krb5 (1.4.4-7etch8) oldstable-security; urgency=high

  * cve-2009-4212, MIT-KRB5-SA-2009-004: Integer underflows in AES and RC4 decryptions. This can definitely lead to a DOS attack and potentially may lead to execution of unexpected code. It's potentially possible that arbitrary code could be executed, although much more likely that permuted heap contents or buffers not under attacker control will be executed.

 -- Sam Hartman  Sun, 03 Jan 2010 15:49:58 -0500

krb5 (1.4.4-7etch7) oldstable-security; urgency=high

  * MITKRB5-SA-2009-002: ASN.1 general time decoder can free uninitialized pointer. (CVE-2009-0846)

 -- Sam Hartman  Wed, 18 Mar 2009 22:27:02 -0400

krb5 (1.4.4-7etch6) stable-proposed-updates; urgency=low

  * Fix (non-exploitable) kadmind crash on 64-bit platforms during password change when a minimum password lifetime is set for a principal. (Closes: #428732)

 -- Russ Allbery  Tue, 29 Apr 2008 14:39:07 -0700

krb5 (1.4.4-7etch5) stable-security; urgency=emergency

  * MITKRB5-SA-2008-001: When Kerberos v4 support is enabled in the KDC, malformed messages may result in NULL pointer use, double-frees, or exposure of information. (CVE-2008-0062, CVE-2008-0063)
  * MITKRB5-SA-2008-002: If the file descriptor limit is larger than FD_SETSIZE and kadmind has more open connections than FD_SETSIZE, an array overrun and memory corruption may result. (CVE-2008-0947)

 -- Russ Allbery  Thu, 06 Mar 2008 14:27:28 -0800

krb5 (1.4.4-7etch4) stable-security; urgency=emergency

  * Fix bug in fix for CVE-2007-3999: the previous patch could allow an overflow of up to 32 bytes. Depending on how locals are laid out on the stack, this may or may not be a problem.

 -- Sam Hartman  Tue, 04 Sep 2007 19:51:49 -0400

krb5 (1.4.4-7etch3) stable-security; urgency=emergency

  * Fix for mit-sa-2007-06 (in particular cve-2007-3999): stack buffer overflow in rpcsec_gss when parsing rpchdr

 -- Sam Hartman  Sat, 25 Aug 2007 16:39:24 -0400

krb5 (1.4.4-7etch2) stable-security; urgency=emergency

  * MIT-SA-2007-4: The kadmin RPC library can free an uninitialized pointer or write past the end of a stack buffer. This may lead to execution of arbitrary code. (CVE-2007-2442, CVE-2007-2443)
  * MIT-SA-2007-5: kadmind is vulnerable to a stack buffer overflow that may lead to execution of arbitrary code. (CVE-2007-2798)

 -- Russ Allbery  Wed, 13 Jun 2007 13:31:23 -0700

krb5 (1.4.4-7etch1) testing-security; urgency=emergency

  * MIT-SA-2007-1: telnet allows login as an arbitrary user when presented with a specially crafted username; CVE-2007-0956
  * krb5_klog_syslog has a trivial buffer overflow that can be exploited by network data; CVE-2007-0957. The upstream patch is very intrusive because it fixes each call to syslog to have proper length checking as well as the actual krb5_klog_syslog internals to use vsnprintf rather than vsprintf. I have chosen to only include the change to krb5_klog_syslog for sarge. This is sufficient to fix the problem but is much smaller and less intrusive. (MIT-SA-2007-2)
  * MIT-SA-2007-3: The GSS-API library can cause a double free if applications treat certain errors decoding a message as errors that require freeing the output buffer. At least the gssapi rpc library does this, so kadmind is vulnerable. Fix the gssapi library because the spec allows applications to treat errors this way. CVE-2007-1216
  * New Japanese translation, thanks TANAKA Atushi, Closes: #414382

 -- Sam Hartman  Sun, 11 Mar 2007 19:08:52 -0400

krb5 (1.4.4-7) unstable; urgency=low

  * Translation updates:
    - New Portuguese translation, thanks Rui Branco.
      (Closes: #409318)

 -- Russ Allbery  Wed, 21 Feb 2007 15:23:08 -0800

krb5 (1.4.4-6) unstable; urgency=emergency

  * MIT-SA-2006-2: kadmind and rpc library call through function pointer to freed memory (CVE-2006-6143). Null out xp_auth unless it is associated with an rpcsec_gss connection.

