@ -1,27 +1,3 @@
%bcond_without check
%if %{without check}
%global skipcheck 1
%endif
# COPR doesn't work right with the tests. I suspect keyring issues,
# but can't actually debug, so...
%if 0%{?copr_username:1}
%global skipcheck 1
%endif
# There are 0 test machines for this architecture, very few builders, and
# they're not very well provisioned / maintained. I can't support it.
# Patches welcome, but there's nothing I can do - it fails more than half the
# for "infrastructure issues" that I can't hope to debug.
%ifarch s390x
%global skipcheck 1
%endif
# RHEL runs upstream's test suite in a separate pass after build.
%if 0%{?rhel}
%global skipcheck 1
%endif
# Set this so that find-lang.sh will recognize the .po files.
%global gettext_domain mit-krb5
# Guess where the -libs subpackage's docs are going to go.
@ -34,7 +10,7 @@
#
# baserelease is what we have standardized across Fedora and what
# rpmdev-bumpspec knows how to handle.
%global baserelease 4
%global baserelease 5
# This should be e.g. beta1 or %%nil
%global pre_release %nil
@ -48,7 +24,7 @@
%global krb5_version_major 1
%global krb5_version_minor 21
# For a release without a patch number set to %%nil
%global krb5_version_patch 1
%global krb5_version_patch 3
%global krb5_version_major_minor %{krb5_version_major}.%{krb5_version_minor}
%global krb5_version %{krb5_version_major_minor}
@ -68,7 +44,6 @@ Release: %{krb5_release}%{?dist}
Source0: https://web.mit.edu/kerberos/dist/krb5/%{krb5_version_major_minor}/krb5-%{krb5_version}%{?krb5_pre_release}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/%{krb5_version_major_minor}/krb5-%{krb5_version}%{?krb5_pre_release}.tar.gz.asc
# Numbering is a relic of old init systems etc. It's easiest to just leave.
Source2: kprop.service
Source3: kadmin.service
Source4: krb5kdc.service
@ -82,6 +57,7 @@ Source11: ksu.pamd
Source12: krb5kdc.logrotate
Source13: kadmind.logrotate
Source14: krb5-krb5kdc.conf
Source15: %{name}-tests
Patch0001: 0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch
Patch0002: 0002-downstream-ksu-pam-integration.patch
@ -97,20 +73,19 @@ Patch0011: 0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
Patch0012: 0012-downstream-Allow-to-set-PAC-ticket-signature-as-opti.patch
Patch0013: 0013-downstream-Make-PKINIT-CMS-SHA-1-signature-verificat.patch
Patch0014: 0014-Enable-PKINIT-if-at-least-one-group-is-available.patch
Patch0015: 0015-Fix-double-free-in-KDC-TGS-processing .patch
Patch0016: 0016-Eliminate-old-style-function-declaration s.patch
Patch0017: 0017-End-connection-on-KDC_ERR_SVC_UNAVAILABLE .patch
Patch0018: 0018-Add-request_timeout-configuration-parameter .patch
Patch0019: 0019-Wait-indefinitely-on-KDC-TCP-connections .patch
Patch0020: 0020-Avoid-strict-prototype-compiler-error s.patch
Patch0021: 0021-Fix-leak-in-KDC-NDR-encoding .patch
Patch0015: 0015-Eliminate-old-style-function-declarations .patch
Patch0016: 0016-Replace-ssl.wrap_socket-for-test s.patch
Patch0017: 0017-Fix-unimportant-memory-leaks .patch
Patch0018: 0018-End-connection-on-KDC_ERR_SVC_UNAVAILABLE .patch
