krb5 security, bug fix, and enhancement update

[1.13.2-9]

• Add patch and test case for ‘KDC does not return proper
  client principal for client referrals’
• Resolves: #1259846
  [1.13.2-9]
• Ammend patch for RedHat bug #1252454 (‘testsuite complains
  ‘Lifetime has increased by 32436 sec while 0 sec passed!’,
  while rhel5-libkrb5 passes’) to handle the newly introduced
  valgrind hits.
  [1.13.2-8]
• Add a patch to fix RH Bug #1250154 (‘[s390x, ppc64, ppc64le]:
  kadmind does not accept ACL if kadm5.acl does not end with EOL’)
  The code ‘accidently’ works on x86/AMD64 because declaring a
  variable |char| results in an |unsigned char| by default while
  most other platforms (e.g. { s390x, ppc64, ppc64le, …})
  default to |signed char| (still have to use lint(1) to clean
  up 38 more instances of this kind of bug).
  [1.13.2-7]
• Obsolete multilib versions of server packages to fix RH
  bug #1251913 (‘krb5 should obsolete the multilib versions
  of krb5-server and krb5-server-ldap’).
  The following packages are declared obsolete:
  • krb5-server-1.11.3-49.el7.i686
  • krb5-server-1.11.3-49.el7.ppc
  • krb5-server-1.11.3-49.el7.s390
  • krb5-server-ldap-1.11.3-49.el7.i686
  • krb5-server-ldap-1.11.3-49.el7.ppc
  • krb5-server-ldap-1.11.3-49.el7.s390
    [1.13.2-6]
• Add a patch to fix RedHat bug #1252454 (‘testsuite complains
  ‘Lifetime has increased by 32436 sec while 0 sec passed!’,
  while rhel5-libkrb5 passes’) so that krb5 resolves GSS creds
  if |time_rec| is requested.
  [1.13.2-5]
• Add a patch to fix RedHat bug #1251586 (‘KDC sends multiple
  requests to ipa-otpd for the same authentication’) which causes
  the KDC to send multiple retries to ipa-otpd for TCP transports
  while it should only be done for UDP.
  [1.13.2-4]
• the rebase to krb5 1.13.2 in vers 1.13.2-0 also fixed:
  • Redhat Bug #1247761 (‘RFE: Minor krb5 spec file cleanup and sync
    with recent Fedora 22/23 changes’)
  • Redhat Bug #1247751 (‘krb5-config returns wrong -specs path’)
  • Redhat Bug #1247608 (‘Add support for multi-hop preauth mechs
    via |KDC_ERR_MORE_PREAUTH_DATA_REQUIRED| for RFC 6113 (‘A
    Generalized Framework for Kerberos Pre-Authentication’)’)
• Removed ‘krb5-1.10-kprop-mktemp.patch’ and
  ‘krb5-1.3.4-send-pr-tempfile.patch’, both are no longer used since
  the rebase to krb5 1.13.1
  [1.13.2-3]
• Add patch to fix Redhat Bug #1222903 (‘[SELinux] AVC denials may appear
  when kadmind starts’). The issue was caused by an unneeded |htons()|
  which triggered SELinux AVC denials due to the ‘random’ port usage.
  [1.13.2-2]
• Add fix for RedHat Bug #1164304 (‘Upstream unit tests loads
  the installed shared libraries instead the ones from the build’)
  [1.13.2-1]
• the rebase to krb5 1.13.1 in vers 1.13.1-0 also fixed:
  • Bug 1144498 (‘Fix the race condition in the libkrb5 replay cache’)
  • Bug 1163402 (‘kdb5_ldap_util view_policy does not shows ticket flags on s390x and ppc64’)
  • Bug 1185770 (‘Missing upstream test in krb5-1.12.2: src/tests/gssapi/t_invalid.c’)
  • Bug 1204211 (‘CVE-2014-5355 krb5: unauthenticated denial of service in recvauth_common() and other’)
    [1.13.2-0]
• Update to krb5-1.13.2
  • drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2
  • drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2
    [1.13.1-2]
• the rebase to krb5 1.13.1 in vers 1.13.1-0 also fixed RH
  bug #1156144 (‘krb5 upstream test t_kdb.py failure’)
  [1.13.1-1]
• fix for CVE-2015-2694 (#1218020) ‘requires_preauth bypass
  in PKINIT-enabled KDC’.
