| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The libtool-ification caused plugins to have a "lib" prefix, causing a mismatch
with what the code was trying to dlopen(), and failures. Bump PKGREVISION.
|
|
Major changes in 1.16.2
This is a bug fix release.
Fix bugs with concurrent use of MEMORY ccache handles.
Fix a KDC crash when falling back between multiple OTP tokens configured for a principal entry.
Fix memory bugs when gss_add_cred() is used to create a new credential, and fix a bug where it ignores the desired_name.
Fix the behavior of gss_inquire_cred_by_mech() when the credential does not contain an element of the requested mechanism.
Make cross-realm S4U2Self requests work on the client when no default_realm is configured.
Add a kerberos(7) man page containing documentation of the environment variables that affect Kerberos programs.
|
|
Major changes in 1.16.1 (2018-05-03)
This is a bug fix release.
Fix flaws in LDAP DN checking, including a null dereference KDC crash which could be triggered by kadmin clients with administrative privileges [CVE-2018-5729, CVE-2018-5730].
Fix a KDC PKINIT memory leak.
Fix a small KDC memory leak on transited or authdata errors when processing TGS requests.
Fix a regression in pkinit_cert_match matching of client certificates containing Microsoft UPN SANs.
Fix a null dereference when the KDC sends a large TGS reply.
Fix "kdestroy -A" with the KCM credential cache type.
Allow validation of Microsoft PACs containing enterprise names.
Fix the handling of capaths "." values.
Fix handling of repeated subsection specifications in profile files (such as when multiple included files specify relations in the same subsection).
Major changes in 1.16 (2017-12-05)
Administrator experience:
The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option.
The ktutil addent command supports the "-k 0" option to ignore the key version, and the "-s" option to use a non-default salt string.
kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode.
The "encrypted_challenge_indicator" realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication.
Localization support can be disabled at build time with the --disable-nls configure option.
Developer experience:
The kdcpolicy pluggable interface allows modules control whether tickets are issued by the KDC.
The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request.
The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals.
KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request.
GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid().
GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid().
kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization.
Protocol evolution:
The client library will continue to try pre-authentication mechanisms after most failure conditions.
The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts.
The client library will use a random nonce for TGS requests instead of the current system time.
For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported).
When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization.
User experience:
Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106.
Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname.
Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times.
A German translation has been added.
Code quality:
The build is warning-clean under clang with the configured warning options.
The automated test suite runs cleanly under AddressSanitizer.
Major changes in 1.15.3 (2018-05-03)
This is a bug fix release.
Fix flaws in LDAP DN checking, including a null dereference KDC crash which could be triggered by kadmin clients with administrative privileges [CVE-2018-5729, CVE-2018-5730].
Fix a KDC PKINIT memory leak.
Fix a small KDC memory leak on transited or authdata errors when processing TGS requests.
Fix a null dereference when the KDC sends a large TGS reply.
Fix "kdestroy -A" with the KCM credential cache type.
Fix the handling of capaths "." values.
Fix handling of repeated subsection specifications in profile files (such as when multiple included files specify relations in the same subsection).
Major changes in 1.15.2 (2017-09-25)
This is a bug fix release.
Fix a KDC denial of service vulnerability caused by unset status strings [CVE-2017-11368]
Preserve GSS contexts on init/accept failure [CVE-2017-11462]
Fix kadm5 setkey operation with LDAP KDB module
Use a ten-second timeout after successful connection for HTTPS KDC requests, as we do for TCP requests
Fix client null dereference when KDC offers encrypted challenge without FAST
Ignore dotfiles when processing profile includedir directive
Improve documentation
Major changes in 1.15.1 (2017-03-01)
This is a bug fix release.
Allow KDB modules to determine how the e_data field of principal fields is freed
Fix udp_preference_limit when the KDC location is configured with SRV records
Fix KDC and kadmind startup on some IPv4-only systems
Fix the processing of PKINIT certificate matching rules which have two components and no explicit relation
Improve documentation
Major changes in 1.15 (2016-12-01)
Administrator experience:
Improve support for multihomed Kerberos servers by adding options for specifying restricted listening addresses for the KDC and kadmind.
Add support to kadmin for remote extraction of current keys without changing them (requires a special kadmin permission that is excluded from the wildcard permission), with the exception of highly protected keys.
Add a lockdown_keys principal attribute to prevent retrieval of the principal's keys (old or new) via the kadmin protocol. In newly created databases, this attribute is set on the krbtgt and kadmin principals.
Restore recursive dump capability for DB2 back end, so sites can more easily recover from database corruption resulting from power failure events.
Add DNS auto-discovery of KDC and kpasswd servers from URI records, in addition to SRV records. URI records can convey TCP and UDP servers and master KDC status in a single DNS lookup, and can also point to HTTPS proxy servers.
Add support for password history to the LDAP back end.
Add support for principal renaming to the LDAP back end.
Use the getrandom system call on supported Linux kernels to avoid blocking problems when getting entropy from the operating system.
In the PKINIT client, use the correct DigestInfo encoding for PKCS #1 signatures, so that some especially strict smart cards will work.
