Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

krb5-1.21.2-1.1 RPM for s390x

From OpenSuSE Ports Tumbleweed for s390x

Name: krb5 Distribution: openSUSE:Factory:zSystems
Version: 1.21.2 Vendor: openSUSE
Release: 1.1 Build date: Fri Dec 22 00:25:14 2023
Group: Unspecified Build host: s390zl26
Size: 2394626 Source RPM: krb5-1.21.2-1.1.src.rpm
Summary: MIT Kerberos5 implementation
Kerberos V5 is a trusted-third-party network authentication system,
which can improve network security by eliminating the insecure
practice of clear text passwords.






* Wed Dec 20 2023 Dirk Müller <>
  - update to 1.21.2 (bsc#1218211, CVE-2023-39975):
    * Fix double-free in KDC TGS processing [CVE-2023-39975].
* Sat Jul 15 2023 Dirk Müller <>
  - update to 1.21.1 (CVE-2023-36054):
    * Fix potential uninitialized pointer free in kadm5 XDR parsing
    * Added a credential cache type providing compatibility with
      the macOS 11 native credential cache.
    * libkadm5 will use the provided krb5_context object to read
      configuration values, instead of creating its own.
    * Added an interface to retrieve the ticket session key
      from a GSS context.
    * The KDC will no longer issue tickets with RC4 or triple-DES
      session keys unless explicitly configured with the new
      allow_rc4 or allow_des3 variables respectively.
    * The KDC will assume that all services can handle aes256-sha1
      session keys unless the service principal has a
      session_enctypes string attribute.
    * Support for PAC full KDC checksums has been added to
      mitigate an S4U2Proxy privilege escalation attack.
    * The PKINIT client will advertise a more modern set
      of supported CMS algorithms.
    * Removed unused code in libkrb5, libkrb5support,
      and the PKINIT module.
    * Modernized the KDC code for processing TGS requests,
      the code for encrypting and decrypting key data,
      the PAC handling code, and the GSS library packet
      parsing and composition code.
    * Improved the test framework's detection of memory
      errors in daemon processes when used with asan.
* Thu May 04 2023 Frederic Crozat <>
  - Add _multibuild to define additional spec files as additional
    Eliminates the need for source package links in OBS.
* Fri Mar 03 2023 Samuel Cabrero <>
  - Update 0007-SELinux-integration.patch for SELinux 3.5;
* Tue Dec 27 2022 Stefan Schubert <>
  - Migration of PAM settings to /usr/lib/pam.d
* Tue Dec 13 2022 Samuel Cabrero <>
  - Drop 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch,
    already fixed in release 1.20.0
* Wed Nov 16 2022 Samuel Cabrero <>
  - Update to 1.20.1; (bsc#1205126); (CVE-2022-42898);
    * Fix integer overflows in PAC parsing [CVE-2022-42898].
    * Fix null deref in KDC when decoding invalid NDR.
    * Fix memory leak in OTP kdcpreauth module.
    * Fix PKCS11 module path search.
* Sun May 29 2022 Dirk Müller <>
  - update to 1.20.0:
    * Added a "disable_pac" realm relation to suppress adding PAC authdata
      to tickets, for realms which do not need to support S4U requests.
    * Most credential cache types will use atomic replacement when a cache
      is reinitialized using kinit or refreshed from the client keytab.
    * kprop can now propagate databases with a dump size larger than 4GB,
      if both the client and server are upgraded.
    * kprop can now work over NATs that change the destination IP address,
      if the client is upgraded.
    * Updated the KDB interface.  The sign_authdata() method is replaced
      with the issue_pac() method, allowing KDB modules to add logon info
      and other buffers to the PAC issued by the KDC.
    * Host-based initiator names are better supported in the GSS krb5
    * Replaced AD-SIGNEDPATH authdata with minimal PACs.
    * To avoid spurious replay errors, password change requests will not
      be attempted over UDP until the attempt over TCP fails.
    * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
    * Updated all code using OpenSSL to be compatible with OpenSSL 3.
    * Reorganized the libk5crypto build system to allow the OpenSSL
      back-end to pull in material from the builtin back-end depending on
      the OpenSSL version.
    * Simplified the PRNG logic to always use the platform PRNG.
    * Converted the remaining Tcl tests to Python.
* Sat Apr 09 2022 Dirk Müller <>
  - update to 1.19.3 (bsc#1189929, CVE-2021-37750):
    * Fix a denial of service attack against the KDC [CVE-2021-37750].
    * Fix KDC null deref on TGS inner body null server
    * Fix conformance issue in GSSAPI tests
* Thu Jan 27 2022 David Mulder <>
  - Resolve "Credential cache directory /run/user/0/krb5cc does not
    exist while opening default credentials cache" by using a kernel
