From c95b6cfb1a91351cfe51eab2180848c5e37a67b6 Mon Sep 17 00:00:00 2001 From: adam Date: Fri, 8 Jul 2011 09:59:28 +0000 Subject: Changes 1.8.4: This is primarily a bugfix release. Fix vulnerabilities: * KDC uninitialized pointer crash [MITKRB5-SA-2010-006 CVE-2010-1322] * kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022] * KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282 CVE-2011-0283] * KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003 CVE-2011-0284] * kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285] Interoperability: * Correctly encrypt GSSAPI forwarded credentials using the session key, not a subkey. * Set NT-SRV-INST on TGS principal names as expected by some Windows Server Domain Controllers. * Don't reject AP-REQ messages if their PAC doesn't validate; suppress the PAC instead. * Correctly validate HMAC-MD5 checksums that use DES keys --- security/mit-krb5/Makefile | 26 +++++++++++--------------- security/mit-krb5/buildlink3.mk | 6 +++--- security/mit-krb5/distinfo | 26 ++++---------------------- 3 files changed, 18 insertions(+), 40 deletions(-) (limited to 'security/mit-krb5') diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile index 1b5a2502448..25a04bc4b5d 100644 --- a/security/mit-krb5/Makefile +++ b/security/mit-krb5/Makefile @@ -1,16 +1,14 @@ -# $NetBSD: Makefile,v 1.53 2011/04/14 19:37:26 tez Exp $ +# $NetBSD: Makefile,v 1.54 2011/07/08 09:59:28 adam Exp $ -DISTNAME= krb5-1.8.3 +DISTNAME= krb5-1.8.4 PKGNAME= mit-${DISTNAME} -PKGREVISION= 5 CATEGORIES= security MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/1.8/ -DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX} EXTRACT_SUFX= .tar +DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX} -PATCH_SITES= http://web.mit.edu/kerberos/advisories/ - -PATCHFILES= 2010-006-patch.txt 2010-007-patch.txt 2011-001-patch.txt 2011-002-patch-r18.txt 2011-003-patch.txt 2011-004-patch-r18.txt +#PATCH_SITES= http://web.mit.edu/kerberos/advisories/ +#PATCHFILES= 2010-006-patch.txt 2010-007-patch.txt 2011-001-patch.txt 2011-002-patch-r18.txt 2011-003-patch.txt 2011-004-patch-r18.txt MAINTAINER= tez@NetBSD.org HOMEPAGE= http://web.mit.edu/kerberos/ @@ -28,27 +26,26 @@ BUILD_TARGET= generate-files-mac all CONFLICTS+= heimdal-[0-9]* CONFLICTS+= kth-krb4-[0-9]* -USE_TOOLS+= autoconf perl yacc m4 -USE_TOOLS+= gmake +USE_LIBTOOL= yes +USE_TOOLS+= autoconf gmake m4 perl yacc MAKE_PROGRAM= gmake GNU_CONFIGURE= yes -USE_LIBTOOL= yes # The actual KDC databases are stored in ${MIT_KRB5_STATEDIR}/krb5kdc. MIT_KRB5_STATEDIR?= ${VARBASE} -FILES_SUBST+= MIT_KRB5_STATEDIR=${MIT_KRB5_STATEDIR:Q} +FILES_SUBST+= MIT_KRB5_STATEDIR=${MIT_KRB5_STATEDIR} BUILD_DEFS+= VARBASE -CONFIGURE_ARGS+= --localstatedir=${MIT_KRB5_STATEDIR:Q} -CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q} +CONFIGURE_ARGS+= --localstatedir=${MIT_KRB5_STATEDIR} +CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR} CONFIGURE_ARGS+= --enable-shared CONFIGURE_ARGS+= --enable-dns-for-realm CONFIGURE_ARGS+= --enable-kdc-replay-cache CONFIGURE_ARGS+= --disable-thread-support CONFIGURE_ARGS+= --without-tcl