Sync krb5 1.8.1+dfsg-2 (main) from Debian unstable (main)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
krb5 (Ubuntu) | Fix Released | High | Unassigned |
Lucid | Fix Released | High | Unassigned |
Bug Description
Please sync krb5 1.8.1+dfsg-2 (main) from Debian unstable (main)
(My interest here is that I'm the Debian maintainer of krb5 and I'd like to help out the Ubuntu release process with this package.)
The 1.8.1 upstream release is entirely a bug-fix release. I have
reviewed all the changes from 1.8+dfsg~
1.8.1+dfsg-2 and they are all bug fixes. Several of them are quite
critical to Kerberos working well in lucid. Because there is a new
upstream release involved, I've included all the upstream changes
below the Debian changelog.
If you have any questions about this don't hesitate to contact me via
e-mail, IRC or phone; similarly if you have any concerns about
Kerberos throughout the rest of the lucid release process, feel free
to contact me over any of these channels.
Explanation of the Ubuntu delta and why it can be dropped:
The Ubuntu delta is a security fix that has been incorporated into the Debian package.
The changelog below calls out specific bug fixes that I think are most
critical both to Debian and Ubuntu.
Appended below the changelog are all the upstream changes; I have looked over them and you really do want them all even at this point in the process.
Changelog entries since current lucid version 1.8+dfsg~
krb5 (1.8.1+dfsg-2) unstable; urgency=high
* Fix crash in renewal and validation, Thanks Joel Johnson for such a
prompt bug report, Closes: #577490
-- Sam Hartman <email address hidden> Mon, 12 Apr 2010 13:08:35 -0400
krb5 (1.8.1+dfsg-1) unstable; urgency=high
* New upstream release
* Fixes significant ABI incompatibility between Heimdal and MIT in the
init_creds_step API; backward incompatible change in the meaning of
the flags API. Since this was introduced in 1.8 and since no better
solution was found, it's felt that getting 1.8.1 out everywhere that
had 1.8 very promptly is the right approach. Otherwise software built
against 1.8 will be broken in the future.
* Testing of Kerberos 1.8 showed an incompatibility between Heimdal/MIT
Kerberos and Microsoft Kerberos; resolve this incompatibility. As a
result, mixing KDCs between 1.8 and 1.8.1 in the same realm may
produce undesirable results for constrained delegation. Again,
another reason to replace 1.8 with 1.8.1 as soon as possible.
* Acknowledge security team upload, thanks for picking up the slack and
sorry it was necessary
-- Sam Hartman <email address hidden> Sun, 11 Apr 2010 10:12:59 -0400
krb5 (1.8+dfsg-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fixed CVE-2010-0628: denial of service (assertion failure and daemon crash)
via an invalid packet that triggers incorrect preparation of an error
token. (Closes: 575740)
* Makes src/slave/kpropd.c ISO C90 compliant (Closes: #574703)
-- Giuseppe Iuculano <email address hidden> Fri, 09 Apr 2010 19:11:50 +0200
krb5 (1.8+dfsg-1) unstable; urgency=low
* New upstream version
* Include new upstream notice file in docs
* Update symbols files
* Include upstream ticket 6676: fix handling of cross-realm tickets
issued by W2K8R2
* Add ipv6 support to kprop, Michael Stapelberg, Closes: #549476
* New Brazilian Portuguese translations, Thanks Eder L. Marques,
Closes: #574149
-- Sam Hartman <email address hidden> Wed, 17 Mar 2010 15:51:54 -0400
commit c113f7f7f47967f
Author: Sam Hartman <email address hidden>
Date: Mon Apr 12 13:04:08 2010 -0400
Renewals and Validation fail authorization_data memory management
In renewals and validation, the enc_tkt_
pointer aliases header_
in handle_authdata, the tgt authorization_data is copied to the output
authorization data. That fails if they alias.
commit 33a393d4a01db63
Author: Sam Hartman <email address hidden>
Date: Sun Apr 11 10:27:18 2010 -0400
oops [in merge to patchlevel.h to update version number to 1.8.1]
commit b74b0301be2c040
Merge: 91fb542 817defa
Author: Sam Hartman <email address hidden>
Date: Sun Apr 11 10:04:03 2010 -0400
Merge commit 'upstream/
Conflicts:
src/
commit 91fb542d48f01ef
Merge: 2310d83 d808a31
Author: Sam Hartman <email address hidden>
Date: Sun Apr 11 10:02:06 2010 -0400
Merge branch 'debian_kprop_ipv6'
commit d808a31081e23c0
Author: Sam Hartman <email address hidden>
Date: Sun Apr 11 10:01:28 2010 -0400
Fix placement of declaration
commit 817defae2331911
Merge: 2e6dbfa 856d98a
Author: Sam Hartman <email address hidden>
Date: Sun Apr 11 09:51:50 2010 -0400
Merge in krb5/1.8.1 to upstream by unpacking krb5-1.8.1.tar.gz.
commit 0aa62e71985b659
Author: tlyu <tlyu@dc483132-
Date: Thu Apr 8 20:33:32 2010 +0000
README and patchlevel.h for krb5-1.8.1 final
git-svn-id: svn://anonsvn.
commit f1efaf20b739e54
Author: tlyu <tlyu@dc483132-
Date: Tue Mar 30 01:54:21 2010 +0000
krb5-
git-svn-id: svn://anonsvn.
commit 3ddcd96f230039c
Author: tlyu <tlyu@dc483132-
Date: Tue Mar 30 01:52:51 2010 +0000
README and patchlevel for krb5-1.8.1-beta2
git-svn-id: svn://anonsvn.
commit f6ab9426fb953d3
Author: tlyu <tlyu@dc483132-
Date: Tue Mar 30 01:51:11 2010 +0000
make depend
git-svn-id: svn://anonsvn.
commit d3674ebece848ed
Author: tlyu <tlyu@dc483132-
Date: Tue Mar 30 01:51:04 2010 +0000
ticket: 6693
version_fixed: 1.8.1
status: resolved
pull up r23844 from trunk
--
r23844 | ghudson | 2010-03-29 18:08:21 -0400 (Mon, 29 Mar 2010) | 9 lines
ticket: 6693
subject: Fix backwards flag output in krb5_init_
tags: pullup
target_
krb5_
for "continue" and 0 for "stop". Unfortunately, we got it backwards
in 1.8; fix it for 1.8.1.
git-svn-id: svn://anonsvn.
commit be3bcaeb2538e4a
Author: tlyu <tlyu@dc483132-
Date: Sun Mar 28 23:00:08 2010 +0000
krb5-
git-svn-id: svn://anonsvn.
commit c14067f0e25e4ab
Author: tlyu <tlyu@dc483132-
Date: Sun Mar 28 22:47:01 2010 +0000
README and patchlevel for krb5-1.8.1-beta1
git-svn-id: svn://anonsvn.
commit b62c23b2590aa23
Author: tlyu <tlyu@dc483132-
Date: Tue Mar 23 22:31:00 2010 +0000
ticket: 6678
version_fixed: 1.8.1
status: resolved
pull up r23834 from trunk
--
r23834 | tlyu | 2010-03-23 15:00:13 -0700 (Tue, 23 Mar 2010) | 7 lines
ticket: 6678
target_
tags: pullup
Apply patch from Arlene Berry to not use freed memory in
gss_
git-svn-id: svn://anonsvn.
commit 043adec2095d55c
Author: tlyu <tlyu@dc483132-
Date: Tue Mar 23 19:08:53 2010 +0000
ticket: 6690
version_fixed: 1.8.1
status: resolved
pull up r23832 from trunk
--
r23832 | tlyu | 2010-03-23 11:53:52 -0700 (Tue, 23 Mar 2010) | 8 lines
ticket: 6690
target_
tags: pullup
subject: MITKRB5-SA-2010-002 CVE-2010-0628 denial of service in SPNEGO
The SPNEGO implementation in krb5-1.7 and later could crash due to
assertion failure when receiving some sorts of invalid GSS-API tokens.
git-svn-id: svn://anonsvn.
commit 192a8d37ccd7702
Author: tlyu <tlyu@dc483132-
Date: Tue Mar 23 07:21:04 2010 +0000
ticket: 6689
version_fixed: 1.8.1
status: resolved
pull up r23829 from trunk
--
r23829 | tlyu | 2010-03-22 23:09:02 -0700 (Mon, 22 Mar 2010) | 10 lines
ticket: 6689
target_
tags: pullup
subject: krb5_typed_data not castable to krb5_pa_data on 64-bit MacOSX
Move krb5_typed_data to krb5.hin from k5-int-pkinit.h because
krb5int_
krb5_pa_data. It's not safe to do the cast on 64-bit MacOSX because
krb5.hin uses #pragma pack on that platform.
git-svn-id: svn://anonsvn.
commit 4a56afad855bfec
Author: tlyu <tlyu@dc483132-
Date: Tue Mar 23 01:58:29 2010 +0000
ticket: 6687
version_fixed: 1.8.1
pull up r23821 from trunk
--
r23821 | ghudson | 2010-03-19 20:50:06 -0700 (Fri, 19 Mar 2010) | 17 lines
ticket: 6687
subject: Change KRB5_AUTHDATA_
target_
tags: pullup
KRB5_
type, was used to implement PAC-less constrained delegation in krb5
1.8. Unfortunately, it was found that Microsoft was using 142 for
other purposes, which could result in a ticket issued by an MIT or
Heimdal KDC being rejected by a Windows Server 2008 R2 application
server. Because KRB5_AUTHDATA_
among a realm's KDCs, it is relatively easy to change the number, so
MIT and Heimdal are both migrating to a new number. This change will
cause a transitional interoperability issue when a realm mixes MIT
krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1 (or Heimdal
1.3.2) KDCs, but only for constrained delegation evidence tickets.
git-svn-id: svn://anonsvn.
commit b75309d22577062
Author: tlyu <tlyu@dc483132-
Date: Tue Mar 23 01:58:22 2010 +0000
ticket: 6680
version_fixed: 1.8.1
status: resolved
pull up r23820 from trunk
--
r23820 | ghudson | 2010-03-19 09:17:05 -0700 (Fri, 19 Mar 2010) | 7 lines
ticket: 6680
target_
tags: pullup
Document the ticket_lifetime libdefaults setting (which was added in
r16656, #2656). Based on a patch from <email address hidden>.
git-svn-id: svn://anonsvn.
commit 8e62d04c2c6e95b
Author: tlyu <tlyu@dc483132-
Date: Tue Mar 23 01:58:15 2010 +0000
ticket: 6683
version_fixed: 1.8.1
status: resolved
pull up r23819 from trunk
--
r23819 | ghudson | 2010-03-18 10:37:31 -0700 (Thu, 18 Mar 2010) | 7 lines
ticket: 6683
target_
tags: pullup
Fix the kpasswd fallback from the ccache principal name to the
username in the case where the ccache doesn't exist.
git-svn-id: svn://anonsvn.
commit 3db96234875a827
Author: tlyu <tlyu@dc483132-
Date: Tue Mar 23 01:58:07 2010 +0000
ticket: 6681
version_fixed: 1.8.1
status: resolved
pull up r23815 from trunk
--
r23815 | ghudson | 2010-03-17 14:10:10 -0700 (Wed, 17 Mar 2010) | 7 lines
ticket: 6681
target_
tags: pullup
When checking for KRB5_GET_
dereference options if it's NULL.
git-svn-id: svn://anonsvn.
commit 23291346668b293
Author: tlyu <tlyu@dc483132-
Date: Tue Mar 23 01:58:00 2010 +0000
ticket: 6685
version_fixed: 1.8.1
status: resolved
pull up r23810 from trunk
--
r23810 | tlyu | 2010-03-16 12:14:33 -0700 (Tue, 16 Mar 2010) | 8 lines
ticket: 6685
target_
subject: handle NT_SRV_INST in service principal referrals
Handle NT_SRV_INST in service principal cross-realm referrals, as
Windows apparently uses that instead of NT_SRV_HST for at least some
service principals.
git-svn-id: svn://anonsvn.
commit 4bf2aea673665cb
Merge: 7196944 e75295c
Author: Sam Hartman <email address hidden>
Date: Wed Mar 17 15:46:20 2010 -0400
Merge branch 'debian_kprop_ipv6'
commit e75295c10cded12
Author: Sam Hartman <email address hidden>
Date: Wed Mar 17 15:40:36 2010 -0400
Use AI_ADDRCONFIG flag for getaddrinfo
Use the AI_ADDRCONFIG flag for getaddrinfo to confirm that only
addresses supported by the local system are used in ipv6 support for kprop.
commit fb1312ce0ea22c8
Author: Michael Stapelberg <email address hidden>
Date: Tue Mar 16 23:39:38 2010 +0100
Implement IPv6 support (kpropd)
commit 29291a21d9cc3b2
Author: Michael Stapelberg <email address hidden>
Date: Tue Mar 16 22:39:55 2010 +0100
Implement support for IPv6 (kprop)
commit 0dc8542064195bc
Merge: af6a551 68aa065
Author: Sam Hartman <email address hidden>
Date: Tue Mar 16 15:06:16 2010 -0400
Merge branch 'upstream_6676'
commit 68aa0650e00101a
Author: ghudson <ghudson@
Date: Fri Mar 5 17:45:46 2010 +0000
ticket: 6676
subject: Ignore improperly encoded signedpath AD elements
target_version: 1.8.1
tags: pullup
We have some reason to believe Microsoft and Heimdal are both using
the authdata value 142 for different purposes, leading to failures in
verify_
tickets as unsigned, rather than invalid.
git-svn-id: svn://anonsvn.
(cherry picked from commit 3e10309a12cafa4
commit e548979023d17ad
Merge: 1f64c6c 2e6dbfa
Author: Sam Hartman <email address hidden>
Date: Tue Mar 16 14:42:04 2010 -0400
Merge commit 'upstream/1.8+dfsg'
Conflicts:
src/
commit 2e6dbfa87d8ed5b
Merge: 1dc6981 82924a4
Author: Sam Hartman <email address hidden>
Date: Tue Mar 16 14:39:37 2010 -0400
Merge in krb5/1.8 to upstream by unpacking krb5-1.8.tar.gz.
commit 7420ea9128df358
Author: tlyu <tlyu@dc483132-
Date: Mon Mar 15 23:50:52 2010 +0000
ticket: 6676
version_fixed: 1.8.1
status: resolved
pull up r23766 from trunk
--
r23766 | ghudson | 2010-03-05 12:45:46 -0500 (Fri, 05 Mar 2010) | 10 lines
ticket: 6676
subject: Ignore improperly encoded signedpath AD elements
target_
tags: pullup
We have some reason to believe Microsoft and Heimdal are both using
the authdata value 142 for different purposes, leading to failures in
verify_
tickets as unsigned, rather than invalid.
git-svn-id: svn://anonsvn.
commit 68f573d23ade8ca
Author: tlyu <tlyu@dc483132-
Date: Mon Mar 15 23:50:49 2010 +0000
ticket: 6674
status: resolved
version_fixed: 1.8.1
pull up r23772 from trunk
--
r23772 | ghudson | 2010-03-05 15:35:26 -0500 (Fri, 05 Mar 2010) | 7 lines
ticket: 6674
target_
tags: pullup
Release the internal_name field of a SPNEGO context if it has not been
claimed for a caller argument.
git-svn-id: svn://anonsvn.
commit c96841266da9385
Author: tlyu <tlyu@dc483132-
Date: Mon Mar 15 23:50:46 2010 +0000
ticket: 6668
version_fixed: 1.8.1
status: resolved
pull up r23749 from trunk
--
r23749 | ghudson | 2010-02-24 13:57:08 -0500 (Wed, 24 Feb 2010) | 9 lines
ticket: 6668
subject: Two problems in kadm5_get_principal mask handling
target_
tags: pullup
KADM5_MOD_NAME was being applied to entry->principal instead of
entry-
Patch from Marcus Watts <email address hidden>.
git-svn-id: svn://anonsvn.
commit d83f81e50e8b8d2
Author: tlyu <tlyu@dc483132-
Date: Mon Mar 15 23:50:40 2010 +0000
ticket: 6661
version_fixed: 1.8.1
status: resolved
pull up r23767 from trunk
--
r23767 | ghudson | 2010-03-05 14:19:42 -0500 (Fri, 05 Mar 2010) | 7 lines
ticket: 6661
target_
tags: pullup
Add IPv6 support to changepw.c (reverting r21004 since it is no longer
necessary). Patch from Submit Bose <email address hidden>.
git-svn-id: svn://anonsvn.
commit 90dab53b5c1adca
Author: tlyu <tlyu@dc483132-
Date: Wed Mar 10 20:33:05 2010 +0000
Revert KRB5_CONF_ macro change intended for trunk.
git-svn-id: svn://anonsvn.
commit 866aafcfabc4697
Author: tsitkova <tsitkova@
Date: Wed Mar 10 15:59:30 2010 +0000
Use KRB5_CONF_ macros instead of strings in source for profile config arguments "default" and "logging"
git-svn-id: svn://anonsvn.
commit 851eb39f7295c10
Author: tlyu <tlyu@dc483132-
Date: Tue Mar 2 18:21:06 2010 +0000
krb5-
git-svn-id: svn://anonsvn.
commit 53ab53f9b8b6763
Author: tlyu <tlyu@dc483132-
Date: Tue Mar 2 18:13:43 2010 +0000
README and patchlevel.h for krb5-1.8 final
git-svn-id: svn://anonsvn.
commit 5d00126bbfd9ee3
Author: tlyu <tlyu@dc483132-
Date: Thu Feb 25 21:28:29 2010 +0000
krb5-
git-svn-id: svn://anonsvn.
commit 7c0e650f48d4b05
Author: tlyu <tlyu@dc483132-
Date: Thu Feb 25 21:28:22 2010 +0000
README and patchlevel.h for krb5-1.8-beta2
git-svn-id: svn://anonsvn.
commit 858af8867638412
Author: tlyu <tlyu@dc483132-
Date: Thu Feb 25 20:14:21 2010 +0000
ticket: 6669
version_fixed: 1.8
status: resolved
pull up r23750 from trunk
--
r23750 | tlyu | 2010-02-25 15:09:45 -0500 (Thu, 25 Feb 2010) | 7 lines
ticket: 6669
target_
tags: pullup
subject: doc updates for allow_weak_crypto
Update documentation to be more helpful about allow_weak_crypto.
git-svn-id: svn://anonsvn.
commit e45ecfb716e24d4
Author: tlyu <tlyu@dc483132-
Date: Tue Feb 23 00:25:58 2010 +0000
ticket: 6603
version_fixed: 1.8
status: resolved
pull up r23742 from trunk
--
r23742 | ghudson | 2010-02-21 23:52:30 -0500 (Sun, 21 Feb 2010) | 24 lines
ticket: 6603
target_
tags: pullup
Fix two unrelated problems in SPNEGO which don't crop up with the krb5
mechanism.
1. The third call to spnego_
determine if the exchange is complete, preventing a third mech token
from being sent to the acceptor if no MIC exchange is required.
Follow the logic used in the second call (in init_ctx_nego), which is
correct.
2. If the acceptor selects a mech other than the optimistic mech, it
sets sc->mic_reqd to 1 whether or not the selected mech supports MICs
(which isn't known until the mech completes). Most code outside of
handle_mic checks sc->mic_reqd along with (sc->ctx_flags &
GSS_
so, so it could improperly delegate responsibility for deciding when
the negotiation was finished to handle_mic--which never gets called if
(sc->ctx_flags & GSS_C_INTEG_FLAG) is false. Fix acc_ctx_call_acc to
check sc->ctx_flags so that mechs which don't support integrity
protection can complete if they are selected non-optimistically.
git-svn-id: svn://anonsvn.
commit 34415c494daff8b
Author: tlyu <tlyu@dc483132-
Date: Tue Feb 23 00:25:54 2010 +0000
ticket: 6659
version_fixed: 1.8
status: resolved
pull up r23735 from trunk
--
r23735 | ghudson | 2010-02-18 13:49:11 -0500 (Thu, 18 Feb 2010) | 8 lines
ticket: 6659
target_
tags: pullup
The TGS code was not freeing authdata. This is an old leak which was
made more evident in 1.8 by the addition of ad-signedpath authdata
appearing in most tickets issued through the TGS path.
git-svn-id: svn://anonsvn.
commit 917ad5b39d5c6ce
Author: tlyu <tlyu@dc483132-
Date: Tue Feb 23 00:25:51 2010 +0000
ticket: 6665
version_fixed: 1.8
status: resolved
pull up r23734 from trunk
--
r23734 | ghudson | 2010-02-18 13:04:47 -0500 (Thu, 18 Feb 2010) | 17 lines
ticket: 6665
subject: Fix cipher state chaining in OpenSSL back end
target_
tags: pullup
Make cipher state chaining work in the OpenSSL back end for des, des3,
and arcfour enc providers. Subtleties:
* DES and DES3 have checks to avoid clobbering ivec with uninitialized
data if there is no data to encrypt.
* Arcfour saves the OpenSSL cipher context across calls. To protect
against a caller improperly copying the state (which happens to work
with other enc providers), a loopback pointer is used, as in GSSAPI.
* EVP_EncryptFinal_ex is unnecessary with stream ciphers and would
interfere with cipher state chaining if it did anything, so just
remove it.
git-svn-id: svn://anonsvn.
commit e3f6f0ef1d72573
Author: tlyu <tlyu@dc483132-
Date: Wed Feb 17 03:41:03 2010 +0000
krb5-
git-svn-id: svn://anonsvn.
commit cf889804873ae86
Author: tlyu <tlyu@dc483132-
Date: Wed Feb 17 03:13:29 2010 +0000
README and patchlevel.h for krb5-1.8-beta1
git-svn-id: svn://anonsvn.
commit a464c8f0b72b891
Author: tlyu <tlyu@dc483132-
Date: Tue Feb 16 23:01:30 2010 +0000
ticket: 6663
version_fixed: 1.8
status: resolved
pull up r23726 from trunk
--
r23726 | tlyu | 2010-02-16 17:41:27 -0500 (Tue, 16 Feb 2010) | 8 lines
ticket: 6663
subject: update mkrel to deal with changed source layout
target_
tags: pullup
Update mkrel so it deals somewhat better with removed src/lib/des425,
NOTICES, etc.
git-svn-id: svn://anonsvn.
commit 0ceaf686ad893a7
Author: tlyu <tlyu@dc483132-
Date: Tue Feb 16 22:21:08 2010 +0000
ticket: 6662
version_fixed: 1.8
status: resolved
pull up r23724 from trunk
--
r23724 | tlyu | 2010-02-16 17:10:17 -0500 (Tue, 16 Feb 2010) | 10 lines
ticket: 6662
subject: MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service
tags: pullup
target_
Code introduced in krb5-1.7 can cause an assertion failure if a
KDC-REQ is internally inconsistent, specifically if the ASN.1 tag
doesn't match the msg_type field. Thanks to Emmanuel Bouillon (NATO
C3 Agency) for discovering and reporting this vulnerability.
git-svn-id: svn://anonsvn.
commit 89aef1ceb9b1390
Author: tlyu <tlyu@dc483132-
Date: Fri Feb 12 20:28:51 2010 +0000
ticket: 6660
version_fixed: 1.8
status: resolved
pull up r23716 from trunk
--
r23716 | ghudson | 2010-02-11 11:07:08 -0500 (Thu, 11 Feb 2010) | 15 lines
ticket: 6660
subject: Minimal support for updating history key
target_
tags: pullup
Add minimal support for re-randomizing the history key:
* cpw -randkey kadmin/history now works, but creates only one key.
* cpw -randkey -keepold kadmin/history still fails.
* libkadm5 no longer caches the history key. Performance impact
is minimal since password changes are not common.
* randkey no longer checks the newly randomized key against old keys,
and the disabled code to do so in setkey/setv4key is gone, so now
only kadm5_chpass_
---
git-svn-id: svn://anonsvn.
commit 761346f5710fa8b
Author: tlyu <tlyu@dc483132-
Date: Fri Feb 12 20:28:47 2010 +0000
ticket: 6658
version_fixed: 1.8
status: resolved
pull up r23715 from trunk
--
r23715 | ghudson | 2010-02-10 18:44:18 -0500 (Wed, 10 Feb 2010) | 14 lines
ticket: 6658
subject: Implement gss_set_neg_mechs
target_
tags: pullup
Implement gss_set_neg_mechs in SPNEGO by intersecting the provided
mech set with the mechanisms available in the union credential. As
we now need space to hold the mech set, the SPNEGO credential is now
a structure and not just a mechglue credential.
t_spnego.c is a test program which exercises the new logic. Like the
other GSSAPI tests, it is not run as part of "make check" at this
time.
git-svn-id: svn://anonsvn.
commit 1b35d22c8cd24c2
Author: tlyu <tlyu@dc483132-
Date: Fri Feb 12 20:28:43 2010 +0000
ticket: 6657
version_fixed: 1.8
status: resolved
pull up r23713 from trunk
--
r23713 | hartmans | 2010-02-09 14:15:12 -0500 (Tue, 09 Feb 2010) | 10 lines
subject: krb5int_
ticket: 6657
target_
tags: pullup
krb5int_
simply return Reorganization of the get_init_creds logic has created
situations where the init_creds loop can fail between the time when
the context is initialized and the fast state is initialized.
git-svn-id: svn://anonsvn.
commit 28f345bf7364a01
Author: tlyu <tlyu@dc483132-
Date: Fri Feb 12 20:28:39 2010 +0000
ticket: 6656
version_fixed: 1.8
status: resolved
pull up r23712, r23714 from trunk
--
r23714 | ghudson | 2010-02-09 20:55:36 -0500 (Tue, 09 Feb 2010) | 13 lines
ticket: 6656
Followon fixes to r23712:
* A few formatting fixes.
* Fix unlikely leak in kdc_handle_
caller's responsibility to free pa.contents.
* Fix pre-existing (since r23465) leak of reply_encpart.
* Call add_pa_data_element with copy == TRUE in
database entry.
--
r23712 | hartmans | 2010-02-09 14:15:07 -0500 (Tue, 09 Feb 2010) | 14 lines
subject: enc_padata can include empty sequence
ticket: 6656
target_
tags: pullup
There are two issues with return_enc_padata.
1) It often will return an empty sequence of enc_padata rather than not including the field
2) FAST negotiation is double supported in the referral tgs path and not supported in the non-referral path
Rewrite the return_enc_padata logic to:
* Split out referral interactions with kdb into its own function
* Use add_pa_data_element
git-svn-id: svn://anonsvn.
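The aliasing failure described in the "Renewals and Validation fail authorization_data memory management" commit above, as an added illustration that is not krb5 code and not part of the original report. The names `ad_elem`, `ad_free`, `ad_dup`, `ad_copy_unsafe`, `ad_copy` and `alias_demo` are hypothetical, and the free-before-copy ordering is an assumed example of how a list copy breaks when source and destination are the same list.

```c
#include <stdlib.h>
#include <string.h>
typedef struct { int type; size_t len; unsigned char *data; } ad_elem; /* hypothetical */

/* Free a NULL-terminated list and every element in it. */
void ad_free(ad_elem **list)
{
    for (size_t i = 0; list != NULL && list[i] != NULL; i++) {
        free(list[i]->data);
        free(list[i]);
    }
    free(list);
}

/* Deep-copy a NULL-terminated list; returns NULL on allocation failure. */
ad_elem **ad_dup(ad_elem *const *src)
{
    size_t n = 0;
    while (src != NULL && src[n] != NULL)
        n++;
    ad_elem **out = calloc(n + 1, sizeof(*out));
    for (size_t i = 0; out != NULL && i < n; i++) {
        out[i] = calloc(1, sizeof(**out));
        if (out[i] != NULL)
            out[i]->data = malloc(src[i]->len ? src[i]->len : 1);
        if (out[i] == NULL || out[i]->data == NULL) {
            ad_free(out);
            return NULL;
        }
        out[i]->type = src[i]->type;
        out[i]->len = src[i]->len;
        memcpy(out[i]->data, src[i]->data, src[i]->len);
    }
    return out;
}

/* Fragile: frees the destination first, so *dst == src is read after free. */
void ad_copy_unsafe(ad_elem **src, ad_elem ***dst)
{
    ad_free(*dst);
    *dst = ad_dup(src);
}

/* Alias-safe: read the source fully, then replace the destination. */
int ad_copy(ad_elem **src, ad_elem ***dst)
{
    ad_elem **copy = ad_dup(src);
    if (copy == NULL)
        return -1;
    if (*dst != src)        /* aliased storage stays with src's owner */
        ad_free(*dst);
    *dst = copy;
    return 0;
}

/* Constructed case: reply aliases header. Returns 1 for an independent, equal copy. */
int alias_demo(void)
{
    unsigned char bytes[] = { 0x30, 0x00 };
    ad_elem e = { 1, sizeof(bytes), bytes }, *one[] = { &e, NULL };
    ad_elem **header = ad_dup(one), **reply = header;
    int ok = header != NULL && ad_copy(header, &reply) == 0 &&
             reply != header && reply[0]->len == header[0]->len &&
             memcmp(reply[0]->data, header[0]->data, reply[0]->len) == 0;
    if (reply != header)
        ad_free(reply);
    ad_free(header);
    return ok;
}
```

Building the unsafe variant with AddressSanitizer and calling it on an aliased pair reports the heap-use-after-free at the read inside `ad_dup`.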
On Tue, Apr 13, 2010 at 12:56:09PM -0000, Sam Hartman wrote:
>
> Changelog entries since current lucid version 1.8+dfsg~alpha1-7ubuntu1:
>
> krb5 (1.8.1+dfsg-1) unstable; urgency=high
>
> * New upstream release
> * Fixes significant ABI incompatibility between Heimdal and MIT in the
> init_creds_step API; backward incompatible change in the meaning of
> the flags API. Since this was introduced in 1.8 and since no better
> solution was found, it's felt that getting 1.8.1 out everywhere that
> had 1.8 very promptly is the right approach. Otherwise software built
> against 1.8 will be broken in the future.
Does this mean that some packages will have to be rebuilt against 1.8.1? When
was the change introduced (considering that the current version in Ubuntu is
1.8+dfsg~alpha1-7ubuntu1)?
Could you outline (provide a diff) of what was changed exactly?
Thanks,
status incomplete
importance high
--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com