Patch0019: 0019-Add-request_timeout-configuration-parameter .patch
Patch0020: 0020-Wait-indefinitely-on-KDC-TCP-connection s.patch
Patch0021: 0021-Remove-klist-s-defname-global-variable .patch
Patch0022: 0022-Fix-two-unlikely-memory-leaks.patch
Patch0023: 0023-Fix-vulnerabilities-in-GSS-message-token-handling.patch
Patch0024: 0024-Remove-PKINIT-RSA-support.patch
Patch0025: 0025-Fix-various-issues-detected-by-static-analysis.patch
Patch0026: 0026-Generate-and-verify-message-MACs-in-libkrad.patch
Patch0023: 0023-Remove-PKINIT-RSA-support.patch
Patch0024: 0024-Fix-various-issues-detected-by-static-analysis.patch
Patch0025: 0025-Generate-and-verify-message-MACs-in-libkrad.patch
License: MIT
License: Brian-Gladman-2-Clause AND BSD-2-Clause AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-first-lines AND BSD-3-Clause AND BSD-4-Clause AND CMU-Mach-nodoc AND FSFULLRWD AND HPND AND HPND-export2-US AND HPND-export-US AND HPND-export-US-acknowledgement AND HPND-export-US-modify AND ISC AND MIT AND MIT-CMU AND OLDAP-2.8 AND OpenVision
URL: https://web.mit.edu/kerberos/www/
BuildRequires: autoconf, bison, make, flex, gawk, gettext, pkgconfig, sed
BuildRequires: gcc, gcc-c++
@ -130,17 +105,18 @@ BuildRequires: perl-interpreter
# For autosetup
BuildRequires: git
%if 0%{?skipcheck}
%if 0%{?fedora} > 35 || 0%{?rhel} >= 9
# Need KDFs. This is the "real" version
BuildRequires: openssl-devel >= 1:3.0.0
%else
BuildRequires: dejagnu
BuildRequires: net-tools, rpcbind
BuildRequires: hostname
BuildRequires: iproute
BuildRequires: python3-pyrad
# Need KDFs. This is the backported version
BuildRequires: openssl-devel >= 1:1.1.1d-4
BuildRequires: openssl-devel < 1:3.0.0
%endif
# Need KDFs. This is the "real" version
BuildRequires: openssl-devel >= 1:3.0.0
# Enable compilation of optional tests
BuildRequires: resolv_wrapper
BuildRequires: libcmocka-devel
%description
Kerberos V5 is a trusted-third-party network authentication system,
@ -166,8 +142,13 @@ to install this package.
%package libs
Summary: The non-admin shared libraries used by Kerberos 5
%if 0%{?fedora} > 35 || 0%{?rhel} >= 9
Requires: openssl-libs >= 1:3.0.0
Requires: coreutils, gawk, grep, sed
%else
Requires: openssl-libs >= 1:1.1.1d-4
Requires: openssl-libs < 1:3.0.0
%endif
Requires: coreutils, gawk, sed
Requires: keyutils-libs >= 1.5.8
Requires: /etc/crypto-policies/back-ends/krb5.config
@ -185,8 +166,8 @@ Requires(preun): systemd-units
Requires(postun): systemd-units
# we drop files in its directory, but we don't want to own that directory
Requires: logrotate
# we specify /usr/share/dict/words as the default dict_file in kdc.conf
Requires: /usr/share/dict/ words
# we specify /usr/share/dict/words (provided by words) as the default dict_file in kdc.conf
Requires: words
# for run-time, and for parts of the test suite
BuildRequires: libverto-module-base
Requires: libverto-module-base
@ -246,6 +227,51 @@ Kerberos is a network authentication system. The libkadm5 package
contains only the libkadm5clnt and libkadm5serv shared objects. This
interface is not considered stable.
