Up to [cvs.NetBSD.org] / pkgsrc / security / heimdal
Keyword substitution: kv
Default branch: MAIN
*: recursive bump for icu 76 shlib major version bump
*: revbump for icu downgrade
*: recursive bump for icu 76.1 shlib bump
heimdal: add -Wno-error=implicit-function-declaration Several of the configure tests are broken with GCC 14. In this case it is easier to just let it do its broken thing.
revbump after icu and protobuf updates
*: recursive bump for icu 74.1
*: bump for openssl 3
*: recursive bump for Python 3.11 as new default
Pullup ticket #6762 - requested by riastradh
security/heimdal: security fix

Revisions pulled up:
- security/heimdal/Makefile 1.160
- security/heimdal/distinfo 1.57
- security/heimdal/patches/patch-lib_krb5_store-int.c 1.1

---
Module Name: pkgsrc
Committed By: riastradh
Date: Mon Jun 19 19:13:03 UTC 2023
Modified Files: pkgsrc/security/heimdal: Makefile distinfo
Added Files: pkgsrc/security/heimdal/patches: patch-lib_krb5_store-int.c
Log Message:
security/heimdal: Patch CVE-2022-42898 away.
security/heimdal: Patch CVE-2022-42898 away.
Mass-change BUILD_DEPENDS to TOOL_DEPENDS outside mk/. Almost all uses, if not all of them, are wrong, according to the semantics of BUILD_DEPENDS (packages built for target available for use _by_ tools at build-time) and TOOL_DEPENDS (packages built for host available for use _as_ tools at build-time). No change to BUILD_DEPENDS as used correctly inside buildlink3. As proposed on tech-pkg: https://mail-index.netbsd.org/tech-pkg/2023/06/03/msg027632.html
revbump after textproc/icu update
heimdal: add patch against CVE-2022-45142 Bump PKGREVISION.
massive revision bump after textproc/icu update
heimdal: updated to 7.8

Heimdal 7.8

This release includes both the Heimdal 7.7.1 Security Vulnerability fixes and non-Security bug fixes/improvements.

Security Vulnerabilities:

CVE-2022-42898 PAC parse integer overflows
CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
CVE-2022-41916 Fix Unicode normalization read of 1 byte past end of array
CVE-2021-44758 A null pointer de-reference DoS in SPNEGO acceptors
CVE-2021-3671 A null pointer de-reference when handling missing sname in TGS-REQ
CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec

Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0 on the Common Vulnerability Scoring System (CVSS) v3, as we believe it should be possible to get an RCE on a KDC, which means that credentials can be compromised that can be used to impersonate anyone in a realm or forest of realms.

Heimdal's ASN.1 compiler generates code that allows specially crafted DER encodings of CHOICEs to invoke the wrong free function on the decoded structure upon decode error. This is known to impact the Heimdal KDC, leading to an invalid free() of an address partly or wholly under the control of the attacker, in turn leading to a potential remote code execution (RCE) vulnerability.

This error affects the DER codec for all extensible CHOICE types used in Heimdal, though not all cases will be exploitable. We have not completed a thorough analysis of all the Heimdal components affected, thus the Kerberos client, the X.509 library, and other parts, may be affected as well.

This bug has been in Heimdal's ASN.1 compiler since 2005, but it may only affect Heimdal 1.6 and up.

It was first reported by Douglas Bagnall, though it had been found independently by the Heimdal maintainers via fuzzing a few weeks earlier.

While no zero-day exploit is known, such an exploit will likely be available soon after public disclosure.

CVE-2019-14870: Validate client attributes in protocol-transition
CVE-2019-14870: Apply forwardable policy in protocol-transition
CVE-2019-14870: Always lookup impersonate client in DB

Other changes:

Bugs found by UBSAN (including the incorrect encoding of unconstrained INTEGER value -1).
Errors found by the LLVM scan-build static analyzer.
Errors found by the valgrind memory debugger.
Work around GCC Bug 95189 (memcmp wrongly stripped like strcmp).
Correct ASN.1 OID typo for SHA-384
Fix a deadlock in the MEMORY ccache type.
TGS: strip forwardable and proxiable flags if the server is disallowed.
CVE-2019-14870: Validate client attributes in protocol-transition
CVE-2019-14870: Apply forwardable policy in protocol-transition
CVE-2019-14870: Always lookup impersonate client in DB
Incremental HDB propagation improvements
  Refactor send_diffs making it progressive
  Handle partial writes on non-blocking sockets
  Disable Nagle in iprop master and slave
  Use async I/O
  Don't send I_HAVE in response to AYT
  Do not recover log in kadm5_get_principal()
  Don't send diffs to slaves with not yet known version
  Don't stutter in send_diffs
Optional backwards-compatible anon-pkinit behavior
*: recursive bump for perl 5.36
revbump for textproc/icu update
revbump for icu and libffi
heimdal: Fix CVE-2021-3671 Patch from samba Bump PKGREVISION.
heimdal: fix su -> ksu name change with kerberos-prefix-cmds option Bump PKGREVISION, since it's on by default.
heimdal: fix fetch stage
heimdal: remove hcrypto PLIST_VAR It was always set to yes.
heimdal: update to 7.7.0. This version supports openssl 1.1, so re-enable it.

