path: root/security/mit-krb5/Makefile
Age  Author  (Files, Lines)
    Commit message
2009-04-21  tez  (1 file, -2/+2)
    Add patches for CVE-2009-0846 & CVE-2009-0847
    approved by agc
2008-12-11  wiz  (1 file, -2/+2)
    PR 40152 by Tim Zingelman:
    lib/krb5/os/dnsglue.c uses statbuf structure before zeroing it. Solaris requires it be zeroed first... all kerberos programs that use dns lookup crash. Zeroing before use does not break anything on any other platforms. Bump PKGREVISION.
2008-06-07  tonnerre  (1 file, -2/+2)
    Add more patches, now for MITKRB5-SA-2007-006, MITKRB5-SA-2008-001 and MITKRB5-SA-2008-002. Bump PKGREVISION now finally.
2008-06-07  tonnerre  (1 file, -2/+2)
    Add security patches for 3 Kerberos vulnerabilities:
    - telnetd username and environment sanitizing vulnerabilities ("-f root") as described in MIT Kerberos advisory 2007-001.
    - krb5_klog_syslog() problems with overly long log strings as described in MIT Kerberos advisory 2007-002.
    - GSS API kg_unseal_v1() double free vulnerability as described in the MIT Kerberos advisory 2007-003.
2007-06-22  gdt  (1 file, -3/+1)
    Remove RESTRICTED comment about US export control. (While lots of things are restricted, pkgsrc's labeling rules aren't intended to address export control issues, and there are vast numbers of packages with apparently similar export control status and no RESTRICTED.)
2007-01-18  salo  (1 file, -5/+62)
    Fix building with Autoconf 2.60 and newer.
    Addresses PR pkg/34252 by Matthias Petermann. Also delint a bit.
2007-01-17  salo  (1 file, -2/+2)
    Security fix for CVE-2006-6143:
    "An unauthenticated user may cause execution of arbitrary code in kadmind, which can compromise the Kerberos key database and host security. (kadmind usually runs as root.) Unsuccessful exploitation, or even accidental replication of the required conditions by non-malicious users, can result in kadmind crashing."
    http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-002-rpc.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6143
    Patch from MIT.
2006-08-09  salo  (1 file, -2/+2)
    Security fixes for SA21402:
    "A security issue has been reported in Kerberos, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issue is caused due to missing checks for whether the "setuid()" call has succeeded in the bundled krshd and v4rcp applications. This can be exploited to disclose or manipulate the contents of arbitrary files or execute arbitrary code with root privileges if the "setuid()" call fails due to e.g. resource limits."
    http://secunia.com/advisories/21402/
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3083
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3084
    http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-001-setuid.txt
    Bump PKGREVISION.
2006-04-22  rillig  (1 file, -2/+2)
    Removed the superfluous "quotes" and 'quotes' from variables that don't need them, for example RESTRICTED and SUBST_MESSAGE.*.
2006-03-20  jlam  (1 file, -11/+7)
    * Nuke all references to and definitions of INFO_DIR in package Makefiles and replace with appropriate references to PKGINFODIR instead.
    * Properly account for split info files during installation.
    * Move info file listings directly into the package PLISTs.
    This fixes info-file-related PLIST problems.
2006-03-14  jlam  (1 file, -2/+2)
    Drop maintainership for packages that I no longer have time to maintain.
2005-12-29  jlam  (1 file, -2/+1)
    Remove USE_PKGINSTALL from pkgsrc now that mk/install/pkginstall.mk automatically detects whether we want the pkginstall machinery to be used by the package Makefile.
2005-12-17  jlam  (1 file, -2/+2)
    Change my MAINTAINER email address to the one I've been using for pkgsrc work.
2005-12-05  rillig  (1 file, -4/+4)
    Ran "pkglint --autofix", which corrected some of the quoting issues in CONFIGURE_ARGS.
2005-12-05  rillig  (1 file, -4/+4)
    Fixed pkglint warnings. The warnings are mostly quoting issues, for example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some other changes are outlined in
    http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
2005-10-05  wiz  (1 file, -3/+1)
    Remove some more *LEGACY* settings that are over a month old and thus were before 2005Q3.