 -- Sam Hartman  Thu, 4 Jan 2007 16:07:02 -0500

krb5 (1.4.4-5) unstable; urgency=low

  * Translation updates:
    - New Spanish translation, thanks Fernando Cerezal. (Closes: #402986)

 -- Russ Allbery  Sun, 17 Dec 2006 17:18:05 -0800

krb5 (1.4.4-4) unstable; urgency=low

  * Remove the check for pthread_mutexattr_setrobust_np in the thread initialization code. This was only needed on Solaris 9 and has been removed upstream, and was causing FTBFS with glibc 2.5. Thanks, Martin Pitt. (Closes: #396166)
  * Translation updates:
    - New Romanian translation, thanks stan ioan-eugen. (Closes: #395347)

 -- Russ Allbery  Sun, 5 Nov 2006 21:32:17 -0800

krb5 (1.4.4-3) unstable; urgency=low

  * Don't require the presence of debconf during the postrm. Thanks to Bill Allombert for the report. (Closes: #388784)
  * Fix uses of hyphens instead of minus signs in the man pages.

 -- Russ Allbery  Fri, 22 Sep 2006 14:57:34 -0700

krb5 (1.4.4-2) unstable; urgency=low

  * Patch from Alejandro R. Sedeno to allow 32-bit and 64-bit krb4 ticket files to be used on the same system. Similar to a patch included in MIT Kerberos 1.5 but backported because of missing byte order macros.

 -- Sam Hartman  Wed, 20 Sep 2006 22:51:59 -0400

krb5 (1.4.4-1) unstable; urgency=low

  * New upstream release.
  * Stop using --exec to start and stop services since then services will not be stopped properly during an upgrade. (Closes: #385039)
  * Rewrite the init scripts to include LSB information and to use the LSB logging functions. krb5-kdc and krb5-admin-server now depend on lsb-base (>= 3.0-6) for the LSB functions.

 -- Russ Allbery  Fri, 1 Sep 2006 20:45:59 -0700

krb5 (1.4.4~beta1-1) unstable; urgency=low

  * New upstream version including several memory leak fixes
  * Install upstream changelog

 -- Sam Hartman  Wed, 16 Aug 2006 16:45:56 -0400

krb5 (1.4.3-9) unstable; urgency=high

  * Add error checking to setuid, setreuid to avoid local privilege escalation; fixes krb5-sa-2006-1, CVE-2006-3084, CVE-2006-3083
  * Update standards version to 3.7.2 (no changes required).
  * Translation updates.
    - Russian, thanks Yuri Kozlov. (Closes: #380303)

 -- Sam Hartman  Sun, 6 Aug 2006 17:12:40 -0400

krb5 (1.4.3-8) unstable; urgency=low

  * Defer seeding of the random number generator in kadmind until after forking and backgrounding, since otherwise blocking on /dev/random may block system startup. (Closes: #364308)
  * Update config.{guess,sub}. (Closes: #373727)
  * Better fix for error handling of a zero-length keytab. Thanks, Rainer Weikusat.

 -- Russ Allbery  Sun, 16 Jul 2006 08:59:20 -0700

krb5 (1.4.3-7) unstable; urgency=low

  * Fix double free caused by a zero-length keytab. Thanks, Steve Langasek. (Closes: #344295)
  * Fix segfault in krb5_kuserok if the local name doesn't correspond to a local account. (Discovered in bug #354133.)
  * Build a separate libkrb5-dbg package containing the detached debugging information for libkrb53 and libkadm55.
  * Update debhelper compatibility level to V5 since the dh_strip behavior around debug packages changes in V5 and we should use the current interface from the beginning.
  * Translation updates.
    - Dutch, thanks Vincent Zweije. (Closes: #360444)
    - Galician, thanks Jacobo Tarrio. (Closes: #361809)

 -- Russ Allbery  Sat, 15 Apr 2006 16:22:01 -0700

krb5 (1.4.3-6) unstable; urgency=low

  * Assume krb5 in krb5_gss_canonicalize_name if the null mechanism is passed in. Fixes a segfault in racoon from ipsec-tools. Thanks, Daniel Kahn Gillmor. (Closes: #351877)
  * v5passwdd is gone, so remove the debconf template, the prompts, and the code to start and stop it from the init script.
    Thanks, Greg Folkert.
  * Fix incorrect option names in krb5.conf(5). Thanks, Martin v. Loewis. (Closes: #347643)
  * Translation updates.
    - Danish, thanks Claus Hindsgaul. (Closes: #350041)

 -- Russ Allbery  Tue, 21 Feb 2006 23:25:34 -0800

krb5 (1.4.3-5) unstable; urgency=medium

  * Configure with --enable-shared --enable-static so that libkrb5-dev gets static libraries.
  * Fix double free in getting credentials, Closes: #344543

 -- Sam Hartman  Sun, 25 Dec 2005 21:59:47 -0500

krb5 (1.4.3-4) unstable; urgency=high

  * Fix problem when libpthreads is dynamically loaded into a program causing mutexes to sometimes be used and sometimes not be used. If the library starts out without threads support it will never start using threads support; doing anything else causes hangs.