    keyring instead of a dir cache; (bsc#1109830);
* Thu Sep 30 2021 Johannes Segitz <>
  - Added hardening to systemd services; (bsc#1181400);
* Mon Aug 30 2021 Samuel Cabrero <>
  - Fix KDC null pointer dereference via a FAST inner body that
    lacks a server field; (CVE-2021-37750); (bsc#1189929);
  - Added patches:
    * 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
* Mon Aug 02 2021 Samuel Cabrero <>
  - Update to 1.19.2
    * Fix a denial of service attack against the KDC encrypted challenge
      code; (CVE-2021-36222);
    * Fix a memory leak when gss_inquire_cred() is called without a
      credential handle.
* Mon May 03 2021 Rodrigo Lourenço <>
  - Build with full Cyrus SASL support
    * Negotiating SASL credentials with an EXTERNAL bind mechanism requires
      interaction. Kerberos provides its own interaction function that skips
      all interaction, thus preventing the mechanism from working.
* Thu Apr 22 2021 Samuel Cabrero <>
  - Use /run instead of /var/run for daemon PID files; (bsc#1185163);
* Wed Apr 07 2021 Dirk Müller <>
  - do not own %sbindir, it comes from filesystem package
* Fri Feb 19 2021 Samuel Cabrero <>
  - Update to 1.19.1
    * Fix a linking issue with Samba.
    * Better support multiple pkinit_identities values by checking whether
      certificates can be loaded for each value.
* Fri Feb 05 2021 Samuel Cabrero <>
  - Update to 1.19
    Administrator experience
    * When a client keytab is present, the GSSAPI krb5 mech will refresh
      credentials even if the current credentials were acquired manually.
    * It is now harder to accidentally delete the K/M entry from a KDB.
    Developer experience
    * gss_acquire_cred_from() now supports the "password" and "verify"
      options, allowing credentials to be acquired via password and
      verified using a keytab key.
    * When an application accepts a GSS security context, the new
      GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
      both provided matching channel bindings.
    * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
      to identify the desired client principal by certificate.
    * PKINIT certauth modules can now cause the hw-authent flag to be set
      in issued tickets.
    * The krb5_init_creds_step() API will now issue the same password
      expiration warnings as krb5_get_init_creds_password().
    Protocol evolution
    * Added client and KDC support for Microsoft's Resource-Based Constrained
      Delegation, which allows cross-realm S4U2Proxy requests. A third-party
      database module is required for KDC support.
    * kadmin/admin is now the preferred server principal name for kadmin
      connections, and the host-based form is no longer created by default.
      The client will still try the host-based form as a fallback.
    * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
      extension, which causes channel bindings to be required for the
      initiator if the acceptor provided them. The client will send this
      option if the client_aware_gss_bindings profile option is set.
    User experience
    * kinit will now issue a warning if the des3-cbc-sha1 encryption type is
      used in the reply. This encryption type will be deprecated and removed
      in future releases.
    * Added kvno flags --out-cache, --no-store, and --cached-only
      (inspired by Heimdal's kgetcred).
* Thu Nov 19 2020 Samuel Cabrero <>
  - Update to 1.18.3
    * Fix a denial of service vulnerability when decoding Kerberos
      protocol messages; (CVE-2020-28196); (bsc#1178512);
    * Fix a locking issue with the LMDB KDB module which could cause
      KDC and kadmind processes to lose access to the database.
    * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
      and unloaded while libkrb5support remains loaded.
* Tue Jul 07 2020 Andreas Schwab <>
  - Don't fail if %{_lto_cflags} is empty
* Fri Jun 12 2020 Dominique Leuenberger <>
  - Do not mangle libexecdir, bindir, sbindir and datadir: there is
    no reasonable justification to step out of the defaults.
    + No longer install csh/sh profiles into /etc/profiles.d: as we
      not install to default paths, there is no need to further
      inject paths into $PATH; also, now sbin binaries are only in
      path for admin users.
* Fri May 29 2020 Samuel Cabrero <>
  - Update to 1.18.2
    * Fix a SPNEGO regression where an acceptor using the default credential
      would improperly filter mechanisms, causing a negotiation failure.
    * Fix a bug where the KDC would fail to issue tickets if the local krbtgt
      principal's first key has a single-DES enctype.
    * Add stub functions to allow old versions of OpenSSL libcrypto to link
      against libkrb5.