Release Notes - Heimdal - Version Heimdal 7.7

Bug fixes

- PKCS#11 hcrypto back-end
  . initialize the p11_module_load function list
  . verify that not only is a mechanism present but that its mechanism info states that it offers the required encryption, decryption or digest services
- krb5:
  . Starting with 7.6, Heimdal permitted requesting authenticated anonymous tickets. However, it did not verify that a KDC in fact returned an anonymous ticket when one was requested.
- Cease setting the KDCOption request_anonymous flag when issuing S4UProxy (constrained delegation) TGS requests.
  . when the Win2K PKINIT compatibility option is set, do not require krbtgt otherName to match when validating KDC certificate.
  . set PKINIT_BTMM flag per Apple implementation
  . use memset_s() instead of memset()
- kdc:
  . When generating KRB5SignedPath in the AS, use the reply client name rather than the one from the request, so validation will work correctly in the TGS.
  . allow checksum of PA-FOR-USER to be HMAC_MD5. Even if tgt used an enctype with a different checksum. Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always HMAC_MD5, and that's what Windows and MIT clients send. In heimdal both the client and kdc use instead the checksum of the tgt, and therefore work with each other but Windows and MIT clients fail against heimdal KDC. Both Windows and MIT KDCs would allow any keyed checksum to be used so Heimdal client interoperates with them. Change Heimdal KDC to allow HMAC_MD5 even for non RC4 based tgt in order to support per-spec clients.
  . use memset_s() instead of memset().
- Detect Heimdal 1.0 through 7.6 clients that issue S4UProxy (constrained delegation) TGS Requests with the request anonymous flag set. These requests will be treated as S4UProxy requests and not anonymous requests.
- HDB:
  . Set SQLite3 backend default page size to 8KB.
  . Add hdb_set_sync() method
- kadmind:
  . disable HDB sync during database load avoiding unnecessary disk i/o.
- ipropd:
  . disable HDB sync during receive_everything. Doing an fsync per-record when receiving the complete HDB is a performance disaster. Among other things, if the HDB is very large, then one slave receiving a full HDB can cause other slaves to timeout and, if HDB write activity is high enough to cause iprop log truncation, then also need full syncs, which leads to a cycle of full syncs for all slaves until HDB write activity drops. Allowing the iprop log to be larger helps, but improving receive_everything() performance helps even more.
- kinit:
  . Anonymous PKINIT tickets discard the realm information used to locate the issuing AS. Store the issuing realm in the credentials cache in order to locate a KDC which can renew them.
  . Do not leak the result of krb5_cc_get_config() when determining anonymous PKINIT start realm.
- klist:
  . Show transited-policy-checked, ok-as-delegate and anonymous flags when listing credentials.
- tests:
  . Regenerate certs so that they expire before the 2038 armageddon so the test suite will pass on 32-bit operating systems until the underlying issues can be resolved.
- Solaris:
  . Define _STDC_C11_BCI for memset_s prototype
- build tooling:
  . Convert from python 2 to python 3
- documentation
  . rename verify-password to verify-password-quality
  . hprop default mode is encrypt
  . kadmind "all" permission does not include "get-keys"
  . verify-password-quality might not be stateless

Release Notes - Heimdal - Version Heimdal 7.6

Security

- CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum
  When the Heimdal KDC checks the checksum that is placed on the S4U2Self packet by the server to protect the requested principal against modification, it does not confirm that the checksum algorithm that protects the user name (principal) in the request is keyed. This allows a man-in-the-middle attacker who can intercept the request to the KDC to modify the packet by replacing the user name (principal) in the request with any desired user name (principal) that exists in the KDC and replace the checksum protecting that name with a CRC32 checksum (which requires no prior knowledge to compute). This would allow a S4U2Self ticket requested on behalf of user name (principal) user@EXAMPLE.COM to any service to be changed to a S4U2Self ticket with a user name (principal) of Administrator@EXAMPLE.COM. This ticket would then contain the PAC of the modified user name (principal).
- CVE-2019-12098, client-only: RFC8062 Section 7 requires verification of the PA-PKINIT-KX key exchange when anonymous PKINIT is used. Failure to do so can permit an active attacker to become a man-in-the-middle.

Bug fixes

- Happy eyeballs: Don't wait for responses from known-unreachable KDCs.
- kdc: check return copy_Realm, copy_PrincipalName, copy_EncryptionKey
- kinit:
  . cleanup temporary ccaches
  . see man page for "kinit --anonymous" command line syntax change
- kdc: Make anonymous AS-requests more RFC8062-compliant.
- Updated expired test certificates
- Solaris:
  . PKCS#11 hcrypto backend broken since 7.0.1
  . Building with Sun Pro C

Features

- kuser: support authenticated anonymous AS-REQs in kinit
- kdc: support for anonymous TGS-REQs
- kgetcred support for anonymous service tickets
- Support builds with OpenSSL 1.1.1

Release Notes - Heimdal - Version Heimdal 7.5

Security

- Fix CVE-2017-17439, which is a remote denial of service vulnerability: In Heimdal 7.1 through 7.4, remote unauthenticated attackers are able to crash the KDC by sending a crafted UDP packet containing empty data fields for client name or realm.

Bug fixes

- Handle long input lines when reloading database dumps.
- In pre-forked mode (default on Unix), correctly clear the process ids of exited children, allowing new child processes to replace the old.
- Fixed incorrect KDC response when no cross-realm TGT exists, allowing client requests to fail quickly rather than time out after trying to get a correct answer from each KDC.

Release Notes - Heimdal - Version Heimdal 7.4

Security

- Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
  This is a critical vulnerability. In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. See https://www.orpheus-lyre.info/ for more details.

