-
Wed Aug 26 2015 Roland Mainz <rmainz@redhat.com> - 1.12.2-15
- Add a patch to fix RedHat bug #1256870 ("KDC sends multiple
requests to ipa-otpd for the same authentication") which causes
the KDC to send multiple retries to ipa-otpd for TCP transports
while it should only be done for UDP.
-
Mon Jan 26 2015 Roland Mainz <rmainz@redhat.com> - 1.12.2-14
- fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not
loop on principal unknown errors").
-
Mon Jan 12 2015 Roland Mainz <rmainz@redhat.com> - 1.12.2-13
- fix for CVE-2014-5352 (#1179856) "gss_process_context_token()
incorrectly frees context (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9421 (#1179857) "kadmind doubly frees partial
deserialization results (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9422 (#1179861) "kadmind incorrectly
validates server principal name (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9423 (#1179863) "libgssrpc server applications
leak uninitialized bytes (MITKRB5-SA-2015-001)"
-
Mon Dec 22 2014 Roland Mainz <rmainz@redhat.com> - 1.12.2-12
- fix for CVE-2014-5354 (#1174546) "krb5: NULL pointer
dereference when using keyless entries"
-
Mon Dec 22 2014 Roland Mainz <rmainz@redhat.com> - 1.12.2-11
- fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy
name crash"
-
Sun Dec 07 2014 Roland Mainz <rmainz@redhat.com> - 1.12.2-10
- In ksu, without the -e flag, also check .k5users (#1105489)
When ksu was explicitly told to spawn a shell, a line in .k5users which
listed "*" as the allowed command would cause the principal named on the
line to be considered as a candidate for authentication.
When ksu was not passed a command to run, which implicitly meant that
the invoking user wanted to run the target user's login shell, knowledge
that the principal was a valid candidate was ignored, which could cause
a less optimal choice of the default target principal.
This doesn't impact the authorization checks which we perform later.
Patch by Nalin Dahyabhai <nalin@redhat.com>
-
Wed Dec 03 2014 Roland Mainz <rmainz@redhat.com> - 1.12.2-9
- Undo libkadmclnt SONAME change (from 8 to 9) which originally
happened in the krb5 1.12 rebase (#1166012) but broke
rubygem-rkerberos (sort of ruby language bindings for
libkadmclnt&co.) dependicies, as side effect of
rubygem-rkerberos using private interfaces in libkadmclnt.
-
Mon Sep 08 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.2-8
- fix the problem where the %license file has been a dangling symlink
- ksu: pull in fix from pull #206 to avoid breakage when the
default_ccache_name doesn't include a cache type as a prefix
- ksu: pull in a proposed fix for pull #207 to avoid breakage when the
invoking user doesn't already have a ccache
-
Sat Sep 06 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.2-7
- pull in patch from master to load plugins with RTLD_NODELETE, when
defined (RT#7947)
-
Fri Sep 05 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.2-6
- backport patch to make the client skip checking the server's reply
address when processing responses to password-change requests, which
between NAT and upcoming HTTPS support, can cause us to erroneously
report an error to the user when the server actually reported success
(RT#7886)
- backport support for accessing KDCs and kpasswd services via HTTPS
proxies (marked by being specified as https URIs instead as hostnames
or hostname-and-port), such as the one implemented in python-kdcproxy
(RT#7929, #109919), and pick up a subsequent patch to build HTTPS
as a plugin