    * Fix a NegoEx bug where the client name and delegated credential might
      not be reported.
* Thu May 28 2020 Samuel Cabrero <>
  - Update logrotate script, call systemd to reload the services
    instead of init-scripts. (boo#1169357)
* Tue May 26 2020 Christophe Giboudeaux <>
  - Don't add the lto flags to the public link options. (boo#1172038)
* Mon May 04 2020 Samuel Cabrero <>
  - Upgrade to 1.18.1
    * Fix a crash when qualifying short hostnames when the system has
      no primary DNS domain.
    * Fix a regression when an application imports "service@" as a GSS
      host-based name for its acceptor credential handle.
    * Fix KDC enforcement of auth indicators when they are modified by
      the KDB module.
    * Fix removal of require_auth string attributes when the LDAP KDB
      module is used.
    * Fix a compile error when building with musl libc on Linux.
    * Fix a compile error when building with gcc 4.x.
    * Change the KDC constrained delegation precedence order for consistency
      with Windows KDCs.
  - Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch
* Wed Apr 29 2020 Dominique Leuenberger <>
  - Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d
    notation: libexecdir is likely changing away from /usr/lib to
* Wed Mar 25 2020 Samuel Cabrero <>
  - Fix segfault in k5_primary_domain; (bsc#1167620);
  - Added patches:
    * 0009-Fix-null-dereference-qualifying-short-hostnames.patch
* Tue Feb 25 2020 Tomáš Chvátal <>
  - Remove cruft to support distributions older than SLE 12
  - Use macros where applicable
  - Switch to pkgconfig style dependencies
* Mon Feb 17 2020 Samuel Cabrero <>
  - Upgrade to 1.18
    Administrator experience:
    * Remove support for single-DES encryption types.
    * Change the replay cache format to be more efficient and robust.
      Replay cache filenames using the new format end with ".rcache2"
      by default.
    * setuid programs will automatically ignore environment variables
      that normally affect krb5 API functions, even if the caller does
      not use krb5_init_secure_context().
    * Add an "enforce_ok_as_delegate" krb5.conf relation to disable
      credential forwarding during GSSAPI authentication unless the KDC
      sets the ok-as-delegate bit in the service ticket.
    * Use the permitted_enctypes krb5.conf setting as the default value
      for default_tkt_enctypes and default_tgs_enctypes.
    Developer experience:
    * Implement krb5_cc_remove_cred() for all credential cache types.
    * Add the krb5_pac_get_client_info() API to get the client account
      name from a PAC.
    Protocol evolution:
    * Add KDC support for S4U2Self requests where the user is identified
      by X.509 certificate. (Requires support for certificate lookup from
      a third-party KDB module.)
    * Remove support for an old ("draft 9") variant of PKINIT.
    * Add support for Microsoft NegoEx. (Requires one or more third-party
      GSS modules implementing NegoEx mechanisms.)
    User experience:
    * Add support for "dns_canonicalize_hostname=fallback", causing
      host-based principal names to be tried first without DNS
      canonicalization, and again with DNS canonicalization if the
      un-canonicalized server is not found.
    * Expand single-component hostnames in host-based principal names
      when DNS canonicalization is not used, adding the system's first DNS
      search path as a suffix. Add a "qualify_shortname" krb5.conf relation
      to override this suffix or disable expansion.
    * Honor the transited-policy-checked ticket flag on application servers,
      eliminating the requirement to configure capaths on servers in some
    Code quality:
    * The libkrb5 serialization code (used to export and import krb5 GSS
      security contexts) has been simplified and made type-safe.
    * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
      messages has been revised to conform to current coding practices.
    * The test suite has been modified to work with macOS System Integrity
      Protection enabled.
    * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
      can always be tested.
  - Updated patches:
    * 0002-krb5-1.9-manpaths.patch
    * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
    * 0005-krb5-1.6.3-ktutil-manpage.patch
    * 0006-krb5-1.12-api.patch
  - Renamed patches:
    * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
    * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
    * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
    * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
  - Deleted patches:
    * 0007-krb5-1.12-ksu-path.patch



Generated by rpm2html 1.8.1

Fabrice Bellet, Sat Mar 9 12:50:11 2024