2005-09-22  jlam  (1 file, -2/+2)
    Update security/mit-krb5 to version 1.4.2. Changes from version 1.4 include:
    * Fix [MITKRB5-SA-2005-002] KDC double-free and heap overflow.
    * Fix [MITKRB5-SA-2005-003] krb5_recvauth() double-free.
2005-07-15  jlam  (1 file, -3/+2)
    Drop distinction between PKGSRC_USE_TOOLS and USE_TOOLS by making PKGSRC_USE_TOOLS go away. There is now only a single USE_TOOLS variable that specifies all of the tools we need to build/run the package.
2005-06-20  kristerw  (1 file, -5/+3)
    Disable thread support per request of jlam.
    Bump PKGREVISION.
2005-06-16  kristerw  (1 file, -1/+4)
    This package needs pthreads in order to build.
2005-06-01  jlam  (1 file, -4/+3)
    Remove mk/autoconf.mk and mk/automake.mk and replace their usage with USE_TOOLS and any of "autoconf", "autoconf213", "automake" or "automake14". Also, we don't need to call the auto* tools via ${ACLOCAL}, ${AUTOCONF}, etc., since the tools framework takes care to symlink the correct tool to the correct name, so we can just use aclocal, autoconf, etc.
2005-05-31  dillo  (1 file, -4/+5)
    Rename option prefix-cmds to kerberos-prefix-cmds. Backwards compatibility provided via PKG_OPTIONS_LEGACY_OPTS.
2005-05-31  dillo  (1 file, -5/+3)
    Packages have no business modifying PKG_DEFAULT_OPTIONS -- it's a user settable variable. Set PKG_SUGGESTED_OPTIONS instead. Also, make use of PKG_OPTIONS_LEGACY_VARS. Reviewed by wiz.
2005-05-22  jlam  (1 file, -8/+1)
    Remove the old tools framework and references to _USE_NEW_TOOLS.
2005-05-16  jlam  (1 file, -1/+5)
    This package needs gzcat to extract the .tar.gz file inside the original .tar file. Also, fix the yacc silliness while we're here.
2005-04-14  jlam  (1 file, -9/+1)
    Remove unused section... MIT krb5 apparently now detects NetBSD's utmpx implementation correctly on NetBSD>=2.0.
2005-04-11  tv  (1 file, -2/+1)
    Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used.
2005-04-10  jlam  (1 file, -1/+2)
    Patch from http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt which fixes MITKRB5-SA-2005-001 (CAN-2005-0468 & CAN-2005-0469) relating to buffer overflows in the telnet client. Bump PKGREVISION to 1.
2005-04-10  jlam  (1 file, -14/+15)
    Updated security/mit-krb5 to krb5-1.4. Changes from version 1.3.6 include:
    * Merged Athena telnetd changes for creating a new option for requiring encryption.
    * Add implementation of the RPCSEC_GSS authentication flavor to the RPC library.
    * The kadmind4 backwards-compatibility admin server and the v5passwdd backwards-compatibility password-changing server have been removed.
    * Thread safety for krb5 libraries.
    * Yarrow code now uses AES.
    * Merged Athena changes to allow ftpd to require encrypted passwords.
    * Incorporate gss_krb5_set_allowable_enctypes() and gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.
    * Fix heap buffer overflow in password history mechanism. [MITKRB5-SA-2004-004]
2004-12-28  reed  (1 file, -1/+2)
    The default location of the pkgsrc-installed rc.d scripts is now under share/examples/rc.d. The variable name already was named RCD_SCRIPTS_EXAMPLEDIR. This is from ideas from Greg Woods and others. Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism (as requested by wiz).
2004-12-23  jlam  (1 file, -27/+13)
    Update security/mit-krb5 to 1.3.6.
    NOTE: THIS IS A SECURITY UPDATE. Changes from version 1.3.4 include:
    * [2841] Fix heap buffer overflow in password history mechanism. [MITKRB5-SA-2004-004]
    * [2682] Fix ftpd hang caused by empty PASS command.
