Skip to content
Snippets Groups Projects
  1. Jan 16, 2025
  2. Jan 07, 2025
  3. Jul 25, 2024
  4. Jul 24, 2024
  5. Jul 05, 2024
  6. Jul 03, 2024
  7. Jun 27, 2024
  8. Jun 26, 2024
    • Greg Hudson's avatar
      Update for krb5-1.21.3 · 8f56f544
      Greg Hudson authored
      8f56f544
    • Greg Hudson's avatar
      make regen · 36a2aa9c
      Greg Hudson authored
      36a2aa9c
    • Greg Hudson's avatar
      Fix vulnerabilities in GSS message token handling · 55fbf435
      Greg Hudson authored
      In gss_krb5int_unseal_token_v3() and gss_krb5int_unseal_v3_iov(),
      verify the Extra Count field of CFX wrap tokens against the encrypted
      header.  Reported by Jacob Champion.
      
      In gss_krb5int_unseal_token_v3(), check for a decrypted plaintext
      length too short to contain the encrypted header and extra count
      bytes.  Reported by Jacob Champion.
      
      In kg_unseal_iov_token(), separately track the header IOV length and
      complete token length when parsing the token's ASN.1 wrapper.  This
      fix contains modified versions of functions from k5-der.h and
      util_token.c; this duplication will be cleaned up in a future commit.
      
      CVE-2024-37370:
      
      In MIT krb5 release 1.3 and later, an attacker can modify the
      plaintext Extra Count field of a confidential GSS krb5 wrap token,
      causing the unwrapped token to appear truncated to the application.
      
      CVE-2024-37371:
      
      In MIT krb5 release 1.3 and later, an attacker can cause invalid
      memory reads by sending message tokens with invalid length fields.
      
      (cherry picked from commit b0a2f8a5365f2eec3e27d78907de9f9d2c80505a)
      
      ticket: 9128
      version_fixed: 1.21.3
      55fbf435
  9. Jun 24, 2024
    • Jon Moore's avatar
      Fix formatting error in realm_config.rst · ddf1efd8
      Jon Moore authored
      Commit 10eb9380 introduced a
      formatting error in the SRV record descriptions.  Fix it now.
      
      [ghudson@mit.edu: wrote commit message]
      
      (cherry picked from commit c5772bc916f8818070f9d78a2999bd5dfa0a68d5)
      
      ticket: 9125
      version_fixed: 1.21.3
      ddf1efd8
    • Greg Hudson's avatar
      Fix leak in KDC NDR encoding · 0c2de238
      Greg Hudson authored
      If the KDC tries to encode a principal containing encode invalid UTF-8
      sequences for inclusion in a PAC delegation info buffer, it will leak
      a small amount of memory in enc_wchar_pointer() before failing.  Fix
      the leak.
      
      (cherry picked from commit 7d0d85bf99caf60c0afd4dcf91b0c4c683b983fe)
      
      ticket: 9115
      version_fixed: 1.21.3
      0c2de238
    • Anthony Sottile's avatar
      Fix memory leak in macOS 11 ccache client · c9a83ad0
      Anthony Sottile authored
      In get_primary_name(), use the proper function to free conn.
      
      [ghudson@mit.edu: wrote commit message]
      
      (cherry picked from commit 52fe67623b7205d91ceac855651e8c17f56b10c8)
      
      ticket: 9109
      version_fixed: 1.21.3
      c9a83ad0
    • Greg Hudson's avatar
      In PKINIT, check for null PKCS7 enveloped fields · 5cbfb636
      Greg Hudson authored
      The PKCS7 ContentInfo content field and EncryptedContentInfo
      encryptedContent field are optional.  Check for null values in
      cms_envelopeddata_verify() before calling pkcs7_decrypt().  Reported
      by Bahaa Naamneh.
      
      (cherry picked from commit 48ccd81656381522d1f9ccb8705c13f0266a46ab)
      
      ticket: 9107
      version_fixed: 1.21.3
      5cbfb636
    • Greg Hudson's avatar
      Work around Doxygen 1.9.7 change · 59941e53
      Greg Hudson authored
      Doxygen 1.9.7 avoids duplicating member definitions in the XML
      documents for groups and header files (doxygen/doxygen#9797).  This
      change breaks the current Doxygen-REST bridge, which expects to find
      memberdef elements in krb5_8hin.xml.  To work around this problem,
      remove the @group and @ref declarations in krb5.hin; they were not
      translated into REST as it was.
      
      Also remove a deprecated setting in Doxyfile.
      
