The NetBSD Project

CVS log for pkgsrc/security/mit-krb5/Makefile


Default branch: MAIN
Current tag: MAIN


Revision 1.118 / (download) - annotate - [select for diffs], Tue Jan 16 22:16:34 2024 UTC (2 months, 4 weeks ago) by rillig
Branch: MAIN
CVS Tags: pkgsrc-2024Q1-base, pkgsrc-2024Q1, HEAD
Changes since 1.117: +1 -2 lines
Diff to previous 1.117 (colored)

security/mit-krb5: remove unknown configure option

Revision 1.117 / (download) - annotate - [select for diffs], Fri Jan 5 23:46:29 2024 UTC (3 months, 1 week ago) by adam
Branch: MAIN
Changes since 1.116: +3 -4 lines
Diff to previous 1.116 (colored)

mit-krb5: updated to 1.21.2

Major changes in 1.21.2 (2023-08-14)

Fix double-free in KDC TGS processing [CVE-2023-39975].

Major changes in 1.21.1 (2023-07-10)

Fix potential uninitialized pointer free in kadm5 XDR parsing [CVE-2023-36054].

Major changes in 1.21 (2023-06-05)

User experience
* Added a credential cache type providing compatibility with the macOS 11 native credential cache.

Developer experience
* libkadm5 will use the provided krb5_context object to read configuration values, instead of creating its own.
* Added an interface to retrieve the ticket session key from a GSS context.

Protocol evolution
* The KDC will no longer issue tickets with RC4 or triple-DES session keys unless explicitly configured with the new allow_rc4 or allow_des3 variables respectively.
* The KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes string attribute.
* Support for PAC full KDC checksums has been added to mitigate an S4U2Proxy privilege escalation attack.
* The PKINIT client will advertise a more modern set of supported CMS algorithms.

Code quality
* Removed unused code in libkrb5, libkrb5support, and the PKINIT module.
* Modernized the KDC code for processing TGS requests, the code for encrypting and decrypting key data, the PAC handling code, and the GSS library packet parsing and composition code.
* Improved the test framework's detection of memory errors in daemon processes when used with asan.

Revision 1.116 / (download) - annotate - [select for diffs], Tue Oct 24 22:10:52 2023 UTC (5 months, 3 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2023Q4-base, pkgsrc-2023Q4
Changes since 1.115: +2 -1 lines
Diff to previous 1.115 (colored)

*: bump for openssl 3

Revision 1.115 / (download) - annotate - [select for diffs], Fri Jul 29 20:22:44 2022 UTC (20 months, 2 weeks ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2023Q3-base, pkgsrc-2023Q3, pkgsrc-2023Q2-base, pkgsrc-2023Q2, pkgsrc-2023Q1-base, pkgsrc-2023Q1, pkgsrc-2022Q4-base, pkgsrc-2022Q4, pkgsrc-2022Q3-base, pkgsrc-2022Q3
Changes since 1.114: +3 -4 lines
Diff to previous 1.114 (colored)

mit-krb5: Update to 1.19.3.

Major changes in 1.19.3 (2022-03-11)
------------------------------------

This is a bug fix release.

* Fix a denial of service attack against the KDC [CVE-2021-37750].

krb5-1.19.3 changes by ticket ID
--------------------------------

9008    Fix KDC null deref on TGS inner body null server
9023    Fix conformance issue in GSSAPI tests

Major changes in 1.19.2 (2021-07-22)
------------------------------------

This is a bug fix release.

* Fix a denial of service attack against the KDC encrypted challenge
  code [CVE-2021-36222].

* Fix a memory leak when gss_inquire_cred() is called without a
  credential handle.

krb5-1.19.2 changes by ticket ID
--------------------------------

8989    Fix typo in enctypes.rst
8992    Avoid rand() in aes-gen test program
9005    Fix argument type errors on Windows
9006    doc build fails with Sphinx 4.0.2
9007    Fix KDC null deref on bad encrypted challenge
9014    Using locking in MEMORY krb5_cc_get_principal()
9015    Fix use-after-free during krad remote_shutdown()
9016    Memory leak in krb5_gss_inquire_cred

Major changes in 1.19.1 (2021-02-18)
------------------------------------

This is a bug fix release.

* Fix a linking issue with Samba.

* Better support multiple pkinit_identities values by checking whether
  certificates can be loaded for each value.

krb5-1.19.1 changes by ticket ID
--------------------------------

8984    Load certs when checking pkinit_identities values
8985    Restore krb5_set_default_tgs_ktypes()
8987    Synchronize command-line option documentation

Major changes in 1.19 (2021-02-01)
----------------------------------

Administrator experience:

* When a client keytab is present, the GSSAPI krb5 mech will refresh
  credentials even if the current credentials were acquired manually.

* It is now harder to accidentally delete the K/M entry from a KDB.

Developer experience:

* gss_acquire_cred_from() now supports the "password" and "verify"
  options, allowing credentials to be acquired via password and
  verified using a keytab key.

* When an application accepts a GSS security context, the new
  GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
  both provided matching channel bindings.

* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self
  requests to identify the desired client principal by certificate.

* PKINIT certauth modules can now cause the hw-authent flag to be set
  in issued tickets.

* The krb5_init_creds_step() API will now issue the same password
  expiration warnings as krb5_get_init_creds_password().

Protocol evolution:

* Added client and KDC support for Microsoft's Resource-Based
  Constrained Delegation, which allows cross-realm S4U2Proxy requests.
  A third-party database module is required for KDC support.

* kadmin/admin is now the preferred server principal name for kadmin
  connections, and the host-based form is no longer created by
  default.  The client will still try the host-based form as a
  fallback.

* Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
  extension, which causes channel bindings to be required for the
  initiator if the acceptor provided them.  The client will send this
  option if the client_aware_gss_bindings profile option is set.

User experience:

* kinit will now issue a warning if the des3-cbc-sha1 encryption type
  is used in the reply.  This encryption type will be deprecated and
  removed in future releases.

* Added kvno flags --out-cache, --no-store, and --cached-only
  (inspired by Heimdal's kgetcred).

krb5-1.19 changes by ticket ID
------------------------------

7976    Client keytab does not refresh manually obtained ccaches
8332    Referral and cross-realm TGS requests fail with anonymous cache
8871    Zero length fields when freeing object contents
8879    Allow certauth modules to set hw-authent flag
8885    PKINIT calls responder twice
8890    Add finalization safety check to com_err
8893    Do expiration warnings for all init_creds APIs
8897    Pass gss_localname() through SPNEGO
8899    Implement GSS_C_CHANNEL_BOUND_FLAG
8900    Implement KERB_AP_OPTIONS_CBT (server side)
8901    Stop reporting krb5 mech from IAKERB
8902    Omit KDC indicator check for S4U2Self requests
8904    Add KRB5_PRINCIPAL_PARSE_NO_DEF_REALM flag
8907    Pass channel bindings through SPNEGO
8909    Return GSS_S_NO_CRED from krb5 gss_acquire_cred
8910    Building with --enable-static fails when Yasm is available
8911    Default dns_canonicalize_hostname to "fallback"
8912    Omit PA_FOR_USER if we can't compute its checksum
8913    Deleting master key principal entry shouldn't be possible
8914    Invalid negative record length in keytab file
8915    Try to find <target>-ar when cross compiling
8917    Add three kvno options from Heimdal kgetcred
8919    Interop with Heimdal KDC for S4U2Self requests
8920    Fix KDC choice to send encrypted S4U_X509_USER
8921    Use the term "primary KDC" in source and docs
8922    Trace plugin module loading errors
8923    Add GSS_KRB5_NT_X509_CERT name type
8927    getdate.y %type warnings with bison 3.5
8928    Fix three configure tests for Xcode 12
8929    Ignore bad enctypes in krb5_string_to_keysalts()
8930    Expand dns_canonicalize_host=fallback support
8931    Cache S4U2Proxy requests by second ticket
8932    Do proper length decoding in SPNEGO gss_get_oid()
8934    Try kadmin/admin first in libkadm5clnt
8935    Don't create hostbased principals in new KDBs
8937    Fix Leash console option
8940    Remove Leash import functionality
8942    Fix KRB5_GC_CACHED for S4U2Self requests
8943    Allow KDC to canonicalize realm in TGS client
8944    Harmonize macOS pack declarations with Heimdal
8946    Improve KDC alias checking for S4U requests
8947    Warn when des3-cbc-sha1 is used for initial auth
8948    Update SRV record documentation
8950    Document enctype migration
8951    Allow aliases when matching U2U second ticket
8952    Fix doc issues with newer Doxygen and Sphinx
8953    Move more KDC checks to validate_tgs_request()
8954    Update Gladman AES code to a version with a clearer license
8957    Use PKG_CHECK_MODULES for system library com_err
8961    Fix gss_acquire_cred_from() IAKERB handling
8962    Add password option to cred store
8963    Add verify option to cred store
8964    Add GSS credential store documentation
8965    Install shared libraries as executable
8966    Improve duplicate checking in gss_add_cred()
8967    Continue on KRB5_FCC_NOFILE in KCM cache iteration
8969    Update kvno(1) synopsis with missing options
8971    Implement fallback for GSS acceptor names
8973    Revert dns_canonicalize_hostname default to true
8975    Incorrect runstatedir substitution affecting "make install"

Major changes in 1.18.5 (2022-03-11)
------------------------------------

This is a bug fix release.

