summaryrefslogtreecommitdiff
path: root/security/mit-krb5/Makefile
AgeCommit message (Collapse)AuthorFilesLines
2016-03-10Ensure libss is built -static, the library is not installed resultingjperkin1-2/+2
in runtime failures which weren't previously detected due to a bug in check-shlibs. Bump PKGREVISION.
2016-03-05Bump PKGREVISION for security/openssl ABI bump.jperkin1-2/+2
2015-11-05Fix build in case there is a system version of verto found.tez1-1/+2
No revbump because it failed to build before if there was one. Fixes pkg/50348
2015-06-12Recursive PKGREVISION bump for all packages mentioning 'perl',wiz1-2/+2
having a PKGNAME of p5-*, or depending such a package, for perl-5.22.0.
2015-05-26Ensure we can find OpenSSL after rpath changes.jperkin1-1/+2
2015-03-22Redo rpath handling as the option is leaked into the config binary.joerg1-2/+2
Bump revision.
2015-03-16GC MAKE_PROGRAM as well.joerg1-2/+1
2015-03-15Don't use -R without argument. Make libapputils a convenience archive asjoerg1-2/+2
it is. Don't depend on gmake.
2015-03-12post-extract target needs gzip as tooltnn1-2/+2
2015-02-25Backported fixes for:tez1-2/+2
http://web.mit.edu/kerberos/advisories/2015-001-patch-r111.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9423 and: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5353 and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5355 (also apparently known as SA62976)
2014-11-25Add patch for CVE-2014-5351 from:tez1-2/+2
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018 https://github.com/krb5/krb5/commit/3bf9e33f9d66c0eef486cbd83f9e4f13a74d12c3.diff
2014-08-28Add fixes for CVE-2014-4341, CVE-2014-4342 (same patch as CVE-2014-4341)tez1-4/+4
CVE-2014-4343, CVE-2014-4344 & MITKRB5-SA-2014-001 (CVE-2014-4345).
2014-05-29Bump for perl-5.20.0.wiz1-2/+2
Do it for all packages that * mention perl, or * have a directory name starting with p5-*, or * depend on a package starting with p5- like last time, for 5.18, where this didn't lead to complaints. Let me know if you have any this time.
2014-02-12Recursive PKGREVISION bump for OpenSSL API version bump.tron1-1/+2
2013-12-03Changes 1.10.7:adam1-2/+2
This is a bugfix release. The krb5-1.10 release series is in maintenance, and for new deployments, installers should prefer the krb5-1.11 release series or later. * Fix a KDC locking issue that could lead to the KDC process holding a persistent lock, preventing administrative actions such as password changes. * Fix a number of bugs related to KDC master key rollover. * Fix a KDC null pointer dereference [CVE-2013-1418] that could affect KDCs that serve multiple realms.
2013-06-16Changes 1.10.6:adam1-3/+2
Fix a UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443] Improve interoperability with some Windows native PKINIT clients.
2013-05-31Bump all packages for perl-5.18, thatwiz1-2/+2
a) refer 'perl' in their Makefile, or b) have a directory name of p5-*, or c) have any dependency on any p5-* package Like last time, where this caused no complaints.
2013-05-13The kpasswd service provided by kadmind was vulnerable to a UDPtez1-1/+2
"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless they pass some basic validation, and don't respond to our own error packets. Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong attack or UDP ping-pong attacks in general, but there is discussion leading toward narrowing the definition of CVE-1999-0103 to the echo, chargen, or other similar built-in inetd services. https://github.com/krb5/krb5/commit/cf1a0c411b2668c57c41e9c4efd15ba17b6b322ccvs
2013-05-09Changes 1.10.5:adam1-3/+2
This is a bugfix release. The krb5-1.10 release series is in maintenance, and for new deployments, installers should prefer the krb5-1.11 release series or later. * Fix KDC null pointer dereference in TGS-REQ handling [CVE-2013-1416] * Incremental propagation could erroneously act as if a slave's database were current after the slave received a full dump that failed to load.