Release Notes - Heimdal - Version Heimdal 7.3

Security

- Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm to not be added to the transit path of issued tickets. This may, in some cases, enable bypass of capath policy in Heimdal versions 1.5 through 7.2. Note, this may break sites that rely on the bug. With the bug some incomplete [capaths] worked, that should not have. These may now break authentication in some cross-realm configurations. (CVE-2017-6594)

Release Notes - Heimdal - Version Heimdal 7.2

Bug fixes

- Portability improvements
- More strict parsing of encoded URI components in HTTP KDC
- Fixed memory leak in malloc error recovery in NTLM GSSAPI mechanism
- Avoid overly specific CPU info in krb5-config in aid of reproducible builds
- Don't do AFS string-to-key tests when feature is disabled
- Skip mdb_stat test when the command is not available
- Windows: update SHA2 timestamp server
- hdb: add missing export hdb_generate_key_set_password_with_ks_tuple
- Fix signature of hdb_generate_key_set_password()
- Windows: enable KX509 support in the KDC
- kdc: fix kx509 service principal match
- iprop: handle case where master sends nothing new
- ipropd-slave: fix incorrect error codes
- Allow choice of sqlite for HDB pref
- check-iprop: don't fail to kill daemons
- roken: pidfile -> rk_pidfile
- kdc: _kdc_do_kx509 fix use after free error
- Do not detect x32 as 64-bit platform.
- No sys/ttydefaults.h on CYGWIN
- Fix check-iprop races
- roken_detach_prep() close pipe

Release Notes - Heimdal - Version Heimdal 7.1

Security

- kx509 realm-chopping security bug
- non-authorization of alias additions/removals in kadmind (CVE-2016-2400)

Feature

- iprop has been revamped to fix a number of race conditions that could lead to inconsistent replication
- Hierarchical capath support
- AES Encryption with HMAC-SHA2 for Kerberos 5 draft-ietf-kitten-aes-cts-hmac-sha2-11
- hcrypto is now thread safe on all platforms
- libhcrypto has new backends: CNG (Windows), PKCS#11 (mainly for Solaris), and OpenSSL. OpenSSL is now a first-class libhcrypto backend. OpenSSL 1.0.x and 1.1 are both supported. AES-NI used when supported by backend
- HDB now supports LMDB
- Thread support on Windows
- RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST)
- New GSS APIs:
  . gss_localname
- Allow setting what encryption types a principal should have with [kadmin] default_key_rules, see krb5.conf manpage for more info
- Unify libhcrypto with LTC (libtomcrypto)
- asn1_compile 64-bit INTEGER functionality
- HDB key history support including --keepold kadmin password option
- Improved cross-realm key rollover safety
- New krb5_kuserok() and krb5_aname_to_localname() plug-in interfaces
- Improved MIT compatibility
  . kadm5 API
  . Migration from MIT KDB via "mitdb" HDB backend
  . Capable of writing the HDB in MIT dump format
- Improved Active Directory interoperability
  . Enctype selection issues for PAC and other authz-data signatures
  . Cross realm key rollover (kvno 0)
- New [kdc] enctype negotiation configuration:
  . tgt-use-strongest-session-key
  . svc-use-strongest-session-key
  . preauth-use-strongest-session-key
  . use-strongest-server-key
- The KDC process now uses a multi-process model improving resiliency and performance
- Allow batch-mode kinit with password file
- SIGINFO support added to kinit cmd
- New kx509 configuration options:
  . kx509_ca
  . kca_service
  . kx509_include_pkinit_san
  . kx509_template
- Improved Heimdal library/plugin version safety
- Name canonicalization
  . DNS resolver searchlist
  . Improved referral support
  . Support host:port host-based services
- Pluggable libheimbase interface for DBs
- Improve IPv6 Support
- LDAP
  . Bind DN and password
  . Start TLS
- klist --json
- DIR credential cache type
- Updated upstream SQLite and libedit
- Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh, telnet, xnlock
- Completely remove RAND_egd support
- Moved kadmin and ktutil to /usr/bin
- Stricter fcache checks (see fcache_strict_checking krb5.conf setting)
  . use O_NOFOLLOW
  . don't follow symlinks
  . require cache files to be owned by the user
  . require sensible permissions (not group/other readable)
- Implemented gss_store_cred()
- Many more