* Fix a denial of service attack against the KDC [CVE-2021-37750].

krb5-1.18.5 changes by ticket ID
--------------------------------

9008    Fix KDC null deref on TGS inner body null server

Revision 1.114 / (download) - annotate - [select for diffs], Tue Jun 28 11:35:38 2022 UTC (21 months, 2 weeks ago) by wiz
Branch: MAIN
Changes since 1.113: +2 -1 lines
Diff to previous 1.113 (colored)

*: recursive bump for perl 5.36

Revision 1.113 / (download) - annotate - [select for diffs], Thu Aug 26 06:31:33 2021 UTC (2 years, 7 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q2-base, pkgsrc-2022Q2, pkgsrc-2022Q1-base, pkgsrc-2022Q1, pkgsrc-2021Q4-base, pkgsrc-2021Q4, pkgsrc-2021Q3-base, pkgsrc-2021Q3
Changes since 1.112: +2 -3 lines
Diff to previous 1.112 (colored)

mit-krb5: updated to 1.18.4

Major changes in 1.18.4

Fix a denial of service attack against the KDC encrypted challenge code [CVE-2021-36222].
Fix a memory leak when gss_inquire_cred() is called without a credential handle.

Revision 1.112 / (download) - annotate - [select for diffs], Mon May 24 19:53:54 2021 UTC (2 years, 10 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2021Q2-base, pkgsrc-2021Q2
Changes since 1.111: +2 -1 lines
Diff to previous 1.111 (colored)

*: recursive bump for perl 5.34

Revision 1.111 / (download) - annotate - [select for diffs], Sat Jan 16 09:00:23 2021 UTC (3 years, 2 months ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1
Changes since 1.110: +4 -8 lines
Diff to previous 1.110 (colored)

mit-krb5: Update to 1.18.3.

Fixes issues with the autoconf 2.70 update and bison POSIX yacc errors.

Major changes in 1.18.3 (2020-11-17)
------------------------------------

This is a bug fix release.

* Fix a denial of service vulnerability when decoding Kerberos
  protocol messages.

* Fix a locking issue with the LMDB KDB module which could cause KDC
  and kadmind processes to lose access to the database.

* Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
  and unloaded while libkrb5support remains loaded.

krb5-1.18.3 changes by ticket ID
--------------------------------

7476    updated manual page for kvno
8614    Assertion failure when repeatedly loading libgssapi_krb5
8882    kdb5_util load ignores password expiration with LDAP KDB module
8918    KDC and kadmind fork with DB open, breaking LMDB KDB module
8926    Allow gss_unwrap_iov() of unpadded RC4 tokens
8933    Fix input length checking in SPNEGO DER decoding
8936    Set lockdown attribute when creating LDAP KDB
8938    Leash crashes on failure to auto-renew tickets
8939    Suppress Leash error popup on MSLSA renew failure
8959    Add recursion limit for ASN.1 indefinite lengths
8960    Fix compatibility with upcoming autoconf 2.70

Revision 1.110 / (download) - annotate - [select for diffs], Thu Oct 8 19:52:36 2020 UTC (3 years, 6 months ago) by gdt
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since 1.109: +9 -1 lines
Diff to previous 1.109 (colored)

mit-krb5: Add comment about missing LICENSE.

The license file is enormous.  While mostly BSDish, one license is
hard to safely read as Free.  I have asked upstream to clarify the
language.

Revision 1.109 / (download) - annotate - [select for diffs], Wed Oct 7 22:40:56 2020 UTC (3 years, 6 months ago) by gdt
Branch: MAIN
Changes since 1.108: +5 -4 lines
Diff to previous 1.108 (colored)

mit-kerberos: Update to 1.18.2

Upstream README excerpt:

Major changes in 1.18.2 (2020-05-21)

    Fix a SPNEGO regression where an acceptor using the default credential would improperly filter mechanisms, causing a negotiation failure.
    Fix a bug where the KDC would fail to issue tickets if the local krbtgt principal's first key has a single-DES enctype.
    Add stub functions to allow old versions of OpenSSL libcrypto to link against libkrb5.
    Fix a NegoEx bug where the client name and delegated credential might not be reported.

Major changes in 1.18.1 (2020-04-13)

    Fix a crash when qualifying short hostnames when the system has no primary DNS domain.
    Fix a regression when an application imports "service@" as a GSS host-based name for its acceptor credential handle.
    Fix KDC enforcement of auth indicators when they are modified by the KDB module.
    Fix removal of require_auth string attributes when the LDAP KDB module is used.
    Fix a compile error when building with musl libc on Linux.
    Fix a compile error when building with gcc 4.x.
    Change the KDC constrained delegation precedence order for consistency with Windows KDCs.

Revision 1.108 / (download) - annotate - [select for diffs], Mon Aug 31 18:11:09 2020 UTC (3 years, 7 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3
Changes since 1.107: +2 -1 lines
Diff to previous 1.107 (colored)

*: bump PKGREVISION for perl-5.32.

Revision 1.107 / (download) - annotate - [select for diffs], Fri Jul 3 13:22:55 2020 UTC (3 years, 9 months ago) by hauke
Branch: MAIN
Changes since 1.106: +2 -1 lines
Diff to previous 1.106 (colored)

Add missing dependency on databases/lmdb, adjust PLIST

Revision 1.106 / (download) - annotate - [select for diffs], Thu Apr 9 10:57:04 2020 UTC (4 years ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base, pkgsrc-2020Q2
Changes since 1.105: +8 -20 lines
Diff to previous 1.105 (colored)

mit-krb5: updated to 1.18

Major changes in 1.18:

Administrator experience
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ".rcache2" by default.
* setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes.

Developer experience
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account name from a PAC.

Protocol evolution
* Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.)

User experience
* Add support for "dns_canonicalize_hostname=fallback", causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a "qualify_shortname" krb5.conf relation to override this suffix or disable expansion.
* Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios.

Code quality
* The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested.


Major changes in 1.17.1:

This is a bug fix release.
* Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin.
* Fix a bug preventing time skew correction from working when a KCM credential cache is used.



Major changes in 1.17:

Administrator experience
* A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific principal names are requested.
* kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode.

Developer experience
* The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should perform better.

Protocol evolution
* The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba's. The client code for cross-realm S4U2Self requests is also now more robust.

User experience
* The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name.
* The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library.

Code quality
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work with more recent versions of Visual Studio. A large volume of unused Windows-specific code has been removed. Visual Studio 2013 or later is now required.

Revision 1.105 / (download) - annotate - [select for diffs], Sun Jan 26 17:32:04 2020 UTC (4 years, 2 months ago) by rillig
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since 1.104: +2 -2 lines
Diff to previous 1.104 (colored)

all: migrate homepages from http to https

pkglint -r --network --only "migrate"

As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.

Revision 1.104 / (download) - annotate - [select for diffs], Sat Jan 25 10:45:11 2020 UTC (4 years, 2 months ago) by jperkin
Branch: MAIN
Changes since 1.103: +1 -2 lines
Diff to previous 1.103 (colored)

*: Remove obsolete BUILDLINK_API_DEPENDS.openssl.

Revision 1.103 / (download) - annotate - [select for diffs], Sat Jan 18 21:50:40 2020 UTC (4 years, 2 months ago) by jperkin
Branch: MAIN
Changes since 1.102: +2 -2 lines
Diff to previous 1.102 (colored)

*: Recursive revision bump for openssl 1.1.1.

Revision 1.102 / (download) - annotate - [select for diffs], Sun Aug 11 13:22:48 2019 UTC (4 years, 8 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4, pkgsrc-2019Q3-base, pkgsrc-2019Q3
Changes since 1.101: +2 -2 lines
Diff to previous 1.101 (colored)

Bump PKGREVISIONs for perl 5.30.0

Revision 1.101 / (download) - annotate - [select for diffs], Fri Jul 12 15:40:55 2019 UTC (4 years, 9 months ago) by jperkin
Branch: MAIN
Changes since 1.100: +4 -2 lines
Diff to previous 1.100 (colored)

mit-krb5: Support LDAP, fix plugin shared library naming.

The libtool-ification caused plugins to have a "lib" prefix, causing a mismatch
with what the code was trying to dlopen(), and failures.  Bump PKGREVISION.