 -- Sam Hartman  Fri, 16 Dec 2005 18:16:53 -0500

krb5 (1.4.3-3) unstable; urgency=low

  * Additional internal pthread symbols have to be declared weak on Hurd. Thanks, Michael Banck. (Closes: #341608)
  * Build on GNU/kFreeBSD. Thanks, Petr Salinger. (Closes: #261712)
  * Change the default KDC enctype to 3DES to match upstream (the difference was probably a mismerge).
  * Remove /etc/default/krb5-admin-server on purge. (Closes: #333161)
  * Document the behavior of klogind and kshd if the user has no .k5login file. Remove vestigial .rhosts references. (Closes: #250966)
  * Document krb5-rsh-server authorization defaults in README.Debian.
  * Enable kinit -a to match the man page. (Closes: #232431)
  * Remove the patch to tightly bind libkrb4 to libdes425. This should no longer be necessary with symbol versioning.
  * Upstream has removed the file with questionable licensing, so the upstream tarball is no longer repacked. Remove the get-orig-source target in debian/rules and the notes in copyright and README.Debian.
  * Add a watch file.
  * Translation updates.
    - German, thanks jens.
      (Closes: #330925)

 -- Russ Allbery  Sun, 4 Dec 2005 11:37:40 -0800

krb5 (1.4.3-2) unstable; urgency=low

  * Conflict with libauthen-krb5-perl (<< 1.4-5) because of krb5_init_ets.
  * Update uploader address.
  * Conflict with libapache-mod-auth-kerb because it accesses library internals in a way that breaks.

 -- Sam Hartman  Wed, 30 Nov 2005 22:33:47 -0500

krb5 (1.4.3-1) experimental; urgency=low

  * New upstream release.
  * Install ac_check_krb5 for use by aclocal.

 -- Sam Hartman  Sat, 19 Nov 2005 16:20:56 -0500

krb5 (1.4.2-1) UNRELEASED; urgency=low

  * New upstream version. (Closes: #293077)
    - kadmind4, v5passwdd, and v5passwd are no longer included.
    - Increase the libkrb53 shlibs version dependency. Programs linked against this version will not work with an older libkrb53.
    - Rebuild should fix link problems on powerpc. (Closes: #329709)
  * Re-enable optimization on m68k to stop hiding the toolchain problem.
  * Don't build crypto code -O3. It uncovers too many gcc bugs.
  * Fix compilation on Hurd. Thanks, Michael Banck. (Closes: #324305)
  * Always initialize the output token in gss_init_sec_context, even with an unknown mechanism. (Closes: #311977)
  * rcp should fall back to /usr/bin/netkit-rcp, not /usr/bin/rpc.
  * Add the missing shared library depends for libkadm55.
  * Use dh_install rather than dh_movefiles and enable --fail-missing to be sure to pick up any new upstream files.
  * Avoid test -a in maintainer scripts.
  * Expand and reformat the documentation and sample kdc.conf file.
  * Add a doc-base file for the krb425 migration guide.
  * Ignore lintian warnings about the library package names. We'll fix them the next time upstream changes SONAMEs.
  * Conflict with packages that used internal symbols not part of the public ABI
  * Use "MIT Kerberos" rather than krb5 in the krb5-doc short description.
  * Remove the saved patches that have been applied upstream or are no longer applied to the package, update the remaining patches, and move them into debian/patches.
  * Break out the other patches of interest for ease of submitting them upstream.
  * Translation updates.
    - Vietnamese, thanks Clytie Siddall. (Closes: #319704)

 -- Russ Allbery  Thu, 22 Sep 2005 17:08:58 -0700

krb5 (1.3.6-5) unstable; urgency=high

  * Disable optimization on m68k to attempt to work around a gcc 4.0 bug.

 -- Russ Allbery  Sun, 14 Aug 2005 22:26:00 -0700

krb5 (1.3.6-4) unstable; urgency=high

  [ Russ Allbery ]
  * Fix a mistake in variable names that caused the package to be built without optimization.
  * Allow whitespace before comments in krb5.conf. Thanks, Jeremie Koenig. (Closes: #314609)
  * GCC 4.0 compile fixes, thanks Daniel Schepler. (Closes: #315618)
  * Avoid "say yes" in debconf templates. (Closes: #306883)
  * Update Czech translation, thanks Miroslav Kure.
  * Update French translation, thanks Christian Perrier. (Closes: #307748)
  * Update Portuguese (Brazil) translation, thanks André Luís Lopes.
  * New Vietnamese translation, thanks Clytie Siddall. (Closes: #312172)
  * Update standards version to 3.6.2 (no changes required).
  * DAK can now handle not repeating maintainers in uploaders.