Bug fixes

- iprop has been revamped to fix a number of race conditions that could lead to data loss
- Include non-loopback addresses assigned to loopback interfaces when requesting tickets with addresses
- KDC 1DES session key selection (for AFS rxkad-k5 compatibility)
- Keytab file descriptor and lock leak
- Credential cache corruption bugs (NOTE: The FILE ccache is still not entirely safe due to the fundamentally unsafe design of POSIX file locking)
- gss_pseudo_random() interop bug
- Plugins are now preferentially loaded from the run-time install tree
- Reauthentication after password change in init_creds_password
- Memory leak in the client kadmin library
- TGS client requests renewable/forwardable/proxiable when possible
- Locking issues in DB1 and DB3 HDB backends
- Master HDB can remain locked while waiting for network I/O
- Renewal/refresh logic when kinit is provided with a command
- KDC handling of enterprise principals
- Use correct bit for anon-pkinit
- Many more
security/heimdal: provide krb5-gssapi.pc as symlink This is needed for example for qt5-qtbase to pick up a pkgsrc-installed heimdal instead of possibly a mix of system mit-krb5 libs with pkgsrc headers, for its network auth that recently got GSSAPI. It makes sense to provide the same pkg-config package name if heimdal and mit-krb5 should be transparently compatible at that front.
revbump for textproc/icu
*: Recursive revbump from textproc/icu-68.1
heimdal: Update MASTER_SITES. The original master site is gone. The new one redirects to Github but for the ancient release we package (1.5.3, newest is 7.x), it does not have the distfile. Update NetBSD/pkgsrc#68
Revbump for icu
Recursive revision bump after textproc/icu update
heimdal: fix runpath setting in krb5-config
security/heimdal: Prefix kerberos commands by default It has long been an issue that heimdal installs "su" which shadows system su and behaves differently. Now, with openssl 1.1, many people are getting heimdal installed that did not expect it or ask for it. (Really, heimdal should be split into libraries and apps, so that programs can have kerberos support without adding commands to the user's namespace, but this is vastly easier.) (In response to on-list complaints, and believing this will not be controversial.)
security/heimdal: add back MAKE_JOBS_SAFE=no
security/heimdal: remove MAKE_JOBS_SAFE=no Heimdal built fine on NetBSD-8.0-x86_64 with MAKE_JOBS=7.
security/heimdal: disable check for unknown GNU configure options Heimdal has bundled libreadline, which has its own configure file with completely different options.
*: Recursive revision bump for openssl 1.1.1.
security: align variable assignments pkglint -Wall -F --only aligned --only indent -r No manual corrections.
heimdal: fix build on OpenSSL 1.1 systems by disabling OpenSSL. heimdal includes a copy of the relevant functions itself. Add a comment that the dependency should be re-enabled when updating this package. Bump PKGREVISION.
Recursive revbump from textproc/icu
heimdal: fix Linux PLIST.hcrypto issue in a more generic way Tested under Debian unstable. PR pkg/53806
heimdal: Fix compilation under WSL This sets the "hcrypto" PLIST variable correctly when pkgsrc is used under WSL (Windows Services for Linux). From David Weller-Fahy via PR pkg/53806.
revbump after updating textproc/icu
Support Minix.
Recursive revbump from textproc/icu-62.1
revbump after icu update
Revbump after textproc/icu update
revbump for requiring ICU 59.x
Revbump after icu update
Recursive revbump from textproc/icu 58.1
Explicitly disable extended glob(3C) support on SunOS, despite it being available on newer illumos, as it simplifies PLIST.glob.
Recursive revbump from textproc/icu 57.1
fix build on Linux
Bump PKGREVISION for security/openssl ABI bump.
Remove manual OPSYSVARS additions which are now part of the default set.
Recursive revbump from textproc/icu
Revbump after updating textproc/icu
Revbump after updating libwebp and icu
Add runtime dependency on flex (in bin/compile_et). Bump PKGREVISION.
recursive bump from icu shlib major bump.
The MirBSD stanza was wrong. Moved it below the builtin.mk inclusion and made the conditional more robust. Fixes at least "make describe", let's see if it helps for the bulk build.
Only build hcrypto on MirBSD if using the builtin OpenSSL. Fixes build now that we have OpenSSL from pkgsrc.
Move check of builtin openssl below to buildlink with openssl and exactly set as checking builtin before including openssl/builtin.mk, so that wanted openssl will be picked up (formerly, BUILTIN_API_DEPENDS.openssl is ignored). Bump PKGREVISION.
Recursive PKGREVISION bump for OpenSSL API version bump.
Fix heimdal build under MirBSD. The three tommath patches (which patch the files into existence) have been included in the source code since heimdal 1.5, so remove them. Compile errors due to missing -pthread in MirBSD were fixed by adding PTHREAD_AUTO_VARS.
Revbump after updating textproc/icu
Fix packaging on Linux. vis.h and glob.h are installed on Linux (Debian GNU/Linux 7.1 and CentOS 6.4 at least) * Makefile of Rev 1.100 removes vis.h and glob.h hack. My two Linux environments require vis.h and glob.h entries for PLIST. Set PLIST.vis and PLIST.glob for Linux.
Heimdal really uses termcap
fix PLIST options for solaris, including builtin openssl support
At least on my systems glob and vis are not installed, so introduce PLIST conditional. Please fix up the setting on your systems. Mark as not MAKE_JOBS_SAFE.
Changes 1.5.3: Bug fixes - Fix leaking file descriptors in KDC - Better socket/timeout handling in libkrb5 - General bug fixes - Build fixes
Attempt to fix readline fallout. Tested with both READLINE_TYPE on SmartOS.
* .include "../../devel/readline/buildlink3.mk" with USE_GNU_READLINE=yes are replaced with .include "../../devel/readline/buildlink3.mk", and USE_GNU_READLINE are removed, * .include "../../devel/readline/buildlink3.mk" without USE_GNU_READLINE are replaced with .include "../../mk/readline.buildlink3.mk".
Massive revbump after updating graphics/ilmbase, graphics/openexr, textproc/icu.
PKGREVISION bumps for the security/openssl 1.0.1d update.
Revbump after graphics/jpeg and textproc/icu
recursive bump from cyrus-sasl libsasl2 shlib major bump.
When getting a file basename strip any leading directories.
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.
Add CONFLICTS with kth-krb4 (lib/libsl.so)
Fix install on at least Solaris.
Recursive bump from icu shlib major bumped to 49.
On SunOS, heimdal never builds hcrypto when pkgsrc OpenSSL is used.
PR/39656 -- Use /var/heimdal as hdbdir, not /var.
Update to Heimdal 1.5.2

Release Notes - Heimdal - Version Heimdal 1.5.2

Security fixes

- CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege
- Check that key types strictly match - denial of service

Release Notes - Heimdal - Version Heimdal 1.5.1

Bug fixes

- Fix building on Solaris, requires c99
- Fix building on Windows
- Build system updates

Release Notes - Heimdal - Version Heimdal 1.5

New features

- Support GSS name extensions/attributes
- SHA512 support
- No Kerberos 4 support
- Basic support for MIT Admin protocol (SECGSS flavor) in kadmind (extract keytab)
- Replace editline with libedit
Provide access to tests (TEST_TARGET=check).
Revbump after db5 update
Fix for CVE-2011-4862 from FreeBSD When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer.
In OWN_DIRS_PERMS change ROOT_GROUP to REAL_ROOT_GROUP
Fix build on SunOS.
Adds the symbols _kdc_db_fetch and _kdc_free_ent to global visibility, so that they can be referenced from kdc/digest-service. Fixes build on Dragonfly. From Alex Hornung in PR pkg/45195.
Changes 1.4:

