krb5-1.8-beta2

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23754 dc483132-0cff-0310-8789-dd5450dbe970

commit 858af88676384125b589642a76652af826914485
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Thu Feb 25 20:14:21 2010 +0000

    ticket: 6669
    version_fixed: 1.8
    status: resolved

    pull up r23750 from trunk

    ------------------------------------------------------------------------
    r23750 | tlyu | 2010-02-25 15:09:45 -0500 (Thu, 25 Feb 2010) | 7 lines

    ticket: 6669
    target_version: 1.8
    tags: pullup
    subject: doc updates for allow_weak_crypto

    Update documentation to be more helpful about allow_weak_crypto.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23751 dc483132-0cff-0310-8789-dd5450dbe970

commit e45ecfb716e24d449a171aa69b33a2f8fa206a9f
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Feb 23 00:25:58 2010 +0000

    ticket: 6603
    version_fixed: 1.8
    status: resolved

    pull up r23742 from trunk

    ------------------------------------------------------------------------
    r23742 | ghudson | 2010-02-21 23:52:30 -0500 (Sun, 21 Feb 2010) | 24 lines

    ticket: 6603
    target_version: 1.8
    tags: pullup

    Fix two unrelated problems in SPNEGO which don't crop up with the
    krb5 mechanism.

    1. The third call to spnego_init_accept_context uses faulty logic to
    determine if the exchange is complete, preventing a third mech token
    from being sent to the acceptor if no MIC exchange is required.
    Follow the logic used in the second call (in init_ctx_nego), which is
    correct.

    2. If the acceptor selects a mech other than the optimistic mech, it
    sets sc->mic_reqd to 1 whether or not the selected mech supports MICs
    (which isn't known until the mech completes). Most code outside of
    handle_mic checks sc->mic_reqd along with (sc->ctx_flags &
    GSS_C_INTEG_FLAG), but the code in acc_ctx_call_acc neglected to do
    so, so it could improperly delegate responsibility for deciding when
    the negotiation was finished to handle_mic--which never gets called
    if (sc->ctx_flags & GSS_C_INTEG_FLAG) is false. Fix acc_ctx_call_acc
    to check sc->ctx_flags so that mechs which don't support integrity
    protection can complete if they are selected non-optimistically.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23748 dc483132-0cff-0310-8789-dd5450dbe970

commit 34415c494daff8b566f8922b0f73fb62a916575a
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Feb 23 00:25:54 2010 +0000

    ticket: 6659
    version_fixed: 1.8
    status: resolved

    pull up r23735 from trunk

    ------------------------------------------------------------------------
    r23735 | ghudson | 2010-02-18 13:49:11 -0500 (Thu, 18 Feb 2010) | 8 lines

    ticket: 6659
    target_version: 1.8
    tags: pullup

    The TGS code was not freeing authdata. This is an old leak which was
    made more evident in 1.8 by the addition of ad-signedpath authdata
    appearing in most tickets issued through the TGS path.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23747 dc483132-0cff-0310-8789-dd5450dbe970

commit 917ad5b39d5c6ce68ceb13b2dba1eec4a8e947fa
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Feb 23 00:25:51 2010 +0000

    ticket: 6665
    version_fixed: 1.8
    status: resolved

    pull up r23734 from trunk

    ------------------------------------------------------------------------
    r23734 | ghudson | 2010-02-18 13:04:47 -0500 (Thu, 18 Feb 2010) | 17 lines

    ticket: 6665
    subject: Fix cipher state chaining in OpenSSL back end
    target_version: 1.8
    tags: pullup

    Make cipher state chaining work in the OpenSSL back end for des,
    des3, and arcfour enc providers. Subtleties:

    * DES and DES3 have checks to avoid clobbering ivec with
      uninitialized data if there is no data to encrypt.
    * Arcfour saves the OpenSSL cipher context across calls. To protect
      against a caller improperly copying the state (which happens to
      work with other enc providers), a loopback pointer is used, as in
      GSSAPI.
    * EVP_EncryptFinal_ex is unnecessary with stream ciphers and would
      interfere with cipher state chaining if it did anything, so just
      remove it.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23746 dc483132-0cff-0310-8789-dd5450dbe970

commit e3f6f0ef1d7257318c57815a545427a5e682d75d
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Wed Feb 17 03:41:03 2010 +0000

    krb5-1.8-beta1-postrelease

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23730 dc483132-0cff-0310-8789-dd5450dbe970

commit cf889804873ae865cd562438ab4ceb680c8397f1
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Wed Feb 17 03:13:29 2010 +0000

    README and patchlevel.h for krb5-1.8-beta1

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23728 dc483132-0cff-0310-8789-dd5450dbe970

commit a464c8f0b72b8915d52d918e0a90205aa848f473
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Feb 16 23:01:30 2010 +0000

    ticket: 6663
    version_fixed: 1.8
    status: resolved

    pull up r23726 from trunk

    ------------------------------------------------------------------------
    r23726 | tlyu | 2010-02-16 17:41:27 -0500 (Tue, 16 Feb 2010) | 8 lines

    ticket: 6663
    subject: update mkrel to deal with changed source layout
    target_version: 1.8
    tags: pullup

    Update mkrel so it deals somewhat better with removed src/lib/des425,
    NOTICES, etc.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23727 dc483132-0cff-0310-8789-dd5450dbe970

commit 0ceaf686ad893a728571659bab1d38bece27521c
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Tue Feb 16 22:21:08 2010 +0000

    ticket: 6662
    version_fixed: 1.8
    status: resolved

    pull up r23724 from trunk

    ------------------------------------------------------------------------
    r23724 | tlyu | 2010-02-16 17:10:17 -0500 (Tue, 16 Feb 2010) | 10 lines

    ticket: 6662
    subject: MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service
    tags: pullup
    target_version: 1.8

    Code introduced in krb5-1.7 can cause an assertion failure if a
    KDC-REQ is internally inconsistent, specifically if the ASN.1 tag
    doesn't match the msg_type field.

    Thanks to Emmanuel Bouillon (NATO C3 Agency) for discovering and
    reporting this vulnerability.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23725 dc483132-0cff-0310-8789-dd5450dbe970

commit 89aef1ceb9b1390ee33657dabc8a9b853ca98ac4
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Fri Feb 12 20:28:51 2010 +0000

    ticket: 6660
    version_fixed: 1.8
    status: resolved

    pull up r23716 from trunk

    ------------------------------------------------------------------------
    r23716 | ghudson | 2010-02-11 11:07:08 -0500 (Thu, 11 Feb 2010) | 15 lines

    ticket: 6660
    subject: Minimal support for updating history key
    target_version: 1.8
    tags: pullup

    Add minimal support for re-randomizing the history key:

    * cpw -randkey kadmin/history now works, but creates only one key.
    * cpw -randkey -keepold kadmin/history still fails.
    * libkadm5 no longer caches the history key. Performance impact is
      minimal since password changes are not common.
    * randkey no longer checks the newly randomized key against old keys,
      and the disabled code to do so in setkey/setv4key is gone, so now
      only kadm5_chpass_principal_3 accesses the password history.

    ------------------------------------------------------------------------

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23721 dc483132-0cff-0310-8789-dd5450dbe970

commit 761346f5710fa8b647281e1187a33e9924ac908f
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Fri Feb 12 20:28:47 2010 +0000

    ticket: 6658
    version_fixed: 1.8
    status: resolved

    pull up r23715 from trunk

    ------------------------------------------------------------------------
    r23715 | ghudson | 2010-02-10 18:44:18 -0500 (Wed, 10 Feb 2010) | 14 lines

    ticket: 6658
    subject: Implement gss_set_neg_mechs
    target_version: 1.8
    tags: pullup

    Implement gss_set_neg_mechs in SPNEGO by intersecting the provided
    mech set with the mechanisms available in the union credential.
    As we now need space to hold the mech set, the SPNEGO credential is
    now a structure and not just a mechglue credential.

    t_spnego.c is a test program which exercises the new logic. Like the
    other GSSAPI tests, it is not run as part of "make check" at this
    time.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23720 dc483132-0cff-0310-8789-dd5450dbe970

commit 1b35d22c8cd24c2d205250270834798a2e07da8b
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Fri Feb 12 20:28:43 2010 +0000

    ticket: 6657
    version_fixed: 1.8
    status: resolved

    pull up r23713 from trunk

    ------------------------------------------------------------------------
    r23713 | hartmans | 2010-02-09 14:15:12 -0500 (Tue, 09 Feb 2010) | 10 lines

    subject: krb5int_fast_free_state segfaults if state is null
    ticket: 6657
    target_version: 1.8
    tags: pullup

    krb5int_fast_free_state fails if state is null. Instead it should
    simply return.

    Reorganization of the get_init_creds logic has created situations
    where the init_creds loop can fail between the time when the context
    is initialized and the fast state is initialized.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23719 dc483132-0cff-0310-8789-dd5450dbe970

commit 28f345bf7364a01e9b25f693c65820ff06abd0aa
Author: tlyu <t...@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Fri Feb 12 20:28:39 2010 +0000

    ticket: 6656
    version_fixed: 1.8
    status: resolved

    pull up r23712, r23714 from trunk

    ------------------------------------------------------------------------
    r23714 | ghudson | 2010-02-09 20:55:36 -0500 (Tue, 09 Feb 2010) | 13 lines

    ticket: 6656

    Followon fixes to r23712:
    * A few formatting fixes.
    * Fix unlikely leak in kdc_handle_protected_negotiation: if
      add_pa_data_element with copy == FALSE fails, it's still the
      caller's responsibility to free pa.contents.
    * Fix pre-existing (since r23465) leak of reply_encpart.enc_padata in
      process_as_req.
    * Call add_pa_data_element with copy == TRUE in
      return_referral_enc_padata since we are passing memory owned by the
      database entry.

    ------------------------------------------------------------------------
    r23712 | hartmans | 2010-02-09 14:15:07 -0500 (Tue, 09 Feb 2010) | 14 lines

    subject: enc_padata can include empty sequence
    ticket: 6656
    target_version: 1.8
    tags: pullup

    There are two issues with return_enc_padata.

    1) It often will return an empty sequence of enc_padata rather than
    not including the field
    2) FAST negotiation is double supported in the referral tgs path and
    not supported in the non-referral path

    Rewrite the return_enc_padata logic to:

    * Split out referral interactions with kdb into its own function
    * Use add_pa_data_element

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-...@23718 dc483132-0cff-0310-8789-dd5450dbe970

** Affects: krb5 (Ubuntu)
     Importance: Undecided
         Status: New

--
Sync krb5 1.8.1+dfsg-2 (main) from Debian unstable (main)
https://bugs.launchpad.net/bugs/562261
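
The aliasing failure described in commit c113f7f7 above ("Renewals and Validation fail authorization_data memory management"), modelled as an added C example; it is not code from krb5 or from this report. The authdata type, merge_unsafe(), merge_safe(), the sample type values and the policy of treating an aliased output as already complete are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical element type (not krb5's); lists are NULL-terminated arrays. */
typedef struct { int ad_type; unsigned char contents[8]; } authdata;

static size_t list_len(authdata *const *l)
{
    size_t n = 0;
    while (l != NULL && l[n] != NULL)
        n++;
    return n;
}

static void free_list(authdata **l)
{
    for (size_t i = 0; l != NULL && l[i] != NULL; i++)
        free(l[i]);
    free(l);
}

static authdata *copy_elem(const authdata *e)
{
    authdata *c = malloc(sizeof(*c));
    if (c != NULL)
        *c = *e;
    return c;
}

/* Build a constructed sample list, one element per entry in types[]. */
static authdata **make_list(const int *types, size_t n)
{
    authdata **l = calloc(n + 1, sizeof(*l));
    for (size_t i = 0; l != NULL && i < n; i++) {
        authdata tmp = { types[i], "demo" };
        if ((l[i] = copy_elem(&tmp)) == NULL) {
            free_list(l);
            return NULL;
        }
    }
    return l;
}

/* Before: appends copies of src to *dst in place. If src == *dst, realloc()
 * may move the array src still points at, and each append lengthens the
 * list being walked, so the loop reads stale memory or never terminates. */
int merge_unsafe(authdata **src, authdata ***dst)
{
    size_t n = list_len(*dst);
    for (size_t i = 0; src != NULL && src[i] != NULL; i++) {
        authdata **grown = realloc(*dst, (n + 2) * sizeof(*grown));
        if (grown == NULL)
            return -1;
        *dst = grown;
        if ((grown[n] = copy_elem(src[i])) == NULL)
            return -1;
        grown[++n] = NULL;
    }
    return 0;
}

/* After: an aliased output already holds the input (this example's policy,
 * an assumption); otherwise copy all of src first, then grow *dst once. */
int merge_safe(authdata **src, authdata ***dst)
{
    size_t add = list_len(src), have = list_len(*dst);
    authdata **fresh, **out;
    if (add == 0 || src == *dst)
        return 0;
    if ((fresh = calloc(add + 1, sizeof(*fresh))) == NULL)
        return -1;
    for (size_t i = 0; i < add; i++)
        if ((fresh[i] = copy_elem(src[i])) == NULL)
            goto fail;
    if ((out = realloc(*dst, (have + add + 1) * sizeof(*out))) == NULL)
        goto fail;
    memcpy(out + have, fresh, (add + 1) * sizeof(*out)); /* NULL included */
    free(fresh);
    *dst = out;
    return 0;
fail:
    free_list(fresh);
    return -1;
}

int main(void)
{
    int types[] = { 1, 512 };                 /* constructed sample types */
    authdata **ticket = make_list(types, 2);  /* header ticket's list */
    authdata **reply = ticket;                /* renewal: output aliases input */
    int ok = merge_safe(ticket, &reply) == 0 && list_len(reply) == 2;
    free_list(ticket);
    return ok ? 0 : 1;
}
```

main() deliberately never calls merge_unsafe() on the aliased pair, since that call is undefined behaviour; building with -fsanitize=address and swapping the call in is one way to see the failure reported.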