%package tests
Summary: Test sources for krb5 build
# Build dependencies
Requires: coreutils, gawk, sed
Requires: gcc-c++
Requires: gettext
Requires: libcom_err-devel
Requires: libselinux-devel
Requires: libss-devel
Requires: libverto-devel
Requires: lmdb-devel
Requires: openldap-devel
Requires: pam-devel
Requires: redhat-rpm-config
%if 0%{?fedora} > 35 || 0%{?rhel} >= 9
Requires: openssl-devel >= 1:3.0.0
%else
Requires: openssl-devel >= 1:1.1.1d-4
Requires: openssl-devel < 1:3.0.0
%endif
# Test dependencies
Requires: dejagnu
Requires: hostname
Requires: iproute
Requires: keyutils, keyutils-libs-devel >= 1.5.8
Requires: libcmocka-devel
Requires: libverto-module-base
Requires: logrotate
Requires: net-tools, rpcbind
Requires: perl-interpreter
Requires: procps-ng
Requires: python3-kdcproxy
Requires: resolv_wrapper
Requires: /etc/crypto-policies/back-ends/krb5.config
Requires: words
Recommends: python3-pyrad
Recommends: openldap-servers
Recommends: openldap-clients
%description tests
FOR TESTING PURPOSE ONLY
Test sources for krb5 build, with pre-defined compilation parameters
%prep
%autosetup -S git_am -n %{name}-%{version}%{?dashpre}
ln NOTICE LICENSE
@ -288,6 +314,7 @@ sed -i -e \
"s,params.kadmind_port = 61001;,params.kadmind_port = $((PORT + 1));," \
src/lib/kadm5/t_kadm5.c
%build
# Go ahead and supply tcl info, because configure doesn't know how to find it.
source %{_libdir}/tclConfig.sh
@ -355,17 +382,6 @@ sphinx-build -a -b man -t pathsubs doc build-man
sphinx-build -a -b html -t pathsubs doc build-html
rm -fr build-html/_sources
%if 0%{?skipcheck}
%else
%check
pushd src
# The build system may give us a revoked session keyring, so run affected
# tests with a new one.
keyctl session - make check OFFLINE=yes TMPDIR=%{_tmppath}
popd
%endif
%install
[ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- "$RPM_BUILD_ROOT"
@ -454,9 +470,10 @@ install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/authdata
# list of link flags, and it helps prevent file conflicts on multilib systems.
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{_bindir}/krb5-config
# Workaround for krb5-config reading too much from LDFLAGS.
# Workaround krb5-config reading too much from LDFLAGS.
# https://bugzilla.redhat.com/show_bug.cgi?id=1997021
sed -r -i -e "s/-specs=[^ ]*//g" $RPM_BUILD_ROOT%{_bindir}/krb5-config
# https://bugzilla.redhat.com/show_bug.cgi?id=2048909
sed -i -r -e 's/^(LDFLAGS=).*/\1/' $RPM_BUILD_ROOT%{_bindir}/krb5-config
# Install processed man pages.
for section in 1 5 8 ; do
@ -481,16 +498,43 @@ rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/services.append"
# This is only needed for tests
rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so"
# Generate tests launching script
sed -e 's/{{ name }}/%{name}/g' \
-e 's/{{ version }}/%{krb5_version}/g' \
-e 's/{{ release }}/%{krb5_release}/g' \
-e 's/{{ arch }}/%{_arch}/g' \
-i %{SOURCE15}
mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
install -pm 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/%{name}-tests-%{_arch}
# Copy source files from build folder to system data folder
install -pdm 755 $RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}
pushd src
cp -p --parents -t "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/" \
$(find . -type f -exec file -i "{}" + \
| sed -ne 's|^\./\([^:]\+\): \+text/.\+$|\1|p' | grep -Ev '~$')
popd
# Copy binary test files
install -pm 644 src/tests/pkinit-certs/*.p12 \
"$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/tests/pkinit-certs/"
install -pm 644 src/tests/au_dict.json \
"$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/tests/"
# Unset executable bit if no shebang in script
for f in $(find "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/" -type f -executable)
do