New features
* Support for reading MIT database file directly
* KCM is polished up and now used in production
* NTLM first class citizen, credentials stored in KCM
* Table driven ASN.1 compiler, smaller!, not enabled by default
* Native Windows client support

Notes
* Disabled write support NDBM hdb backend (read still in there) since it can't handle large records, please migrate to a different backend (like BDB4)

Changes 1.3.3:

Bug fixes
* Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
* Check NULL pointers before dereferencing them [kdc]

Changes 1.3.2:

Bug fixes
* Don't mix length when clearing hmac (could memset too much)
* More paranoid underrun checking when decrypting packets
* Check the password change requests and refuse to answer empty packets
* Build on OpenSolaris
* Renumber AD-SIGNED-TICKET since it was stolen from US
* Don't cache /dev/*random file descriptor, it doesn't get unloaded
* Make C++ safe
* Misc warnings
Reset maintainer, lost his commit bit.
Fix ownership. Bump revision.
Recursive PKGREVISION bump for jpeg update to 8.
Mark packages as MAKE_JOBS_SAFE=no that failed in a bulk build with MAKE_JOBS=2 and worked without.
Remove @dirrm related logic.
Recursive ABI depends update and PKGREVISION bump for readline-6.0 shlib major change. Reported by Robert Elz in PR 41345.
Use standard location for LICENSE line (in MAINTAINER/HOMEPAGE/COMMENT block). Uncomment some commented out LICENSE lines while here.
heimdal leaves empty directories after deinstallation, fix that. OK by wiz@.
libhcrypto.la only seems to get installed if we're building on 3.x or older, so make it only end up in the PLIST if that is the case.
Add missing library (libhcrypto) to PLIST, allowing sudo to build against this heimdal on 3.x. Bump PKGREVISION.
Convert to use PLIST_VARS instead of manually passing "@comment " through PLIST_SUBST to the plist module.
As of revision 1.2 of termcap.buildlink3.mk, "-ltermcap" is automatically transformed into the correct set of libraries, so we no longer need to override the configure script's check for which library has tgetent().
The "missing-from-system" headers that Heimdal installs are now placed into ${PREFIX}/include/krb5/roken instead of ${PREFIX}/include/krb5. This is good because it reduces the likelihood of a conflict with any other similarly named headers if you simply add -I${PREFIX}/include/krb5 to the compiler command line. Patch from PR pkg/38119 by charlie.
Rename termlib.* to termcap.* to better document exactly what packages are trying to use (the termcap t*() API).
Update security/heimdal to version 1.1.

Changes from version 0.7.2 include:
* Read-only PKCS11 provider built-in to hx509.
* Better compatibility with Windows 2008 Server pre-releases and Vista.
* Add RFC3526 modp group14 as default.
* Handle [kdc] database = { } entries without realm = stanzas.
* Add gss_pseudo_random() for mechglue and krb5.
* Make session key for the krbtgt be selected by the best encryption type of the client.
* Better interoperability with other PK-INIT implementations.
* Alias support for initial ticket requests.
* Make ASN.1 library less paranoid with regard to NUL in string to make it inter-operate with MIT Kerberos again.
* PK-INIT support.
* HDB extensions support, used by PK-INIT.
* New ASN.1 compiler.
* GSS-API mechglue from FreeBSD.
* Updated SPNEGO to support RFC4178.
* Support for Cryptosystem Negotiation Extension (RFC 4537).
* A new X.509 library (hx509) and related crypto functions.
* A new ntlm library (heimntlm) and related crypto functions.
* KDC will return the "response too big" error to force TCP retries for large (default 1400 bytes) UDP replies. This is common for PK-INIT requests.
* Libkafs defaults to use 2b tokens.
* krb5_kuserok() also checks ~/.k5login.d directory for acl files.
* Fix memory leaks.
* Bug fixes
Per the process outlined in revbump(1), perform a recursive revbump on packages that are affected by the switch from the openssl 0.9.7 branch to the 0.9.8 branch. ok jlam@
Fixed the build on IRIX 6.5.
Pullup ticket 1784 - requested by salo
security fix for heimdal

Revisions pulled up:
- pkgsrc/security/heimdal/Makefile 1.60-1.62
- pkgsrc/security/heimdal/distinfo 1.20-1.21
- pkgsrc/security/heimdal/PLIST 1.11
- pkgsrc/security/heimdal/PLIST.Linux removed
- pkgsrc/security/heimdal/patches/patch-al 1.1
- pkgsrc/security/heimdal/patches/patch-am 1.1
- pkgsrc/security/heimdal/patches/patch-an 1.1
- pkgsrc/security/heimdal/patches/patch-ao 1.1
- pkgsrc/security/heimdal/patches/patch-ap 1.1
- pkgsrc/security/heimdal/patches/patch-aq 1.1