Code quality:
Clean up numerous compilation warnings.
Remove various infrequently built modules, including some preauth modules that were not built by default.
Developer experience:
Add support for building with OpenSSL 1.1.
Use SHA-256 instead of MD5 for (non-cryptographic) hashing of authenticators in the replay cache. This helps sites that must build with FIPS 140 conformant libraries that lack MD5.
Eliminate util/reconf and allow the use of autoreconf alone to regenerate the configure script.
Protocol evolution:
Add support for the AES-SHA2 enctypes, which allows sites to conform to Suite B crypto requirements.
|
|
CVE-2015-2695
CVE-2015-2696
CVE-2015-2697
CVE-2015-2698
CVE-2015-8629
CVE-2015-8630
CVE-2015-8631
|
|
These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or
ignored otherwise.
|
|
This is a bugfix release.
* Fix an interop issue with Windows Server 2008 R2 Read-Only Domain Controllers.
* Update a workaround for a glibc bug that would cause DNS PTR queries to occur
even when rdns = false.
* Fix a kadmind denial of service issue (null pointer dereference), which could
only be triggered by an administrator with the "create" privilege.
[CVE-2012-1013]
Changes 1.10.1:
This is a bugfix release.
* Fix access controls for KDB string attributes [CVE-2012-1012]
* Make the ASN.1 encoding of key version numbers interoperate with Windows
Read-Only Domain Controllers
* Avoid generating spurious password expiry warnings in cases where the KDC
sends an account expiry time without a password expiry time.
|
|
This is primarily a bugfix release.
* Fix an interaction in iprop that could cause spurious excess kadmind processes
when a kprop child fails.
Changes 1.8.5:
This is primarily a bugfix release.
* Fix MITKRB5-SA-2011-006 KDC denial of service vulnerabilities
[CVE-2011-1528 CVE-2011-1529 CVE-2011-4151].
|
|
including MITKRB5-SA-2011-003.
Please see http://web.mit.edu/kerberos/ for the change logs since v1.4.2
Note that the r-services, telnetd and ftpd services and the related client
applications are now in a separate pacakge security/mit-krb5-appl.
|
|
|
|
and replace with appropriate references to PKGINFODIR instead.
* Properly account for split info files during installation.
* Move info file listings directly into the package PLISTs.
This fixes info-file-related PLIST problems.
|
|
|
|
|
|
And always is defined as share/examples/rc.d
which was the default before.
This rc.d scripts are not automatically added to PLISTs now also.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
|
|
is a PKG_OPTION.
|
|
|
|
* Merged Athena telnetd changes for creating a new option for requiring
encryption.
* Add implementation of the RPCSEC_GSS authentication flavor to the RPC
library.
* The kadmind4 backwards-compatibility admin server and the v5passwdd
backwards-compatibility password-changing server have been removed.
* Thread safety for krb5 libraries.
* Yarrow code now uses AES.
* Merged Athena changes to allow ftpd to require encrypted passwords.
* Incorporate gss_krb5_set_allowable_enctypes() and
gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.
* Fix heap buffer overflow in password history mechanism.
[MITKRB5-SA-2004-004]
|
|
All library names listed by *.la files no longer need to be listed
in the PLIST, e.g., instead of:
lib/libfoo.a
lib/libfoo.la
lib/libfoo.so
lib/libfoo.so.0
lib/libfoo.so.0.1
one simply needs:
lib/libfoo.la
and bsd.pkg.mk will automatically ensure that the additional library
names are listed in the installed package +CONTENTS file.
Also make LIBTOOLIZE_PLIST default to "yes".
|
|
|
|
Bump PKGREVISION.
|
|
the RCD_SCRIPTS rc.d script(s) to the PLIST.
This GENERATE_PLIST idea is part of Greg A. Woods'
PR #22954.
This helps when the RC_SCRIPTS are installed to
a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later,
the default RCD_SCRIPTS_EXAMPLEDIR will be changed
to be more clear that they are the examples.)
These patches also remove the etc/rc.d/ scripts from PLISTs
(of packages that use RCD_SCRIPTS). (This also removes
now unused references from openssh* makefiles. Note that
qmail package has not been changed yet.)
I have been doing automatic PLIST registration for RC_SCRIPTS
for over a year. Not all of these packages have been tested,
but many have been tested and used.
Somethings maybe to do:
- a few packages still manually install the rc.d scripts to
hard-coded etc/rc.d. These need to be fixed.
- maybe remove from mk/${OPSYS}.pkg.dist mtree specifications too.
|
|
on the wip/mit-krb5 package by Jeremy Reed, but heavily modified by me to
libtoolize the build.
Kerberos V5 is an authentication system developed at MIT. It is a network
authentication protocol designed to provide strong authentication for
client/server applications by using secret-key cryptography. (Kerberos
5 is discussed in RFC 1510.)
This package provides Kerberos and GSSAPI (Generic Security Services
Application Programming Interface) development headers and libraries.
It also includes Kerberos ticket and principal tools, and Kerberized
r-services, telnet and ftp services.
|