head -n1 "$f" | grep -Eq '^#!' || chmod a-x "$f"
done
# Remove broken shebang Perl scripts
rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/config/wconfig.pl"
rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/kadmin/kdbkeys/do-test.pl"
%find_lang %{gettext_domain}
%ldconfig_scriptlets libs
%triggerun libs -- krb5-libs < 1.15.1-5
if ! grep -q 'includedir /etc/krb5.conf.d' /etc/krb5.conf ; then
sed -i '1i # To opt out of the system crypto-policies configuration of krb5, remove the\n# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.\nincludedir /etc/krb5.conf.d/\n' /etc/krb5.conf
fi
exit 0
%ldconfig_scriptlets server-ldap
%post server
@ -672,166 +716,235 @@ exit 0
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
%files tests
%{_libexecdir}/%{name}-tests-%{_arch}
%{_datarootdir}/%{name}-tests/%{_arch}
%changelog
* Thu Oct 17 2024 Julien Rische <jrische@redhat.com> - 1.21.1-4
* Mon Nov 04 2024 Julien Rische <jrische@redhat.com> - 1.21.3-5
- Make test dependencies optional if not part of CentOS/RHEL 10
Resolves: RHEL-65724
* Wed Oct 30 2024 Julien Rische <jrische@redhat.com> - 1.21.3-4
- libkrad: implement support for Message-Authenticator (CVE-2024-3596)
Resolves: RHEL-55423
Resolves: RHEL-55427
- Fix various issues detected by static analysis
Resolves: RHEL-58216
Resolves: RHEL-4 5165
- Remove RSA protocol for PKINIT
Resolves: RHEL-15323
Resolves: RHEL-56070
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.21.3-3
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 1.21.3-2
- Rebuilt for MSVSphere 10
* Fri Jul 05 2024 Julien Rische <jrische@redhat.com> - 1.21.1-3
* Fri Jul 12 2024 Julien Rische <jrische@redhat.com> - 1.21.3-2
- Do not include files with "~" termination in krb5-tests
Resolves: RHEL-45995
* Fri Jul 12 2024 Julien Rische <jrische@redhat.com> - 1.21.3-1
- New upstream version (1.21.3)
- CVE-2024-37370 CVE-2024-37371
Fix vulnerabilities in GSS message token handling
Resolves: RHEL-45402 RHEL-45392
* Wed Mar 20 2024 Julien Rische <jrische@redhat.com> - 1.21.1-2
Resolves: RHEL-45387 RHEL-45378
- Fix memory leak in GSSAPI interface
Resolves: RHEL-27251
Resolves: RHEL-47284
- Fix memory leak in PMAP RPC interface
Resolves: RHEL-27245
Resolves: RHEL-47287
- Fix memory leak in failing UTF-8 to UTF-16 re-encoding for PAC
Resolves: RHEL-27253
Resolves: RHEL-47285
- Make TCP waiting time configurable
Resolves: RHEL-17132
Resolves: RHEL-47278
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.21.2-7
- Bump release for June 2024 mass rebuild
* Wed Jun 19 2024 Julien Rische <jrische@redhat.com> - 1.21.2-6
- Add missing SPDX license identifiers
Resolves: RHEL-44383
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.21.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.21.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Jan 17 2024 Julien Rische <jrische@redhat.com> - 1.21.2-3
- Fix double free in klist's show_ccache()
Resolves: rhbz#2257301
- Store krb5-tests files in architecture-specific directories
Resolves: rhbz#2244601
* Tue Oct 10 2023 Julien Rische <jrische@redhat.com> - 1.21.2-2
- Use SPDX expression for license tag
- Fix unimportant memory leaks
Resolves: rhbz#2223274
* Tue Aug 08 2023 Julien Rische <jrische@redhat.com> - 1.21.1-1
- New upstream version (1.21.1)
* Wed Aug 16 2023 Julien Rische <jrische@redhat.com> - 1.21.2 -1
- New upstream version (1.21.2 )
- Fix double-free in KDC TGS processing (CVE-2023-39975)
- Add support for "pac_privsvr_enctype" KDB string attribute
Resolves: rhbz#2060421
Resolves: rhbz#2229113
- Make tests compatible with Python 3.12
Resolves: rhbz#2224013
* Thu Jun 08 2023 Julien Rische <jrische@redhat.com> - 1.20.1-9
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.21-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jun 29 2023 Marek Blaha <mblaha@redhat.com> - 1.21-2