CONFIGURE_ARGS+= --enable-pkgsrc-libtool -MAKE_ENV+= ROOT_USER=${ROOT_USER:Q} +MAKE_ENV+= ROOT_USER=${ROOT_USER} PATCH_DIST_ARGS= -d ${WRKSRC} -p2 @@ -67,7 +64,6 @@ INSTALLATION_DIRS= bin include/gssapi include/gssrpc ${PKGINFODIR} \ # The MIT krb5 distribution is actually a tar file that contains the # real .tar.gz distfile and a PGP signature. -# post-extract: @${ECHO} "=> Extracting internal tarball"; \ extract_file="${WRKDIR}/${DISTNAME}.tar.gz"; \ diff --git a/security/mit-krb5/buildlink3.mk b/security/mit-krb5/buildlink3.mk index 7304320530d..7c1709f27ef 100644 --- a/security/mit-krb5/buildlink3.mk +++ b/security/mit-krb5/buildlink3.mk @@ -1,12 +1,12 @@ -# $NetBSD: buildlink3.mk,v 1.11 2011/04/09 00:16:18 tez Exp $ +# $NetBSD: buildlink3.mk,v 1.12 2011/07/08 09:59:28 adam Exp $ BUILDLINK_TREE+= mit-krb5 .if !defined(MIT_KRB5_BUILDLINK3_MK) MIT_KRB5_BUILDLINK3_MK:= -BUILDLINK_API_DEPENDS.mit-krb5+= mit-krb5>=1.8 -BUILDLINK_ABI_DEPENDS.mit-krb5+= mit-krb5>=1.4nb1 +BUILDLINK_API_DEPENDS.mit-krb5+= mit-krb5>=1.8 +BUILDLINK_ABI_DEPENDS.mit-krb5+= mit-krb5>=1.8 BUILDLINK_PKGSRCDIR.mit-krb5?= ../../security/mit-krb5 .endif # MIT_KRB5_BUILDLINK3_MK diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo index f4deaacbbe2..63f4b279b54 100644 --- a/security/mit-krb5/distinfo +++ b/security/mit-krb5/distinfo @@ -1,26 +1,8 @@ -$NetBSD: distinfo,v 1.30 2011/06/01 09:57:23 adam Exp $ +$NetBSD: distinfo,v 1.31 2011/07/08 09:59:28 adam Exp $ -SHA1 (2010-006-patch.txt) = 600f0890de65f96112f267b56317a4fd0166cba0 -RMD160 (2010-006-patch.txt) = fc262a23e9aa118262a4258f74832445062444e4 -Size (2010-006-patch.txt) = 1066 bytes -SHA1 (2010-007-patch.txt) = a6fbc3b6ab15ca98c1aa1521fd42dad1f5003ee8 -RMD160 (2010-007-patch.txt) = 848b776218473200e5a54beb4f3adfc3db915cf4 -Size (2010-007-patch.txt) = 7908 bytes -SHA1 (2011-001-patch.txt) = 79ece8b1c140deb2c01bfb64af575636b9bc7704 -RMD160 (2011-001-patch.txt) = 62a7b2b0d4acbca919fd9df52e707bf0b9fff076 -Size (2011-001-patch.txt) = 632 bytes -SHA1 (2011-002-patch-r18.txt) = 574a3c82ad7d3c9a1c9c62c6ff95c2d6f0e0fc96 -RMD160 (2011-002-patch-r18.txt) = 23cb2560f0d87e6128cdbb12f1e7d8aae85f85f5 -Size (2011-002-patch-r18.txt) = 6130 bytes -SHA1 (2011-003-patch.txt) = 1c72390c5d629eee592e5cb0c2b600b376e2fdc5 -RMD160 (2011-003-patch.txt) = 9b0d172a1abfaf437edacc9f18fd0a6e83028b3e -Size (2011-003-patch.txt) = 544 bytes -SHA1 (2011-004-patch-r18.txt) = 7853bcbdf0dba6f0fce15fc3b475f86d692287b2 -RMD160 (2011-004-patch-r18.txt) = 03d06d5c88505688eb4dbcd516144999ecb89a70 -Size (2011-004-patch-r18.txt) = 1136 bytes -SHA1 (krb5-1.8.3-signed.tar) = 69696f63b6c2b0e3238156b19eed68cecd661c6b -RMD160 (krb5-1.8.3-signed.tar) = bdf3a505e4b2447af0c9080b441918d665dcdd9c -Size (krb5-1.8.3-signed.tar) = 11642880 bytes +SHA1 (krb5-1.8.4-signed.tar) = fe1fc21e923ae8dcaa7a26f4f97e0ac49c8e3115 +RMD160 (krb5-1.8.4-signed.tar) = 34d6df8248007bac0321400b2650c2aca774af16 +Size (krb5-1.8.4-signed.tar) = 11642880 bytes SHA1 (patch-aa) = cd8cdc594bc872d641ceaba0aa0d91b5f1caf2ae SHA1 (patch-ad) = 49a9429d163adb872b1c97ade8ed0e13d8eec3cb SHA1 (patch-ae) = c7395b9de5baf6612b8787fad55dbc051a680bfd -- cgit v1.2.3