Revision 1.100 / (download) - annotate - [select for diffs], Mon May 6 08:20:32 2019 UTC (4 years, 11 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2
Changes since 1.99: +3 -2 lines
Diff to previous 1.99 (colored)

mit-krb5: update to 1.16.2nb1.

Fix conflict with hmac symbol from libc, from Naveen Narayanan.
Update configure option, it was renamed. Bump PKGREVISION for that.
Small pkglint fix while here.

Revision 1.99 / (download) - annotate - [select for diffs], Fri Dec 21 15:45:13 2018 UTC (5 years, 3 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1, pkgsrc-2018Q4-base, pkgsrc-2018Q4
Changes since 1.98: +8 -15 lines
Diff to previous 1.98 (colored)

mit-krb5: updated to 1.16.2

Major changes in 1.16.2

This is a bug fix release.

Fix bugs with concurrent use of MEMORY ccache handles.
Fix a KDC crash when falling back between multiple OTP tokens configured for a principal entry.
Fix memory bugs when gss_add_cred() is used to create a new credential, and fix a bug where it ignores the desired_name.
Fix the behavior of gss_inquire_cred_by_mech() when the credential does not contain an element of the requested mechanism.
Make cross-realm S4U2Self requests work on the client when no default_realm is configured.
Add a kerberos(7) man page containing documentation of the environment variables that affect Kerberos programs.

Revision 1.98 / (download) - annotate - [select for diffs], Wed Aug 22 09:46:19 2018 UTC (5 years, 7 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base, pkgsrc-2018Q3
Changes since 1.97: +2 -2 lines
Diff to previous 1.97 (colored)

Recursive bump for perl5-5.28.0

Revision 1.97 / (download) - annotate - [select for diffs], Fri Jun 22 09:16:07 2018 UTC (5 years, 9 months ago) by hauke
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base, pkgsrc-2018Q2
Changes since 1.96: +8 -2 lines
Diff to previous 1.96 (colored)

The SunOS (OmniOS) yacc(1) breaks the build with

making generate-files-mac in kadmin...
making generate-files-mac in kadmin/cli...
../../util/ss/mk_cmds kadmin_ct.ct
/usr/bin/yacc  getdate.y
"getdate.y", line 180: fatal: invalid escape, or illegal reserved word: expect
*** Error code 1

-- use bison(1) instead.

Revision 1.96 / (download) - annotate - [select for diffs], Fri Jun 15 20:46:01 2018 UTC (5 years, 10 months ago) by tez
Branch: MAIN
Changes since 1.95: +1 -1 lines
Diff to previous 1.95 (colored)

mit-krb5: update to 1.16.1

Major changes in 1.16.1 (2018-05-03)

This is a bug fix release.

    Fix flaws in LDAP DN checking, including a null dereference KDC crash which could be triggered by kadmin clients with administrative privileges [CVE-2018-5729, CVE-2018-5730].
    Fix a KDC PKINIT memory leak.
    Fix a small KDC memory leak on transited or authdata errors when processing TGS requests.
    Fix a regression in pkinit_cert_match matching of client certificates containing Microsoft UPN SANs.
    Fix a null dereference when the KDC sends a large TGS reply.
    Fix "kdestroy -A" with the KCM credential cache type.
    Allow validation of Microsoft PACs containing enterprise names.
    Fix the handling of capaths "." values.
    Fix handling of repeated subsection specifications in profile files (such as when multiple included files specify relations in the same subsection).

Major changes in 1.16 (2017-12-05)

Administrator experience:
        The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option.
        The ktutil addent command supports the "-k 0" option to ignore the key version, and the "-s" option to use a non-default salt string.
        kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode.
        The "encrypted_challenge_indicator" realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication.
        Localization support can be disabled at build time with the --disable-nls configure option.

Developer experience:
        The kdcpolicy pluggable interface allows modules to control whether tickets are issued by the KDC.
        The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request.
        The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals.
        KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request.
        GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid().
        GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid().
        kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization.

Protocol evolution:
        The client library will continue to try pre-authentication mechanisms after most failure conditions.
        The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts.
        The client library will use a random nonce for TGS requests instead of the current system time.
        For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported).
        When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization.

User experience:
        Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106.
        Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname.
        Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times.
        A German translation has been added.

Code quality:
        The build is warning-clean under clang with the configured warning options.
        The automated test suite runs cleanly under AddressSanitizer.

Major changes in 1.15.3 (2018-05-03)

This is a bug fix release.

    Fix flaws in LDAP DN checking, including a null dereference KDC crash which could be triggered by kadmin clients with administrative privileges [CVE-2018-5729, CVE-2018-5730].
    Fix a KDC PKINIT memory leak.
    Fix a small KDC memory leak on transited or authdata errors when processing TGS requests.
    Fix a null dereference when the KDC sends a large TGS reply.
    Fix "kdestroy -A" with the KCM credential cache type.
    Fix the handling of capaths "." values.
    Fix handling of repeated subsection specifications in profile files (such as when multiple included files specify relations in the same subsection).

Major changes in 1.15.2 (2017-09-25)

This is a bug fix release.

    Fix a KDC denial of service vulnerability caused by unset status strings [CVE-2017-11368]
    Preserve GSS contexts on init/accept failure [CVE-2017-11462]
    Fix kadm5 setkey operation with LDAP KDB module
    Use a ten-second timeout after successful connection for HTTPS KDC requests, as we do for TCP requests
    Fix client null dereference when KDC offers encrypted challenge without FAST
    Ignore dotfiles when processing profile includedir directive
    Improve documentation

Major changes in 1.15.1 (2017-03-01)

This is a bug fix release.

    Allow KDB modules to determine how the e_data field of principal fields is freed
    Fix udp_preference_limit when the KDC location is configured with SRV records
    Fix KDC and kadmind startup on some IPv4-only systems
    Fix the processing of PKINIT certificate matching rules which have two components and no explicit relation
    Improve documentation

Major changes in 1.15 (2016-12-01)

Administrator experience:
        Improve support for multihomed Kerberos servers by adding options for specifying restricted listening addresses for the KDC and kadmind.
        Add support to kadmin for remote extraction of current keys without changing them (requires a special kadmin permission that is excluded from the wildcard permission), with the exception of highly protected keys.
        Add a lockdown_keys principal attribute to prevent retrieval of the principal's keys (old or new) via the kadmin protocol. In newly created databases, this attribute is set on the krbtgt and kadmin principals.
        Restore recursive dump capability for DB2 back end, so sites can more easily recover from database corruption resulting from power failure events.
        Add DNS auto-discovery of KDC and kpasswd servers from URI records, in addition to SRV records. URI records can convey TCP and UDP servers and master KDC status in a single DNS lookup, and can also point to HTTPS proxy servers.
        Add support for password history to the LDAP back end.
        Add support for principal renaming to the LDAP back end.
        Use the getrandom system call on supported Linux kernels to avoid blocking problems when getting entropy from the operating system.
        In the PKINIT client, use the correct DigestInfo encoding for PKCS #1 signatures, so that some especially strict smart cards will work.

Code quality:
        Clean up numerous compilation warnings.
        Remove various infrequently built modules, including some preauth modules that were not built by default.

Developer experience:
        Add support for building with OpenSSL 1.1.
        Use SHA-256 instead of MD5 for (non-cryptographic) hashing of authenticators in the replay cache. This helps sites that must build with FIPS 140 conformant libraries that lack MD5.
        Eliminate util/reconf and allow the use of autoreconf alone to regenerate the configure script.

Protocol evolution:
        Add support for the AES-SHA2 enctypes, which allows sites to conform to Suite B crypto requirements.

Revision 1.95 / (download) - annotate - [select for diffs], Tue Oct 10 21:22:53 2017 UTC (6 years, 6 months ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base, pkgsrc-2018Q1, pkgsrc-2017Q4-base, pkgsrc-2017Q4
Changes since 1.94: +1 -2 lines
Diff to previous 1.94 (colored)

mit-krb5: update to 1.14.6

Major changes in 1.14.6 (2017-09-25)

This is a bug fix release.

