diff mbox series

krb5: Update to version 1.21.2

Message ID	20230827134311.3422302-1-adolf.belka@ipfire.org
State	Staged
Commit	a1e625a2b9aec45dae20bb27f01790a374680a1a
Headers	From: Adolf Belka <adolf.belka@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] krb5: Update to version 1.21.2 Date: Sun, 27 Aug 2023 15:43:10 +0200 Message-ID: <20230827134311.3422302-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org>
Series	krb5: Update to version 1.21.2 \| krb5: Update to version 1.21.2

Commit Message

Adolf Belka Aug. 27, 2023, 1:43 p.m. UTC

  - Update from version 1.20.1 to 1.21.2
- Update of rootfile
- Changelog
Major changes in 1.21.2 (2023-08-14)
	This is a bug fix release.
		* Fix double-free in KDC TGS processing [CVE-2023-39975].
	Changes by ticket ID
		9101    Fix double-free in KDC TGS processing
Major changes in 1.21.1 (2023-07-10)
	This is a bug fix release.
		* Fix potential uninitialized pointer free in kadm5 XDR parsing
		  [CVE-2023-36054].
	Changes by ticket ID
		9099    Ensure array count consistency in kadm5 RPC
Major changes in 1.21 (2023-06-05)
	User experience:
		* Added a credential cache type providing compatibility with the macOS
		  11 native credential cache.
	Developer experience:
		* libkadm5 will use the provided krb5_context object to read
		  configuration values, instead of creating its own.
		* Added an interface to retrieve the ticket session key from a GSS
		  context.
	Protocol evolution:
		* The KDC will no longer issue tickets with RC4 or triple-DES session
		  keys unless explicitly configured with the new allow_rc4 or
		  allow_des3 variables respectively.
		* The KDC will assume that all services can handle aes256-sha1 session
		  keys unless the service principal has a session_enctypes string
		  attribute.
		* Support for PAC full KDC checksums has been added to mitigate an
		  S4U2Proxy privilege escalation attack.
		* The PKINIT client will advertise a more modern set of supported CMS
		  algorithms.
	Code quality:
		* Removed unused code in libkrb5, libkrb5support, and the PKINIT
		  module.
		* Modernized the KDC code for processing TGS requests, the code for
		  encrypting and decrypting key data, the PAC handling code, and the
		  GSS library packet parsing and composition code.
		* Improved the test framework's detection of memory errors in daemon
		  processes when used with asan.
	Changes by ticket ID
		9052    Support macOS 11 native credential cache
		9053    Make kprop work for dump files larger than 4GB
		9054    Replace macros with typedefs in gssrpc types.h
		9055    Use SHA-256 instead of SHA-1 for PKINIT CMS digest
		9057    Omit LDFLAGS from krb5-config --libs output
		9058    Add configure variable for default PKCS#11 module
		9059    Use context profile for libkadm5 configuration
		9066    Set reasonable supportedCMSTypes in PKINIT
		9069    Update error checking for OpenSSL CMS_verify
		9071    Add and use ts_interval() helper
		9072    Avoid small read overrun in UTF8 normalization
		9076    Use memmove() in Unicode functions
		9077    Fix aclocal.m4 syntax error for autoconf 2.72
		9078    Fix profile crash on memory exhaustion
		9079    Fix preauth crash on memory exhaustion
		9080    Fix gic_keytab crash on memory exhaustion
		9082    Fix policy DB fallback error handling
		9083    Fix kpropd crash with unrecognized option
		9084    Add PAC full checksums
		9085    Fix read overruns in SPNEGO parsing
		9086    Fix possible double-free during KDB creation
		9087    Fix meridian type in getdate.y
		9088    Use control flow guard flag in Windows builds
		9089    Add pac_privsvr_enctype string attribute
		9090    Convey realm names to certauth modules
		9091    Add GSS_C_INQ_ODBC_SESSION_KEY
		9092    Fix maintainer-mode build for binutils 2.37
		9093    Add PA-REDHAT-PASSKEY padata type

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/krb5 | 1 +
 lfs/krb5                     | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff mbox series

Patch

diff --git a/config/rootfiles/common/krb5 b/config/rootfiles/common/krb5
index 2e6e0285e..e1ec06753 100644
--- a/config/rootfiles/common/krb5
+++ b/config/rootfiles/common/krb5
@@ -137,6 +137,7 @@  usr/lib/libverto.so.0.0
 #usr/share/locale/en_US
 #usr/share/locale/en_US/LC_MESSAGES
 #usr/share/locale/en_US/LC_MESSAGES/mit-krb5.mo
+#usr/share/locale/ka/LC_MESSAGES/mit-krb5.mo
 #usr/share/man/cat1
 #usr/share/man/cat5
 #usr/share/man/cat7
diff --git a/lfs/krb5 b/lfs/krb5
index 0b4dae8cc..cf5daa54a 100644
--- a/lfs/krb5
+++ b/lfs/krb5
@@ -1,7 +1,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2023  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -26,7 +26,7 @@  include Config
 
 SUMMARY    = Kerberos
 
-VER        = 1.20.1
+VER        = 1.21.2
 
 THISAPP    = krb5-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -44,7 +44,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = ead16f8b1aec8bba3776628b74257c9aec891770c1fa6d5c5e66275db5f078ca59c9944cd2b017453b777ce080f8e5a322f735fab77691479cfad7b881b92830
+$(DL_FILE)_BLAKE2 = 2afb3ff962a343bc07182fdab0c0ffb221632ff38baab74278cfc721ae72deacc260221470de36e420584f00b780e13221d2e511d4831bca8e1270b7f3d9e824
 
 install : $(TARGET)