Oracle Linux ELSA-2015-0439
Mar 11, 2015 - 12:00 a.m.

krb5 security, bug fix and enhancement update

2015-03-11 00:00:00
linux.oracle.com

EPSS: 0.936 (High), percentile 99.1%

[1.12.2-14]

  • fix for kinit -C loops (#1184629, MIT/krb5 issue 243, ‘Do not
    loop on principal unknown errors’).

[1.12.2-13]

  • fix for CVE-2014-5352 (#1179856) ‘gss_process_context_token()
    incorrectly frees context (MITKRB5-SA-2015-001)’
  • fix for CVE-2014-9421 (#1179857) ‘kadmind doubly frees partial
    deserialization results (MITKRB5-SA-2015-001)’
  • fix for CVE-2014-9422 (#1179861) ‘kadmind incorrectly
    validates server principal name (MITKRB5-SA-2015-001)’
  • fix for CVE-2014-9423 (#1179863) ‘libgssrpc server applications
    leak uninitialized bytes (MITKRB5-SA-2015-001)’

[1.12.2-12]

  • fix for CVE-2014-5354 (#1174546) ‘krb5: NULL pointer
    dereference when using keyless entries’

[1.12.2-11]

  • fix for CVE-2014-5353 (#1174543) ‘Fix LDAP misused policy
    name crash’

[1.12.2-10]

  • In ksu, without the -e flag, also check .k5users (#1105489)
    When ksu was explicitly told to spawn a shell, a line in .k5users which
    listed ‘*’ as the allowed command would cause the principal named on the
    line to be considered as a candidate for authentication.
    When ksu was not passed a command to run, which implicitly meant that
    the invoking user wanted to run the target user’s login shell, knowledge
    that the principal was a valid candidate was ignored, which could cause
    a less optimal choice of the default target principal.
    This doesn’t impact the authorization checks which we perform later.
    Patch by Nalin Dahyabhai

[1.12.2-9]

  • Undo libkadmclnt SONAME change (from 8 to 9) which originally
    happened in the krb5 1.12 rebase (#1166012) but broke
    rubygem-rkerberos (sort of ruby language bindings for
    libkadmclnt&co.) dependencies, as a side effect of
    rubygem-rkerberos using private interfaces in libkadmclnt.

[1.12.2-8]

  • fix the problem where the %license file has been a dangling symlink
  • ksu: pull in fix from pull #206 to avoid breakage when the
    default_ccache_name doesn’t include a cache type as a prefix
  • ksu: pull in a proposed fix for pull #207 to avoid breakage when the
    invoking user doesn’t already have a ccache

[1.12.2-7]

  • pull in patch from master to load plugins with RTLD_NODELETE, when
    defined (RT#7947)

[1.12.2-6]

  • backport patch to make the client skip checking the server’s reply
    address when processing responses to password-change requests, which
    between NAT and upcoming HTTPS support, can cause us to erroneously
    report an error to the user when the server actually reported success
    (RT#7886)
  • backport support for accessing KDCs and kpasswd services via HTTPS
    proxies (marked by being specified as https URIs instead of as hostnames
    or hostname-and-port), such as the one implemented in python-kdcproxy
    (RT#7929, #109919), and pick up a subsequent patch to build HTTPS
    as a plugin

[1.12.2-5]

  • backport fix for trying all compatible keys when not being strict about
    acceptor names while reading AP-REQs (RT#7883, #1078888)
  • define _GNU_SOURCE in files where we use EAI_NODATA, to make sure that
    it’s declared (#1059730,#1084068,#1109102)

[1.12.2-4]

  • kpropd hasn’t bothered with -S since 1.11; stop trying to use that flag
    in the systemd unit file

[1.12.2-3]

  • pull in upstream fix for an incorrect check on the value returned by a
    strdup() call (#1132062)

[1.12.1-15]

  • Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

[1.12.2-2]

  • Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

[1.12.2-1]

  • update to 1.12.2
    • drop patch for RT#7820, fixed in 1.12.2
    • drop patch for #231147, fixed as RT#3277 in 1.12.2
    • drop patch for RT#7818, fixed in 1.12.2
    • drop patch for RT#7836, fixed in 1.12.2
    • drop patch for RT#7858, fixed in 1.12.2
    • drop patch for RT#7924, fixed in 1.12.2
    • drop patch for RT#7926, fixed in 1.12.2
    • drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2
    • drop patch for CVE-2014-4343, included in 1.12.2
    • drop patch for CVE-2014-4344, included in 1.12.2
    • drop patch for CVE-2014-4345, included in 1.12.2
  • replace older proposed changes for ksu with backports of the changes
    after review and merging upstream (#1015559, #1026099, #1118347)

[1.12.1-14]

  • incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345)

[1.12.1-13]

  • gssapi: pull in upstream fix for a possible NULL dereference
    in spnego (CVE-2014-4344)

[1.12.1-12]

  • gssapi: pull in proposed fix for a double free in initiators (David
    Woodhouse, CVE-2014-4343, #1117963)

[1.12.1-11]

  • fix license handling

[1.12.1-10]