2013-04-23Fix for CVE-2013-1416 from:tez1-1/+2
http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7600
2013-03-14Fix build on Solaristez1-1/+2
(per http://old.nabble.com/Re%3A-build-problem-p34365918.html)
2013-03-13Changes 1.10.4:adam1-3/+2
This is a bugfix release. Fix null PKINIT pointer dereference vulnerabilities [CVE-2012-1016, CVE-2013-1415] Prevent the KDC from returning a host-based service principal referral to the local realm.
2013-02-28Add patch for CVE-2013-1415 (SA52390)tez1-2/+2
2013-02-06PKGREVISION bumps for the security/openssl 1.0.1d update.jperkin1-2/+2
2012-12-22Ensure correct initialisation. Bump revision.joerg1-2/+2
2012-10-23Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.asau1-2/+1
2012-10-03Bump all packages that use perl, or depend on a p5-* package, orwiz1-1/+2
are called p5-*. I hope that's all of them.
2012-08-20Changes 1.10.3:adam1-3/+2
This is a bugfix release. * Fix KDC uninitialized pointer vulnerabilities that could lead to a denial of service [CVE-2012-1014] or remote code execution [CVE-2012-1015]. * Correctly use default_tgs_enctypes instead of default_tkt_enctypes for TGS requests.
2012-08-09security/mit-krb5: USE_TOOLS+= msgfmtmarino1-2/+3
Note: Nobody that uses git from pkgsrc can install this package. It conflicts with security/heimdal which is sucked in by dependencies of scmgit-base. Since the default way of acquiring pkgsrc on DragonFly is via git, which is provided by the releases and daily snapshots, effectively this can't be installed by DragonFly users. Solving the conflict with heimdal, if possible, would be nice.
2012-07-16Changes 1.10.2:adam1-4/+4
This is a bugfix release. * Fix an interop issue with Windows Server 2008 R2 Read-Only Domain Controllers. * Update a workaround for a glibc bug that would cause DNS PTR queries to occur even when rdns = false. * Fix a kadmind denial of service issue (null pointer dereference), which could only be triggered by an administrator with the "create" privilege. [CVE-2012-1013] Changes 1.10.1: This is a bugfix release. * Fix access controls for KDB string attributes [CVE-2012-1012] * Make the ASN.1 encoding of key version numbers interoperate with Windows Read-Only Domain Controllers * Avoid generating spurious password expiry warnings in cases where the KDC sends an account expiry time without a password expiry time.
2012-06-06Fix for CVE-2012-1013 from:tez1-1/+2
https://github.com/krb5/krb5/commit/ca2909440015d33be42e77d1955194963d8c0955
2012-02-26Changes 1.8.6:adam1-5/+4
This is primarily a bugfix release. * Fix an interaction in iprop that could cause spurious excess kadmind processes when a kprop child fails. Changes 1.8.5: This is primarily a bugfix release. * Fix MITKRB5-SA-2011-006 KDC denial of service vulnerabilities [CVE-2011-1528 CVE-2011-1529 CVE-2011-4151].
2011-10-23add vendor patch 2011-006-patch-r18 from MITKRB5-SA-2011-006tez1-3/+4
this fixes CVE-2011-1528, CVE-2011-1529 & CVE-2011-4151
2011-07-08Changes 1.8.4:adam1-15/+11
This is primarily a bugfix release. Fix vulnerabilities: * KDC uninitialized pointer crash [MITKRB5-SA-2010-006 CVE-2010-1322] * kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022] * KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282 CVE-2011-0283] * KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284] * kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285] Interoperability: * Correctly encrypt GSSAPI forwarded credentials using the session key, not a subkey. * Set NT-SRV-INST on TGS principal names as expected by some Windows Server Domain Controllers. * Don't reject AP-REQ messages if their PAC doesn't validate; suppress the PAC instead. * Correctly validate HMAC-MD5 checksums that use DES keys
2011-04-14fix MITKRB5-SA-2011-004 (CVE-2011-0285) DOS in kadmindtez1-3/+3
2011-04-09correct openssl dependency (it needs >=0.9.8)tez1-2/+3
correct BUILDLINK_API_DEPENDS.mit-krb5 fix building where libtool chokes on "--version-info : " (at least OS X)
2011-03-22Update MIT Kerberos to v1.8.3 with the latest security patches up to andtez1-105/+32
including MITKRB5-SA-2011-003. Please see http://web.mit.edu/kerberos/ for the change logs since v1.4.2 Note that the r-services, telnetd and ftpd services and the related client applications are now in a separate pacakge security/mit-krb5-appl.
