Changes 1.8.4:

This is primarily a bugfix release.
Fix vulnerabilities:
* KDC uninitialized pointer crash [MITKRB5-SA-2010-006 CVE-2010-1322]
* kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
* KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
* KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284]
* kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]
Interoperability:
* Correctly encrypt GSSAPI forwarded credentials using the session key, not
  a subkey.
* Set NT-SRV-INST on TGS principal names as expected by some Windows Server
  Domain Controllers.
* Don't reject AP-REQ messages if their PAC doesn't validate; suppress the PAC
  instead.
* Correctly validate HMAC-MD5 checksums that use DES keys

3 files changed, 18 insertions, 40 deletions

diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index 1b5a2502448..25a04bc4b5d 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,16 +1,14 @@
-# $NetBSD: Makefile,v 1.53 2011/04/14 19:37:26 tez Exp $
+# $NetBSD: Makefile,v 1.54 2011/07/08 09:59:28 adam Exp $
 
-DISTNAME=	krb5-1.8.3
+DISTNAME=	krb5-1.8.4
 PKGNAME=	mit-${DISTNAME}
-PKGREVISION=	5
 CATEGORIES=	security
 MASTER_SITES=	http://web.mit.edu/kerberos/dist/krb5/1.8/
-DISTFILES=	${DISTNAME}-signed${EXTRACT_SUFX}
 EXTRACT_SUFX=	.tar
+DISTFILES=	${DISTNAME}-signed${EXTRACT_SUFX}
 
-PATCH_SITES=	http://web.mit.edu/kerberos/advisories/
-
-PATCHFILES=	2010-006-patch.txt 2010-007-patch.txt 2011-001-patch.txt 2011-002-patch-r18.txt 2011-003-patch.txt 2011-004-patch-r18.txt
+#PATCH_SITES=	http://web.mit.edu/kerberos/advisories/
+#PATCHFILES=	2010-006-patch.txt 2010-007-patch.txt 2011-001-patch.txt 2011-002-patch-r18.txt 2011-003-patch.txt 2011-004-patch-r18.txt
 
 MAINTAINER=	tez@NetBSD.org
 HOMEPAGE=	http://web.mit.edu/kerberos/
@@ -28,27 +26,26 @@ BUILD_TARGET=	generate-files-mac all
 CONFLICTS+=	heimdal-[0-9]*
 CONFLICTS+=	kth-krb4-[0-9]*
 
-USE_TOOLS+=		autoconf perl yacc m4
-USE_TOOLS+=		gmake
+USE_LIBTOOL=		yes
+USE_TOOLS+=		autoconf gmake m4 perl yacc
 MAKE_PROGRAM=		gmake
 GNU_CONFIGURE=		yes
-USE_LIBTOOL=		yes
 
 # The actual KDC databases are stored in ${MIT_KRB5_STATEDIR}/krb5kdc.
 MIT_KRB5_STATEDIR?=	${VARBASE}
-FILES_SUBST+=		MIT_KRB5_STATEDIR=${MIT_KRB5_STATEDIR:Q}
+FILES_SUBST+=		MIT_KRB5_STATEDIR=${MIT_KRB5_STATEDIR}
 
 BUILD_DEFS+=		VARBASE
 
-CONFIGURE_ARGS+=	--localstatedir=${MIT_KRB5_STATEDIR:Q}
-CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR:Q}
+CONFIGURE_ARGS+=	--localstatedir=${MIT_KRB5_STATEDIR}
+CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}
 CONFIGURE_ARGS+=	--enable-shared
 CONFIGURE_ARGS+=	--enable-dns-for-realm
 CONFIGURE_ARGS+=	--enable-kdc-replay-cache
 CONFIGURE_ARGS+=	--disable-thread-support
 CONFIGURE_ARGS+=	--without-tcl
 CONFIGURE_ARGS+=	--enable-pkgsrc-libtool
-MAKE_ENV+=		ROOT_USER=${ROOT_USER:Q}
+MAKE_ENV+=		ROOT_USER=${ROOT_USER}
 
 PATCH_DIST_ARGS=	-d ${WRKSRC} -p2
 
@@ -67,7 +64,6 @@ INSTALLATION_DIRS=	bin include/gssapi include/gssrpc ${PKGINFODIR}	\
 