Module Name: pkgsrc
Committed By: markd
Date: Sun Jul 2 13:53:28 UTC 2006
Modified Files: pkgsrc/security/heimdal: Makefile
Added Files: pkgsrc/security/heimdal: PLIST.SunOS
Log Message:
Solaris does not have err.h, glob.h, ifaddrs.h and vis.h compatible with heimdal, so heimdal installs its own. Add them in PLIST.SunOS Fixes PR pkg/33656. Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: jlam
Date: Wed Jul 5 04:39:15 UTC 2006
Modified Files: pkgsrc/security/heimdal: Makefile PLIST distinfo
Added Files: pkgsrc/security/heimdal/patches: patch-al
Removed Files: pkgsrc/security/heimdal: PLIST.Linux PLIST.SunOS
Log Message:
Back out previous and do the same thing more generally for all platforms. Since the heimdal install process will install additional headers in ${PREFIX}/include/krb5 depending on what the configure process detects, simply query the source Makefile at install-time for the extra headers that it will install and dynamically add them to the PLIST.
---
Module Name: pkgsrc
Committed By: salo
Date: Wed Aug 9 17:58:09 UTC 2006
Modified Files: pkgsrc/security/heimdal: Makefile distinfo
Added Files: pkgsrc/security/heimdal/patches: patch-am patch-an patch-ao patch-ap patch-aq
Log Message:
Security fix for SA21436: "A security issue has been reported in Heimdal, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issue is caused due to missing checks for whether the "setuid()" call has succeeded in the bundled rcp application. This may be exploited to perform certain actions with root privileges if the "setuid()" call fails due to e.g. resource limits." http://secunia.com/advisories/21436/ http://www.pdc.kth.se/heimdal/advisory/2006-08-08/ Bump PKGREVISION.
Security fix for SA21436: "A security issue has been reported in Heimdal, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issue is caused due to missing checks for whether the "setuid()" call has succeeded in the bundled rcp application. This may be exploited to perform certain actions with root privileges if the "setuid()" call fails due to e.g. resource limits." http://secunia.com/advisories/21436/ http://www.pdc.kth.se/heimdal/advisory/2006-08-08/ Bump PKGREVISION.
Back out previous and do the same thing more generally for all platforms. Since the heimdal install process will install additional headers in ${PREFIX}/include/krb5 depending on what the configure process detects, simply query the source Makefile at install-time for the extra headers that it will install and dynamically add them to the PLIST.
Solaris does not have err.h, glob.h, ifaddrs.h and vis.h compatible with heimdal, so heimdal installs its own. Add them in PLIST.SunOS Fixes PR pkg/33656. Bump PKGREVISION.
The databases/openldap package has been split in -client and -server component packages. Convert LDAP-based applications to depend on openldap-client, and bump PKGREVISION for those that depend on it by default.
Linux does not have glob.h and vis.h compatible with heimdal, so heimdal installs its own glob.h and vis.h. Add them to PLIST.Linux. Bump PKGREVISION.
This package requires flex to build.
heimdal and gss conflict because they install a common set of manpages for the gss_* functions.
* Honor PKGINFODIR. * List the info files directly in the PLIST.
Pullup ticket 1106 - requested by Love Hornquist Astrand
security update for heimdal

Revisions pulled up:
- pkgsrc/security/heimdal/Makefile 1.54
- pkgsrc/security/heimdal/distinfo 1.19
- pkgsrc/security/heimdal/patches/patch-ab removed
- pkgsrc/security/heimdal/patches/patch-ak removed
- pkgsrc/security/heimdal/patches/patch-ae removed
- pkgsrc/security/heimdal/patches/patch-af removed
- pkgsrc/security/heimdal/patches/patch-ag removed
- pkgsrc/security/heimdal/patches/patch-ah removed
- pkgsrc/security/heimdal/patches/patch-ai removed
- pkgsrc/security/heimdal/patches/patch-aj removed

Module Name: pkgsrc
Committed By: lha
Date: Tue Feb 7 12:20:52 UTC 2006
Modified Files: pkgsrc/security/heimdal: Makefile distinfo
Removed Files: pkgsrc/security/heimdal/patches: patch-ab patch-ae patch-af patch-ag patch-ah patch-ai patch-aj patch-ak
Log Message:
http://www.pdc.kth.se/heimdal/releases/0.7.2/
http://www.pdc.kth.se/heimdal/advisory/2006-02-06/