- Replace file dependency with package name
Resolves: rhbz#2216903
* Mon Jun 12 2023 Julien Rische <jrische@redhat.com> - 1.21-1
- New upstream version (1.21)
- Do not disable PKINIT if some of the well-known DH groups are unavailable
Resolves: rhbz#2187722
Resolves: rhbz#2214 297
- Make PKINIT CMS SHA-1 signature verification available in FIPS mode
Resolves: rhbz#2155607
Resolves: rhbz#2214300
- Allow to set PAC ticket signature as optional
Resolves: rhbz#2178298
* Wed Feb 22 2023 Julien Rische <jrische@redhat.com> - 1.20.1-8
- Fix datetime parsing in kadmin on s390x
Resolves: rhbz#2169985
* Tue Feb 14 2023 Julien Rische <jrische@redhat.com> - 1.20.1-7
- Fix double free on kdb5_util key creation failure
Resolves: rhbz#2166603
Resolves: rhbz#2181311
- Add support for MS-PAC extended KDC signature (CVE-2022-37967)
Resolves: rhbz#2166001
- Fix syntax error in aclocal.m4
Resolves: rhbz#2143306
* Tue Jan 31 2023 Julien Rische <jrische@redhat.com> - 1.20.1-6
* Tue Jan 31 2023 Julien Rische <jrische@redhat.com> - 1.20.1-9
- Add support for MS-PAC extended KDC signature (CVE-2022-37967)
Resolves: rhbz#2165827
Resolves: rhbz#2166001
* Thu Jan 19 2023 Julien Rische <jrische@redhat.com> - 1.20.1-5
* Mon Jan 30 2023 Julien Rische <jrische@redhat.com> - 1.20.1-8
- Bypass FIPS restrictions to use KRB5KDF in case AES SHA-1 HMAC is enabled
- Lazily load MD4/5 from OpenSSL if using RADIUS or RC4 enctype in FIPS mode
Resolves: rhbz#2162461
* Thu Jan 12 2023 Julien Rische <jrische@redhat.com> - 1.20.1-4
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.20.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Jan 18 2023 Julien Rische <jrische@redhat.com> - 1.20.1-6
- Set aes256-cts-hmac-sha384-192 as EXAMLE.COM master key in kdc.conf
- Add AES SHA-2 HMAC family as EXAMPLE.COM supported etypes in kdc.conf
Resolves: rhbz#2068535
Resolves: rhbz#2114771
* Tue Jan 10 2023 Julien Rische <jrische@redhat.com> - 1.20.1-2
* Mon Jan 09 2023 Julien Rische <jrische@redhat.com> - 1.20.1-5
- Strip debugging data from ksu executable file
Resolves: rhbz#2159643
* Wed Dec 07 2022 Julien Rische <jrische@redhat.com> - 1.20.1-1
- Make tests compatible with sssd-client
Resolves: rhbz#2151513
- Remove invalid password expiry warning
Resolves: rhbz#2121099
- Update error checking for OpenSSL CMS_verify
Resolves: rhbz#2063838
- New upstream version (1.20.1)
Resolves: rhbz#2016312
- Fix integer overflows in PAC parsing (CVE-2022-42898)
Resolves: rhbz#2140971
* Thu Jan 05 2023 Julien Rische <jrische@redhat.com> - 1.20.1-4
- Include missing OpenSSL FIPS header
- Make tests compatible with sssd_krb5_locator_plugin.so
* Tue Dec 06 2022 Julien Rische <jrische@redhat.com> - 1.20.1-3
- Enable TMT integration with Fedora CI
* Tue Oct 18 2022 Julien Rische <jrische@redhat.com> - 1.19.1-23
- Fix kprop for propagating dump files larger than 4GB
Resolves: rhbz#2133014
* Thu Dec 1 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.20.1-2
- Bump KDB ABI version provide to 9.0
* Fri Jul 08 2022 Julien Rische <jrische@redhat.com> - 1.19.1-22
* Wed Nov 23 2022 Julien Rische <jrische@redhat.com> - 1.20.1-1
- New upstream version (1.20.1)
Resolves: rhbz#2124463
- Restore "supportedCMSTypes" attribute in PKINIT preauth requests
- Set SHA-512 or SHA-256 with RSA as preferred CMS signature algorithms
Resolves: rhbz#2068935
Resolves: rhbz#2114766
- Update error checking for OpenSSL CMS_verify
Resolves: rhbz#2119704
- Remove invalid password expiry warning
Resolves: rhbz#2129113
* Thu Jun 23 2022 Julien Rische <jrische@redhat.com> - 1.19.1-21
- Fix libkrad client cleanup
- Allow use of larger RADIUS attributes in krad library
Resolves: rhbz#2100351
* Wed Nov 09 2022 Julien Rische <jrische@redhat.com> - 1.19.2-13
- Fix integer overflows in PAC parsing (CVE-2022-42898)