    * [2686] Fix double-free errors. [MITKRB5-SA-2004-002]
    * [2687] Fix denial-of-service vulnerability in ASN.1 decoder. [MITKRB5-SA-2004-003]
2004-10-03  tv  (1 file, -2/+2)
    Libtool fix for PR pkg/26633, and other issues. Update libtool to 1.5.10 in the process. (More information on tech-pkg.)
    Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and installing .la files.
    Bump PKGREVISION (only) of all packages depending directly on the above via a buildlink3 include.
2004-09-15  jlam  (1 file, -1/+9)
    Force using the BSD utmp interface on NetBSD until the configure scripts can be taught how to properly detect our utmpx implementation. This should fix the build on NetBSD-2.0 and -current.
2004-09-07  jlam  (1 file, -2/+12)
    Apply the patches for security/mit-krb5 that fix MITKRB5-SA-2004-00{2,3}.
    Bump the PKGREVISION for this security update.
2004-08-22  jlam  (1 file, -8/+3)
    Change the way that legacy USE_* and FOO_USE_* options are converted into the bsd.options.mk framework. Instead of appending to ${PKG_OPTIONS_VAR}, it appends to PKG_DEFAULT_OPTIONS. This causes the default options to be the union of PKG_DEFAULT_OPTIONS and any old USE_* and FOO_USE_* settings. This fixes PR pkg/26590.
2004-07-30  jlam  (1 file, -3/+15)
    Convert to use bsd.options.mk. The relevant options variable to set for each package can be determined by invoking:
        make show-var VARNAME=PKG_OPTIONS_VAR
    The old options are still supported unless the variable named in PKG_OPTIONS_VAR is set within make(1) (usually via /etc/mk.conf).
2004-07-24  jlam  (1 file, -1/+2)
    Bump PKGREVISION for last change.
2004-07-24  jlam  (1 file, -2/+2)
    Honor VARBASE.
2004-06-24  jlam  (1 file, -3/+2)
    Update security/mit-krb5 to 1.3.4. Major changes from version 1.3.3 include a fix for security advisory [MITKRB-SA-2004-001]:
    http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-001-an_to_ln.txt
    Please read the security advisory to see if you are affected and should update your MIT krb5 installation.
2004-05-10  kristerw  (1 file, -1/+2)
    Correct PLIST when not renaming the applications.
    Bump PKGREVISION.
2004-05-10  kristerw  (1 file, -2/+3)
    Move WRKSRC from the DISTNAME section to silence a pkglint FATAL error.
2004-04-26  jlam  (1 file, -11/+7)
    Updated security/mit-krb5 to 1.3.3. Changes from version 1.3.2 include:
    [2284] Fixed accept_sec_context to use a replay cache in the GSS_C_NO_CREDENTIAL case.
    [2453] The AES string-to-key function no longer returns a pointer to stack memory when given a password longer than 64 characters.
    [2277] In sendto_kdc, a socket leak on connection failure was fixed.
    [2384] A memory leak in the TCP handling code in the KDC has been fixed.
2004-04-08  reed  (1 file, -3/+3)
    Use ${PREFIX}/${INFO_DIR} instead of ${PREFIX}/info for info documentation. (Okay'd by jlam.)
2004-03-30  jlam  (1 file, -14/+6)
    Updated security/mit-krb5 to 1.3.2. Changes from version 1.3.1 include:
    * Support for AES in GSSAPI has been implemented. This corresponds to the in-progress work in the IETF (CFX).
    * To avoid compatibility problems, unrecognized TGS options will now be ignored.
    * 128-bit AES has been added to the default enctypes.
    * AES cryptosystem now chains IVs. This WILL break backwards compatibility for the kcmd applications, if they are using AES session keys.
    * Assorted minor bug fixes and plugged memory leaks.
2004-03-30  jlam  (1 file, -0/+121)
    Import MIT Kerberos 5 as security/mit-krb5. This package is partly based on the wip/mit-krb5 package by Jeremy Reed, but heavily modified by me to libtoolize the build.
    Kerberos V5 is an authentication system developed at MIT. It is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. (Kerberos 5 is discussed in RFC 1510.)
    This package provides Kerberos and GSSAPI (Generic Security Services Application Programming Interface) development headers and libraries. It also includes Kerberos ticket and principal tools, and Kerberized r-services, telnet and ftp services.