From patchwork Sun Aug 27 13:43:10 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7122 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4RYZdj5Qfxz3wtG for ; Sun, 27 Aug 2023 13:43:21 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4RYZdg1815z1Cd; Sun, 27 Aug 2023 13:43:19 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4RYZdg0BCGz2yWP; Sun, 27 Aug 2023 13:43:19 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4RYZdd2wMWz2xbt for ; Sun, 27 Aug 2023 13:43:17 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4RYZdc3QxhzZ6; Sun, 27 Aug 2023 13:43:16 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1693143796; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=JSpdQMOhNje8Z7+wPGOSgXj/Gro49V+i4C4AiXMjFMQ=; b=tVFfOgrxgRcuPbu4HUTmS10QNVy4qH0d2FA3SgQOkUNoPp7A5eBI4aTDSdtbdjoKUbpNfI mGxg34V0pXBOLoAA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1693143796; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=JSpdQMOhNje8Z7+wPGOSgXj/Gro49V+i4C4AiXMjFMQ=; b=Dj+r5gyBnJjxtRSzFMkQEejm89SqdGhJAA3hQ+PshIAFwXi1lQH5R6xE0ruRFIenMbHmwx c0KJ3Q1i2U4GCcD9d6MARj98oFKzJYlXngMd+J+ITJa2lpG+01vHcKleDenpYqOyf5aRAD lQ7hKIVqYht9JHAWYHAhFI8/LbuVwZBwPyzI0PGY3ZuNvNR2CQ7VbLGIKfRGG9D/zciqO7 9fp/zI6p+fWiAP8+Az2ZZuZzg3WFvB8CxWSBXHoIvbyFw5sDCYqF3j6HqFtusk6aCQyR3p WuxWAKn7rCu3lWQ5mpa7t4FOf074D+W2xLvU1M2iXNjozLdHdsyWSBEBCtYfRA== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] krb5: Update to version 1.21.2 Date: Sun, 27 Aug 2023 15:43:10 +0200 Message-ID: <20230827134311.3422302-1-adolf.belka@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - Update from version 1.20.1 to 1.21.2 - Update of rootfile - Changelog Major changes in 1.21.2 (2023-08-14) This is a bug fix release. * Fix double-free in KDC TGS processing [CVE-2023-39975]. Changes by ticket ID 9101 Fix double-free in KDC TGS processing Major changes in 1.21.1 (2023-07-10) This is a bug fix release. * Fix potential uninitialized pointer free in kadm5 XDR parsing [CVE-2023-36054]. Changes by ticket ID 9099 Ensure array count consistency in kadm5 RPC Major changes in 1.21 (2023-06-05) User experience: * Added a credential cache type providing compatibility with the macOS 11 native credential cache. Developer experience: * libkadm5 will use the provided krb5_context object to read configuration values, instead of creating its own. * Added an interface to retrieve the ticket session key from a GSS context. Protocol evolution: * The KDC will no longer issue tickets with RC4 or triple-DES session keys unless explicitly configured with the new allow_rc4 or allow_des3 variables respectively. * The KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes string attribute. * Support for PAC full KDC checksums has been added to mitigate an S4U2Proxy privilege escalation attack. * The PKINIT client will advertise a more modern set of supported CMS algorithms. Code quality: * Removed unused code in libkrb5, libkrb5support, and the PKINIT module. * Modernized the KDC code for processing TGS requests, the code for encrypting and decrypting key data, the PAC handling code, and the GSS library packet parsing and composition code. * Improved the test framework's detection of memory errors in daemon processes when used with asan. Changes by ticket ID 9052 Support macOS 11 native credential cache 9053 Make kprop work for dump files larger than 4GB 9054 Replace macros with typedefs in gssrpc types.h 9055 Use SHA-256 instead of SHA-1 for PKINIT CMS digest 9057 Omit LDFLAGS from krb5-config --libs output 9058 Add configure variable for default PKCS#11 module 9059 Use context profile for libkadm5 configuration 9066 Set reasonable supportedCMSTypes in PKINIT 9069 Update error checking for OpenSSL CMS_verify 9071 Add and use ts_interval() helper 9072 Avoid small read overrun in UTF8 normalization 9076 Use memmove() in Unicode functions 9077 Fix aclocal.m4 syntax error for autoconf 2.72 9078 Fix profile crash on memory exhaustion 9079 Fix preauth crash on memory exhaustion 9080 Fix gic_keytab crash on memory exhaustion 9082 Fix policy DB fallback error handling 9083 Fix kpropd crash with unrecognized option 9084 Add PAC full checksums 9085 Fix read overruns in SPNEGO parsing 9086 Fix possible double-free during KDB creation 9087 Fix meridian type in getdate.y 9088 Use control flow guard flag in Windows builds 9089 Add pac_privsvr_enctype string attribute 9090 Convey realm names to certauth modules 9091 Add GSS_C_INQ_ODBC_SESSION_KEY 9092 Fix maintainer-mode build for binutils 2.37 9093 Add PA-REDHAT-PASSKEY padata type Signed-off-by: Adolf Belka --- config/rootfiles/common/krb5 | 1 + lfs/krb5 | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/krb5 b/config/rootfiles/common/krb5 index 2e6e0285e..e1ec06753 100644 --- a/config/rootfiles/common/krb5 +++ b/config/rootfiles/common/krb5 @@ -137,6 +137,7 @@ usr/lib/libverto.so.0.0 #usr/share/locale/en_US #usr/share/locale/en_US/LC_MESSAGES #usr/share/locale/en_US/LC_MESSAGES/mit-krb5.mo +#usr/share/locale/ka/LC_MESSAGES/mit-krb5.mo #usr/share/man/cat1 #usr/share/man/cat5 #usr/share/man/cat7 diff --git a/lfs/krb5 b/lfs/krb5 index 0b4dae8cc..cf5daa54a 100644 --- a/lfs/krb5 +++ b/lfs/krb5 @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team # +# Copyright (C) 2007-2023 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -26,7 +26,7 @@ include Config SUMMARY = Kerberos -VER = 1.20.1 +VER = 1.21.2 THISAPP = krb5-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = ead16f8b1aec8bba3776628b74257c9aec891770c1fa6d5c5e66275db5f078ca59c9944cd2b017453b777ce080f8e5a322f735fab77691479cfad7b881b92830 +$(DL_FILE)_BLAKE2 = 2afb3ff962a343bc07182fdab0c0ffb221632ff38baab74278cfc721ae72deacc260221470de36e420584f00b780e13221d2e511d4831bca8e1270b7f3d9e824 install : $(TARGET)