Name: krb5-devel | Distribution: openSUSE:Factory:zSystems |
Version: 1.21.2 | Vendor: openSUSE |
Release: 1.1 | Build date: Fri Dec 22 00:25:14 2023 |
Group: Unspecified | Build host: s390zl26 |
Size: 724438 | Source RPM: krb5-1.21.2-1.1.src.rpm |
Packager: https://bugs.opensuse.org | |
Url: https://kerberos.org/dist/ | |
Summary: Development files for MIT Kerberos5 |
Kerberos V5 is a trusted-third-party network authentication system, which can improve network security by eliminating the insecure practice of cleartext passwords. This package includes libraries and include files for development.
MIT
* Wed Dec 20 2023 Dirk Müller <dmueller@suse.com>
- update to 1.21.2 (bsc#1218211, CVE-2023-39975):
  * Fix double-free in KDC TGS processing [CVE-2023-39975].
* Sat Jul 15 2023 Dirk Müller <dmueller@suse.com>
- update to 1.21.1 (CVE-2023-36054):
  * Fix potential uninitialized pointer free in kadm5 XDR parsing [CVE-2023-36054].
  * Added a credential cache type providing compatibility with the macOS 11 native credential cache.
  * libkadm5 will use the provided krb5_context object to read configuration values, instead of creating its own.
  * Added an interface to retrieve the ticket session key from a GSS context.
  * The KDC will no longer issue tickets with RC4 or triple-DES session keys unless explicitly configured with the new allow_rc4 or allow_des3 variables respectively.
  * The KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes string attribute.
  * Support for PAC full KDC checksums has been added to mitigate an S4U2Proxy privilege escalation attack.
  * The PKINIT client will advertise a more modern set of supported CMS algorithms.
  * Removed unused code in libkrb5, libkrb5support, and the PKINIT module.
  * Modernized the KDC code for processing TGS requests, the code for encrypting and decrypting key data, the PAC handling code, and the GSS library packet parsing and composition code.
  * Improved the test framework's detection of memory errors in daemon processes when used with asan.
* Thu May 04 2023 Frederic Crozat <fcrozat@suse.com>
- Add _multibuild to define additional spec files as additional flavors. Eliminates the need for source package links in OBS.
* Fri Mar 03 2023 Samuel Cabrero <scabrero@suse.de>
- Update 0007-SELinux-integration.patch for SELinux 3.5; (bsc#1208887);
* Tue Dec 27 2022 Stefan Schubert <schubi@suse.com>
- Migration of PAM settings to /usr/lib/pam.d
* Tue Dec 13 2022 Samuel Cabrero <scabrero@suse.de>
- Drop 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch, already fixed in release 1.20.0
* Wed Nov 16 2022 Samuel Cabrero <scabrero@suse.de>
- Update to 1.20.1; (bsc#1205126); (CVE-2022-42898);
  * Fix integer overflows in PAC parsing [CVE-2022-42898].
  * Fix null deref in KDC when decoding invalid NDR.
  * Fix memory leak in OTP kdcpreauth module.
  * Fix PKCS11 module path search.
* Sun May 29 2022 Dirk Müller <dmueller@suse.com>
- update to 1.20.0:
  * Added a "disable_pac" realm relation to suppress adding PAC authdata to tickets, for realms which do not need to support S4U requests.
  * Most credential cache types will use atomic replacement when a cache is reinitialized using kinit or refreshed from the client keytab.
  * kprop can now propagate databases with a dump size larger than 4GB, if both the client and server are upgraded.
  * kprop can now work over NATs that change the destination IP address, if the client is upgraded.
  * Updated the KDB interface. The sign_authdata() method is replaced with the issue_pac() method, allowing KDB modules to add logon info and other buffers to the PAC issued by the KDC.
  * Host-based initiator names are better supported in the GSS krb5 mechanism.
  * Replaced AD-SIGNEDPATH authdata with minimal PACs.