  [ Sam Hartman ]
  * Fix double free in krb5_recvauth; critical because it is in the code path for kpropd and may allow arbitrary code execution. (CAN-2005-1689)
  * krb5_unparse_name overflows allocated storage by one byte on 0 element principal name. (CAN-2005-1175, VU#885830)
  * Do not free unallocated storage in the KDC's TCP request handling path. (CAN-2005-1174, VU#259798)

 -- Sam Hartman  Tue, 12 Jul 2005 15:45:14 -0400

krb5 (1.3.6-3) unstable; urgency=low

  * krb5-kdc: Install a commented-out line for kpropd with update-inetd. Add dependency on netbase for update-inetd. (Closes: #293182)
  * krb5-kdc: Ask with debconf whether the user wishes to delete the KDC database on purge, modelled after how postgresql handles the same situation. (Closes: #289358)
  * Close leak in the arcfour crypto support. Thanks, fumihiko kakuma.
    (Closes: #244595)
  * krb5-config should never return -I/usr/include. (Closes: #165521)
  * Write manual pages for fakeka, krb524init, kadmind4, and v5passwdd. Backport from upstream the manual pages for krb5-config and krb524d. (Closes: #78953, #96437)
  * Fix paths in manual pages to match the Debian defaults. Fix service in the inetd.conf example in the kpropd man page to work with Debian /etc/services. (Closes: #157736)
  * Fix references to kerberos(1) in the rlogin and kinit man pages and include kerberos.1 in krb5-doc. (Closes: #154381, #154384)
  * Add more detailed information about each package to the extended descriptions. (Closes: #135517)
  * krb5-doc: Include info pages. (Closes: #292512)
  * krb5-doc: Fix two minor variable name problems in the texinfo docs.
  * Let dh_installdebconf set the debconf dependency.
  * Update standards version to 3.6.1.
    - Support noopt in DEB_BUILD_OPTIONS.
    - Let debhelper take care of calling ldconfig appropriately.
    - Remove calls to dh_undocumented.
    - Remove lintian overrides for links to the undocumented man page.
    - Install kdc.conf template in /usr/share/krb5-kdc rather than /usr/share/krb5 (policy 10.7.3 states the directory should be named after the package).
    - Symlink the kdc.conf template to /usr/share/doc/krb5-kdc/examples per policy 10.7.3 since it's also a useful example.
  * Update debhelper compatibility level to V4.
    - Remove all *.conffiles control files. They're no longer needed.
  * rules generally cleaned up. Commented out and unused debhelper programs removed as the set being run wasn't comprehensive anyway. Invocation order now matches the debhelper examples.
  * Removed (s) from copyright to make lintian happier.
  * Removed unnecessary lintian override for libkrb53.
  * Add lintian overrides for the duplicate dependencies on krb5 libraries.

 -- Russ Allbery  Sat, 16 Apr 2005 14:12:08 -0700

krb5 (1.3.6-2) unstable; urgency=high

  * Package priority to standard
  * Fix buffer overflow in slc_add_reply in telnet.c (CAN-2005-0469)
  * Fix telnet.c env_opt_add buffer overflow (CAN-2005-0468)
  * Note that both of these vulnerabilities are client-side vulnerabilities that can be exploited only by a server.

 -- Sam Hartman  Sun, 3 Apr 2005 23:49:08 -0400

krb5 (1.3.6-1) unstable; urgency=medium

  * New upstream version
  * Changing a password after the size of password history has been reduced may double free or write past end of an array; fix (CAN-2004-1189 / CERT VU#948033)
  * Conflict between krb5-kdc and kerberos4kth-kdc; also deals with krb5-admin-server conflict indirectly, Closes: #274763

 -- Sam Hartman  Sun, 2 Jan 2005 15:55:25 -0500

krb5 (1.3.5-1) unstable; urgency=low

  * New pt_br debconf translation, Closes: #278734
  * New upstream version
  * Part of the fix to #261712: allow ftpd to build on gnu/bsd

 -- Sam Hartman  Fri, 26 Nov 2004 18:44:02 -0500

krb5 (1.3.4-4) unstable; urgency=high

  * Fix what is hopefully the last remnant of the patch to gettextize the debconf without making the code consistent, thanks Thimo Neubauer, Closes: #271456
  * Fix krb5_newrealm man page to better describe dependencies, thanks Rachel Elizabeth Dillon, Closes: #269685

 -- Sam Hartman  Mon, 13 Sep 2004 11:36:38 -0400

krb5 (1.3.4-3) unstable; urgency=high

  * Initial Czech translations thanks to Miroslav Kure, Closes: #264366
  * Updated French debconf translation, thanks Martin Quinson, Closes: #264941
  * KDC and clients double-free on error conditions (CAN-2004-0642 VU#795632)
  * krb5_rd_cred() double-frees on error conditions (CAN-2004-0643, CERT VU#866472)
  * ASN.1 decoder in MIT Kerberos 5 releases krb5-1.3.4 and earlier allows unauthenticated remote attackers to induce infinite loop, causing denial of service, including in KDC code (CAN-2004-0644, CERT VU#550464)
  * Fix double free in krb524d handling of encrypted ticket contents (CAN-2004-0772)