 # The MIT krb5 distribution is actually a tar file that contains the
 # real .tar.gz distfile and a PGP signature.
-#
 post-extract:
 	@${ECHO} "=> Extracting internal tarball";			\
 	extract_file="${WRKDIR}/${DISTNAME}.tar.gz";			\
diff --git a/security/mit-krb5/buildlink3.mk b/security/mit-krb5/buildlink3.mk
index 7304320530d..7c1709f27ef 100644
--- a/security/mit-krb5/buildlink3.mk
+++ b/security/mit-krb5/buildlink3.mk
@@ -1,12 +1,12 @@
-# $NetBSD: buildlink3.mk,v 1.11 2011/04/09 00:16:18 tez Exp $
+# $NetBSD: buildlink3.mk,v 1.12 2011/07/08 09:59:28 adam Exp $
 
 BUILDLINK_TREE+=	mit-krb5
 
 .if !defined(MIT_KRB5_BUILDLINK3_MK)
 MIT_KRB5_BUILDLINK3_MK:=
 
-BUILDLINK_API_DEPENDS.mit-krb5+=		mit-krb5>=1.8
-BUILDLINK_ABI_DEPENDS.mit-krb5+=	mit-krb5>=1.4nb1
+BUILDLINK_API_DEPENDS.mit-krb5+=	mit-krb5>=1.8
+BUILDLINK_ABI_DEPENDS.mit-krb5+=	mit-krb5>=1.8
 BUILDLINK_PKGSRCDIR.mit-krb5?=		../../security/mit-krb5
 .endif # MIT_KRB5_BUILDLINK3_MK
 
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index f4deaacbbe2..63f4b279b54 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,26 +1,8 @@
-$NetBSD: distinfo,v 1.30 2011/06/01 09:57:23 adam Exp $
+$NetBSD: distinfo,v 1.31 2011/07/08 09:59:28 adam Exp $
 
-SHA1 (2010-006-patch.txt) = 600f0890de65f96112f267b56317a4fd0166cba0
-RMD160 (2010-006-patch.txt) = fc262a23e9aa118262a4258f74832445062444e4
-Size (2010-006-patch.txt) = 1066 bytes
-SHA1 (2010-007-patch.txt) = a6fbc3b6ab15ca98c1aa1521fd42dad1f5003ee8
-RMD160 (2010-007-patch.txt) = 848b776218473200e5a54beb4f3adfc3db915cf4
-Size (2010-007-patch.txt) = 7908 bytes
-SHA1 (2011-001-patch.txt) = 79ece8b1c140deb2c01bfb64af575636b9bc7704
-RMD160 (2011-001-patch.txt) = 62a7b2b0d4acbca919fd9df52e707bf0b9fff076
-Size (2011-001-patch.txt) = 632 bytes
-SHA1 (2011-002-patch-r18.txt) = 574a3c82ad7d3c9a1c9c62c6ff95c2d6f0e0fc96
-RMD160 (2011-002-patch-r18.txt) = 23cb2560f0d87e6128cdbb12f1e7d8aae85f85f5
-Size (2011-002-patch-r18.txt) = 6130 bytes
-SHA1 (2011-003-patch.txt) = 1c72390c5d629eee592e5cb0c2b600b376e2fdc5
-RMD160 (2011-003-patch.txt) = 9b0d172a1abfaf437edacc9f18fd0a6e83028b3e
-Size (2011-003-patch.txt) = 544 bytes
-SHA1 (2011-004-patch-r18.txt) = 7853bcbdf0dba6f0fce15fc3b475f86d692287b2
-RMD160 (2011-004-patch-r18.txt) = 03d06d5c88505688eb4dbcd516144999ecb89a70
-Size (2011-004-patch-r18.txt) = 1136 bytes
-SHA1 (krb5-1.8.3-signed.tar) = 69696f63b6c2b0e3238156b19eed68cecd661c6b
-RMD160 (krb5-1.8.3-signed.tar) = bdf3a505e4b2447af0c9080b441918d665dcdd9c
-Size (krb5-1.8.3-signed.tar) = 11642880 bytes
+SHA1 (krb5-1.8.4-signed.tar) = fe1fc21e923ae8dcaa7a26f4f97e0ac49c8e3115
+RMD160 (krb5-1.8.4-signed.tar) = 34d6df8248007bac0321400b2650c2aca774af16
+Size (krb5-1.8.4-signed.tar) = 11642880 bytes
 SHA1 (patch-aa) = cd8cdc594bc872d641ceaba0aa0d91b5f1caf2ae
 SHA1 (patch-ad) = 49a9429d163adb872b1c97ade8ed0e13d8eec3cb
 SHA1 (patch-ae) = c7395b9de5baf6612b8787fad55dbc051a680bfd