  * To avoid spurious replay errors, password change requests will not be attempted over UDP until the attempt over TCP fails.
  * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.
  * Updated all code using OpenSSL to be compatible with OpenSSL 3.
  * Reorganized the libk5crypto build system to allow the OpenSSL back-end to pull in material from the builtin back-end depending on the OpenSSL version.
  * Simplified the PRNG logic to always use the platform PRNG.
  * Converted the remaining Tcl tests to Python.
* Sat Apr 09 2022 Dirk Müller <dmueller@suse.com>
- update to 1.19.3 (bsc#1189929, CVE-2021-37750):
  * Fix a denial of service attack against the KDC [CVE-2021-37750].
  * Fix KDC null deref on TGS inner body null server
  * Fix conformance issue in GSSAPI tests
* Thu Jan 27 2022 David Mulder <dmulder@suse.com>
- Resolve "Credential cache directory /run/user/0/krb5cc does not exist while opening default credentials cache" by using a kernel keyring instead of a dir cache; (bsc#1109830);
* Thu Sep 30 2021 Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd services; (bsc#1181400);
* Mon Aug 30 2021 Samuel Cabrero <scabrero@suse.de>
- Fix KDC null pointer dereference via a FAST inner body that lacks a server field; (CVE-2021-37750); (bsc#1189929);
- Added patches:
  * 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
* Mon Aug 02 2021 Samuel Cabrero <scabrero@suse.de>
- Update to 1.19.2
  * Fix a denial of service attack against the KDC encrypted challenge code; (CVE-2021-36222);
  * Fix a memory leak when gss_inquire_cred() is called without a credential handle.
* Mon May 03 2021 Rodrigo Lourenço <rzl@rzl.ooo>
- Build with full Cyrus SASL support
  * Negotiating SASL credentials with an EXTERNAL bind mechanism requires interaction. Kerberos provides its own interaction function that skips all interaction, thus preventing the mechanism from working.
* Thu Apr 22 2021 Samuel Cabrero <scabrero@suse.de>
- Use /run instead of /var/run for daemon PID files; (bsc#1185163);
* Wed Apr 07 2021 Dirk Müller <dmueller@suse.com>
- do not own %sbindir, it comes from filesystem package
* Fri Feb 19 2021 Samuel Cabrero <scabrero@suse.de>
- Update to 1.19.1
  * Fix a linking issue with Samba.
  * Better support multiple pkinit_identities values by checking whether certificates can be loaded for each value.
* Fri Feb 05 2021 Samuel Cabrero <scabrero@suse.de>
- Update to 1.19
  Administrator experience
    * When a client keytab is present, the GSSAPI krb5 mech will refresh credentials even if the current credentials were acquired manually.
    * It is now harder to accidentally delete the K/M entry from a KDB.
  Developer experience
    * gss_acquire_cred_from() now supports the "password" and "verify" options, allowing credentials to be acquired via password and verified using a keytab key.
    * When an application accepts a GSS security context, the new GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor both provided matching channel bindings.
    * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests to identify the desired client principal by certificate.
    * PKINIT certauth modules can now cause the hw-authent flag to be set in issued tickets.
    * The krb5_init_creds_step() API will now issue the same password expiration warnings as krb5_get_init_creds_password().
  Protocol evolution
    * Added client and KDC support for Microsoft's Resource-Based Constrained Delegation, which allows cross-realm S4U2Proxy requests. A third-party database module is required for KDC support.
    * kadmin/admin is now the preferred server principal name for kadmin connections, and the host-based form is no longer created by default. The client will still try the host-based form as a fallback.
    * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT extension, which causes channel bindings to be required for the initiator if the acceptor provided them. The client will send this option if the client_aware_gss_bindings profile option is set.
  User experience
    * kinit will now issue a warning if the des3-cbc-sha1 encryption type is used in the reply. This encryption type will be deprecated and removed in future releases.
    * Added kvno flags --out-cache, --no-store, and --cached-only (inspired by Heimdal's kgetcred).