    Fix a KDC denial of service vulnerability caused by unset status strings [CVE-2017-11368]
    Preserve GSS contexts on init/accept failure [CVE-2017-11462]
    Fix kadm5 setkey operation with LDAP KDB module
    Use a ten-second timeout after successful connection for HTTPS KDC requests, as we do for TCP requests
    Fix client null dereference when KDC offers encrypted challenge without FAST

Revision 1.94 / (download) - annotate - [select for diffs], Mon Aug 21 22:19:26 2017 UTC (6 years, 7 months ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base
Branch point for: pkgsrc-2017Q3
Changes since 1.93: +2 -1 lines
Diff to previous 1.93 (colored)

Update to 1.14.5 and patch for CVE-2017-11368

Revision 1.93 / (download) - annotate - [select for diffs], Fri Oct 28 20:56:14 2016 UTC (7 years, 5 months ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base, pkgsrc-2017Q2, pkgsrc-2017Q1-base, pkgsrc-2017Q1, pkgsrc-2016Q4-base, pkgsrc-2016Q4
Changes since 1.92: +1 -2 lines
Diff to previous 1.92 (colored)

Update to 1.14.4 and fix build on OS X
Should resolve PR#51136

Revision 1.92 / (download) - annotate - [select for diffs], Sat Jul 9 06:38:55 2016 UTC (7 years, 9 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2016Q3-base, pkgsrc-2016Q3
Changes since 1.91: +2 -2 lines
Diff to previous 1.91 (colored)

Bump PKGREVISION for perl-5.24.0 for everything mentioning perl.

Revision 1.91 / (download) - annotate - [select for diffs], Tue May 17 10:32:08 2016 UTC (7 years, 11 months ago) by fhajny
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base, pkgsrc-2016Q2
Changes since 1.90: +3 -3 lines
Diff to previous 1.90 (colored)

Use REAL_ROOT_USER/REAL_ROOT_GROUP instead of ROOT_USER/ROOT_GROUP
for all pkgsrc dir/file ownership rules. Fixes unprivileged
user/group names from leaking into binary packages, manifesting as
non-fatal chown/chgrp failure messages at pkg_add time.

Bump respective packages' PKGREVISION.

Revision 1.90 / (download) - annotate - [select for diffs], Sun Apr 17 15:33:13 2016 UTC (8 years ago) by kamil
Branch: MAIN
Changes since 1.89: +2 -1 lines
Diff to previous 1.89 (colored)

Fix build on recent NetBSD-current

The RTM_RESOLVE symbol has been removed after the following change in
src/sys/net/route.h:
    revision 1.98
    date: 2016-04-04 09:37:07 +0200;  author: ozaki-r;  state: Exp;  lines: +8 -6;  commitid: r0chxU5ZkTdAqh1z;
    Separate nexthop caches from the routing table

Bump PKGREVISION to 1

Revision 1.89 / (download) - annotate - [select for diffs], Fri Mar 18 19:08:39 2016 UTC (8 years, 1 month ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2016Q1-base, pkgsrc-2016Q1
Changes since 1.88: +2 -1 lines
Diff to previous 1.88 (colored)

Fix build on 64 bit intel systems with yasm installed.

Revision 1.88 / (download) - annotate - [select for diffs], Tue Mar 15 15:16:39 2016 UTC (8 years, 1 month ago) by tez
Branch: MAIN
Changes since 1.87: +10 -16 lines
Diff to previous 1.87 (colored)

Update to 1.14.1 resolving all reported vulnerabilities including:
CVE-2015-2695
CVE-2015-2696
CVE-2015-2697
CVE-2015-2698
CVE-2015-8629
CVE-2015-8630
CVE-2015-8631

Revision 1.87 / (download) - annotate - [select for diffs], Thu Mar 10 18:21:58 2016 UTC (8 years, 1 month ago) by jperkin
Branch: MAIN
Changes since 1.86: +2 -2 lines
Diff to previous 1.86 (colored)

Ensure libss is built -static; the library is not installed, resulting
in runtime failures which weren't previously detected due to a bug in
check-shlibs.  Bump PKGREVISION.

Revision 1.86 / (download) - annotate - [select for diffs], Sat Mar 5 11:29:22 2016 UTC (8 years, 1 month ago) by jperkin
Branch: MAIN
Changes since 1.85: +2 -2 lines
Diff to previous 1.85 (colored)

Bump PKGREVISION for security/openssl ABI bump.

Revision 1.85 / (download) - annotate - [select for diffs], Thu Nov 5 19:10:29 2015 UTC (8 years, 5 months ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2015Q4-base, pkgsrc-2015Q4
Changes since 1.84: +2 -1 lines
Diff to previous 1.84 (colored)

Fix build in case there is a system version of verto found.
No revbump because it failed to build before if there was one.
Fixes pkg/50348

Revision 1.84 / (download) - annotate - [select for diffs], Fri Jun 12 10:51:03 2015 UTC (8 years, 10 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2015Q3-base, pkgsrc-2015Q2-base, pkgsrc-2015Q2
Branch point for: pkgsrc-2015Q3
Changes since 1.83: +2 -2 lines
Diff to previous 1.83 (colored)

Recursive PKGREVISION bump for all packages mentioning 'perl',
having a PKGNAME of p5-*, or depending on such a package,
for perl-5.22.0.

Revision 1.83 / (download) - annotate - [select for diffs], Tue May 26 13:56:16 2015 UTC (8 years, 10 months ago) by jperkin
Branch: MAIN
Changes since 1.82: +2 -1 lines
Diff to previous 1.82 (colored)

Ensure we can find OpenSSL after rpath changes.

Revision 1.82 / (download) - annotate - [select for diffs], Sun Mar 22 20:09:09 2015 UTC (9 years ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2015Q1-base, pkgsrc-2015Q1
Changes since 1.81: +2 -2 lines
Diff to previous 1.81 (colored)

Redo rpath handling as the option is leaked into the config binary.
Bump revision.

Revision 1.81 / (download) - annotate - [select for diffs], Mon Mar 16 10:44:23 2015 UTC (9 years, 1 month ago) by joerg
Branch: MAIN
Changes since 1.80: +1 -2 lines
Diff to previous 1.80 (colored)

GC MAKE_PROGRAM as well.

Revision 1.80 / (download) - annotate - [select for diffs], Sun Mar 15 23:07:20 2015 UTC (9 years, 1 month ago) by joerg
Branch: MAIN
Changes since 1.79: +2 -2 lines
Diff to previous 1.79 (colored)

Don't use -R without argument. Make libapputils a convenience archive as
it is. Don't depend on gmake.

Revision 1.79 / (download) - annotate - [select for diffs], Thu Mar 12 14:26:11 2015 UTC (9 years, 1 month ago) by tnn
Branch: MAIN
Changes since 1.78: +2 -2 lines
Diff to previous 1.78 (colored)

post-extract target needs gzip as tool

Revision 1.78 / (download) - annotate - [select for diffs], Wed Feb 25 22:28:58 2015 UTC (9 years, 1 month ago) by tez
Branch: MAIN
Changes since 1.77: +2 -2 lines
Diff to previous 1.77 (colored)

Backported fixes for:
http://web.mit.edu/kerberos/advisories/2015-001-patch-r111.txt
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9423
and:
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5353
and
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5355
 (also apparently known as SA62976)

Revision 1.77 / (download) - annotate - [select for diffs], Tue Nov 25 23:40:49 2014 UTC (9 years, 4 months ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2014Q4-base, pkgsrc-2014Q4
Changes since 1.76: +1 -1 lines
Diff to previous 1.76 (colored)

Add patch for CVE-2014-5351 from:
 http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018
 https://github.com/krb5/krb5/commit/3bf9e33f9d66c0eef486cbd83f9e4f13a74d12c3.diff

Revision 1.76 / (download) - annotate - [select for diffs], Thu Aug 28 22:23:05 2014 UTC (9 years, 7 months ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2014Q3-base, pkgsrc-2014Q3
Changes since 1.75: +3 -3 lines
Diff to previous 1.75 (colored)

Add fixes for CVE-2014-4341, CVE-2014-4342 (same patch as CVE-2014-4341),
CVE-2014-4343, CVE-2014-4344 & MITKRB5-SA-2014-001 (CVE-2014-4345).

Revision 1.75 / (download) - annotate - [select for diffs], Thu May 29 23:37:20 2014 UTC (9 years, 10 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2014Q2-base, pkgsrc-2014Q2
Changes since 1.74: +2 -2 lines
Diff to previous 1.74 (colored)

Bump for perl-5.20.0.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.

Revision 1.74 / (download) - annotate - [select for diffs], Wed Feb 12 23:18:33 2014 UTC (10 years, 2 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2014Q1-base, pkgsrc-2014Q1
Changes since 1.73: +2 -1 lines
Diff to previous 1.73 (colored)

Recursive PKGREVISION bump for OpenSSL API version bump.

Revision 1.73 / (download) - annotate - [select for diffs], Tue Dec 3 14:08:53 2013 UTC (10 years, 4 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2013Q4-base, pkgsrc-2013Q4
Changes since 1.72: +2 -2 lines
Diff to previous 1.72 (colored)

Changes 1.10.7:
This is a bugfix release. The krb5-1.10 release series is in maintenance, and for new deployments, installers should prefer the krb5-1.11 release series or later.
* Fix a KDC locking issue that could lead to the KDC process holding a persistent lock, preventing administrative actions such as password changes.
* Fix a number of bugs related to KDC master key rollover.
* Fix a KDC null pointer dereference [CVE-2013-1418] that could affect KDCs that serve multiple realms.