 -- Sam Hartman  Tue, 31 Aug 2004 13:04:51 -0400

krb5 (1.3.4-2) unstable; urgency=low

  * Fix doc-base files, Closes: #262916

 -- Sam Hartman  Wed, 4 Aug 2004 13:08:53 -0400

krb5 (1.3.4-1) unstable; urgency=low

  * New upstream version
  * Update krb5-doc to include pointers to the right html documents, Closes: #203321
  * Patches to find res_search on amd64 and to include new Debian ports in shared library building, Closes: #261712
  * Install default file for krb5-admin-server, Closes: #262428
  * Patch from Russ Allbery to only prompt for a password once in krb4 when null is passed in to krb_get_in_pw_tkt, Closes: #262192
  * New pt_br translation, thanks Andre Luis Lopes, Closes: #254115
  * New French translation, thanks Christian Perrier, closes: #253685

 -- Sam Hartman  Sat, 31 Jul 2004 12:12:44 -0400

krb5 (1.3.3-2) unstable; urgency=high

  * Fix buffer overflow in krb5_aname_to_localname; potential remote root exploit in some fairly limited circumstances. You are not vulnerable unless you have enabled aname_to_lname rules in krb5.conf (CAN-2004-0523)
  * Fix kadmind template formatting, thanks Christian Perrier

 -- Sam Hartman  Sat, 5 Jun 2004 16:57:44 -0400

krb5 (1.3.3-1) unstable; urgency=low

  * New upstream version
  * Gettextize my debconf templates, thanks Martin Quinson, Closes: #236176
  * Don't remove /etc/krb5.conf on libkrb53 purge

 -- Sam Hartman  Tue, 13 Apr 2004 20:04:37 -0400

krb5 (1.3.2-2) unstable; urgency=low

  * Don't check for /etc/krb5kdc/kadm5.keytab, Closes: #235966
  * Fix dangling symlink, Closes: #203622

 -- Sam Hartman  Sun, 14 Mar 2004 20:46:27 -0500

krb5 (1.3.2-1) unstable; urgency=low

  * New Upstream Release, Closes: #223485
  * Includes upstream patch to ignore unknown address families, Closes: #206851
  * Include note that encrypted services are not enabled, Closes: #232115
  * Up shlib deps because of new features in auth context

 -- Sam Hartman  Sun, 29 Feb 2004 09:36:27 -0500

krb5 (1.3-3) unstable; urgency=low

  * Don't clear the key schedule so krb4 callers can use it,
    Closes: #203566
  * Use alternatives system for rcp, Closes: #218392

 -- Sam Hartman  Tue, 3 Feb 2004 14:07:12 -0500

krb5 (1.3-2) unstable; urgency=low

  * Include patch to MIT Bug #1681, an incompatible change to etype_info2. This change will break clients between 1.3 beta1 and 1.3-1 talking to 1.3-2 KDCs, but is necessary because of a protocol bug.

 -- Sam Hartman  Thu, 24 Jul 2003 13:32:33 -0400

krb5 (1.3-1) unstable; urgency=medium

  * New upstream version--finally 1.3 is released, Closes: #199573
  * Don't depend on com_err in libcrypto, Closes: #201005
  * Urgency is medium because the only code change is removing a single call to com_err and this package not being in testing is blocking other packages. The beta has been in unstable more than 10 days.
  * Update shlibs again to avoid long-term references to a beta in the archive

 -- Sam Hartman  Sat, 19 Jul 2003 15:19:38 -0400

krb5 (1.2.99-1.3.beta5-1) unstable; urgency=low

  * New upstream version

 -- Sam Hartman  Sat, 5 Jul 2003 21:29:44 -0400

krb5 (1.2.99-1.3.beta4-1) unstable; urgency=low

  * Fix rpath on generated binaries and in krb5-config, Closes: #198124
  * Fix build-depends to require comerr-dev with correct shlibs, Closes: #197650
  * New upstream version
  * Don't generate /etc/krb5kdc/kadm5.keytab as 1.3 does not require it except for kadmind4

 -- Sam Hartman  Fri, 20 Jun 2003 17:37:15 -0400

krb5 (1.2.99-1.3.beta3-4) unstable; urgency=low

  * Add replaces for libkadm55 on libkrb53

 -- Sam Hartman  Wed, 11 Jun 2003 16:41:16 -0400

krb5 (1.2.99-1.3.beta3-3) unstable; urgency=low

  * One more try at avoiding autoconf dependency

 -- Sam Hartman  Wed, 11 Jun 2003 03:04:56 -0400

krb5 (1.2.99-1.3.beta3-2) unstable; urgency=low

  * Touch some more files to defeat autoheader

 -- Sam Hartman  Tue, 10 Jun 2003 23:55:08 -0400

krb5 (1.2.99-1.3.beta3-1) unstable; urgency=low

  * Fix dh_makeshlibs call so dependencies are correct
  * New upstream version
  * Patch from Steve Langasek for versioned symbols; adapted to better fit the build system and to work for
    all libraries
  * This version builds with GCC 3.3, Closes: #195571
  * Move the rest of the administration libraries into libkadm55 to reduce space required by libkrb53.
  * libkrb53 conflicts with current openafs-krb5 because of ABI changes in krb524

 -- Sam Hartman  Tue, 10 Jun 2003 20:56:33 -0400

krb5 (1.2.99-1.3.beta2-1) experimental; urgency=low

  * New upstream version
  * Include a patch from upstream CVS (post beta2) to fix renewable tickets.

