2011
krb5 (1.8.3+dfsg-4squeeze5) squeeze-security; urgency=high
* CVE-2011-1529: null pointer dereference in KDC LDAP back end, Closes: #629558 * CVE-2011-1528: assertion failure in multiple KDC back ends regarding account lockout
-- Sam Hartman <hartmans@debian.org> Wed, 19 Oct 2011 11:55:43 -0400
krb5 (1.8.3+dfsg-4squeeze2) stable; urgency=low
* Upstream ticket 6852: permit gss_set_allowable_enctypes to restirct
acceptor enctypes. Required in order to permit newer than squeeze
clients to talk to a squeeze nfs server without degrading security
for non-nfs applications on the box, Closes: #622146
-- Sam Hartman <hartmans@debian.org> Tue, 09 Aug 2011 10:53:59 -0400
krb5 (1.8.3+dfsg-4squeeze1) stable; urgency=low
* Fix double free with pkinit on KDC, CVE-2011-0284, Closes: #618517 * Updated Danish debconf translations, thanks Joe Dalton, Closes: #584282 * KDC/LDAP DOS (CVE-2010-4022, CVE-2011-0281, and CVE-2011-0282, Closes: #613487 * Fix delegation of credentials against Windows servers; significant interoperability issue, Closes: #611906 * Set nt-srv-inst on TGS names to work against W2K8R2 KDCs, Closes: #616429 * Don't fail authentication when PAC verification fails; support hmac- md5 checksums even for non-RC4 keys, Closes: #616728 * Port fix to upstream ticket 6899: fix invalid free in kadmind change password case, Closes: #622681
-- Sam Hartman <hartmans@debian.org> Thu, 02 Jun 2011 13:14:03 -0400
2010
krb5 (1.8.3+dfsg-4) unstable; urgency=medium
* Ignore PACs without a server signature generated by OS X Open
Directory rather than failing authentication, Closes: #604925
-- Sam Hartman <hartmans@debian.org> Tue, 14 Dec 2010 11:53:26 -0500
krb5 (1.8.3+dfsg-3) unstable; urgency=emergency
* MITKRB5-SA-2010-007
* CVE-2010-1324: An unauthenticated attacker can inject arbitrary
content into an existing GSS connection that appears to be integrity
protected from the legitimate peer under some circumstances
* GSS applications may accept a PAC produced by an attacker as if it
were signed by a KDC
* CVE-2010-1323: attackers have a 1/256 chance of being able to
produce krb_safe messages that appear to be from legitimate remote
sources. Other than use in KDC database copies this may not be a
huge issue only because no one actually uses krb_safe
messages. Similarly, an attacker can force clients to display
challenge/response values of the attacker's choice.
* CVE-2010-4020: An attacker may be able to generate what is
accepted as a ad-signedpath or ad-kdc-issued checksum with 1/256
probability
* New Vietnamese debconf translations, Thanks Clytie Siddall,
Closes: #601533
* Update standards version to 3.9.1 (no changes required
-- Sam Hartman <hartmans@debian.org> Sat, 20 Nov 2010 14:50:54 -0500
krb5 (1.8.3+dfsg-2) unstable; urgency=high
* MITKRB5-SA-2010-006 [CVE-2010-1322]: null pointer dereference in kdc_authdata.c leading to KDC crash, Closes: #599237 * Fix two memory leaks in krb5_get_init_creds path; one of these memory leaks is quite common for any application such as PAM or kinit that gets initial credentials, thanks Bastian Blank, Closes: #598032 * Install doc/CHANGES only in krb5-doc, not in all packages, saves several megabytes on most Debian systems, Closes: #599562
-- Sam Hartman <hartmans@debian.org> Wed, 13 Oct 2010 10:41:19 -0400
krb5 (1.8.3+dfsg-1) unstable; urgency=low
* New Upstream release; only change is version bump from beta1 to final
* Bring back a libkrb53 oldlibs package. Note that this is technically a
policy violation because it doesn't provide libdes425.so.3 or
libkrb4.so.2 and thus provides a different ABI. However, some
packages, such as postgres8.4 require the lenny version to be present
for the squeeze transition, so we cannot force the removal of
libkrb53's reverse dependencies. We can conflict or break with lenny
packages that will not work with this libkrb53, but we may break
out-of-archive packages without notice. Absent someone coming up with
a patch to the modern libk5crypto-3 that allows it to work with the
lenny libkrb53 (a weekend's worth of work proved this would be quite
difficult), this is the best solution we've come up with, Closes: #596678
-- Sam Hartman <hartmans@debian.org> Sun, 19 Sep 2010 14:59:46 -0400
krb5 (1.8.3+dfsg~beta1-2) unstable; urgency=low
* Remove documentation that has moved to the krb5-appl package and is
not shipped upstream from Debian diff
