Fedora 12 Update: krb5-1.7.1-13.fc12

updates at fedoraproject.org updates at fedoraproject.org
Sat Sep 11 09:02:24 UTC 2010


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-13517
2010-08-26 00:25:16
--------------------------------------------------------------------------------

Name        : krb5
Product     : Fedora 12
Version     : 1.7.1
Release     : 13.fc12
URL         : http://web.mit.edu/kerberos/www/
Summary     : The Kerberos network authentication system
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords.

--------------------------------------------------------------------------------
Update Information:

A bug in the LDAP kdb backend module caused key expiration times to be computed
incorrectly in some cases, and the ksu application incorrectly performed PAM
account and session management as the invoking user rather than as root.  This
update corrects these bugs.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Aug 24 2010 Nalin Dahyabhai <nalin at redhat.com> 1.7.1-13
- adjust the last patch to apply properly to 1.7.1
* Tue Aug 24 2010 Nalin Dahyabhai <nalin at redhat.com> 1.7.1-12
- bump release
* Tue Aug 24 2010 Nalin Dahyabhai <nalin at redhat.com> 1.7.1-11
- fix a logic bug in computing key expiration times (RT#6762, #627022)
* Mon Jun 21 2010 Nalin Dahyabhai <nalin at redhat.com>
- pull up fix for upstream #6745, in which the gssapi library would add the
  wrong error table but subsequently attempt to unload the right one
* Wed Jun  9 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7.1-10
- use the "pathmunge" function to add %{krb5prefix}/bin to $PATH rather
  than doing it the harder way ourselves (part of #544652)
* Thu May 27 2010 Nalin Dahyabhai <nalin at redhat.com>
- ksu: move session management calls to before we drop privileges, like
  su does (#596887), and don't skip the PAM account check for root or the
  same user (more of #540769)
* Tue May 18 2010 Nalin Dahyabhai <nalin at redhat.com> 1.7.1-9
- add patch to correct GSSAPI library null pointer dereference which could be
  triggered by malformed client requests (CVE-2010-1321, #582466)
* Tue May  4 2010 Nalin Dahyabhai <nalin at redhat.com> 1.7.1-8
- fix output of kprop's init script's "status" and "reload" commands (#588222)
* Tue Apr 20 2010 Nalin Dahyabhai <nalin at redhat.com> 1.7.1-7
- incorporate patch to fix double-free in the KDC (CVE-2010-1320, #584093)
* Thu Apr  8 2010 Nalin Dahyabhai <nalin at redhat.com>
- drop patch to suppress key expiration warnings sent from the KDC in
  the last-req field, as the KDC is expected to just be configured to either
  send them or not as a particular key approaches expiration (#556495)
* Tue Mar 23 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7.1-6
- add fix for denial-of-service in SPNEGO (CVE-2010-0628, #576324)
* Mon Mar  8 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7.1-5
- pull up patch to get the client libraries to correctly perform password
  changes over IPv6 (Sumit Bose, RT#6661)
* Wed Mar  3 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7.1-4
- fix a null pointer dereference and crash introduced in our PAM patch that
  would happen if ftpd was given the name of a user who wasn't known to the
  local system, limited to being triggerable by gssapi-authenticated clients by
  the default xinetd config (Olivier Fourdan, #569472)
* Tue Mar  2 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7.1-3
- fix a regression (not labeling a kdb database lock file correctly, #569902)
* Tue Feb 16 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7.1-2
- apply patch from upstream to fix KDC denial of service (CVE-2010-0283,
* Wed Feb  3 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7.1-1
- update to 1.7.1
  - don't trip AD lockout on wrong password (#542687, #554351)
  - incorporates fixes for CVE-2009-4212 and CVE-2009-3295
  - fixes gss_krb5_copy_ccache() when SPNEGO is used
- move sim_client/sim_server, gss-client/gss-server, uuclient/uuserver to
  the devel subpackage, better lining up with the expected krb5/krb5-appl
  split in 1.8
- drop kvno,kadmin,k5srvutil,ktutil from -workstation-servers, as it already