 -- Sam Hartman  Sun, 1 Jun 2003 00:30:35 -0400

krb5 (1.2.99-1.3.beta1-1) experimental; urgency=low

  * New upstream pre-release
  * Update copyright
  * Add db_stop calls to krb5-kdc.postinst and krb5-admin-server.postinst
  * Install a fakeka binary
  * Install libkrb524.a even though upstream does not
  * kdc defaults to no v4 support per upstream change.

 -- Sam Hartman  Thu, 15 May 2003 11:37:10 -0400

krb5 (1.2.99-1.3.alpha3-1) experimental; urgency=low

  * New upstream pre-release
    - ftp no longer segfaults on wildcards, Closes: #175495
    - Clock skew is returned on clock skew with preauth, Closes: #98855
    - Preauthentication has been reworked to improve interoperability with older implementations and to comply with Kerberos Clarifications, Closes: #169014
    - Typo in man page fixed, Closes: #127302
  * Remove dangling symlink, Closes: #133244
  * Depend on sufficiently new com_err and libss
  * Build the crypto library -O9 as it seems to help performance a lot.
  * Bump up shared library versions; all the public libraries have new functions

 -- Sam Hartman  Mon, 12 May 2003 02:22:37 -0400

krb5 (1.2.7-3) unstable; urgency=high

  * Patch for CERT VU#623217 and VU#442569: Cryptographic weaknesses in Kerberos 4
    - Add -X option to krb5kdc and krb524d. By default cross-realm is no longer supported for krb4 as it is a security hole.
    - Add protection to isolate krb5 keys from krb4 especially for the TGS key
    - Remove support for the MIT extension to krb4 to use 3DES keys as it is insecure.
  * Patch to various DOS issues where the KDC assumes principal names have certain components. Fixes CAN-2003-0072
  * VU#516825: Additional errors in XDR that may lead to denial of service.
  * Fix template bug in v5passwd template, Closes: #172565

 -- Sam Hartman  Tue, 25 Mar 2003 08:03:00 -0500

krb5 (1.2.7-2) unstable; urgency=low

  * Remove declaration of errno from krb.h

 -- Sam Hartman  Mon, 6 Jan 2003 15:38:20 -0500

krb5 (1.2.7-1) unstable; urgency=high

  * New upstream version
  * Still urgency high until the kadmin4 fix gets into testing
  * Don't declare errno so glibc will be happy; applying upstream as well, Closes: #168528
  * Remove pidfile argument from start-stop-daemon call for restarting krb5kdc so it actually works, Closes: #174881

 -- Sam Hartman  Sun, 5 Jan 2003 18:00:55 -0500

krb5 (1.2.6-2) unstable; urgency=high

  * Security fix for buffer overflow in kadmind4 (mitsa-2002-2)
  * If bison is too good for yacc compatibility then we're too good for bison, Closes: #165655
  * Include readme.debian if we're going to reference it, Closes: #166399
  * Fix readme.debian comments to be correct

 -- Sam Hartman  Sat, 26 Oct 2002 17:18:41 -0400

krb5 (1.2.6-1) unstable; urgency=low

  * New upstream version
  * Important: upstream has introduced a new way of handling AFS tickets within krb524d; long-term this may allow the use of ticket keys other than DES with AFS, but short-term this will break AFS because OpenAFS has not yet released servers that support the new mechanism. If you run AFS servers and don't want them to break, please look at README.debian
  * This includes a fix for 162794 as that is now in the upstream
  * For now, libkrb5-dev is going to be priority extra.
    If anyone complains I'll attempt to fight the comerr-dev dependency battle; honestly I think comerr-dev is common enough and on enough systems that it rates optional but the maintainer does not, Closes: #145165
  * Fix restart to restart krb524d, Closes: #162477

 -- Sam Hartman  Sun, 6 Oct 2002 16:40:44 -0400

krb5 (1.2.5-3) unstable; urgency=high

  * Try to fix diversion handling for real this time, Closes: #155514

 -- Sam Hartman  Mon, 5 Aug 2002 13:40:53 -0400

krb5 (1.2.5-2) unstable; urgency=high

  * We are still installing a krb5.conf.template; don't as that is kerberos-configs's job.
  * The MIT KDC was not sending etype info padata; this could create a problem if you require preauth and have unusual salts; patch from upstream CVS
  * Add readme to krb5-user, Closes: #152670
  * Fix typo in alternatives handling so man page symlinks are handled correctly, Closes: #152707
  * Include XDR encoding patch for krb5-sa-2002-01; same patch as the woody security update