Changes in Heimdal 0.7.2
* Fix security problem in rshd that enables an attacker to overwrite and change ownership of any file that root could write.
* Fix a DOS in telnetd. The attacker could force the server to crash in a NULL de-reference before the user logged in, resulting in inetd turning telnetd off because it forked too fast.
* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name exists in the keytab before returning success. This allows servers to check if it's even possible to use GSSAPI.
* Fix receiving end of token delegation for GSS-API. It still wrongly uses subkey for sending for compatibility reasons, this will change in 0.8.
* telnetd, login and rshd are now more verbose in logging failed and successful logins.
* Bug fixes
http://www.pdc.kth.se/heimdal/releases/0.7.2/ http://www.pdc.kth.se/heimdal/advisory/2006-02-06/ Changes in Heimdal 0.7.2 * Fix security problem in rshd that enables an attacker to overwrite and change ownership of any file that root could write. * Fix a DoS in telnetd. The attacker could force the server to crash in a NULL de-reference before the user logged in, resulting in inetd turning telnetd off because it forked too fast. * Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name exists in the keytab before returning success. This allows servers to check if it's even possible to use GSSAPI. * Fix receiving end of token delegation for GSS-API. It still wrongly uses subkey for sending for compatibility reasons; this will change in 0.8. * telnetd, login and rshd are now more verbose in logging failed and successful logins. * Bug fixes
Force Heimdal to compile its own compile_et by telling the configure script not to find any system-installed compile_et. (This should really be done by using our own PATH that doesn't include any system paths, but we're not quite ready to do that yet.)
security/heimdal and net/openafs conflict because of: bin/compile_et bin/kpasswd bin/pagsh Addresses PR 32610 and PR 32612 by Ola Eriksson.
security/heimdal and arla conflict with each other because of: bin/mk_cmds lib/libroken.la lib/libsl.la lib/libss.la man/man3/arg_printusage.3 man/man3/getarg.3 Addresses PR 32610 and PR 32611 by Ola Eriksson.
Remove USE_PKGINSTALL from pkgsrc now that mk/install/pkginstall.mk automatically detects whether we want the pkginstall machinery to be used by the package Makefile.
Add a non-conflicting definition for load_rc_config_var so that platforms with older versions of /etc/rc.subr can run smbd.sh and winbindd.sh without updating /etc/rc.subr. Bump PKGREVISION to 2.
Ran "pkglint --autofix", which corrected some of the quoting issues in CONFIGURE_ARGS.
Fixed pkglint warnings. The warnings are mostly quoting issues, for example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some other changes are outlined in http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
Pull in change from Heimdal CVS committed on 20051012 where the field in a publicly-exported structure was renamed from "private" to "opt_private". This allows <krb5.h> to be used by C++ compilers. Bump the PKGREVISION to 1.
Update security/heimdal to 0.7.1 (approved by lha). We drop support for the "db4" option and just rely on the appropriate BDB_* settings via bdb.buildlink3.mk. Also, we tweak the builtin.mk file to use krb5-config, if it's available, to check the version of the built-in heimdal. Patches patch-ab, patch-ae and patch-af have been sent back upstream and will be incorporated into future Heimdal releases. Changes between version 0.6.5 and version 0.7.1 include: * Support for KCM, a process based credential cache * Support CCAPI credential cache * SPNEGO support * AES (and the gssapi counterpart, CFX) support * Add new and improve old documentation * Bug fixes
Solaris 9 has a <vis.h> header, but it is very different to the BSD <vis.h> header, which is expected by heimdal. Now the package builds on Solaris 9.
Remove some more *LEGACY* settings that are over a month old and thus were before 2005Q3.
Include sys/types.h. This fixes configure on DragonFly. Bump PKGREVISION. Okayed by lha@. I tested on Linux and DragonFly. I got this from Joerg Sonnenberger. On DragonFly, the configure errored like: /usr/include/openssl/md5.h:110: error: syntax error before "size_t" In file included from conftest.c:34: /usr/include/openssl/sha.h:109: error: syntax error before "size_t" This caused tests to break and it ended up building and installing libdes and des.h, md4.h, and related headers. So later libgssapi needed this libdes which was not buildlinked which broke kdelibs3 build.
Add patch-aa to make heimdal compile with gcc-4 (default with darwin 8). This patch is the same as revision 1.3 of /cvsroot/src/crypto/dist/heimdal/lib/asn1/gen_glue.c by matt@, whose cvs log reads: Don't emit struct units [] anymore. emit a struct units * const foo and in the C file initialize that to the static list. Bump pkgrevision: it changes the binary package on gcc<4 platforms. approved by wiz@
Update to Heimdal 0.6.5 Changes in release 0.6.5 * fix vulnerabilities in telnetd * unbreak Kerberos 4 and kaserver
Make this build on Darwin. This fixes PR pkg/29147.
Rename option prefix-cmds to kerberos-prefix-cmds. Backwards compatibility provided via PKG_OPTIONS_LEGACY_OPTS.
Packages have no business modifying PKG_DEFAULT_OPTIONS -- it's a user settable variable. Set PKG_SUGGESTED_OPTIONS instead. Also, make use of PKG_OPTIONS_LEGACY_VARS. Reviewed by wiz.
Remove USE_GNU_TOOLS and replace with the correct USE_TOOLS definitions: USE_GNU_TOOLS -> USE_TOOLS awk -> gawk m4 -> gm4 make -> gmake sed -> gsed yacc -> bison
Pullup ticket 458 - requested by Love Hornquist-Astrand security fix for heimdal Revisions pulled up: - pkgsrc/security/heimdal/Makefile 1.34-1.35 - pkgsrc/security/heimdal/PLIST 1.7 - pkgsrc/security/heimdal/distinfo 1.11 - pkgsrc/security/heimdal/patches/patch-ae removed Module Name: pkgsrc Committed By: wiz Date: Thu Apr 21 14:00:36 UTC 2005 Modified Files: pkgsrc/security/heimdal: Makefile Log Message: lha agreed to maintain this package. --- Module Name: pkgsrc Committed By: lha Date: Thu Apr 21 14:35:47 UTC 2005 Modified Files: pkgsrc/security/heimdal: Makefile PLIST distinfo Removed Files: pkgsrc/security/heimdal/patches: patch-ae Log Message: Update to Heimdal 0.6.4. While I'm here, claim maintainership of this package. Also please pkglint. Changes in heimdal 0.6.4 include: * fix vulnerabilities in telnet * rshd: encryption without a separate error socket should now work * telnet now uses appdefaults for the encrypt and forward/forwardable settings * bug fixes