      (cherry picked from commit 6ed1f8e27eb624710c4aa152d8dee4cf2e528082)
      
      ticket: 9104
      version_fixed: 1.21.3
      59941e53
    • Ilya Gladyshev's avatar
      Fix krb5_cccol_have_content() bad pointer free · bdfb45dd
      Ilya Gladyshev authored
      krb5_cccol_have_content() calls krb5_cc_get_principal() within a loop,
      and frees the resulting principal on success or failure.  Set princ to
      null before each call to ensure we don't free a dangling pointer.
      
      [ghudson@mit.edu: rewrote commit message; moved assignment for greater
      clarity]
      
      (cherry picked from commit 635c8cca65b745476d07c1f5ff701445db25c10d)
      
      ticket: 9103
      version_fixed: 1.21.3
      bdfb45dd
    • Michael Osipov's avatar
      Eliminate sim_client include of getopt.h · 8780d883
      Michael Osipov authored
      Commit 9139a60c added an unconditional
      include of getopt.h, which is non-portable (it isn't present on HP-UX)
      and unecessary for getopt().  The same commit also disabled the
      include of unistd.h (which is necessary for getopt()), as sim_client
      no longer indirectly includes autoconf.  Make the unistd.h include
      unconditional and remove the getopt.h include.
      
      [ghudson@mit.edu: edited commit message]
      
      (cherry picked from commit a6abaaf54925a4b63aff8c81da1a0af3a7c03466)
      
      ticket: 9102
      version_fixed: 1.21.3
      8780d883
    • Greg Hudson's avatar
      Update copyright years to 2024 · fec2c44e
      Greg Hudson authored
      fec2c44e
  10. Jun 17, 2024
  11. Jun 14, 2024
    • Sam Hartman's avatar
      New patches: · b104eb94
      Sam Hartman authored
      * Allow kpropd to bind even if only loopback is configured, Closes: #1072952
        * Skip keyring tests if keyring blocked by seccomp
      b104eb94
  12. Jun 13, 2024
  13. Jun 06, 2024
  14. May 28, 2024
    • Otto Kekäläinen's avatar
      Enable Salsa-CI · 4ab53658
      Otto Kekäläinen authored
      This will help ensure easily machine detectable regressions don't slip
      into the code base.
      
      This also makes any future contribution process faster and more
      reliable, as any contributor submitting a Merge Request will get
      immediate feedback, and the maintainers save time by not having to point
      out basic mistakes.
      
      Package krb5 build passes on all but three jobs out-of-the-box. The
      crossbuild-arm64 is allowed to fail by default in Salsa-CI. Additionally
      allow reprotest fail initially until they are fixed for this package.
      The blhc check has two specific false positive overrides to pass.
      4ab53658
  15. May 19, 2024
    • Otto Kekäläinen's avatar
      Make package Lintian clean · 9625ea40
      Otto Kekäläinen authored
      Add overrides to remaining Lintian errors after validating it make sense
      to do so. After this Lintian will not yield Lintian errors (only warnings)
      and thus also Salsa-CI Lintian job can be enabled and enforced.
      9625ea40
    • Otto Kekäläinen's avatar
      Drop obsolete dependency on package lsb-base · 9aeb9d9b
      Otto Kekäläinen authored
      The package is now empty and no longer used. This fixes Lintian errors:
      
          E: krb5-admin-server: depends-on-obsolete-package Depends: lsb-base (>= 3.0-6)
          E: krb5-kdc: depends-on-obsolete-package Depends: lsb-base (>= 3.0-6)
          E: krb5-kpropd: depends-on-obsolete-package Depends: lsb-base
      
      The functionality of lsb-base is in the Essential:yes set since
      Bullseye. The package itself is now an empty transitional package
      (because debootstrap doesn't understand the Provides relationship) which
      depends on the new provider of the functionality, sysvinit-utils, which
      is also in the Essential:yes set.
      
      More information in
      https://lists.debian.org/debian-devel/2023/01/msg00150.html
      and https://tracker.debian.org/media/packages/l/lsb/changelog-11.5
      9aeb9d9b
    • Otto Kekäläinen's avatar
      Run 'wrap-and-sort' · 948c5d73
      Otto Kekäläinen authored
      Skip running full wrap-and-sort with '-a' in in debian/control as
      maintainer indicated in
      !5 (comment 246097)
      preference to have file unchanged despite inconsistent syntax.
      
      Maintainer did however later apply wrap-and-sort in f21251ec and 15ffa3e6,
      so finalize that following the same convetion with this change.
      948c5d73
Loading