Revision 1.72 / (download) - annotate - [select for diffs], Sun Jun 16 07:22:47 2013 UTC (10 years, 10 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2013Q3-base, pkgsrc-2013Q3, pkgsrc-2013Q2-base, pkgsrc-2013Q2
Changes since 1.71: +2 -3 lines
Diff to previous 1.71 (colored)

Changes 1.10.6:
Fix a UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443]
Improve interoperability with some Windows native PKINIT clients.

Revision 1.71 / (download) - annotate - [select for diffs], Fri May 31 12:41:52 2013 UTC (10 years, 10 months ago) by wiz
Branch: MAIN
Changes since 1.70: +2 -2 lines
Diff to previous 1.70 (colored)

Bump all packages for perl-5.18, that
a) refer to 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package

Like last time, where this caused no complaints.

Revision 1.70 / (download) - annotate - [select for diffs], Mon May 13 22:42:33 2013 UTC (10 years, 11 months ago) by tez
Branch: MAIN
Changes since 1.69: +2 -1 lines
Diff to previous 1.69 (colored)

The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443].  Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
packets.

Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.

https://github.com/krb5/krb5/commit/cf1a0c411b2668c57c41e9c4efd15ba17b6b322c

Revision 1.69 / (download) - annotate - [select for diffs], Thu May 9 08:40:05 2013 UTC (10 years, 11 months ago) by adam
Branch: MAIN
Changes since 1.68: +2 -3 lines
Diff to previous 1.68 (colored)

Changes 1.10.5:
This is a bugfix release. The krb5-1.10 release series is in maintenance, and for new deployments, installers should prefer the krb5-1.11 release series or later.
* Fix KDC null pointer dereference in TGS-REQ handling [CVE-2013-1416]
* Incremental propagation could erroneously act as if a slave's database were current after the slave received a full dump that failed to load.

Revision 1.68 / (download) - annotate - [select for diffs], Tue Apr 23 22:09:44 2013 UTC (10 years, 11 months ago) by tez
Branch: MAIN
Changes since 1.67: +1 -0 lines
Diff to previous 1.67 (colored)

Fix for CVE-2013-1416 from:
 http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7600

Revision 1.67 / (download) - annotate - [select for diffs], Thu Mar 14 13:53:18 2013 UTC (11 years, 1 month ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2013Q1-base
Branch point for: pkgsrc-2013Q1
Changes since 1.66: +2 -1 lines
Diff to previous 1.66 (colored)

Fix build on Solaris
(per http://old.nabble.com/Re%3A-build-problem-p34365918.html)

Revision 1.66 / (download) - annotate - [select for diffs], Wed Mar 13 12:35:40 2013 UTC (11 years, 1 month ago) by adam
Branch: MAIN
Changes since 1.65: +2 -3 lines
Diff to previous 1.65 (colored)

Changes 1.10.4:
This is a bugfix release.
Fix null PKINIT pointer dereference vulnerabilities [CVE-2012-1016, CVE-2013-1415]
Prevent the KDC from returning a host-based service principal referral to the local realm.

Revision 1.65 / (download) - annotate - [select for diffs], Thu Feb 28 14:19:36 2013 UTC (11 years, 1 month ago) by tez
Branch: MAIN
Changes since 1.64: +2 -2 lines
Diff to previous 1.64 (colored)

Add patch for CVE-2013-1415 (SA52390)

Revision 1.64 / (download) - annotate - [select for diffs], Wed Feb 6 23:23:39 2013 UTC (11 years, 2 months ago) by jperkin
Branch: MAIN
Changes since 1.63: +2 -2 lines
Diff to previous 1.63 (colored)

PKGREVISION bumps for the security/openssl 1.0.1d update.

Revision 1.63 / (download) - annotate - [select for diffs], Sat Dec 22 02:27:56 2012 UTC (11 years, 3 months ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2012Q4-base
Branch point for: pkgsrc-2012Q4
Changes since 1.62: +2 -2 lines
Diff to previous 1.62 (colored)

Ensure correct initialisation. Bump revision.

Revision 1.62 / (download) - annotate - [select for diffs], Tue Oct 23 18:16:36 2012 UTC (11 years, 5 months ago) by asau
Branch: MAIN
Changes since 1.61: +1 -2 lines
Diff to previous 1.61 (colored)

Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.

Revision 1.61 / (download) - annotate - [select for diffs], Wed Oct 3 21:57:25 2012 UTC (11 years, 6 months ago) by wiz
Branch: MAIN
Changes since 1.60: +2 -1 lines
Diff to previous 1.60 (colored)

Bump all packages that use perl, or depend on a p5-* package, or
are called p5-*.

I hope that's all of them.

Revision 1.60 / (download) - annotate - [select for diffs], Mon Aug 20 08:16:26 2012 UTC (11 years, 7 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base, pkgsrc-2012Q3
Changes since 1.59: +2 -3 lines
Diff to previous 1.59 (colored)

Changes 1.10.3:
This is a bugfix release.
* Fix KDC uninitialized pointer vulnerabilities that could lead to a denial of
  service [CVE-2012-1014] or remote code execution [CVE-2012-1015].
* Correctly use default_tgs_enctypes instead of default_tkt_enctypes for TGS
  requests.

Revision 1.59 / (download) - annotate - [select for diffs], Thu Aug 9 20:15:20 2012 UTC (11 years, 8 months ago) by marino
Branch: MAIN
Changes since 1.58: +3 -2 lines
Diff to previous 1.58 (colored)

security/mit-krb5: USE_TOOLS+= msgfmt

Note: Nobody that uses git from pkgsrc can install this package.
It conflicts with security/heimdal which is sucked in by dependencies
of scmgit-base.  Since the default way of acquiring pkgsrc on
DragonFly is via git, which is provided by the releases and daily
snapshots, effectively this can't be installed by DragonFly users.

Solving the conflict with heimdal, if possible, would be nice.

Revision 1.58 / (download) - annotate - [select for diffs], Mon Jul 16 19:12:33 2012 UTC (11 years, 9 months ago) by adam
Branch: MAIN
Changes since 1.57: +4 -4 lines
Diff to previous 1.57 (colored)

Changes 1.10.2:
This is a bugfix release.
* Fix an interop issue with Windows Server 2008 R2 Read-Only Domain Controllers.
* Update a workaround for a glibc bug that would cause DNS PTR queries to occur
  even when rdns = false.
* Fix a kadmind denial of service issue (null pointer dereference), which could
  only be triggered by an administrator with the "create" privilege.
  [CVE-2012-1013]

Changes 1.10.1:
This is a bugfix release.
* Fix access controls for KDB string attributes [CVE-2012-1012]
* Make the ASN.1 encoding of key version numbers interoperate with Windows
  Read-Only Domain Controllers
* Avoid generating spurious password expiry warnings in cases where the KDC
  sends an account expiry time without a password expiry time.

Revision 1.57 / (download) - annotate - [select for diffs], Wed Jun 6 18:17:46 2012 UTC (11 years, 10 months ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2012Q2-base, pkgsrc-2012Q2
Changes since 1.56: +1 -0 lines
Diff to previous 1.56 (colored)

Fix for CVE-2012-1013 from:
 https://github.com/krb5/krb5/commit/ca2909440015d33be42e77d1955194963d8c0955

Revision 1.56 / (download) - annotate - [select for diffs], Sun Feb 26 13:14:19 2012 UTC (12 years, 1 month ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2012Q1-base
Branch point for: pkgsrc-2012Q1
Changes since 1.55: +4 -5 lines
Diff to previous 1.55 (colored)

Changes 1.8.6:
This is primarily a bugfix release.
* Fix an interaction in iprop that could cause spurious excess kadmind processes
  when a kprop child fails.

Changes 1.8.5:
This is primarily a bugfix release.
* Fix MITKRB5-SA-2011-006 KDC denial of service vulnerabilities
  [CVE-2011-1528 CVE-2011-1529 CVE-2011-4151].