Resolves: rhbz#2143011
* Thu May 12 2022 Julien Rische <jrische@redhat.com> - 1.19.1-20
- Fix OpenSSL 3 MD5 encyption in FIPS mode
* Tue Aug 02 2022 Andreas Schneider <asn@redhat.com> - 1.19.2-12
- Use baserelease to set the release number
- Do not define netlib, but use autoconf detection for res_* functions
- Add missing BR for resolv_wrapper to run t_discover_uri.py
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.19.2-11.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jun 15 2022 Julien Rische <jrische@redhat.com> - 1.19.2-11
- Allow libkrad UDP/TCP connection to localhost in FIPS mode
Resolves: rhbz#2068458
Resolves: rhbz#2082189
- Read GSS configuration files with mtime 0
* Mon May 02 2022 Julien Rische <jrische@redhat.com> - 1.19.1-19
* Mon May 2 2022 Julien Rische <jrische@redhat.com> - 1.19.2-10
- Use p11-kit as default PKCS11 module
Resolves: rhbz#2030981
* Tue Apr 26 2022 Julien Rische <jrische@redhat.com> - 1.19.1-18
Resolves: rhbz#2073274
- Try harder to avoid password change replay errors
Resolves: rhbz#2075186
Resolves: rhbz#2072059
* Tue Apr 05 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.19.2-9
- Fix libkrad client cleanup
- Fixes rhbz#2072059
* Mon Mar 14 2022 Julien Rische <jrische@redhat.com> - 1.19.1-15
* Tue Apr 05 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.19.2-8
- Allow use of larger RADIUS attributes in krad library
* Wed Mar 23 2022 Julien Rische <jrische@redhat.com> - 1.19.2-7
- Use SHA-256 instead of SHA-1 for PKINIT CMS digest
* Thu Feb 24 2022 Julien Rische <jrische@redhat.com> - 1.19.1-14
- Bypass FIPS restrictions to use KRB5KDF in case AES SHA-1 HMAC is enabled
- Lazily load MD4/5 from OpenSSL if using RADIUS or RC4 enctype in FIPS mode
* Tue Feb 8 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.19.2-6
- Drop old trigger scriplet
- Reenable package notes and strip LDFLAGS from krb5-config (rhbz#2048909)
* Wed Feb 02 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.19.2-5
- Temporarily remove package note to unblock krb5-dependent packages
Resolves: rhbz#2048909
* Fri Dec 17 2021 Antonio Torres <antorres@redhat.com> - 1.19.1-13
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.19.2-4.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Dec 3 2021 Antonio Torres <antorres@redhat.com> - 1.19.2-4
- Add patches to support OpenSLL 3.0.0
- Remove TCL-based libkadm5 API tests
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.19.2-3.1
- Rebuilt with OpenSSL 3.0.0
* Tue Aug 24 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.2-3
- Remove -specs= from krb5-config output
- Resolves rhbz#1997021
* Wed Oct 20 2021 Antonio Torres <antorres@redhat.com> - 1.19.1-12
* Thu Aug 19 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.2- 2
- Fix KDC null deref on TGS inner body null server (CVE-2021-37750)
Resolves: rhbz#1997602
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.19.1-11.1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Jul 26 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.2-1
- New upstream version (1.19.2)
* Tue Jul 20 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-11
* Wed Jul 21 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-15
- Fix defcred leak in krb5 gss_inquire_cred()
* Mon Jul 12 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-14
- Fix KDC null deref on bad encrypted challenge (CVE-2021-36222)
Resolves: rhbz#1983733
* Wed Jul 14 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-10
- Update OpenSSL 3 provider handling to clean up properly
Resolves: rhbz#1955873
* Thu Jul 01 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-13
- Fix use-after-free during krad remote_shutdown()
* Mon Jun 28 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-12
- MEMORY locking fix and static analysis pullup