 -- Sam Hartman  Sat, 3 Aug 2002 17:51:50 -0400

krb5 (1.2.5-1) unstable; urgency=low

  * New upstream version; not really any patches that will actually affect Debian at all, as we pulled them into 1.2.4 packages from upstream CVS
  * Stop shipping patches that upstream has accepted and released
  * Update included upstream PGP signature
  * Fix diversion handling; it was fairly broken in 1.2.4. All we divert now is rcp
  * Ftp should not be diverted, closes: #146171
  * Fix overly small fixed length buffer in kuserok, closes: #145106

 -- Sam Hartman  Sun, 2 Jun 2002 19:22:39 -0400

krb5 (1.2.4-5) unstable; urgency=low

  * Pull up bugfix from 1.2.5 beta1 to src/lib/krb5/asn.1/asn1_get.c
  * This should be the last thing we need from 1.2.5; Debian has all the 1.2.5 changes besides the API reorg. I'm not checking an API reorg this close to woody release.

 -- Sam Hartman  Fri, 12 Apr 2002 12:16:49 -0400

krb5 (1.2.4-4) unstable; urgency=low

  * Suggest rather than recommend krb5-user from libkrb53, closes: #140116
  * Fix null pointer dereference in krb5 library; pull patch from 1.2.5 beta1

 -- Sam Hartman  Wed, 10 Apr 2002 14:19:49 -0400

krb5 (1.2.4-3) unstable; urgency=medium

  * Move from non-us to main

 -- Sam Hartman  Sat, 16 Mar 2002 15:04:44 -0500

krb5 (1.2.4-2) unstable; urgency=low

  * Don't respect umask when writing out srvtabs; you always want them 0600 and if you don't you can chmod later, closes: #135988
  * To work with Heimdal, accept encrypted creds in gss_accept_sec_context, closes: #135962
  * Fix kadmin ACL bug. Targets (a cool but undocumented ACL feature) didn't work quite right. They do now.

 -- Sam Hartman  Sun, 3 Mar 2002 18:53:40 -0500

krb5 (1.2.4-1) unstable; urgency=low

  * Don't check address in krb5_rd_cred; upstream patch also applied to their CVS, closes: #132226
  * Patch from Ken Raeburn to improve over-the-wire errors from KDC, included because I happened to be testing it and it seemed to work
  * New upstream release

 -- Sam Hartman  Fri, 1 Mar 2002 00:44:26 -0500

krb5 (1.2.3-2) unstable; urgency=low

  * We want to be able to use krb4 and libssl's libcrypto in the same program. To do this, we make libkrb4 bind libdes425 -Bsymbolic and we allow krb_mk_priv and krb_rd_priv to take null schedule arguments.

 -- Sam Hartman  Tue, 15 Jan 2002 12:17:40 -0500

krb5 (1.2.3-1) unstable; urgency=low

  * New upstream version, closes: #110932
  * Use alternatives for rsh, closes: #122710
  * Major version of libkadm5 bumped; we no longer conflict with heimdal there

 -- Sam Hartman  Thu, 10 Jan 2002 06:59:13 -0500

krb5 (1.2.2-8) unstable; urgency=low

  * Oops, call htons around port numbers in kprop patch
  * Register with doc-base, closes: #100463
  * Move krb5.conf and kdc.conf manpages into krb5-doc; krb5-doc now conflicts with heimdal-docs, closes: #121141

 -- Sam Hartman  Sun, 25 Nov 2001 23:47:35 -0500

krb5 (1.2.2-7) unstable; urgency=low

  * Forward only tickets we believe the remote side knows the enctype of, closes: #99320
  * Start krb5-kdc and krb5-admin-server before RPC services, thanks Hein Roehrig, closes: #88604
  * Install krb5.conf and kdc.conf man pages in krb5-user. This is not ideal but installing them in krb5-config won't work as they are implementation dependent, closes: #109522
  * Install kprop manpage, thanks Steve Langasek, closes: #120040
  * Fix FHS paths with kprop; store files in /var/lib/krb5kdc, thanks again Steve, closes: #120050
  * Telnet help should open a connection to the host help not give you a usage message, thanks Graeme Mathieson for a patch which will be sent upstream, closes: #118730
  * Fix kprop handling of service name. If we can't find what we are looking for in /etc/services default to the obvious correct answer; thanks Steve, will commit upstream, closes: #120010

 -- Sam Hartman  Sat, 24 Nov 2001 22:10:16 -0500

krb5 (1.2.2-6) unstable; urgency=high

  * Include telnetd security patch for ring buffer issue from upstream
  * Conflict with the right Heimdal libs, closes: #103872