Revision 1.55 / (download) - annotate - [select for diffs], Sun Oct 23 19:58:16 2011 UTC (12 years, 5 months ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2011Q4-base, pkgsrc-2011Q4
Changes since 1.54: +3 -2 lines
Diff to previous 1.54 (colored)

add vendor patch 2011-006-patch-r18 from MITKRB5-SA-2011-006
this fixes CVE-2011-1528, CVE-2011-1529 & CVE-2011-4151

Revision 1.54 / (download) - annotate - [select for diffs], Fri Jul 8 09:59:28 2011 UTC (12 years, 9 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2011Q3-base
Branch point for: pkgsrc-2011Q3
Changes since 1.53: +11 -15 lines
Diff to previous 1.53 (colored)

Changes 1.8.4:
This is primarily a bugfix release.
Fix vulnerabilities:
* KDC uninitialized pointer crash [MITKRB5-SA-2010-006 CVE-2010-1322]
* kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
* KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
* KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284]
* kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]
Interoperability:
* Correctly encrypt GSSAPI forwarded credentials using the session key, not
  a subkey.
* Set NT-SRV-INST on TGS principal names as expected by some Windows Server
  Domain Controllers.
* Don't reject AP-REQ messages if their PAC doesn't validate; suppress the PAC
  instead.
* Correctly validate HMAC-MD5 checksums that use DES keys

Revision 1.53 / (download) - annotate - [select for diffs], Thu Apr 14 19:37:26 2011 UTC (13 years ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2011Q2-base, pkgsrc-2011Q2
Changes since 1.52: +2 -2 lines
Diff to previous 1.52 (colored)

fix MITKRB5-SA-2011-004 (CVE-2011-0285) DOS in kadmind

Revision 1.52 / (download) - annotate - [select for diffs], Sat Apr 9 00:16:18 2011 UTC (13 years ago) by tez
Branch: MAIN
Changes since 1.51: +3 -2 lines
Diff to previous 1.51 (colored)

correct openssl dependency (it needs >=0.9.8)
correct BUILDLINK_API_DEPENDS.mit-krb5
fix building where libtool chokes on "--version-info : " (at least OS X)

Revision 1.51 / (download) - annotate - [select for diffs], Tue Mar 22 23:31:04 2011 UTC (13 years ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2011Q1-base
Branch point for: pkgsrc-2011Q1
Changes since 1.50: +32 -105 lines
Diff to previous 1.50 (colored)

Update MIT Kerberos to v1.8.3 with the latest security patches up to and
including MITKRB5-SA-2011-003.

Please see http://web.mit.edu/kerberos/ for the change logs since v1.4.2

Note that the r-services, telnetd and ftpd services and the related client
applications are now in a separate package security/mit-krb5-appl.

Revision 1.50 / (download) - annotate - [select for diffs], Fri Dec 3 20:11:31 2010 UTC (13 years, 4 months ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2010Q4-base, pkgsrc-2010Q4
Changes since 1.49: +2 -2 lines
Diff to previous 1.49 (colored)

add fix for CVE-2010-1323 from
http://web.mit.edu/kerberos/advisories/2010-007-patch-r15.txt

Revision 1.49 / (download) - annotate - [select for diffs], Thu May 20 14:21:23 2010 UTC (13 years, 11 months ago) by tez
Branch: MAIN
CVS Tags: pkgsrc-2010Q3-base, pkgsrc-2010Q2-base, pkgsrc-2010Q2
Branch point for: pkgsrc-2010Q3
Changes since 1.48: +2 -2 lines
Diff to previous 1.48 (colored)

fix CVE-2010-1321 (MITKRB5-SA-2010-005) and take maintainership

Revision 1.48 / (download) - annotate - [select for diffs], Fri Mar 26 21:44:59 2010 UTC (14 years ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2010Q1-base
Branch point for: pkgsrc-2010Q1
Changes since 1.47: +3 -2 lines
Diff to previous 1.47 (colored)

Apply some sense to the build system by always linking the .la archives
in src/lib as that is the location it wants to pick it up. Work around
the dependencies in other places by symlinking to that, effectively
reverting the direction. Link telnet(d) consistently. Add DESTDIR support.

Revision 1.47 / (download) - annotate - [select for diffs], Wed Feb 24 19:07:51 2010 UTC (14 years, 1 month ago) by tez
Branch: MAIN
Changes since 1.46: +2 -2 lines
Diff to previous 1.46 (colored)

Fix CVE-2009-4212 (MITKRB5-SA-2009-004) using patches from
http://web.mit.edu/kerberos/advisories/2009-004-patch_1.6.3.txt
(slightly adjusted for older kerberos version)

Revision 1.46 / (download) - annotate - [select for diffs], Tue Jun 30 00:07:22 2009 UTC (14 years, 9 months ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2009Q4-base, pkgsrc-2009Q4, pkgsrc-2009Q3-base, pkgsrc-2009Q3, pkgsrc-2009Q2-base, pkgsrc-2009Q2
Changes since 1.45: +3 -1 lines
Diff to previous 1.45 (colored)

Mark packages as MAKE_JOBS_SAFE=no that failed in a bulk build with
MAKE_JOBS=2 and worked without.

Revision 1.45 / (download) - annotate - [select for diffs], Tue Apr 21 18:58:17 2009 UTC (14 years, 11 months ago) by tez
Branch: MAIN
Changes since 1.44: +2 -2 lines
Diff to previous 1.44 (colored)

Add patches for CVE-2009-0846 & CVE-2009-0847
approved by agc

Revision 1.44 / (download) - annotate - [select for diffs], Thu Dec 11 09:42:25 2008 UTC (15 years, 4 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2009Q1-base, pkgsrc-2008Q4-base, pkgsrc-2008Q4
Branch point for: pkgsrc-2009Q1
Changes since 1.43: +2 -2 lines
Diff to previous 1.43 (colored)

PR 40152 by Tim Zingelman:
lib/krb5/os/dnsglue.c uses statbuf structure before zeroing it.
Solaris requires it be zeroed first... all kerberos programs that
use dns lookup crash.  Zeroing before use does not break anything
on any other platforms.

Bump PKGREVISION.

Revision 1.43 / (download) - annotate - [select for diffs], Sat Jun 7 23:58:11 2008 UTC (15 years, 10 months ago) by tonnerre
Branch: MAIN
CVS Tags: pkgsrc-2008Q3-base, pkgsrc-2008Q3, pkgsrc-2008Q2-base, pkgsrc-2008Q2, cwrapper, cube-native-xorg-base, cube-native-xorg
Changes since 1.42: +2 -2 lines
Diff to previous 1.42 (colored)

Add more patches, now for MITKRB5-SA-2007-006, MITKRB5-SA-2008-001 and
MITKRB5-SA-2008-002. Bump PKGREVISION now finally.

Revision 1.42 / (download) - annotate - [select for diffs], Sat Jun 7 18:36:06 2008 UTC (15 years, 10 months ago) by tonnerre
Branch: MAIN
Changes since 1.41: +2 -2 lines
Diff to previous 1.41 (colored)

Add security patches for 3 Kerberos vulnerabilities:
 - telnetd username and environment sanitizing vulnerabilities ("-f root")
   as described in MIT Kerberos advisory 2007-001.
 - krb5_klog_syslog() problems with overly long log strings as described
   in MIT Kerberos advisory 2007-002.
 - GSS API kg_unseal_v1() double free vulnerability as described in the
   MIT Kerberos advisory 2007-003.

Revision 1.41 / (download) - annotate - [select for diffs], Fri Jun 22 14:20:01 2007 UTC (16 years, 9 months ago) by gdt
Branch: MAIN
CVS Tags: pkgsrc-2008Q1-base, pkgsrc-2007Q4-base, pkgsrc-2007Q4, pkgsrc-2007Q3-base, pkgsrc-2007Q3, pkgsrc-2007Q2-base, pkgsrc-2007Q2
Branch point for: pkgsrc-2008Q1
Changes since 1.40: +1 -3 lines
Diff to previous 1.40 (colored)

Remove RESTRICTED comment about US export control.  (While lots of
things are restricted, pkgsrc's labeling rules aren't intended to
address export control issues, and there are vast numbers of packages
with apparently similar export control status and no RESTRICTED.)

Revision 1.40 / (download) - annotate - [select for diffs], Thu Jan 18 17:28:24 2007 UTC (17 years, 3 months ago) by salo
Branch: MAIN
CVS Tags: pkgsrc-2007Q1-base, pkgsrc-2007Q1
Changes since 1.39: +62 -5 lines
Diff to previous 1.39 (colored)

Fix building with Autoconf 2.60 and newer.
Addresses PR pkg/34252 by Matthias Petermann.

Also delint a bit.

Revision 1.39 / (download) - annotate - [select for diffs], Wed Jan 17 23:43:47 2007 UTC (17 years, 3 months ago) by salo
Branch: MAIN
Changes since 1.38: +2 -2 lines
Diff to previous 1.38 (colored)

Security fix for CVE-2006-6143:

"An unauthenticated user may cause execution of arbitrary code in
 kadmind, which can compromise the Kerberos key database and host
 security.  (kadmind usually runs as root.)  Unsuccessful exploitation,
 or even accidental replication of the required conditions by
 non-malicious users, can result in kadmind crashing."

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-002-rpc.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6143

Patch from MIT.