  depends on -workstation which also includes them
* Mon Jan 25 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7-23
- tighten up default permissions on kdc.conf and kadm5.acl (#558343)
* Fri Jan 22 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7-22
- use portreserve correctly -- portrelease takes the basename of the file
  whose entries should be released, so we need three files, not one
* Mon Jan 18 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7-21
- suppress warnings of impending password expiration if expiration is more than
  seven days away when the KDC reports it via the last-req field, just as we
  already do when it reports expiration via the key-expiration field (#556495)
- link with libtinfo rather than libncurses, when we can, in future RHEL
* Fri Jan 15 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7-20
- krb5_get_init_creds_password: check opte->flags instead of options->flags
  when checking whether or not we get to use the prompter callback (#555875)
* Thu Jan 14 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7-19
- use portreserve to make sure the KDC can always bind to the kerberos-iv
  port, kpropd can always bind to the krb5_prop port, and that kadmind can
  always bind to the kerberos-adm port (#555279)
- correct inadvertent use of macros in the changelog (rpmlint)
* Tue Jan 12 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7-18
- add upstream patch for integer underflow during AES and RC4 decryption
  (CVE-2009-4212), via Tom Yu (#545015)
* Wed Jan  6 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7-17
- put the conditional back for the -devel subpackage
- back down to the earlier version of the patch for #551764; the backported
  alternate version was incomplete
* Tue Jan  5 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7-16
- use %global instead of %define
- pull up proposed patch for creating previously-not-there lock files for
  kdb databases when 'kdb5_util' is called to 'load' (#551764)
* Mon Jan  4 2010 Dennis Gregorovic <dgregor at redhat.com>
- fix conditional for future RHEL
* Mon Jan  4 2010 Nalin Dahyabhai <nalin at redhat.com> - 1.7-15
- add upstream patch for KDC crash during referral processing (CVE-2009-3295),
  via Tom Yu (#545002)
* Mon Dec 21 2009 Nalin Dahyabhai <nalin at redhat.com> - 1.7-14
- refresh patch for #542868 from trunk
* Thu Dec 10 2009 Nalin Dahyabhai <nalin at redhat.com>
- move man pages that live in the -libs subpackage into the regular
  %{_mandir} tree where they'll still be found if that package is the
  only one installed (#529319)
* Wed Dec  9 2009 Nalin Dahyabhai <nalin at redhat.com> - 1.7-13
- and put it back in
* Tue Dec  8 2009 Nalin Dahyabhai <nalin at redhat.com>
- back that last change out
* Tue Dec  8 2009 Nalin Dahyabhai <nalin at redhat.com> - 1.7-12
- try to make gss_krb5_copy_ccache() work correctly for spnego (#542868)
* Fri Dec  4 2009 Nalin Dahyabhai <nalin at redhat.com>
- make krb5-config suppress CFLAGS output when called with --libs (#544391)
* Thu Dec  3 2009 Nalin Dahyabhai <nalin at redhat.com> - 1.7-11
- ksu: move account management checks to before we drop privileges, like
  su does (#540769)
- selinux: set the user part of file creation contexts to match the current
  context instead of what we looked up
- configure with --enable-dns-for-realm instead of --enable-dns, which isn't
  recognized any more
* Fri Nov 20 2009 Nalin Dahyabhai <nalin at redhat.com> - 1.7-10
- move /etc/pam.d/ksu from krb5-workstation-servers to krb5-workstation,
  where it's actually needed (#538703)
* Fri Oct 23 2009 Nalin Dahyabhai <nalin at redhat.com> - 1.7-9
- add some conditional logic to simplify building on older Fedora releases
* Tue Oct 13 2009 Nalin Dahyabhai <nalin at redhat.com>
- don't forget the README
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #627022 - Incorrect handling of password expiration
        https://bugzilla.redhat.com/show_bug.cgi?id=627022
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update krb5' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


More information about the package-announce mailing list