* Thu Nov 19 2020 Samuel Cabrero <scabrero@suse.de>
- Update to 1.18.3
  * Fix a denial of service vulnerability when decoding Kerberos protocol messages; (CVE-2020-28196); (bsc#1178512);
  * Fix a locking issue with the LMDB KDB module which could cause KDC and kadmind processes to lose access to the database.
  * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded and unloaded while libkrb5support remains loaded.
* Tue Jul 07 2020 Andreas Schwab <schwab@suse.de>
- Don't fail if %{_lto_cflags} is empty
* Fri Jun 12 2020 Dominique Leuenberger <dimstar@opensuse.org>
- Do not mangle libexecdir, bindir, sbindir and datadir: there is no reasonable justification to step out of the defaults.
  + No longer install csh/sh profiles into /etc/profiles.d: as we not install to default paths, there is no need to further inject paths into $PATH; also, now sbin binaries are only in path for admin users.
* Fri May 29 2020 Samuel Cabrero <scabrero@suse.de>
- Update to 1.18.2
  * Fix a SPNEGO regression where an acceptor using the default credential would improperly filter mechanisms, causing a negotiation failure.
  * Fix a bug where the KDC would fail to issue tickets if the local krbtgt principal's first key has a single-DES enctype.
  * Add stub functions to allow old versions of OpenSSL libcrypto to link against libkrb5.
  * Fix a NegoEx bug where the client name and delegated credential might not be reported.
* Thu May 28 2020 Samuel Cabrero <scabrero@suse.de>
- Update logrotate script, call systemd to reload the services instead of init-scripts. (boo#1169357)
* Tue May 26 2020 Christophe Giboudeaux <christophe@krop.fr>
- Don't add the lto flags to the public link options. (boo#1172038)
* Mon May 04 2020 Samuel Cabrero <scabrero@suse.de>
- Upgrade to 1.18.1
  * Fix a crash when qualifying short hostnames when the system has no primary DNS domain.
  * Fix a regression when an application imports "service@" as a GSS host-based name for its acceptor credential handle.
  * Fix KDC enforcement of auth indicators when they are modified by the KDB module.
  * Fix removal of require_auth string attributes when the LDAP KDB module is used.
  * Fix a compile error when building with musl libc on Linux.
  * Fix a compile error when building with gcc 4.x.
  * Change the KDC constrained delegation precedence order for consistency with Windows KDCs.
- Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch
* Wed Apr 29 2020 Dominique Leuenberger <dimstar@opensuse.org>
- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d notation: libexecdir is likely changing away from /usr/lib to /usr/libexec.
* Wed Mar 25 2020 Samuel Cabrero <scabrero@suse.de>
- Fix segfault in k5_primary_domain; (bsc#1167620);
- Added patches:
  * 0009-Fix-null-dereference-qualifying-short-hostnames.patch
* Tue Feb 25 2020 Tomáš Chvátal <tchvatal@suse.com>
- Remove cruft to support distributions older than SLE 12
- Use macros where applicable
- Switch to pkgconfig style dependencies
* Mon Feb 17 2020 Samuel Cabrero <scabrero@suse.de>
- Upgrade to 1.18
  Administrator experience:
    * Remove support for single-DES encryption types.
    * Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ".rcache2" by default.
    * setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context().
    * Add an "enforce_ok_as_delegate" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket.
    * Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes.
  Developer experience:
    * Implement krb5_cc_remove_cred() for all credential cache types.
    * Add the krb5_pac_get_client_info() API to get the client account name from a PAC.
  Protocol evolution:
    * Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.)
    * Remove support for an old ("draft 9") variant of PKINIT.
    * Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.)
  User experience:
    * Add support for "dns_canonicalize_hostname=fallback", causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found.
    * Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a "qualify_shortname" krb5.conf relation to override this suffix or disable expansion.
    * Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios.
  Code quality:
    * The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe.
    * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices.