Update to Heimdal 0.6.4. While I'm here, claim maintainership of this package. Also please pkglint. Changes in heimdal 0.6.4 include: * fix vulnerabilities in telnet * rshd: encryption without a separate error socket should now work * telnet now uses appdefaults for the encrypt and forward/forwardable settings * bug fixes
lha agreed to maintain this package.
Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used.
The default location of the pkgsrc-installed rc.d scripts is now under share/examples/rc.d. The variable name already was named RCD_SCRIPTS_EXAMPLEDIR. This is from ideas from Greg Woods and others. Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism (as requested by wiz).
Enable building heimdal with the "ldap" option to allow using an LDAP server as a datastore for the KDC.
Set USE_OLD_DES_API and replace custom changes to work with NetBSD-2.0's OpenSSL, with patches to use <openssl/des_old.h>.
Remove pre-buildlink and post-buildlink as part of getting pkgsrc ready for pkgsrc-2004Q4. The "buildlink" phase was removed for the last branch, and this is the final cleanup. "post-buildlink" is now "post-wrapper".
Correctly detect the old DES API in the OpenSSL in NetBSD's base install. This prevents Heimdal from building and installing its own DES library and headers. Bump the PKGREVISION.
Add a new variable BROKEN_READLINE_DETECTION which should be set to yes/no by a package Makefile, depending on whether the configure process properly detects the additional libraries needed to link against -lreadline (typically, you need either "-lreadline -ltermcap", or "-lreadline -lcurses" to properly link against -lreadline). If this variable is set to "yes", then we automatically expand "-lreadline" into "-lreadline -l<termcap functions library>". BROKEN_READLINE_DETECTION defaults to "no". Set BROKEN_READLINE_DETECTION to "yes" in security/heimdal and remove the custom logic that did the same work.
Fix location of heimdal mirror at ftp.sunet.se.
This needs a yacc. So used: USE_GNU_TOOLS+= yacc (But it didn't necessarily need a GNU version.)
Libtool fix for PR pkg/26633, and other issues. Update libtool to 1.5.10 in the process. (More information on tech-pkg.) Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and installing .la files. Bump PKGREVISION (only) of all packages depending directly on the above via a buildlink3 include.
Mechanical changes to package PLISTs to make use of LIBTOOLIZE_PLIST. All library names listed by *.la files no longer need to be listed in the PLIST, e.g., instead of: lib/libfoo.a lib/libfoo.la lib/libfoo.so lib/libfoo.so.0 lib/libfoo.so.0.1 one simply needs: lib/libfoo.la and bsd.pkg.mk will automatically ensure that the additional library names are listed in the installed package +CONTENTS file. Also make LIBTOOLIZE_PLIST default to "yes".
The configure script checks for some libraries in the wrong order, since -lreadline also needs either -ltermcap, -lcurses, or -lncurses in the link command to resolve all symbols used in the readline library. Cause one of these libraries to automatically be added whenever "-lreadline" appears on the command line. This is a generalization of the change in revision 1.6 to work on more operating systems.
Update security/heimdal to 0.6.3. Changes from version 0.6.1 include: * fix vulnerabilities in ftpd * support for linux AFS /proc "syscalls" * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in kpasswdd * fix possible KDC denial of service * Fix possible buffer overrun in v4 kadmin (which now defaults to off)
Change the way that legacy USE_* and FOO_USE_* options are converted into the bsd.options.mk framework. Instead of appending to ${PKG_OPTIONS_VAR}, it appends to PKG_DEFAULT_OPTIONS. This causes the default options to be the union of PKG_DEFAULT_OPTIONS and any old USE_* and FOO_USE_* settings. This fixes PR pkg/26590.
It's PKG_OPTIONS.heimdal, not PKG_OPTIONS.mit-krb5.
Convert to use bsd.options.mk. The relevant options variable to set for each package can be determined by invoking: make show-var VARNAME=PKG_OPTIONS_VAR The old options are still supported unless the variable named in PKG_OPTIONS_VAR is set within make(1) (usually via /etc/mk.conf).
Honor VARBASE; bump PKGREVISION.
Cede maintainership to the hard-working people on tech-pkg@NetBSD.org.
Whitespace nits.
There is no PKGREVISION less than 1. Just remove it in this case.
Update to 0.6.1: * Fixed cross realm vulnerability * Fixed ARCFOUR support * kdc: fix denial of service attack * kdc: stop clients from renewing tickets into the future * bug fixes
Note the info file for the new info file handling framework.
Fix the Kerberized telnetd and rsh to use the Heimdal binaries for login and rsh so that the correct programs (and not the system ones) are executed. Bump the PKGREVISION to 3.
Reverse the use of USE_DB185 in bdb.buildlink3.mk -- it defaults to "yes" and packages that can't use the DB-1.85 API should set it to "no". This makes the native DB the preferred DB if it exists.
PKGREVISION bump after openssl-security-fix-update to 0.9.6m. Buildlink files: RECOMMENDED version changed to current version.
Convert to use bdb.buildlink3.mk.
Let the rc.d script start kdc detached, as is the default for the in-tree kdc. From Jukka Salmi in PR 24489, ok'd by lukem@. Bump PKGREVISION to 1.
configure looks for and finds -ltermcap too late in the process for it to be linked in when testing -lreadline usability, so that test fails on Solaris - so pass that lib into configure at the start via the environment. Also allow optional use of db4 rather than db.
LIBTOOL_OVERRIDE and SHLIBTOOL_OVERRIDE are now lists of shell globs relative to ${WRKSRC}. Remove redundant LIBTOOL_OVERRIDE settings that are automatically handled by the default setting in bsd.pkg.mk.
Support a new yes/no variable "KERBEROS_PREFIX_CMDS" that can be used by Kerberos implementation packages to decide whether to prefix certain commands with a "k" to differentiate them from system tools with similar names. KERBEROS_PREFIX_CMDS defaults to "no".
Note CONFLICT with forthcoming mit-krb5 package.
Add a rc.d script to start the kdc daemon on the Kerberos master server.
Initial import of heimdal-0.6 into security/heimdal. Heimdal is a free implementation of Kerberos 5. Kerberos is a system for authenticating users and services on a network. It is built upon the assumption that the network is "unsafe". Kerberos is a trusted third-party service. That means that there is a third party (the Kerberos server) that is trusted by all the entities on the network (users and services, usually called "principals"). All principals share a secret password (or key) with the Kerberos server and this enables principals to verify that the messages from the Kerberos server are authentic. Thus trusting the Kerberos server, users and services can authenticate each other.
Initial revision