* Mon Jun 21 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-9
- Sync openssl3 patches with upstream
Resolves: rhbz#1955873
* Mon Jun 21 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-11
- Add the backward-compatible parts of openssl3 support
* Thu Jun 17 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-8
- Rebuild for rpminspect and mass rebuild cleanup; no code changes
Resolves: rhbz#1967505
* Wed Jun 09 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-10
- Fix three canonicalization cases for fallback
* Thu Jun 17 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-7
- Fix several fallback canonicalization problems
Resolves: rhbz#1967505
* Wed Jun 02 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-9
- Fix doc build for Sphinx 4.0
* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.19.1-6.1
- Rebuilt for RHEL 9 BETA for openssl 3.0
Resolves: rhbz#1971065
* Thu May 20 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-8
- Add all the sssd-kcm workarounds
* Thu Jun 10 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-6
- Backport KCM retrieval fixes
Resolves: rhbz#1956403
* Thu May 20 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-7
- Fix context for previous backport
* Thu May 20 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-5
- Fix DES3 mention in KDFs
Resolves: rhbz#1955873
* Thu May 20 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-6
- Add KCM_OP_GET_CRED_LIST and KCM_OP_RETRIEVE support
* Wed May 19 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-4
- Port to OpenSSL 3 (alpha 15)
Resolves: rhbz#1955873
* Tue May 04 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-5
- Suppress static analyzer warning in FIPS override
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.19.1-3.1
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.19.1-3.1
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Mon Mar 01 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-3
- Further test dependency fixes; no code changes
@ -1799,8 +1912,8 @@ exit 0
* Thu Jun 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-5
- Remove Zanata test glue and related workarounds
- Bug rhbz#1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind")
- Bug rhbz#1234326 ("krb5-server introduces new rpm dependency on ksh")
- rhbz#1234292 ("IPA server cannot be run in container due to incorrect /usr/sbin/_kadmind")
- rhbz#1234326 ("krb5-server introduces new rpm dependency on ksh")
* Thu Jun 18 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-4
- Fix dependicy on binfmt.service
@ -1809,12 +1922,12 @@ exit 0
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Jun 2 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-2
- Add patch to fix Redhat Bug rhbz#1227542 ("[SELinux] AVC denials may appear
- Add patch to fix Redhat rhbz#1227542 ("[SELinux] AVC denials may appear
when kadmind starts"). The issue was caused by an unneeded |htons()|
which triggered SELinux AVC denials due to the "random" port usage.
* Thu May 21 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-1
- Add fix for RedHat Bug rhbz#1164304 ("Upstream unit tests loads
- Add fix for RedHat rhbz#1164304 ("Upstream unit tests loads
the installed shared libraries instead the ones from the build")
* Thu May 14 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-0
@ -1835,7 +1948,7 @@ exit 0
dictionary attack against the user's password.
* Wed Mar 25 2015 Roland Mainz <rmainz@redhat.com> - 1.13.1-3
- Add temporay workaround for RH bug rhbz#1204646 ("krb5-config
- Add temporay workaround for RH rhbz#1204646 ("krb5-config
returns wrong -specs path") which modifies krb5-config post
build so that development of krb5 dependicies gets unstuck.
This MUST be removed before rawhide becomes F23 ...