    * The test suite has been modified to work with macOS System Integrity Protection enabled.
    * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested.
- Updated patches:
  * 0002-krb5-1.9-manpaths.patch
  * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * 0005-krb5-1.6.3-ktutil-manpage.patch
  * 0006-krb5-1.12-api.patch
- Renamed patches:
  * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
  * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
  * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
  * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
- Deleted patches:
  * 0007-krb5-1.12-ksu-path.patch
/usr/bin/krb5-config
/usr/include/gssapi
/usr/include/gssapi.h
/usr/include/gssapi/gssapi.h
/usr/include/gssapi/gssapi_alloc.h
/usr/include/gssapi/gssapi_ext.h
/usr/include/gssapi/gssapi_generic.h
/usr/include/gssapi/gssapi_krb5.h
/usr/include/gssapi/mechglue.h
/usr/include/gssrpc
/usr/include/gssrpc/auth.h
/usr/include/gssrpc/auth_gss.h
/usr/include/gssrpc/auth_gssapi.h
/usr/include/gssrpc/auth_unix.h
/usr/include/gssrpc/clnt.h
/usr/include/gssrpc/netdb.h
/usr/include/gssrpc/pmap_clnt.h
/usr/include/gssrpc/pmap_prot.h
/usr/include/gssrpc/pmap_rmt.h
/usr/include/gssrpc/rename.h
/usr/include/gssrpc/rpc.h
/usr/include/gssrpc/rpc_msg.h
/usr/include/gssrpc/svc.h
/usr/include/gssrpc/svc_auth.h
/usr/include/gssrpc/types.h
/usr/include/gssrpc/xdr.h
/usr/include/kadm5
/usr/include/kadm5/admin.h
/usr/include/kadm5/chpass_util_strings.h
/usr/include/kadm5/kadm_err.h
/usr/include/kdb.h
/usr/include/krad.h
/usr/include/krb5
/usr/include/krb5.h
/usr/include/krb5/ccselect_plugin.h
/usr/include/krb5/certauth_plugin.h
/usr/include/krb5/clpreauth_plugin.h
/usr/include/krb5/hostrealm_plugin.h
/usr/include/krb5/kadm5_auth_plugin.h
/usr/include/krb5/kadm5_hook_plugin.h
/usr/include/krb5/kdcpolicy_plugin.h
/usr/include/krb5/kdcpreauth_plugin.h
/usr/include/krb5/krb5.h
/usr/include/krb5/localauth_plugin.h
/usr/include/krb5/locate_plugin.h
/usr/include/krb5/plugin.h
/usr/include/krb5/preauth_plugin.h
/usr/include/krb5/pwqual_plugin.h
/usr/include/profile.h
/usr/lib64/libgssrpc.so
/usr/lib64/libk5crypto.so
/usr/lib64/libkadm5clnt.so
/usr/lib64/libkadm5clnt_mit.so
/usr/lib64/libkadm5srv.so
/usr/lib64/libkadm5srv_mit.so
/usr/lib64/libkdb5.so
/usr/lib64/libkrad.so
/usr/lib64/libkrb5.so
/usr/lib64/libkrb5support.so
/usr/lib64/pkgconfig/gssrpc.pc
/usr/lib64/pkgconfig/kadm-client.pc
/usr/lib64/pkgconfig/kadm-server.pc
/usr/lib64/pkgconfig/kdb.pc
/usr/lib64/pkgconfig/krb5-gssapi.pc
/usr/lib64/pkgconfig/krb5.pc
/usr/lib64/pkgconfig/mit-krb5-gssapi.pc
/usr/lib64/pkgconfig/mit-krb5.pc
/usr/sbin/krb5-send-pr
/usr/share/aclocal
/usr/share/aclocal/ac_check_krb5.m4
/usr/share/man/man1/krb5-config.1.gz
Generated by rpm2html 1.8.1
Fabrice Bellet, Sat Mar 9 12:50:11 2024