  In MIT krb5 1.12 and later, when the KDC is configured with
  PKINIT support, an unauthenticated remote attacker can
  bypass the requires_preauth flag on a client principal and
  obtain a ciphertext encrypted in the principal’s long-term
  key. This ciphertext could be used to conduct an off-line
  dictionary attack against the user’s password.
  [1.13.1-0]
• Update to krb5-1.13.1
  • patch krb5-1.12-selinux-label was updated and renamed to krb5-1.13-selinux-label
  • patch krb5-1.11-dirsrv-accountlock was updated and renamed to krb5-1.13-dirsrv-accountlock
  • drop patch for krb5-1.12-pwdch-fast, fixed in krb5-1.13
  • drop patch for krb5-1.12ish-kpasswd_tcp, fixed in krb5-1.13
  • drop patch for krb5-master-rcache-internal-const, no longer needed
  • drop patch for krb5-master-rcache-acquirecred-cleanup, no longer needed
  • drop patch for krb5-master-rcache-acquirecred-source, no longer needed
  • drop patch for krb5-master-rcache-acquirecred-test, no longer needed
  • drop patch for krb5-master-move-otp-sockets, no longer needed
  • drop patch for krb5-master-mechd, no longer needed
  • drop patch for krb5-master-strdupcheck, no longer needed
  • drop patch for krb5-master-compatible-keys, no longer needed
  • drop patch for krb5-1.12-system-exts, fixed in krb5-1.13
  • drop patch for 0001-In-ksu-merge-krb5_ccache_copy-and-_restricted, no longer needed
  • drop patch for 0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals, no longer needed
  • drop patch for 0003-Use-an-intermediate-memory-cache-in-ksu, no longer needed
  • drop patch for 0004-Make-ksu-respect-the-default_ccache_name-setting, no longer needed
  • drop patch for 0005-Copy-config-entries-to-the-ksu-target-ccache, no longer needed
  • drop patch for 0006-Use-more-randomness-for-ksu-secondary-cache-names, no longer needed
  • drop patch for 0007-Make-krb5_cc_new_unique-create-DIR-directories, no longer needed
  • drop patch for krb5-1.12-kpasswd-skip-address-check, fixed in krb5-1.13
  • drop patch for 0000-Refactor-cm-functions-in-sendto_kdc.c, no longer needed
  • drop patch for 0001-Simplify-sendto_kdc.c, no longer needed
  • drop patch for 0002-Add-helper-to-determine-if-a-KDC-is-the-master, no longer needed
  • drop patch for 0003-Use-k5_transport-_strategy-enums-for-k5_sendto, no longer needed
  • drop patch for 0004-Build-support-for-TLS-used-by-HTTPS-proxy-support, no longer needed
  • drop patch for 0005-Add-ASN.1-codec-for-KKDCP-s-KDC-PROXY-MESSAGE, no longer needed
  • drop patch for 0006-Dispatch-style-protocol-switching-for-transport, no longer needed
  • drop patch for 0007-HTTPS-transport-Microsoft-KKDCPP-implementation, no longer needed
  • drop patch for 0008-Load-custom-anchors-when-using-KKDCP, no longer needed
  • drop patch for 0009-Check-names-in-the-server-s-cert-when-using-KKDCP, no longer needed
  • drop patch for 0010-Add-some-longer-form-docs-for-HTTPS, no longer needed
  • drop patch for 0011-Have-k5test.py-provide-runenv-to-python-tests, no longer needed
  • drop patch for 0012-Add-a-simple-KDC-proxy-test-server, no longer needed
  • drop patch for 0013-Add-tests-for-MS-KKDCP-client-support, no longer needed
  • drop patch for krb5-1.12ish-tls-plugins, fixed in krb5-1.13.1
  • drop patch for krb5-1.12-nodelete-plugins, fixed in krb5-1.13.1
  • drop patch for krb5-1.12-ksu-untyped-default-ccache-name, fixed in krb5-1.13.1
  • drop patch for krb5-1.12-ksu-no-ccache, fixed in krb5-1.13.1
  • drop patch for krb5-ksu_not_working_with_default_principal, fixed in krb5-1.13.1
  • drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1
  • drop patch for CVE_2014_5354_support_keyless_principals_in_ldap, fixed in krb5-1.13.1
  • drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1
  • drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1
  • added patch krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
  • added patch krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling
• Minor spec cleanup