Revision 1.38 / (download) - annotate - [select for diffs], Wed Aug 9 17:31:10 2006 UTC (17 years, 8 months ago) by salo
Branch: MAIN
CVS Tags: pkgsrc-2006Q4-base, pkgsrc-2006Q3-base, pkgsrc-2006Q3
Branch point for: pkgsrc-2006Q4
Changes since 1.37: +2 -2 lines
Diff to previous 1.37 (colored)

Security fixes for SA21402:

"A security issue has been reported in Kerberos, which potentially can
 be exploited by malicious, local users to perform certain actions with
 escalated privileges.

 The security issue is caused due to missing checks for whether the
 "setuid()" call has succeeded in the bundled krshd and v4rcp
 applications. This can be exploited to disclose or manipulate the
 contents of arbitrary files or execute arbitrary code with root
 privileges if the "setuid()" call fails due to e.g. resource limits."

http://secunia.com/advisories/21402/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3084
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-001-setuid.txt

Bump PKGREVISION.

Revision 1.37 / (download) - annotate - [select for diffs], Sat Apr 22 09:22:14 2006 UTC (17 years, 11 months ago) by rillig
Branch: MAIN
CVS Tags: pkgsrc-2006Q2-base
Branch point for: pkgsrc-2006Q2
Changes since 1.36: +2 -2 lines
Diff to previous 1.36 (colored)

Removed the superfluous "quotes" and 'quotes' from variables that don't
need them, for example RESTRICTED and SUBST_MESSAGE.*.

Revision 1.36 / (download) - annotate - [select for diffs], Mon Mar 20 18:15:38 2006 UTC (18 years, 1 month ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2006Q1-base, pkgsrc-2006Q1
Changes since 1.35: +7 -11 lines
Diff to previous 1.35 (colored)

* Nuke all references to and definitions of INFO_DIR in package Makefiles
  and replace with appropriate references to PKGINFODIR instead.

* Properly account for split info files during installation.

* Move info file listings directly into the package PLISTs.

This fixes info-file-related PLIST problems.

Revision 1.35 / (download) - annotate - [select for diffs], Tue Mar 14 16:00:41 2006 UTC (18 years, 1 month ago) by jlam
Branch: MAIN
Changes since 1.34: +2 -2 lines
Diff to previous 1.34 (colored)

Drop maintainership for packages that I no longer have time to maintain.

Revision 1.34 / (download) - annotate - [select for diffs], Thu Dec 29 06:22:10 2005 UTC (18 years, 3 months ago) by jlam
Branch: MAIN
Changes since 1.33: +1 -2 lines
Diff to previous 1.33 (colored)

Remove USE_PKGINSTALL from pkgsrc now that mk/install/pkginstall.mk
automatically detects whether we want the pkginstall machinery to be
used by the package Makefile.

Revision 1.33 / (download) - annotate - [select for diffs], Sat Dec 17 05:20:23 2005 UTC (18 years, 4 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2005Q4-base, pkgsrc-2005Q4
Changes since 1.32: +2 -2 lines
Diff to previous 1.32 (colored)

Change my MAINTAINER email address to the one I've been using for
pkgsrc work.

Revision 1.32 / (download) - annotate - [select for diffs], Mon Dec 5 23:55:18 2005 UTC (18 years, 4 months ago) by rillig
Branch: MAIN
Changes since 1.31: +4 -4 lines
Diff to previous 1.31 (colored)

Ran "pkglint --autofix", which corrected some of the quoting issues in
CONFIGURE_ARGS.

Revision 1.31 / (download) - annotate - [select for diffs], Mon Dec 5 20:50:56 2005 UTC (18 years, 4 months ago) by rillig
Branch: MAIN
Changes since 1.30: +4 -4 lines
Diff to previous 1.30 (colored)

Fixed pkglint warnings. The warnings are mostly quoting issues, for
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in

    http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html

Revision 1.30 / (download) - annotate - [select for diffs], Wed Oct 5 13:29:51 2005 UTC (18 years, 6 months ago) by wiz
Branch: MAIN
Changes since 1.29: +1 -3 lines
Diff to previous 1.29 (colored)

Remove some more *LEGACY* settings that are over a month old and
thus were before 2005Q3.

Revision 1.29 / (download) - annotate - [select for diffs], Thu Sep 22 19:45:42 2005 UTC (18 years, 6 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2005Q3-base, pkgsrc-2005Q3
Changes since 1.28: +2 -2 lines
Diff to previous 1.28 (colored)

Update security/mit-krb5 to version 1.4.2.  Changes from version 1.4
include:

   * Fix [MITKRB5-SA-2005-002] KDC double-free and heap overflow.
   * Fix [MITKRB5-SA-2005-003] krb5_recvauth() double-free.

Revision 1.28 / (download) - annotate - [select for diffs], Fri Jul 15 18:27:53 2005 UTC (18 years, 9 months ago) by jlam
Branch: MAIN
Changes since 1.27: +2 -3 lines
Diff to previous 1.27 (colored)

Drop distinction between PKGSRC_USE_TOOLS and USE_TOOLS by making
PKGSRC_USE_TOOLS go away.  There is now only a single USE_TOOLS variable
that specifies all of the tools we need to build/run the package.

Revision 1.27 / (download) - annotate - [select for diffs], Mon Jun 20 06:39:59 2005 UTC (18 years, 10 months ago) by kristerw
Branch: MAIN
CVS Tags: pkgsrc-2005Q2-base, pkgsrc-2005Q2
Changes since 1.26: +3 -5 lines
Diff to previous 1.26 (colored)

Disable thread support per request of jlam.
Bump PKGREVISION.

Revision 1.26 / (download) - annotate - [select for diffs], Thu Jun 16 23:33:10 2005 UTC (18 years, 10 months ago) by kristerw
Branch: MAIN
Changes since 1.25: +4 -1 lines
Diff to previous 1.25 (colored)

This package needs pthreads in order to build.

Revision 1.25 / (download) - annotate - [select for diffs], Wed Jun 1 20:08:01 2005 UTC (18 years, 10 months ago) by jlam
Branch: MAIN
Changes since 1.24: +3 -4 lines
Diff to previous 1.24 (colored)

Remove mk/autoconf.mk and mk/automake.mk and replace their usage with
USE_TOOLS and any of "autoconf", "autoconf213", "automake" or
"automake14".  Also, we don't need to call the auto* tools via
${ACLOCAL}, ${AUTOCONF}, etc., since the tools framework takes care
to symlink the correct tool to the correct name, so we can just use
aclocal, autoconf, etc.

Revision 1.24 / (download) - annotate - [select for diffs], Tue May 31 11:31:07 2005 UTC (18 years, 10 months ago) by dillo
Branch: MAIN
Changes since 1.23: +5 -4 lines
Diff to previous 1.23 (colored)

Rename option prefix-cmds to kerberos-prefix-cmds.  Backwards
compatibility provided via PKG_OPTIONS_LEGACY_OPTS.

Revision 1.23 / (download) - annotate - [select for diffs], Tue May 31 10:01:39 2005 UTC (18 years, 10 months ago) by dillo
Branch: MAIN
Changes since 1.22: +3 -5 lines
Diff to previous 1.22 (colored)

Packages have no business modifying PKG_DEFAULT_OPTIONS -- it's a
user settable variable.  Set PKG_SUGGESTED_OPTIONS instead.  Also,
make use of PKG_OPTIONS_LEGACY_VARS.

Reviewed by wiz.

Revision 1.22 / (download) - annotate - [select for diffs], Sun May 22 19:11:12 2005 UTC (18 years, 10 months ago) by jlam
Branch: MAIN
Changes since 1.21: +1 -8 lines
Diff to previous 1.21 (colored)

Remove the old tools framework and references to _USE_NEW_TOOLS.

Revision 1.21 / (download) - annotate - [select for diffs], Mon May 16 16:32:28 2005 UTC (18 years, 11 months ago) by jlam
Branch: MAIN
Changes since 1.20: +5 -1 lines
Diff to previous 1.20 (colored)

This package needs gzcat to extract the .tar.gz file inside the original
.tar file.  Also, fix the yacc silliness while we're here.

Revision 1.20 / (download) - annotate - [select for diffs], Thu Apr 14 23:07:55 2005 UTC (19 years ago) by jlam
Branch: MAIN
Changes since 1.19: +1 -9 lines
Diff to previous 1.19 (colored)

Remove unused section... MIT krb5 apparently now detects NetBSD's utmpx
implementation correctly on NetBSD>=2.0.

Revision 1.19 / (download) - annotate - [select for diffs], Mon Apr 11 21:47:13 2005 UTC (19 years ago) by tv
Branch: MAIN
Changes since 1.18: +1 -2 lines
Diff to previous 1.18 (colored)

Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used.