  • pull in fix for denial of service by injection of malformed GSSAPI tokens
    (CVE-2014-4341, CVE-2014-4342, #1116181)

[1.12.1-9]

  • pull in changes from upstream which add processing of the contents of
    /etc/gss/mech.d/*.conf when loading GSS modules (#1102839)

[1.12.1-8]

  • pull in fix for building against tcl 8.6 (#1107061)

[1.12.1-7]

  • Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

[1.12.1-6]

  • Backport fix for change password requests when using FAST (RT#7868)

[1.12.1-5]

  • spnego: pull in patch from master to restore preserving the OID of the
    mechanism the initiator requested when we have multiple OIDs for the same
    mechanism, so that we reply using the same mechanism OID and the initiator
    doesn’t get confused (#1066000, RT#7858)

[1.12.1-4]

  • pull in patch from master to move the default directory which the KDC uses
    when computing the socket path for a local OTP daemon from the database
    directory (/var/kerberos/krb5kdc) to the newly-added run directory
    (/run/krb5kdc), in line with what we’re expecting in 1.13 (RT#7859, more
    of #1040056 as #1063905)
  • add a tmpfiles.d configuration file to have /run/krb5kdc created at
    boot-time
  • own /var/run/krb5kdc

[1.12.1-3]

  • refresh nss_wrapper and add socket_wrapper to the %check environment

Fri Jan 31 2014 Nalin Dahyabhai

  • add currently-proposed changes to teach ksu about credential cache
    collections and the default_ccache_name setting (#1015559,#1026099)

[1.12.1-2]

  • pull in multiple changes to allow replay caches to be added to a GSS
    credential store as ‘rcache’-type credentials (RT#7818/#7819/#7836,

[1.12.1-1]

  • update to 1.12.1
    • drop patch for RT#7794, included now
    • drop patch for RT#7797, included now
    • drop patch for RT#7803, included now
    • drop patch for RT#7805, included now
    • drop patch for RT#7807, included now
    • drop patch for RT#7045, included now
    • drop patches for RT#7813 and RT#7815, included now
    • add patch to always retrieve the KDC time offsets from keyring caches,
      so that we don’t mistakenly interpret creds as expired before their
      time when our clock is ahead of the KDC’s (RT#7820, #1030607)

[1.12-11]

  • update the PIC patch for iaesx86.s to not use ELF relocations to the version
    that landed upstream (RT#7815, #1045699)

Thu Jan 09 2014 Nalin Dahyabhai

  • pass -Wl,--warn-shared-textrel to the compiler when we’re creating shared
    libraries

[1.12-10]

  • amend the PIC patch for iaesx86.s to also save/restore ebx in the
    functions where we modify it, because the ELF spec says we need to

[1.12-9]

  • grab a more-commented version of the most recent patch from upstream
    master
  • make a guess at making the 32-bit AES-NI implementation sufficiently
    position-independent to not require execmod permissions for libk5crypto
    (more of #1045699)

[1.12-8]

  • add patch from Dhiru Kholia for the AES-NI implementations to allow
    libk5crypto to be properly marked as not needing an executable stack
    on arches where they’re used (#1045699, and so many others)

[1.12-7]

  • revert that last change for a bit while sorting out execstack when we
    use AES-NI (#1045699)

[1.12-6]

  • add yasm as a build requirement for AES-NI support, on arches that have
    yasm and AES-NI

[1.12-5]

  • pull in fix from master to make reporting of errors encountered by
    the SPNEGO mechanism work better (RT#7045, part of #1043962)

Thu Dec 19 2013 Nalin Dahyabhai

  • update a test wrapper to properly handle things that the new libkrad does,
    and add python-pyrad as a build requirement so that we can run its tests

[1.12-4]

  • revise previous patch to initialize one more element

[1.12-3]

  • backport fixes to krb5_copy_context (RT#7807, #1044735/#1044739)

[1.12-2]

  • pull in fix from master to return a NULL pointer rather than allocating
    zero bytes of memory if we read a zero-length input token (RT#7794, part of
  • pull in fix from master to ignore an empty token from an acceptor if
    we’ve already finished authenticating (RT#7797, part of #1043962)
  • pull in fix from master to avoid a memory leak when a mechanism’s
    init_sec_context function fails (RT#7803, part of #1043962)
  • pull in fix from master to avoid a memory leak in a couple of error
    cases which could occur while obtaining acceptor credentials (RT#7805, part
    of #1043962)

[1.12-1]

  • update to 1.12 final

[1.12-beta2.0]

  • update to beta2
    • drop obsolete backports for storing KDC time offsets and expiration times
      in keyring credential caches

[1.12-beta1.0]

  • rebase to master
  • update to beta1
    • drop obsolete backport of fix for RT#7706

[1.11.4-2]

  • pull in fix to store KDC time offsets in keyring credential caches (RT#7768,
  • pull in fix to set expiration times on credentials stored in keyring
    credential caches (RT#7769, #1031724)

[1.11.4-1]

  • update to 1.11.4
    • drop patch for RT#7650, obsoleted
    • drop patch for RT#7706, obsoleted as RT#7723
    • drop patch for CVE-2013-1418/CVE-2013-6800, included in 1.11.4