2010-12-03add fix for CVE-2010-1323 fromtez1-2/+2
http://web.mit.edu/kerberos/advisories/2010-007-patch-r15.txt
2010-05-20fix CVE-2010-1321 (MITKRB5-SA-2010-005) and take maintainershiptez1-3/+3
2010-03-26Apply some sense to the build system by always linking the .la archivesjoerg1-2/+3
in src/lib as that is the location it wants to pick it up. Work around the dependencies in other places by symlinking to that, effectively reverting the direction. Link telnet(d) consistently. Add DESTDIR support.
2010-02-24Fix CVE-2009-4212 (MITKRB5-SA-2009-004) using patches fromtez1-2/+2
http://web.mit.edu/kerberos/advisories/2009-004-patch_1.6.3.txt (slightly adjusted for older kerberos version)
2009-06-30Mark packages as MAKE_JOBS_SAFE=no that failed in a bulk build withjoerg1-1/+3
MAKE_JOBS=2 and worked without.
2009-04-21Add patches for CVE-2009-0846 & CVE-2009-0847tez1-2/+2
approved by agc
2008-12-11PR 40152 by Tim Zingelman:wiz1-2/+2
lib/krb5/os/dnsglue.c uses statbuf structure before zeroing it. Solaris requires it be zeroed first... all kerberos programs that use dns lookup crash. Zeroing before use does not break anything on any other platforms. Bump PKGREVISION.
2008-06-07Add more patches, now for MITKRB5-SA-2007-006, MITKRB5-SA-2008-001 andtonnerre1-2/+2
MITKRB5-SA-2008-002. Bump PKGREVISION now finally.
2008-06-07Add security patches for 3 Kerberos vulnerabilities:tonnerre1-2/+2
- telnetd username and environment sanitizing vulnerabilities ("-f root") as described in MIT Kerberos advisory 2007-001. - krb5_klog_syslog() problems with overly long log strings as described in MIT Kerberos advisory 2007-002. - GSS API kg_unseal_v1() double free vulnerability as described in the MIT Kerberos advisory 2007-003.
2007-06-22Remove RESTRICTED comment about US export control. (While lots ofgdt1-3/+1
things are restricted, pkgsrc's labeling rules aren't intended to address export control issues, and there are vast numbers of packages with apparently similar export control status and no RESTRICTED.)
2007-01-18Fix building with Autoconf 2.60 and newer.salo1-5/+62
Addresses PR pkg/34252 by Matthias Petermann. Also delint a bit.
2007-01-17Security fix for CVE-2006-6143:salo1-2/+2
"An unauthenticated user may cause execution of arbitrary code in kadmind, which can compromise the Kerberos key database and host security. (kadmind usually runs as root.) Unsuccessful exploitation, or even accidental replication of the required conditions by non-malicious users, can result in kadmind crashing." http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-002-rpc.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6143 Patch from MIT.
2006-08-09Security fixes for SA21402:salo1-2/+2
"A security issue has been reported in Kerberos, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issue is caused due to missing checks for whether the "setuid()" call has succeeded in the bundled krshd and v4rcp applications. This can be exploited to disclose or manipulate the contents of arbitrary files or execute arbitrary code with root privileges if the "setuid()" call fails due to e.g. resource limits." http://secunia.com/advisories/21402/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3083 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3084 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-001-setuid.txt Bump PKGREVISION.
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-13 16:16:17 +0000