 -- Sam Hartman  Wed, 1 Aug 2001 15:19:43 -0400

krb5 (1.2.2-5) unstable; urgency=low

  * Use krb5-config; remove our own krb5.conf handling. Note this is the krb5-config package for /etc/krb5.conf, not the krb5-config library helper command.
  * Conflict with kerberos4kth-services, closes: #93303
  * Update config.guess and config.sub, closes: #97585
  * Have telnetd depend on krb5-rsh-server. I suspect this will make people grumpy and we need a better fix. Really, Kerberized rlogin is better than telnetd from a security standpoint, so I'm OK with it for now. Closes: #96695

 -- Sam Hartman  Wed, 16 May 2001 17:44:47 -0400

krb5 (1.2.2-4) unstable; urgency=low

  * Fix shared libraries to build with gcc not ld to properly include -lgcc symbols, closes: #94407

 -- Sam Hartman  Fri, 20 Apr 2001 02:47:21 -0400

krb5 (1.2.2-3) unstable; urgency=high

  * Fix vulnerability with glob call. CERT claims that Linux is not vulnerable, but I believe the krb5 implementation is. The result of glob was copied into a fixed-sized buffer. This fixes that closes: #93689
  * Provide ftp-server not ftpd, closes: #93531
  * Do not link kadm5clnt against kdb5.

 -- Sam Hartman  Wed, 11 Apr 2001 19:50:17 -0400

krb5 (1.2.2-2) unstable; urgency=low

  * Work to provide an alternative for telnet and to be a telnet-client, closes: 87914
  * libkrb5-dev depends on comerr-dev, closes: #87489
  * Make clean target remove configure-stamp

 -- Sam Hartman  Mon, 5 Mar 2001 08:25:17 -0500

krb5 (1.2.2-1) unstable; urgency=low

  * New Upstream version, Closes: #82546
  * Depend on debconf, closes: #87490
  * Fix debconf formatting issue, closes: #84447
  * Create sample ACL file, closes: #84448
  * Fix lintian warnings and override as appropriate
  * Upgrade to policy 3.5 moving stuff out of examples.

 -- Sam Hartman  Fri, 2 Mar 2001 11:32:06 -0500

krb5 (1.2.1-9) unstable; urgency=low

  * Do not use TIOCGLTC anywhere
  * Build without TCL, closes: #81977
  * Fix krb5-admin-server restart, closes: #81070
  * With the new dpkg-source, files get diffed in the wrong order for us to prevent autoconf from getting run just by mangling things and making sure we change every configure script. So, touch every configure script in debian/rules.

 -- Sam Hartman  Sat, 13 Jan 2001 19:27:37 -0500

krb5 (1.2.1-8) unstable; urgency=low

  * Use separate build directory because the source tree supports it and it works around failures in the upstream clean target, closes: #78954
  * Make sure we modify all the configure scripts since we modify aclocal.m4 so that time stamps don't cause autoconf to be run.
  * Add bison and debhelper as build-depends, closes: #79643
  * New maintainer address

 -- Sam Hartman  Sat, 23 Dec 2000 16:20:24 -0500

krb5 (1.2.1-7) unstable; urgency=low

  * Do not conflict with libss.a
  * Upload to Debian (Closes: BUG#78499)

 -- Sam Hartman  Mon, 4 Dec 2000 04:15:50 -0500

krb5 (1.2.1-6) unstable; urgency=low

  * Fix kpasswd manpage.
  * Split out libkadm5 to avoid Heimdal conflict
  * Conflict with kerberos4kth.
  * Remove runpaths from libs and executables.

 -- Sam Hartman  Wed, 29 Nov 2000 12:18:22 -0500

krb5 (1.2.1-5) unstable; urgency=low

  * If libkrb53 was preconfigured, then krb5.conf could override explicit user input.

 -- Sam Hartman  Sat, 25 Nov 2000 17:01:26 -0500

krb5 (1.2.1-4) unstable; urgency=low

  * Write init.d scripts for kdc and admin server.
  * Ask what admin programs to run and what krb4 mode to use.
  * Populate initial kdc.conf if needed.
  * New script (krb5_newrealm) to set up a Kerberos realm
  * Document KDC issues.
  * Make libkrb53.config work again so libkrb53 installs

 -- Sam Hartman  Sat, 18 Nov 2000 17:22:16 -0500

krb5 (1.2.1-3) unstable; urgency=low

  * Add KDC packages
  * Install login.krb5. Sadly, it is needed to make forwarded credentials work. This is unfortunate; it is not a good login program.

 -- Sam Hartman  Wed, 8 Nov 2000 16:10:13 -0500

krb5 (1.2.1-2) unstable; urgency=low

  * Add copyright and README.debian
  * Ship kadmin in krb5-user.
  * Add services to inetd.conf
  * Add support for generating krb5.conf

 -- Sam Hartman  Thu, 2 Nov 2000 17:29:59 -0500

krb5 (1.2.1-1) unstable; urgency=low

  * Initial Release.

 -- Sam Hartman  Thu, 19 Oct 2000 16:05:06 -0400