@ -1994,7 +2107,7 @@ exit 0
* Tue Jan 21 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-2
- pull in multiple changes to allow replay caches to be added to a GSS
credential store as "rcache"-type credentials (RT#7818/#7819/#7836,
credential store as "rcache"-type credentials (RT#7818/rhbz #7819/rhbz #7836,
rhbz#1056078/rhbz#1056080)
* Fri Jan 17 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-1
@ -2397,9 +2510,9 @@ exit 0
* Thu Nov 15 2012 Nalin Dahyabhai <nalin@redhat.com>
- update to 1.11 alpha 1
- drop backported patch for RT #7406
- drop backported patch for RT #7407
- drop backported patch for RT #7408
- drop backported patch for RT rhbz #7406
- drop backported patch for RT rhbz #7407
- drop backported patch for RT rhbz #7408
- the new docs system generates PDFs, so stop including them as sources
- drop backported patch to allow deltat.y to build with the usual
warning flags and the current gcc
@ -2589,7 +2702,7 @@ exit 0
should be able to run inside of the build system without issue
* Wed Oct 26 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.9.1-19
- Rebuilt for glibc bug rhbz#747377
- Rebuilt for glibc rhbz#747377
* Tue Oct 18 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-18
- apply upstream patch to fix a null pointer dereference with the LDAP kdb
@ -2782,7 +2895,7 @@ exit 0
k5login_directory settings for krb5.conf (rhbz#539423)
* Wed Sep 29 2010 jkeating - 1.8.3-5
- Rebuilt for gcc bug 634757
- Rebuilt for gcc rhbz# 634757
* Wed Sep 15 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.3-4
- fix reading of keyUsage extensions when attempting to select pkinit client
@ -2802,20 +2915,20 @@ exit 0
- update to 1.8.3
- drop backports of fixes for gss context expiration and error table
registration/deregistration mismatch
- drop patch for upstream #6750
- drop patch for upstream rhbz #6750
* Wed Jul 7 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.2-3
- tell krb5kdc and kadmind to create pid files, since they can
- add logrotate configuration files for krb5kdc and kadmind (rhbz#462658)
- fix parsing of the pidfile option in the KDC (upstream #6750)
- fix parsing of the pidfile option in the KDC (upstream rhbz #6750)
* Mon Jun 21 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.2-2
- libgssapi: pull in patch from svn to stop returning context-expired errors
when the ticket which was used to set up the context expires (rhbz#605366,
upstream #6739)
upstream rhbz #6739)
* Mon Jun 21 2010 Nalin Dahyabhai <nalin@redhat.com>
- pull up fix for upstream #6745, in which the gssapi library would add the
- pull up fix for upstream rhbz #6745, in which the gssapi library would add the
wrong error table but subsequently attempt to unload the right one
* Thu Jun 10 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.2-1
@ -3407,7 +3520,7 @@ exit 0
* Mon Jan 22 2007 Nalin Dahyabhai <nalin@redhat.com>
- initial update to 1.6, pre-package-reorg
- move workstation daemons to a new subpackage (#81836, rhbz#216356, rhbz#217301), and
- move workstation daemons to a new subpackage (rhbz #81836, rhbz#216356, rhbz#217301), and
make the new subpackage require xinetd (rhbz#211885)
* Mon Jan 22 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.5-18
@ -3441,7 +3554,7 @@ exit 0
* Wed Oct 18 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.5-10
- rename krb5.sh and krb5.csh so that they don't overlap (rhbz#210623)
- way-late application of added error info in kadmind.init (#65853)
- way-late application of added error info in kadmind.init (rhbz #65853)
* Wed Oct 18 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.5-9.pal_18695
- add backport of in-development preauth module interface (rhbz#208643)
@ -3543,7 +3656,7 @@ exit 0
* Wed Aug 31 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.2-2
- change the default configured encryption type for KDC databases to the
compiled-in default of des3-hmac-sha1 (#57847)
compiled-in default of des3-hmac-sha1 (rhbz #57847)
* Thu Aug 11 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.2-1
- update to 1.4.2, incorporating the fixes for MIT-KRB5-SA-2005-002 and
@ -4105,7 +4218,7 @@ exit 0
* Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com>
- use %%{_infodir} to better comply with FHS
- move .so files to -devel subpackage
- tweak xinetd config files (bugs #11833, #11835, #11836, #11840)
- tweak xinetd config files (bugs rhbz #11833, rhbz #11835, rhbz #11836, rhbz #11840)
- fix package descriptions again
* Wed May 24 2000 Nalin Dahyabhai <nalin@redhat.com>
@ -4142,7 +4255,7 @@ exit 0
- fix configure stuff for ia64
* Mon Apr 10 2000 Nalin Dahyabhai <nalin@redhat.com>
- add LDCOMBINE=-lc to configure invocation to use libc versioning (bug #10653)
- add LDCOMBINE=-lc to configure invocation to use libc versioning (rhbz #10653)
- change Requires: for/in subpackages to include %%{version}
* Wed Apr 05 2000 Nalin Dahyabhai <nalin@redhat.com>
