- Jan 16, 2025
Sam Hartman authored
Sam Hartman authored
Thanks to Guillem Jover for the patch and for pointing out that setuid for ksu will still work. Closes: #1092384
- Jan 07, 2025
Sam Hartman authored
Sam Hartman authored
- Jul 25, 2024
Benjamin Kaduk authored
fix bug closing syntax
See merge request !11
- Jul 24, 2024
Fabio Pedretti authored
- Jul 05, 2024
Sam Hartman authored
Sam Hartman authored
- Jul 03, 2024
Sam Hartman authored
Sam Hartman authored
Sam Hartman authored
- Jun 27, 2024
Sam Hartman authored
Sam Hartman authored
Sam Hartman authored
Sam Hartman authored
Update to upstream version '1.21.3' with Debian dir ab13beae92739457977e166816524c12088c6008
Sam Hartman authored
- Jun 26, 2024
Greg Hudson authored
Greg Hudson authored
Greg Hudson authored
In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(), verify the Extra Count field of CFX wrap tokens against the encrypted header. Reported by Jacob Champion. In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext length too short to contain the encrypted header and extra count bytes. Reported by Jacob Champion. In kg_unseal_iov_token(), separately track the header IOV length and complete token length when parsing the token's ASN.1 wrapper. This fix contains modified versions of functions from k5-der.h and util_token.c; this duplication will be cleaned up in a future commit. CVE-2024-37370: In MIT krb5 release 1.3 and later, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. CVE-2024-37371: In MIT krb5 release 1.3 and later, an attacker can cause invalid memory reads by sending message tokens with invalid length fields. (cherry picked from commit b0a2f8a5365f2eec3e27d78907de9f9d2c80505a) ticket: 9128 version_fixed: 1.21.3
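To illustrate the two checks this commit message describes, here is an added example in Python. It is my own illustration, not code from krb5 or from this commit: it models only the post-decryption validation of an RFC 4121 sealed wrap token, taking the already-decrypted plaintext as input. The 16-octet header layout (TOK_ID, Flags, Filler, EC, RRC, SND_SEQ) is from RFC 4121; the function names, the zero-valued filler octets and the sample token are my own constructions.

```python
import struct

# RFC 4121 wrap-token header layout (16 octets, all fields big-endian):
#   TOK_ID(2) | Flags(1) | Filler(1, 0xFF) | EC(2) | RRC(2) | SND_SEQ(8)
HEADER_FMT = ">HBBHHQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16
TOK_WRAP = 0x0504                          # Wrap token identifier
FLAG_SEALED = 0x02                         # Flags bit: payload is encrypted


def build_header(flags, ec, rrc, seq):
    """Encode a wrap-token header (helper name is my own)."""
    return struct.pack(HEADER_FMT, TOK_WRAP, flags, 0xFF, ec, rrc, seq)


def parse_header(hdr):
    """Decode a wrap-token header, rejecting anything that is not a wrap token."""
    if len(hdr) != HEADER_LEN:
        raise ValueError("wrap token header must be 16 octets")
    tok_id, flags, filler, ec, rrc, seq = struct.unpack(HEADER_FMT, hdr)
    if tok_id != TOK_WRAP or filler != 0xFF:
        raise ValueError("not an RFC 4121 wrap token")
    return flags, ec, rrc, seq


def make_sealed_plaintext(data, flags, ec, seq):
    """Constructed sample of what the sender encrypts for a sealed token:
    data | EC filler octets | copy of the header with RRC = 0.
    Encryption itself is out of scope for this example; filler value is arbitrary."""
    return data + b"\x00" * ec + build_header(flags, ec, 0, seq)


def unwrap_sealed(outer_header, plaintext):
    """Recover the application data from an already-decrypted sealed token.

    The unauthenticated outer header is only trusted where it agrees with the
    header copy that was protected by the encryption.
    """
    flags, ec, rrc, seq = parse_header(outer_header)
    if not flags & FLAG_SEALED:
        raise ValueError("token is not sealed; use the integrity-only path")
    # Length check: the plaintext must at least hold the header copy and the
    # EC filler octets, otherwise the slicing below would reach outside the data.
    if len(plaintext) < HEADER_LEN + ec:
        raise ValueError("decrypted plaintext too short for header copy and filler")
    copy = plaintext[-HEADER_LEN:]
    c_tok, c_flags, c_filler, c_ec, c_rrc, c_seq = struct.unpack(HEADER_FMT, copy)
    # RRC is deliberately not compared: rotation is applied after encryption,
    # so the protected copy carries RRC = 0 regardless of the outer value.
    if c_tok != TOK_WRAP or c_flags != flags or c_filler != 0xFF or c_seq != seq:
        raise ValueError("encrypted header copy does not match outer header")
    # Extra Count must match the protected copy; without this comparison a
    # modified outer EC silently shortens the data returned to the caller.
    if c_ec != ec:
        raise ValueError("Extra Count in outer header differs from protected copy")
    return plaintext[: len(plaintext) - HEADER_LEN - ec]


def is_rejected(outer_header, plaintext):
    """True if unwrap_sealed refuses the token."""
    try:
        unwrap_sealed(outer_header, plaintext)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: 11 bytes of data, EC = 3 filler octets, sequence 42.
    pt = make_sealed_plaintext(b"hello world", FLAG_SEALED, 3, 42)
    good = build_header(FLAG_SEALED, 3, 0, 42)
    print(unwrap_sealed(good, pt))                   # b'hello world'
    altered = build_header(FLAG_SEALED, 8, 0, 42)    # outer EC changed in transit
    print(is_rejected(altered, pt))                  # True
    print(is_rejected(good, pt[:10]))                # True: shorter than header + EC
```

With the EC comparison omitted, the altered header in the sample would make the function return only the first 6 bytes of the 11-byte message, which is the truncation the commit message describes; the length check is what keeps the final slice and the header-copy read inside the decrypted buffer.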
- Jun 24, 2024
Greg Hudson authored
If the KDC tries to encode a principal containing invalid UTF-8 sequences for inclusion in a PAC delegation info buffer, it will leak a small amount of memory in enc_wchar_pointer() before failing. Fix the leak.
(cherry picked from commit 7d0d85bf99caf60c0afd4dcf91b0c4c683b983fe)
ticket: 9115
version_fixed: 1.21.3
Anthony Sottile authored
In get_primary_name(), use the proper function to free conn.
[ghudson@mit.edu: wrote commit message]
(cherry picked from commit 52fe67623b7205d91ceac855651e8c17f56b10c8)
ticket: 9109
version_fixed: 1.21.3
Greg Hudson authored
The PKCS7 ContentInfo content field and EncryptedContentInfo encryptedContent field are optional. Check for null values in cms_envelopeddata_verify() before calling pkcs7_decrypt(). Reported by Bahaa Naamneh.
(cherry picked from commit 48ccd81656381522d1f9ccb8705c13f0266a46ab)
ticket: 9107
version_fixed: 1.21.3
Greg Hudson authored
Doxygen 1.9.7 avoids duplicating member definitions in the XML documents for groups and header files (doxygen/doxygen#9797). This change breaks the current Doxygen-REST bridge, which expects to find memberdef elements in krb5_8hin.xml. To work around this problem, remove the @group and @ref declarations in krb5.hin; they were not translated into REST as it was. Also remove a deprecated setting in Doxyfile.
(cherry picked from commit 6ed1f8e27eb624710c4aa152d8dee4cf2e528082)
ticket: 9104
version_fixed: 1.21.3
Ilya Gladyshev authored
krb5_cccol_have_content() calls krb5_cc_get_principal() within a loop, and frees the resulting principal on success or failure. Set princ to null before each call to ensure we don't free a dangling pointer.
[ghudson@mit.edu: rewrote commit message; moved assignment for greater clarity]
(cherry picked from commit 635c8cca65b745476d07c1f5ff701445db25c10d)
ticket: 9103
version_fixed: 1.21.3
Michael Osipov authored
Commit 9139a60c added an unconditional include of getopt.h, which is non-portable (it isn't present on HP-UX) and unnecessary for getopt(). The same commit also disabled the include of unistd.h (which is necessary for getopt()), as sim_client no longer indirectly includes autoconf. Make the unistd.h include unconditional and remove the getopt.h include.
[ghudson@mit.edu: edited commit message]
(cherry picked from commit a6abaaf54925a4b63aff8c81da1a0af3a7c03466)
ticket: 9102
version_fixed: 1.21.3
Greg Hudson authored
- Jun 17, 2024
Sam Hartman authored
- Jun 14, 2024
Sam Hartman authored
* Allow kpropd to bind even if only loopback is configured, Closes: #1072952
* Skip keyring tests if the keyring is blocked by seccomp
- Jun 13, 2024
Sam Hartman authored
Sam Hartman authored
Sam Hartman authored
Update to upstream version '1.21.2' with Debian dir a6cafbaf18c3322f856027b98ee019b4b6775b18
Sam Hartman authored
Sam Hartman authored
- Jun 06, 2024
Sam Hartman authored
Sam Hartman authored
Enable Salsa-CI in source package krb5
See merge request !9
- May 28, 2024
Otto Kekäläinen authored
This will help ensure that easily machine-detectable regressions don't slip into the code base. This also makes any future contribution process faster and more reliable, as any contributor submitting a Merge Request will get immediate feedback, and the maintainers save time by not having to point out basic mistakes. The package krb5 build passes on all but three jobs out of the box. The crossbuild-arm64 job is allowed to fail by default in Salsa-CI. Additionally, allow reprotest to fail initially until it is fixed for this package. The blhc check has two specific false-positive overrides to pass.
- May 19, 2024
Otto Kekäläinen authored
Add overrides to the remaining Lintian errors after validating that it makes sense to do so. After this, Lintian will not yield errors (only warnings), and thus the Salsa-CI Lintian job can also be enabled and enforced.
Otto Kekäläinen authored
The package is now empty and no longer used. This fixes the Lintian errors:
E: krb5-admin-server: depends-on-obsolete-package Depends: lsb-base (>= 3.0-6)
E: krb5-kdc: depends-on-obsolete-package Depends: lsb-base (>= 3.0-6)
E: krb5-kpropd: depends-on-obsolete-package Depends: lsb-base
The functionality of lsb-base has been in the Essential:yes set since Bullseye. The package itself is now an empty transitional package (because debootstrap doesn't understand the Provides relationship) which depends on the new provider of the functionality, sysvinit-utils, which is also in the Essential:yes set. More information in https://lists.debian.org/debian-devel/2023/01/msg00150.html and https://tracker.debian.org/media/packages/l/lsb/changelog-11.5
Otto Kekäläinen authored
Skip running full wrap-and-sort with '-a' in debian/control, as the maintainer indicated in !5 (comment 246097) a preference to have the file unchanged despite inconsistent syntax. The maintainer did however later apply wrap-and-sort in f21251ec and 15ffa3e6, so finalize that following the same convention with this change.