- Mar 13, 2025
-
- Feb 23, 2025
-
-
Bastien Roucariès authored
-
Bastien Roucariès authored
Upstream fixed it but forgot to mention it in the changelog
-
- Jan 16, 2025
-
-
Sam Hartman authored
Thanks Guillem Jover for patch and for pointing out that setuid for ksu will still work, Closes: #1092384
- Jan 07, 2025
-
-
Sam Hartman authored
-
Sam Hartman authored
-
- Jul 25, 2024
-
-
Benjamin Kaduk authored
fix bug closing syntax
See merge request !11
-
- Jul 24, 2024
-
-
Fabio Pedretti authored
-
- Jul 05, 2024
-
-
Sam Hartman authored
- Jul 03, 2024
-
-
Sam Hartman authored
-
Sam Hartman authored
- Jun 27, 2024
-
-
Sam Hartman authored
-
Sam Hartman authored
-
Sam Hartman authored
Update to upstream version '1.21.3' with Debian dir ab13beae92739457977e166816524c12088c6008
- Jun 26, 2024
-
-
Greg Hudson authored
-
Greg Hudson authored
-
Greg Hudson authored
In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(), verify the Extra Count field of CFX wrap tokens against the encrypted header. Reported by Jacob Champion.

In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext length too short to contain the encrypted header and extra count bytes. Reported by Jacob Champion.

In kg_unseal_iov_token(), separately track the header IOV length and complete token length when parsing the token's ASN.1 wrapper. This fix contains modified versions of functions from k5-der.h and util_token.c; this duplication will be cleaned up in a future commit.

CVE-2024-37370: In MIT krb5 release 1.3 and later, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

CVE-2024-37371: In MIT krb5 release 1.3 and later, an attacker can cause invalid memory reads by sending message tokens with invalid length fields.

(cherry picked from commit b0a2f8a5365f2eec3e27d78907de9f9d2c80505a) ticket: 9128 version_fixed: 1.21.3
-
- Jun 24, 2024
-
-
Greg Hudson authored
If the KDC tries to encode a principal containing invalid UTF-8 sequences for inclusion in a PAC delegation info buffer, it will leak a small amount of memory in enc_wchar_pointer() before failing. Fix the leak. (cherry picked from commit 7d0d85bf99caf60c0afd4dcf91b0c4c683b983fe) ticket: 9115 version_fixed: 1.21.3
-
Anthony Sottile authored
In get_primary_name(), use the proper function to free conn. [ghudson@mit.edu: wrote commit message] (cherry picked from commit 52fe67623b7205d91ceac855651e8c17f56b10c8) ticket: 9109 version_fixed: 1.21.3
-
Greg Hudson authored
The PKCS7 ContentInfo content field and EncryptedContentInfo encryptedContent field are optional. Check for null values in cms_envelopeddata_verify() before calling pkcs7_decrypt(). Reported by Bahaa Naamneh. (cherry picked from commit 48ccd81656381522d1f9ccb8705c13f0266a46ab) ticket: 9107 version_fixed: 1.21.3
-
Greg Hudson authored
Doxygen 1.9.7 avoids duplicating member definitions in the XML documents for groups and header files (doxygen/doxygen#9797). This change breaks the current Doxygen-REST bridge, which expects to find memberdef elements in krb5_8hin.xml. To work around this problem, remove the @group and @ref declarations in krb5.hin; they were not translated into REST as it was. Also remove a deprecated setting in Doxyfile. (cherry picked from commit 6ed1f8e27eb624710c4aa152d8dee4cf2e528082) ticket: 9104 version_fixed: 1.21.3
-
Ilya Gladyshev authored
krb5_cccol_have_content() calls krb5_cc_get_principal() within a loop, and frees the resulting principal on success or failure. Set princ to null before each call to ensure we don't free a dangling pointer. [ghudson@mit.edu: rewrote commit message; moved assignment for greater clarity] (cherry picked from commit 635c8cca65b745476d07c1f5ff701445db25c10d) ticket: 9103 version_fixed: 1.21.3
-
Michael Osipov authored
Commit 9139a60c added an unconditional include of getopt.h, which is non-portable (it isn't present on HP-UX) and unnecessary for getopt(). The same commit also disabled the include of unistd.h (which is necessary for getopt()), as sim_client no longer indirectly includes autoconf. Make the unistd.h include unconditional and remove the getopt.h include. [ghudson@mit.edu: edited commit message] (cherry picked from commit a6abaaf54925a4b63aff8c81da1a0af3a7c03466) ticket: 9102 version_fixed: 1.21.3
-
Greg Hudson authored
- Jun 17, 2024
-
- Jun 14, 2024
-
-
Sam Hartman authored
* Allow kpropd to bind even if only loopback is configured, Closes: #1072952
* Skip keyring tests if keyring blocked by seccomp
-
- Jun 13, 2024
-
-
Sam Hartman authored
-
Sam Hartman authored
-
Sam Hartman authored
Update to upstream version '1.21.2' with Debian dir a6cafbaf18c3322f856027b98ee019b4b6775b18
-
Sam Hartman authored
-
- Jun 06, 2024
-
-
Sam Hartman authored
-
Sam Hartman authored
Enable Salsa-CI in source package krb5
See merge request !9
-
- May 28, 2024
-
-
Otto Kekäläinen authored
This will help ensure easily machine-detectable regressions don't slip into the code base. This also makes any future contribution process faster and more reliable, as any contributor submitting a Merge Request will get immediate feedback, and the maintainers save time by not having to point out basic mistakes.

Package krb5 build passes on all but three jobs out-of-the-box. The crossbuild-arm64 is allowed to fail by default in Salsa-CI. Additionally allow reprotest to fail initially until they are fixed for this package. The blhc check has two specific false positive overrides to pass.
-