Sync krb5 1.8.1+dfsg-2 (main) from Debian unstable (main)

Bug #562261 reported by Sam Hartman on 2010-04-13
This bug affects 3 people
Affects          Status  Importance  Assigned to  Milestone
krb5 (Ubuntu)            High        Unassigned
Lucid                    High        Unassigned

Bug Description

Please sync krb5 1.8.1+dfsg-2 (main) from Debian unstable (main)
(My interest here is that I'm the Debian maintainer of krb5 and I'd like to help out the Ubuntu release process with this package.)

The 1.8.1 upstream release is entirely a bug-fix release. I have
reviewed all the changes from 1.8+dfsg~alpha1-7ubuntu1 through
1.8.1+dfsg-2 and they are all bug fixes. Several of them are quite
critical to Kerberos working well in lucid. Because there is a new
upstream release involved, I've included all the upstream changes
below the Debian changelog.

If you have any questions about this don't hesitate to contact me via
e-mail, IRC or phone; similarly if you have any concerns about
Kerberos throughout the rest of the lucid release process, feel free
to contact me over any of these channels.

Explanation of the Ubuntu delta and why it can be dropped:
The Ubuntu delta is a security fix that has been incorporated into the Debian package.

The changelog below calls out specific bug fixes that I think are most
critical both to Debian and Ubuntu.
Appended below the changelog are all the upstream changes; I have looked over them and you really do want them all even at this point in the process.

Changelog entries since current lucid version 1.8+dfsg~alpha1-7ubuntu1:

krb5 (1.8.1+dfsg-2) unstable; urgency=high

  * Fix crash in renewal and validation, Thanks Joel Johnson for such a
    prompt bug report, Closes: #577490

 -- Sam Hartman <email address hidden> Mon, 12 Apr 2010 13:08:35 -0400

krb5 (1.8.1+dfsg-1) unstable; urgency=high

  * New upstream release
  * Fixes significant ABI incompatibility between Heimdal and MIT in the
    init_creds_step API; backward incompatible change in the meaning of
    the flags API. Since this was introduced in 1.8 and since no better
    solution was found, it's felt that getting 1.8.1 out everywhere that
    had 1.8 very promptly is the right approach. Otherwise software built
    against 1.8 will be broken in the future.
  * Testing of Kerberos 1.8 showed an incompatibility between Heimdal/MIT
    Kerberos and Microsoft Kerberos; resolve this incompatibility. As a
    result, mixing KDCs between 1.8 and 1.8.1 in the same realm may
    produce undesirable results for constrained delegation. Again,
    another reason to replace 1.8 with 1.8.1 as soon as possible.
  * Acknowledge security team upload, thanks for picking up the slack and
    sorry it was necessary

 -- Sam Hartman <email address hidden> Sun, 11 Apr 2010 10:12:59 -0400

krb5 (1.8+dfsg-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2010-0628: denial of service (assertion failure and daemon crash)
    via an invalid packet that triggers incorrect preparation of an error
    token. (Closes: 575740)
  * Makes src/slave/kpropd.c ISO C90 compliant (Closes: #574703)

 -- Giuseppe Iuculano <email address hidden> Fri, 09 Apr 2010 19:11:50 +0200

krb5 (1.8+dfsg-1) unstable; urgency=low

  * New upstream version
  * Include new upstream notice file in docs
  * Update symbols files
  * Include upstream ticket 6676: fix handling of cross-realm tickets
    issued by W2K8R2
  * Add ipv6 support to kprop, Michael Stapelberg, Closes: #549476
  * New Brazilian Portuguese translations, Thanks Eder L. Marques,
    Closes: #574149

 -- Sam Hartman <email address hidden> Wed, 17 Mar 2010 15:51:54 -0400

commit c113f7f7f47967f472d1573eb06efa4daa4ff260
Author: Sam Hartman <email address hidden>
Date: Mon Apr 12 13:04:08 2010 -0400

    Renewals and Validation fail authorization_data memory management

    In renewals and validation, the enc_tkt_reply.authorization_data
    pointer aliases header_ticket->enc_part2.authorization_data. However
    in handle_authdata, the tgt authorization_data is copied to the output
    authorization data. That fails if they alias.

commit 33a393d4a01db63ee8843e823854995d9892ea32
Author: Sam Hartman <email address hidden>
Date: Sun Apr 11 10:27:18 2010 -0400

    oops [in merge to patchlevel.h to update version number to 1.8.1]

commit b74b0301be2c040053b79a2399d4ef3b8b689d49
Merge: 91fb542 817defa
Author: Sam Hartman <email address hidden>
Date: Sun Apr 11 10:04:03 2010 -0400

    Merge commit 'upstream/1.8.1+dfsg'

    Conflicts:
     src/patchlevel.h

commit 91fb542d48f01ef785fac2ea70d976e3d4695a58
Merge: 2310d83 d808a31
Author: Sam Hartman <email address hidden>
Date: Sun Apr 11 10:02:06 2010 -0400

    Merge branch 'debian_kprop_ipv6'

commit d808a31081e23c0a9db5dbb3f7d7fbd9d7e230ab
Author: Sam Hartman <email address hidden>
Date: Sun Apr 11 10:01:28 2010 -0400

    Fix placement of declaration

commit 817defae2331911393ccc11a7f00b922c0f816c9
Merge: 2e6dbfa 856d98a
Author: Sam Hartman <email address hidden>
Date: Sun Apr 11 09:51:50 2010 -0400

    Merge in krb5/1.8.1 to upstream by unpacking krb5-1.8.1.tar.gz.

commit 0aa62e71985b6598d0bd5064f0428217726645ee
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Thu Apr 8 20:33:32 2010 +0000

    README and patchlevel.h for krb5-1.8.1 final

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23878 dc483132-0cff-0310-8789-dd5450dbe970

commit f1efaf20b739e542dba2cdef308a0bb4d92596d5
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Mar 30 01:54:21 2010 +0000

    krb5-1.8.1-beta2-postrelease

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23849 dc483132-0cff-0310-8789-dd5450dbe970

commit 3ddcd96f230039c8976eb00204573a6746efb221
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Mar 30 01:52:51 2010 +0000

    README and patchlevel for krb5-1.8.1-beta2

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23847 dc483132-0cff-0310-8789-dd5450dbe970

commit f6ab9426fb953d37ee6a3a475c74d34e89f29a1a
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Mar 30 01:51:11 2010 +0000

    make depend

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23846 dc483132-0cff-0310-8789-dd5450dbe970

commit d3674ebece848ed636f156a6a30e008d343f6b12
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Mar 30 01:51:04 2010 +0000

    ticket: 6693
    version_fixed: 1.8.1
    status: resolved

    pull up r23844 from trunk

     ------------------------------------------------------------------------
     r23844 | ghudson | 2010-03-29 18:08:21 -0400 (Mon, 29 Mar 2010) | 9 lines

     ticket: 6693
     subject: Fix backwards flag output in krb5_init_creds_step()
     tags: pullup
     target_version: 1.8.1

     krb5_init_creds_step() is taken from Heimdal, which sets *flags to 1
     for "continue" and 0 for "stop". Unfortunately, we got it backwards
     in 1.8; fix it for 1.8.1.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23845 dc483132-0cff-0310-8789-dd5450dbe970

commit be3bcaeb2538e4a58f2c02d8b0d3621a4fdd9def
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Sun Mar 28 23:00:08 2010 +0000

    krb5-1.8.1-beta1-postrelease

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23841 dc483132-0cff-0310-8789-dd5450dbe970

commit c14067f0e25e4ab77af3d82bd8a2d006cff5c995
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Sun Mar 28 22:47:01 2010 +0000

    README and patchlevel for krb5-1.8.1-beta1

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23839 dc483132-0cff-0310-8789-dd5450dbe970

commit b62c23b2590aa23ce55bf5910fcf993c3074f814
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Mar 23 22:31:00 2010 +0000

    ticket: 6678
    version_fixed: 1.8.1
    status: resolved

    pull up r23834 from trunk

     ------------------------------------------------------------------------
     r23834 | tlyu | 2010-03-23 15:00:13 -0700 (Tue, 23 Mar 2010) | 7 lines

     ticket: 6678
     target_version: 1.8.1
     tags: pullup

     Apply patch from Arlene Berry to not use freed memory in
     gss_import_sec_context in some error paths.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23835 dc483132-0cff-0310-8789-dd5450dbe970

commit 043adec2095d55c3e7b743980737e8efc2d9b31e
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Mar 23 19:08:53 2010 +0000

    ticket: 6690
    version_fixed: 1.8.1
    status: resolved

    pull up r23832 from trunk

     ------------------------------------------------------------------------
     r23832 | tlyu | 2010-03-23 11:53:52 -0700 (Tue, 23 Mar 2010) | 8 lines

     ticket: 6690
     target_version: 1.8.1
     tags: pullup
     subject: MITKRB5-SA-2010-002 CVE-2010-0628 denial of service in SPNEGO

     The SPNEGO implementation in krb5-1.7 and later could crash due to
     assertion failure when receiving some sorts of invalid GSS-API tokens.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23833 dc483132-0cff-0310-8789-dd5450dbe970

commit 192a8d37ccd77028580a3019c010831a3b4e2b97
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Mar 23 07:21:04 2010 +0000

    ticket: 6689
    version_fixed: 1.8.1
    status: resolved

    pull up r23829 from trunk

     ------------------------------------------------------------------------
     r23829 | tlyu | 2010-03-22 23:09:02 -0700 (Mon, 22 Mar 2010) | 10 lines

     ticket: 6689
     target_version: 1.8.1
     tags: pullup
     subject: krb5_typed_data not castable to krb5_pa_data on 64-bit MacOSX

     Move krb5_typed_data to krb5.hin from k5-int-pkinit.h because
     krb5int_fast_process_error was assuming that it was safe to cast it to
     krb5_pa_data. It's not safe to do the cast on 64-bit MacOSX because
     krb5.hin uses #pragma pack on that platform.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23830 dc483132-0cff-0310-8789-dd5450dbe970

commit 4a56afad855bfecb91b48f5cc48410aca32cc29f
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Mar 23 01:58:29 2010 +0000

    ticket: 6687
    version_fixed: 1.8.1

    pull up r23821 from trunk

     ------------------------------------------------------------------------
     r23821 | ghudson | 2010-03-19 20:50:06 -0700 (Fri, 19 Mar 2010) | 17 lines

     ticket: 6687
     subject: Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
     target_version: 1.8.1
     tags: pullup

     KRB5_AUTHDATA_SIGNTICKET, originally a Heimdal authorization data
     type, was used to implement PAC-less constrained delegation in krb5
     1.8. Unfortunately, it was found that Microsoft was using 142 for
     other purposes, which could result in a ticket issued by an MIT or
     Heimdal KDC being rejected by a Windows Server 2008 R2 application
     server. Because KRB5_AUTHDATA_SIGNTICKET is only used to communicate
     among a realm's KDCs, it is relatively easy to change the number, so
     MIT and Heimdal are both migrating to a new number. This change will
     cause a transitional interoperability issue when a realm mixes MIT
     krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1 (or Heimdal
     1.3.2) KDCs, but only for constrained delegation evidence tickets.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23828 dc483132-0cff-0310-8789-dd5450dbe970

commit b75309d22577062e20be1848d40b49fb6df8850d
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Mar 23 01:58:22 2010 +0000

    ticket: 6680
    version_fixed: 1.8.1
    status: resolved

    pull up r23820 from trunk

     ------------------------------------------------------------------------
     r23820 | ghudson | 2010-03-19 09:17:05 -0700 (Fri, 19 Mar 2010) | 7 lines

     ticket: 6680
     target_version: 1.8.1
     tags: pullup

     Document the ticket_lifetime libdefaults setting (which was added in
     r16656, #2656). Based on a patch from <email address hidden>.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23827 dc483132-0cff-0310-8789-dd5450dbe970

commit 8e62d04c2c6e95bdf3de4e96a56b7abc0aa5da5a
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Mar 23 01:58:15 2010 +0000

    ticket: 6683
    version_fixed: 1.8.1
    status: resolved

    pull up r23819 from trunk

     ------------------------------------------------------------------------
     r23819 | ghudson | 2010-03-18 10:37:31 -0700 (Thu, 18 Mar 2010) | 7 lines

     ticket: 6683
     target_version: 1.8.1
     tags: pullup

     Fix the kpasswd fallback from the ccache principal name to the
     username in the case where the ccache doesn't exist.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23826 dc483132-0cff-0310-8789-dd5450dbe970

commit 3db96234875a827de3b20b798d8a54b1c8da9744
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Mar 23 01:58:07 2010 +0000

    ticket: 6681
    version_fixed: 1.8.1
    status: resolved

    pull up r23815 from trunk

     ------------------------------------------------------------------------
     r23815 | ghudson | 2010-03-17 14:10:10 -0700 (Wed, 17 Mar 2010) | 7 lines

     ticket: 6681
     target_version: 1.8.1
     tags: pullup

     When checking for KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT, don't
     dereference options if it's NULL.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23825 dc483132-0cff-0310-8789-dd5450dbe970

commit 23291346668b2939feefb345698c4b9ae1f3477b
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Mar 23 01:58:00 2010 +0000

    ticket: 6685
    version_fixed: 1.8.1
    status: resolved

    pull up r23810 from trunk

     ------------------------------------------------------------------------
     r23810 | tlyu | 2010-03-16 12:14:33 -0700 (Tue, 16 Mar 2010) | 8 lines

     ticket: 6685
     target_version: 1.8.1
     subject: handle NT_SRV_INST in service principal referrals

     Handle NT_SRV_INST in service principal cross-realm referrals, as
     Windows apparently uses that instead of NT_SRV_HST for at least some
     service principals.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23824 dc483132-0cff-0310-8789-dd5450dbe970

commit 4bf2aea673665cb5e162802803c4482b4456d7be
Merge: 7196944 e75295c
Author: Sam Hartman <email address hidden>
Date: Wed Mar 17 15:46:20 2010 -0400

    Merge branch 'debian_kprop_ipv6'

commit e75295c10cded12bd340b30dbbe57aba9c233a4a
Author: Sam Hartman <email address hidden>
Date: Wed Mar 17 15:40:36 2010 -0400

    Use AI_ADDRCONFIG flag for getaddrinfo

    Use the AI_ADDRCONFIG flag for getaddrinfo to confirm that only
    addresses supported by the local system are used in ipv6 support for kprop.

commit fb1312ce0ea22c87a09e860d5369f1c76256aae3
Author: Michael Stapelberg <email address hidden>
Date: Tue Mar 16 23:39:38 2010 +0100

    Implement IPv6 support (kpropd)

commit 29291a21d9cc3b29e981c7c0bdbb3bf3621bae38
Author: Michael Stapelberg <email address hidden>
Date: Tue Mar 16 22:39:55 2010 +0100

    Implement support for IPv6 (kprop)

commit 0dc8542064195bcf7e64085524c951827a6be057
Merge: af6a551 68aa065
Author: Sam Hartman <email address hidden>
Date: Tue Mar 16 15:06:16 2010 -0400

    Merge branch 'upstream_6676'

commit 68aa0650e00101a6f417fc463d39f352900723a6
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Fri Mar 5 17:45:46 2010 +0000

    ticket: 6676
    subject: Ignore improperly encoded signedpath AD elements
    target_version: 1.8.1
    tags: pullup

    We have some reason to believe Microsoft and Heimdal are both using
    the authdata value 142 for different purposes, leading to failures in
    verify_ad_signedpath(). For better interoperability, treat such
    tickets as unsigned, rather than invalid.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/trunk@23766 dc483132-0cff-0310-8789-dd5450dbe970
    (cherry picked from commit 3e10309a12cafa40efac3cfe0439e4e21c261c8c)

commit e548979023d17ade1ce3c207f4ea8871e7b364e6
Merge: 1f64c6c 2e6dbfa
Author: Sam Hartman <email address hidden>
Date: Tue Mar 16 14:42:04 2010 -0400

    Merge commit 'upstream/1.8+dfsg'

    Conflicts:
     src/patchlevel.h

commit 2e6dbfa87d8ed5bebd0a29af464a08ab752fafa6
Merge: 1dc6981 82924a4
Author: Sam Hartman <email address hidden>
Date: Tue Mar 16 14:39:37 2010 -0400

    Merge in krb5/1.8 to upstream by unpacking krb5-1.8.tar.gz.

commit 7420ea9128df358cb8d3a49a1f1540827a3ca147
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Mon Mar 15 23:50:52 2010 +0000

    ticket: 6676
    version_fixed: 1.8.1
    status: resolved

    pull up r23766 from trunk

     ------------------------------------------------------------------------
     r23766 | ghudson | 2010-03-05 12:45:46 -0500 (Fri, 05 Mar 2010) | 10 lines

     ticket: 6676
     subject: Ignore improperly encoded signedpath AD elements
     target_version: 1.8.1
     tags: pullup

     We have some reason to believe Microsoft and Heimdal are both using
     the authdata value 142 for different purposes, leading to failures in
     verify_ad_signedpath(). For better interoperability, treat such
     tickets as unsigned, rather than invalid.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23809 dc483132-0cff-0310-8789-dd5450dbe970

commit 68f573d23ade8caec311cc985f557371afb59d44
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Mon Mar 15 23:50:49 2010 +0000

    ticket: 6674
    status: resolved
    version_fixed: 1.8.1

    pull up r23772 from trunk

     ------------------------------------------------------------------------
     r23772 | ghudson | 2010-03-05 15:35:26 -0500 (Fri, 05 Mar 2010) | 7 lines

     ticket: 6674
     target_version: 1.8.1
     tags: pullup

     Release the internal_name field of a SPNEGO context if it has not been
     claimed for a caller argument.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23808 dc483132-0cff-0310-8789-dd5450dbe970

commit c96841266da9385a84819788f9a66fa5fa154d5d
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Mon Mar 15 23:50:46 2010 +0000

    ticket: 6668
    version_fixed: 1.8.1
    status: resolved

    pull up r23749 from trunk

     ------------------------------------------------------------------------
     r23749 | ghudson | 2010-02-24 13:57:08 -0500 (Wed, 24 Feb 2010) | 9 lines

     ticket: 6668
     subject: Two problems in kadm5_get_principal mask handling
     target_version: 1.8
     tags: pullup

     KADM5_MOD_NAME was being applied to entry->principal instead of
     entry->mod_name. KADM5_MKVNO was not being applied to entry->mkvno.
     Patch from Marcus Watts <email address hidden>.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23807 dc483132-0cff-0310-8789-dd5450dbe970

commit d83f81e50e8b8d2c09d7a825cb20bb36d04d65f0
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Mon Mar 15 23:50:40 2010 +0000

    ticket: 6661
    version_fixed: 1.8.1
    status: resolved

    pull up r23767 from trunk

     ------------------------------------------------------------------------
     r23767 | ghudson | 2010-03-05 14:19:42 -0500 (Fri, 05 Mar 2010) | 7 lines

     ticket: 6661
     target_version: 1.8.1
     tags: pullup

     Add IPv6 support to changepw.c (reverting r21004 since it is no longer
     necessary). Patch from Submit Bose <email address hidden>.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23806 dc483132-0cff-0310-8789-dd5450dbe970

commit 90dab53b5c1adca0eeea358333d6aa82df003dc1
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Mar 10 20:33:05 2010 +0000

    Revert KRB5_CONF_ macro change intended for trunk.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23797 dc483132-0cff-0310-8789-dd5450dbe970

commit 866aafcfabc469722e4f390a45718059607a1ff9
Author: tsitkova <tsitkova@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Mar 10 15:59:30 2010 +0000

    Use KRB5_CONF_ macros instead of strings in source for profile config arguments "default" and "logging"

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23795 dc483132-0cff-0310-8789-dd5450dbe970

commit 851eb39f7295c103c2496e5eb9805e5de017ac56
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Mar 2 18:21:06 2010 +0000

    krb5-1.8-postrelease

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23762 dc483132-0cff-0310-8789-dd5450dbe970

commit 53ab53f9b8b6763b3e7234e3dddff52135edd1f7
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Mar 2 18:13:43 2010 +0000

    README and patchlevel.h for krb5-1.8 final

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23760 dc483132-0cff-0310-8789-dd5450dbe970

commit 5d00126bbfd9ee32511c622257b2b4015d52824f
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Thu Feb 25 21:28:29 2010 +0000

    krb5-1.8-beta2-postrelease

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23755 dc483132-0cff-0310-8789-dd5450dbe970

commit 7c0e650f48d4b05d5310fd6b158aadd1ddf6a4a4
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Thu Feb 25 21:28:22 2010 +0000

    README and patchlevel.h for krb5-1.8-beta2

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23754 dc483132-0cff-0310-8789-dd5450dbe970

commit 858af88676384125b589642a76652af826914485
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Thu Feb 25 20:14:21 2010 +0000

    ticket: 6669
    version_fixed: 1.8
    status: resolved

    pull up r23750 from trunk

     ------------------------------------------------------------------------
     r23750 | tlyu | 2010-02-25 15:09:45 -0500 (Thu, 25 Feb 2010) | 7 lines

     ticket: 6669
     target_version: 1.8
     tags: pullup
     subject: doc updates for allow_weak_crypto

     Update documentation to be more helpful about allow_weak_crypto.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23751 dc483132-0cff-0310-8789-dd5450dbe970

commit e45ecfb716e24d449a171aa69b33a2f8fa206a9f
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Feb 23 00:25:58 2010 +0000

    ticket: 6603
    version_fixed: 1.8
    status: resolved

    pull up r23742 from trunk

     ------------------------------------------------------------------------
     r23742 | ghudson | 2010-02-21 23:52:30 -0500 (Sun, 21 Feb 2010) | 24 lines

     ticket: 6603
     target_version: 1.8
     tags: pullup

     Fix two unrelated problems in SPNEGO which don't crop up with the krb5
     mechanism.

     1. The third call to spnego_init_accept_context uses faulty logic to
     determine if the exchange is complete, preventing a third mech token
     from being sent to the acceptor if no MIC exchange is required.
     Follow the logic used in the second call (in init_ctx_nego), which is
     correct.

     2. If the acceptor selects a mech other than the optimistic mech, it
     sets sc->mic_reqd to 1 whether or not the selected mech supports MICs
     (which isn't known until the mech completes). Most code outside of
     handle_mic checks sc->mic_reqd along with (sc->ctx_flags &
     GSS_C_INTEG_FLAG), but the code in acc_ctx_call_acc neglected to do
     so, so it could improperly delegate responsibility for deciding when
     the negotiation was finished to handle_mic--which never gets called if
     (sc->ctx_flags & GSS_C_INTEG_FLAG) is false. Fix acc_ctx_call_acc to
     check sc->ctx_flags so that mechs which don't support integrity
     protection can complete if they are selected non-optimistically.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23748 dc483132-0cff-0310-8789-dd5450dbe970

commit 34415c494daff8b566f8922b0f73fb62a916575a
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Feb 23 00:25:54 2010 +0000

    ticket: 6659
    version_fixed: 1.8
    status: resolved

    pull up r23735 from trunk

     ------------------------------------------------------------------------
     r23735 | ghudson | 2010-02-18 13:49:11 -0500 (Thu, 18 Feb 2010) | 8 lines

     ticket: 6659
     target_version: 1.8
     tags: pullup

     The TGS code was not freeing authdata. This is an old leak which was
     made more evident in 1.8 by the addition of ad-signedpath authdata
     appearing in most tickets issued through the TGS path.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23747 dc483132-0cff-0310-8789-dd5450dbe970

commit 917ad5b39d5c6ce68ceb13b2dba1eec4a8e947fa
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Feb 23 00:25:51 2010 +0000

    ticket: 6665
    version_fixed: 1.8
    status: resolved

    pull up r23734 from trunk

     ------------------------------------------------------------------------
     r23734 | ghudson | 2010-02-18 13:04:47 -0500 (Thu, 18 Feb 2010) | 17 lines

     ticket: 6665
     subject: Fix cipher state chaining in OpenSSL back end
     target_version: 1.8
     tags: pullup

     Make cipher state chaining work in the OpenSSL back end for des, des3,
     and arcfour enc providers. Subtleties:

     * DES and DES3 have checks to avoid clobbering ivec with uninitialized
       data if there is no data to encrypt.
     * Arcfour saves the OpenSSL cipher context across calls. To protect
       against a caller improperly copying the state (which happens to work
       with other enc providers), a loopback pointer is used, as in GSSAPI.
     * EVP_EncryptFinal_ex is unnecessary with stream ciphers and would
       interfere with cipher state chaining if it did anything, so just
       remove it.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23746 dc483132-0cff-0310-8789-dd5450dbe970

commit e3f6f0ef1d7257318c57815a545427a5e682d75d
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Feb 17 03:41:03 2010 +0000

    krb5-1.8-beta1-postrelease

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23730 dc483132-0cff-0310-8789-dd5450dbe970

commit cf889804873ae865cd562438ab4ceb680c8397f1
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Feb 17 03:13:29 2010 +0000

    README and patchlevel.h for krb5-1.8-beta1

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23728 dc483132-0cff-0310-8789-dd5450dbe970

commit a464c8f0b72b8915d52d918e0a90205aa848f473
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Feb 16 23:01:30 2010 +0000

    ticket: 6663
    version_fixed: 1.8
    status: resolved

    pull up r23726 from trunk

     ------------------------------------------------------------------------
     r23726 | tlyu | 2010-02-16 17:41:27 -0500 (Tue, 16 Feb 2010) | 8 lines

     ticket: 6663
     subject: update mkrel to deal with changed source layout
     target_version: 1.8
     tags: pullup

     Update mkrel so it deals somewhat better with removed src/lib/des425,
     NOTICES, etc.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23727 dc483132-0cff-0310-8789-dd5450dbe970

commit 0ceaf686ad893a728571659bab1d38bece27521c
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue Feb 16 22:21:08 2010 +0000

    ticket: 6662
    version_fixed: 1.8
    status: resolved

    pull up r23724 from trunk

     ------------------------------------------------------------------------
     r23724 | tlyu | 2010-02-16 17:10:17 -0500 (Tue, 16 Feb 2010) | 10 lines

     ticket: 6662
     subject: MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service
     tags: pullup
     target_version: 1.8

     Code introduced in krb5-1.7 can cause an assertion failure if a
     KDC-REQ is internally inconsistent, specifically if the ASN.1 tag
     doesn't match the msg_type field. Thanks to Emmanuel Bouillon (NATO
     C3 Agency) for discovering and reporting this vulnerability.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23725 dc483132-0cff-0310-8789-dd5450dbe970

commit 89aef1ceb9b1390ee33657dabc8a9b853ca98ac4
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Fri Feb 12 20:28:51 2010 +0000

    ticket: 6660
    version_fixed: 1.8
    status: resolved

    pull up r23716 from trunk

     ------------------------------------------------------------------------
     r23716 | ghudson | 2010-02-11 11:07:08 -0500 (Thu, 11 Feb 2010) | 15 lines

     ticket: 6660
     subject: Minimal support for updating history key
     target_version: 1.8
     tags: pullup

     Add minimal support for re-randomizing the history key:

     * cpw -randkey kadmin/history now works, but creates only one key.
     * cpw -randkey -keepold kadmin/history still fails.
     * libkadm5 no longer caches the history key. Performance impact
       is minimal since password changes are not common.
     * randkey no longer checks the newly randomized key against old keys,
       and the disabled code to do so in setkey/setv4key is gone, so now
       only kadm5_chpass_principal_3 accesses the password history.

    ------------------------------------------------------------------------

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23721 dc483132-0cff-0310-8789-dd5450dbe970

commit 761346f5710fa8b647281e1187a33e9924ac908f
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Fri Feb 12 20:28:47 2010 +0000

    ticket: 6658
    version_fixed: 1.8
    status: resolved

    pull up r23715 from trunk

     ------------------------------------------------------------------------
     r23715 | ghudson | 2010-02-10 18:44:18 -0500 (Wed, 10 Feb 2010) | 14 lines

     ticket: 6658
     subject: Implement gss_set_neg_mechs
     target_version: 1.8
     tags: pullup

     Implement gss_set_neg_mechs in SPNEGO by intersecting the provided
     mech set with the mechanisms available in the union credential. As
     we now need space to hold the mech set, the SPNEGO credential is now
     a structure and not just a mechglue credential.

     t_spnego.c is a test program which exercises the new logic. Like the
     other GSSAPI tests, it is not run as part of "make check" at this
     time.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23720 dc483132-0cff-0310-8789-dd5450dbe970

commit 1b35d22c8cd24c2d205250270834798a2e07da8b
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Fri Feb 12 20:28:43 2010 +0000

    ticket: 6657
    version_fixed: 1.8
    status: resolved

    pull up r23713 from trunk

     ------------------------------------------------------------------------
     r23713 | hartmans | 2010-02-09 14:15:12 -0500 (Tue, 09 Feb 2010) | 10 lines

     subject: krb5int_fast_free_state segfaults if state is null
     ticket: 6657
     target_version: 1.8
     tags: pullup

     krb5int_fast_free_state fails if state is null. Instead it should
     simply return. Reorganization of the get_init_creds logic has created
     situations where the init_creds loop can fail between the time when
     the context is initialized and the fast state is initialized.

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23719 dc483132-0cff-0310-8789-dd5450dbe970

commit 28f345bf7364a01e9b25f693c65820ff06abd0aa
Author: tlyu <tlyu@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Fri Feb 12 20:28:39 2010 +0000

    ticket: 6656
    version_fixed: 1.8
    status: resolved

    pull up r23712, r23714 from trunk

     ------------------------------------------------------------------------
     r23714 | ghudson | 2010-02-09 20:55:36 -0500 (Tue, 09 Feb 2010) | 13 lines

     ticket: 6656

     Followon fixes to r23712:
     * A few formatting fixes.
     * Fix unlikely leak in kdc_handle_protected_negotiation: if
       add_pa_data_element with copy == FALSE fails, it's still the
       caller's responsibility to free pa.contents.
     * Fix pre-existing (since r23465) leak of reply_encpart.enc_padata in
       process_as_req.
     * Call add_pa_data_element with copy == TRUE in
       return_referral_enc_padata since we are passing memory owned by the
       database entry.

     ------------------------------------------------------------------------
     r23712 | hartmans | 2010-02-09 14:15:07 -0500 (Tue, 09 Feb 2010) | 14 lines

     subject: enc_padata can include empty sequence
     ticket: 6656
     target_version: 1.8
     tags: pullup

     There are two issues with return_enc_padata.
     1) It often will return an empty sequence of enc_padata rather than not including the field
     2) FAST negotiation is double supported in the referral tgs path and not supported in the non-referral path

     Rewrite the return_enc_padata logic to:

     * Split out referral interactions with kdb into its own function
     * Use add_pa_data_element

    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/branches/krb5-1-8@23718 dc483132-0cff-0310-8789-dd5450dbe970
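
The ownership rule described in r23714 (the caller still frees pa.contents when an add with copy == FALSE fails, and memory owned by someone else is passed with copy == TRUE) and the NULL-tolerant free from r23713, as an added C sketch that is not krb5 code. `pa_elem`, `add_elem`, `free_list`, `demo` and the allocation counter are hypothetical stand-ins, not the KDC's own types or functions.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for this example, not krb5's own types or helpers. */
typedef struct { int type; size_t length; unsigned char *contents; } pa_elem;
static int live = 0, fail_at = 0; /* live allocations; hook: fail Nth xalloc */
static void *xalloc(size_t n) {
    void *p = (fail_at && --fail_at == 0) ? NULL : calloc(1, n);
    if (p != NULL) live++;
    return p;
}
static void xfree(void *p) { if (p != NULL) { live--; free(p); } }

/* Append *src to the NULL-terminated array *list. With copy != 0 the contents
 * are duplicated and the caller keeps src->contents. With copy == 0 the list
 * takes ownership on success only; on failure the caller still owns it. */
int add_elem(pa_elem ***list, const pa_elem *src, int copy) {
    size_t n = 0;
    unsigned char *data = src->contents;
    pa_elem **grown, *e = xalloc(sizeof(*e));
    if (e == NULL) return -1;
    if (copy && (data = xalloc(src->length + 1)) == NULL) { xfree(e); return -1; }
    if (copy) memcpy(data, src->contents, src->length);
    while (*list != NULL && (*list)[n] != NULL) n++;
    grown = realloc(*list, (n + 2) * sizeof(*grown));
    if (grown == NULL) { if (copy) xfree(data); xfree(e); return -1; }
    e->type = src->type; e->length = src->length; e->contents = data;
    grown[n] = e; grown[n + 1] = NULL; *list = grown;
    return 0;
}

void free_list(pa_elem **list) {
    if (list == NULL) return; /* cleanup can run before the list was built */
    for (size_t i = 0; list[i] != NULL; i++) { xfree(list[i]->contents); xfree(list[i]); }
    free(list);
}

/* Returns the number of leaked allocations (0 expected), or -1 on misuse. */
int demo(void) {
    pa_elem **list = NULL;
    unsigned char db[] = "db"; /* constructed: memory owned by someone else */
    pa_elem own = { 1, 3, NULL }, ref = { 2, 2, db };
    free_list(NULL);           /* must be a no-op, not a crash */
    own.contents = xalloc(4);
    fail_at = 1;               /* force the next add_elem to fail */
    if (add_elem(&list, &own, 0) != 0) xfree(own.contents); /* caller frees */
    if (add_elem(&list, &ref, 1) != 0 || list[0]->contents == db) return -1;
    free_list(list);           /* frees the copy, never the borrowed buffer */
    return live;
}

int main(void) { return demo(); }
```

Dropping the `xfree(own.contents)` on the failure path makes `demo()` return 1, which is the kind of leak r23714 describes.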

On Tue, Apr 13, 2010 at 12:56:09PM -0000, Sam Hartman wrote:
>
> Changelog entries since current lucid version 1.8+dfsg~alpha1-7ubuntu1:
>
> krb5 (1.8.1+dfsg-1) unstable; urgency=high
>
> * New upstream release
> * Fixes significant ABI incompatibility between Heimdal and MIT in the
> init_creds_step API; backward incompatible change in the meaning of
> the flags API. Since this was introduced in 1.8 and since no better
> solution was found, it's felt that getting 1.8.1 out everywhere that
> had 1.8 very promptly is the right approach. Otherwise software build
> against 1.8 will be broken in the future.

Does this mean that some packages will have to be rebuilt against 1.8.1? When
was the change introduced (considering that the current version in Ubuntu is
1.8+dfsg~alpha1-7ubuntu1)?

Could you outline (provide a diff) of what was changed exactly?

Thanks,

  status incomplete
  importance high

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Changed in krb5 (Ubuntu):
importance: Undecided → High
status: New → Incomplete
Anders Kaseorg (andersk) wrote :

The init_creds_step API in question was introduced between 1.7.x and 1.8-alpha1 (so, during the Lucid development cycle):
  http://git.debian.org/?p=pkg-k5-afs/debian-krb5.git;a=commitdiff;h=64d0958
and fixed between 1.8.1-beta1 and 1.8.1-beta2:
  http://git.debian.org/?p=pkg-k5-afs/debian-krb5.git;a=commitdiff;h=d3674eb

It doesn’t look like any other packages need to get rebuilt; it’s a change in semantics, not signatures. (But yeah, we should get this fixed before new users of the API start depending on the incompatible semantics.)

Changed in krb5 (Ubuntu):
status: Incomplete → New

It's my strong guess that no packages in Debian outside of krb5 itself
depend on the init_creds_step API, and that is very probably true for
Ubuntu as well. That's one of the main reasons upstream wants to fix it
now: we believe we can do it painlessly if we act before Debian, Ubuntu,
Redhat or Solaris release with the incorrect API.

Kees Cook (kees) wrote :

While I'm not ubuntu-release or ubuntu-archive, I vote +1 for this into Lucid :)

Mathias Gug (mathiaz) wrote :

To really make sure things are not broken, we'd have to look at packages started to use krb5_init_creds_step in lucid and make sure they're using the flags in the correct order.

Steve Langasek (vorlon) wrote :

FFe approved, please upload.

Changed in krb5 (Ubuntu):
status: New → Confirmed
Kees Cook (kees) wrote :

I have confirmed that nothing in main uses krb5_init_creds_step() besides krb5 itself.

Sam Hartman (hartmans) wrote :

>>>>> "Mathias" == Mathias Gug <email address hidden> writes:

    Mathias> To really make sure things are not broken, we'd have to
    Mathias> look at packages started to use krb5_init_creds_step in
    Mathias> lucid and make sure they're using the flags in the correct
    Mathias> order.

Yes, but I think there are going to be no such packages at this point.
Obviously, if you can run that check, then do so, but I would not punt
the sync request simply because you cannot run the check. It's an API
we mainly expect to be used by a GSS-API mechanism being introduced in
1.9 and possibly by a future version of Samba, although definitely not
anything currently in Debian.

Jamie Strandboge (jdstrand) wrote :

[Updating] krb5 (1.8+dfsg~alpha1-7ubuntu1 [Ubuntu] < 1.8.1+dfsg-2 [Debian])
 * Trying to add krb5...
2010-04-14 20:36:53 INFO - <krb5_1.8.1+dfsg.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
2010-04-14 20:37:00 INFO - <krb5_1.8.1+dfsg-2.diff.gz: downloading from http://ftp.debian.org/debian/>
2010-04-14 20:37:00 INFO - <krb5_1.8.1+dfsg-2.dsc: downloading from http://ftp.debian.org/debian/>
I: krb5 [main] -> krb5-user_1.8+dfsg~alpha1-7ubuntu1 [main].
I: krb5 [main] -> krb5-kdc_1.8+dfsg~alpha1-7ubuntu1 [universe].
I: krb5 [main] -> krb5-kdc-ldap_1.8+dfsg~alpha1-7ubuntu1 [universe].
I: krb5 [main] -> krb5-admin-server_1.8+dfsg~alpha1-7ubuntu1 [universe].
I: krb5 [main] -> krb5-multidev_1.8+dfsg~alpha1-7ubuntu1 [main].
I: krb5 [main] -> libkrb5-dev_1.8+dfsg~alpha1-7ubuntu1 [main].
I: krb5 [main] -> libkrb5-dbg_1.8+dfsg~alpha1-7ubuntu1 [main].
I: krb5 [main] -> krb5-pkinit_1.8+dfsg~alpha1-7ubuntu1 [universe].
I: krb5 [main] -> krb5-doc_1.8+dfsg~alpha1-7ubuntu1 [main].
I: krb5 [main] -> libkrb5-3_1.8+dfsg~alpha1-7ubuntu1 [main].
I: krb5 [main] -> libgssapi-krb5-2_1.8+dfsg~alpha1-7ubuntu1 [main].
I: krb5 [main] -> libgssrpc4_1.8+dfsg~alpha1-7ubuntu1 [main].
I: krb5 [main] -> libkadm5srv-mit7_1.8+dfsg~alpha1-7ubuntu1 [main].
I: krb5 [main] -> libkadm5clnt-mit7_1.8+dfsg~alpha1-7ubuntu1 [main].
I: krb5 [main] -> libk5crypto3_1.8+dfsg~alpha1-7ubuntu1 [main].
I: krb5 [main] -> libkdb5-4_1.8+dfsg~alpha1-7ubuntu1 [main].
I: krb5 [main] -> libkrb5support0_1.8+dfsg~alpha1-7ubuntu1 [main].

Changed in krb5 (Ubuntu Lucid):
status: Confirmed → Fix Released