Revision 1.18 / (download) - annotate - [select for diffs], Sun Apr 10 07:46:50 2005 UTC (19 years ago) by jlam
Branch: MAIN
Changes since 1.17: +2 -1 lines
Diff to previous 1.17 (colored)

Patch from http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt
which fixes MITKRB5-SA-2005-001 (CAN-2005-0468 & CAN-2005-0469) relating
to buffer overflows in the telnet client.  Bump PKGREVISION to 1.

Revision 1.17 / (download) - annotate - [select for diffs], Sun Apr 10 07:15:24 2005 UTC (19 years ago) by jlam
Branch: MAIN
Changes since 1.16: +15 -14 lines
Diff to previous 1.16 (colored)

Updated security/mit-krb5 to krb5-1.4.  Changes from version 1.3.6 include:

* Merged Athena telnetd changes for creating a new option for requiring
    encryption.
* Add implementation of the RPCSEC_GSS authentication flavor to the RPC
    library.
* The kadmind4 backwards-compatibility admin server and the v5passwdd
    backwards-compatibility password-changing server have been removed.
* Thread safety for krb5 libraries.
* Yarrow code now uses AES.
* Merged Athena changes to allow ftpd to require encrypted passwords.
* Incorporate gss_krb5_set_allowable_enctypes() and
    gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.
* Fix heap buffer overflow in password history mechanism.
    [MITKRB5-SA-2004-004]

Revision 1.16 / (download) - annotate - [select for diffs], Tue Dec 28 02:47:49 2004 UTC (19 years, 3 months ago) by reed
Branch: MAIN
CVS Tags: pkgsrc-2005Q1-base
Branch point for: pkgsrc-2005Q1
Changes since 1.15: +2 -1 lines
Diff to previous 1.15 (colored)

The default location of the pkgsrc-installed rc.d scripts is now
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.

This is from ideas from Greg Woods and others.

Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).

Revision 1.15 / (download) - annotate - [select for diffs], Thu Dec 23 04:02:39 2004 UTC (19 years, 3 months ago) by jlam
Branch: MAIN
Changes since 1.14: +13 -27 lines
Diff to previous 1.14 (colored)

Update security/mit-krb5 to 1.3.6.

	NOTE: THIS IS A SECURITY UPDATE.

Changes from version 1.3.4 include:

* [2841] Fix heap buffer overflow in password history
  mechanism. [MITKRB5-SA-2004-004]

* [2682] Fix ftpd hang caused by empty PASS command.

* [2686] Fix double-free errors. [MITKRB5-SA-2004-002]

* [2687] Fix denial-of-service vulnerability in ASN.1
  decoder. [MITKRB5-SA-2004-003]

Revision 1.14 / (download) - annotate - [select for diffs], Sun Oct 3 00:18:10 2004 UTC (19 years, 6 months ago) by tv
Branch: MAIN
CVS Tags: pkgsrc-2004Q4-base
Branch point for: pkgsrc-2004Q4
Changes since 1.13: +2 -2 lines
Diff to previous 1.13 (colored)

Libtool fix for PR pkg/26633, and other issues.  Update libtool to 1.5.10
in the process.  (More information on tech-pkg.)

Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.

Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.

Revision 1.13 / (download) - annotate - [select for diffs], Wed Sep 15 15:29:49 2004 UTC (19 years, 7 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2004Q3-base, pkgsrc-2004Q3
Changes since 1.12: +9 -1 lines
Diff to previous 1.12 (colored)

Force using the BSD utmp interface on NetBSD until the configure
scripts can be taught how to properly detect our utmpx implementation.
This should fix the build on NetBSD-2.0 and -current.

Revision 1.12 / (download) - annotate - [select for diffs], Tue Sep 7 01:47:28 2004 UTC (19 years, 7 months ago) by jlam
Branch: MAIN
Changes since 1.11: +12 -2 lines
Diff to previous 1.11 (colored)

Apply the patches for security/mit-krb5 that fix MITKRB5-SA-2004-00{2,3}.
Bump the PKGREVISION for this security update.

Revision 1.11 / (download) - annotate - [select for diffs], Sun Aug 22 19:32:52 2004 UTC (19 years, 7 months ago) by jlam
Branch: MAIN
Changes since 1.10: +3 -8 lines
Diff to previous 1.10 (colored)

Change the way that legacy USE_* and FOO_USE_* options are converted
into the bsd.options.mk framework.  Instead of appending to
${PKG_OPTIONS_VAR}, it appends to PKG_DEFAULT_OPTIONS.  This causes
the default options to be the union of PKG_DEFAULT_OPTIONS and any
old USE_* and FOO_USE_* settings.

This fixes PR pkg/26590.

Revision 1.10 / (download) - annotate - [select for diffs], Fri Jul 30 21:05:42 2004 UTC (19 years, 8 months ago) by jlam
Branch: MAIN
Changes since 1.9: +15 -3 lines
Diff to previous 1.9 (colored)

Convert to use bsd.options.mk.  The relevant options variable to set
for each package can be determined by invoking:

	make show-var VARNAME=PKG_OPTIONS_VAR

The old options are still supported unless the variable named in
PKG_OPTIONS_VAR is set within make(1) (usually via /etc/mk.conf).

Revision 1.9 / (download) - annotate - [select for diffs], Sat Jul 24 13:56:09 2004 UTC (19 years, 8 months ago) by jlam
Branch: MAIN
Changes since 1.8: +2 -1 lines
Diff to previous 1.8 (colored)

Bump PKGREVISION for last change.

Revision 1.8 / (download) - annotate - [select for diffs], Sat Jul 24 13:55:30 2004 UTC (19 years, 8 months ago) by jlam
Branch: MAIN
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored)

Honor VARBASE.

Revision 1.7 / (download) - annotate - [select for diffs], Thu Jun 24 14:43:29 2004 UTC (19 years, 9 months ago) by jlam
Branch: MAIN
Changes since 1.6: +2 -3 lines
Diff to previous 1.6 (colored)

Update security/mit-krb5 to 1.3.4.  Major changes from version 1.3.3
include a fix for security advisory [MITKRB5-SA-2004-001]:

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-001-an_to_ln.txt

Please read the security advisory to see if you are affected and should
update your MIT krb5 installation.

Revision 1.6 / (download) - annotate - [select for diffs], Mon May 10 01:20:39 2004 UTC (19 years, 11 months ago) by kristerw
Branch: MAIN
CVS Tags: pkgsrc-2004Q2-base, pkgsrc-2004Q2
Changes since 1.5: +2 -1 lines
Diff to previous 1.5 (colored)

Correct PLIST when not renaming the applications.
Bump PKGREVISION.

Revision 1.5 / (download) - annotate - [select for diffs], Mon May 10 01:18:34 2004 UTC (19 years, 11 months ago) by kristerw
Branch: MAIN
Changes since 1.4: +3 -2 lines
Diff to previous 1.4 (colored)

Move WRKSRC from the DISTNAME section to silence a pkglint FATAL error.

Revision 1.4 / (download) - annotate - [select for diffs], Mon Apr 26 06:58:28 2004 UTC (19 years, 11 months ago) by jlam
Branch: MAIN
Changes since 1.3: +7 -11 lines
Diff to previous 1.3 (colored)

Updated security/mit-krb5 to 1.3.3.  Changes from version 1.3.2 include:

[2284] Fixed accept_sec_context to use a replay cache in the
       GSS_C_NO_CREDENTIAL case.
[2453] The AES string-to-key function no longer returns a pointer to
       stack memory when given a password longer than 64 characters.
[2277] In sendto_kdc, a socket leak on connection failure was fixed.
[2384] A memory leak in the TCP handling code in the KDC has been fixed.

Revision 1.3 / (download) - annotate - [select for diffs], Thu Apr 8 17:22:59 2004 UTC (20 years ago) by reed
Branch: MAIN
Changes since 1.2: +3 -3 lines
Diff to previous 1.2 (colored)

Use ${PREFIX}/${INFO_DIR} instead of ${PREFIX}/info for
info documentation. (Okay'd by jlam.)

Revision 1.2 / (download) - annotate - [select for diffs], Tue Mar 30 20:17:42 2004 UTC (20 years ago) by jlam
Branch: MAIN
Changes since 1.1: +6 -14 lines
Diff to previous 1.1 (colored)

Updated security/mit-krb5 to 1.3.2.  Changes from version 1.3.1 include:

* Support for AES in GSSAPI has been implemented.  This corresponds to the
  in-progress work in the IETF (CFX).

* To avoid compatibility problems, unrecognized TGS options will now be
  ignored.

* 128-bit AES has been added to the default enctypes.

* AES cryptosystem now chains IVs.  This WILL break backwards compatibility
  for the kcmd applications, if they are using AES session keys.

* Assorted minor bug fixes and plugged memory leaks.

Revision 1.1 / (download) - annotate - [select for diffs], Tue Mar 30 18:07:18 2004 UTC (20 years ago) by jlam
Branch: MAIN

Initial revision