-- Sam Hartman <hartmans@debian.org> Tue, 10 Aug 2010 15:33:15 -0400
krb5 (1.8.3+dfsg~beta1-1) unstable; urgency=low
* New Upstream version
* Add breaks with libkrb53 because libdes425 cannot work with new
libk5crypto3 (Closes: #557929)
* You want this version: it fixes an incompatibility with how PACs are
verified with Windows 2008
* As a result of libkrb53 breaks, we no longer get into problems with
krb5int_hmac, Closes: #566988
* Note that libkdb5-4 breaks rather than conflicts libkadm5srv6, Closes:
#565429
* Start kdc before x display managers, Closes: #588536
-- Sam Hartman <hartmans@debian.org> Thu, 05 Aug 2010 12:15:50 -0400
krb5 (1.8.1+dfsg-5) unstable; urgency=low
* Ignore duplicate token sent in mechListMIC from Windows 2000 SPNEGO
(LP: #551901)
* krb5-admin-server starts after krb5-kdc, Closes: #583494
-- Sam Hartman <hartmans@debian.org> Wed, 04 Aug 2010 16:10:02 -0400
krb5 (1.8.1+dfsg-4) unstable; urgency=low
* fix prerm script (Closes: #577389), thanks Harald Dunkel
-- Sam Hartman <hartmans@debian.org> Thu, 20 May 2010 12:33:43 -0400
krb5 (1.8.1+dfsg-3) unstable; urgency=high
* CVE-2010-1321 GSS-API accept sec context null pointer deref, Closes: #582261 * Force use of bash for build, Closes: #581473 * Start slapd before krb5 when krb5-kdc-ldap installed, Closes: #582122
-- Sam Hartman <hartmans@debian.org> Wed, 19 May 2010 16:37:36 -0400
krb5 (1.8.1+dfsg-2) unstable; urgency=high
* Fix crash in renewal and validation, Thanks Joel Johnson for such a
prompt bug report, Closes: #577490
-- Sam Hartman <hartmans@debian.org> Mon, 12 Apr 2010 13:08:35 -0400
krb5 (1.8.1+dfsg-1) unstable; urgency=high
* New upstream release
* Fixes significant ABI incompatibility between Heimdal and MIT in the
init_creds_step API; backward incompatible change in the meaning of
the flags API. Since this was introduced in 1.8 and since no better
solution was found, it's felt that getting 1.8.1 out everywhere that
had 1.8 very promptly is the right approach. Otherwise software build
against 1.8 will be broken in the future.
* Testing of Kerberos 1.8 showed an incompatibility between Heimdal/MIT
Kerberos and Microsoft Kerberos; resolve this incompatibility. As a
result, mixing KDCs between 1.8 and 1.8.1 in the same realm may
produce undesirable results for constrained delegation. Again,
another reason to replace 1.8 with 1.8.1 as soon as possible.
* Acknowledge security team upload, thanks for picking up the slack and
sorry it was necessary
-- Sam Hartman <hartmans@debian.org> Sun, 11 Apr 2010 10:12:59 -0400
krb5 (1.8+dfsg-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team. * Fixed CVE-2010-0628: denial of service (assertion failure and daemon crash) via an invalid packet that triggers incorrect preparation of an error token. (Closes: 575740) * Makes src/slave/kpropd.c ISO C90 compliant (Closes: #574703)
-- Giuseppe Iuculano <iuculano@debian.org> Fri, 09 Apr 2010 19:11:50 +0200
krb5 (1.8+dfsg-1) unstable; urgency=low
* New upstream version
* Include new upstream notice file in docs
* Update symbols files
* Include upstream ticket 6676: fix handling of cross-realm tickets
issued by W2K8R2
* Add ipv6 support to kprop, Michael Stapelberg, Closes: #549476
* New Brazilian Portuguese translations, Thanks Eder L. Marques,
Closes: #574149
-- Sam Hartman <hartmans@debian.org> Wed, 17 Mar 2010 15:51:54 -0400
krb5 (1.8+dfsg~alpha1-7) unstable; urgency=high
* MITKRB5-SA-2010-001: Avoid an assertion failure leading to a denial of
service in the KDC by doing better input validation. (CVE-2010-0283)
* Update standards version to 3.8.4 (no changes required).
-- Russ Allbery <rra@debian.org> Tue, 16 Feb 2010 12:20:51 -0800
krb5 (1.8+dfsg~alpha1-6) unstable; urgency=medium
* Import upstream fixes including:
- A non-conformance with RFC 4120 that causes enc_padata to be
included when the client may not support it
- Weak crypto acts as a filter and does not reject if DES is
included in krb5.conf, fixes Samba net ads join, Closes: #566977
* Medium urgency because of the samba bug fix. If the samba maintainers
request the release team to bump to high I'd support that.
* Update libkdb5 symbols for new upstream internal interface
-- Sam Hartman <hartmans@debian.org> Fri, 12 Feb 2010 12:24:26 -0500
krb5 (1.8+dfsg~alpha1-5) unstable; urgency=high
[ Sam Hartman ]
* New API to allow an application to enable weak crypto
* Rename libkadm5clnt and libkadm5srv to libkadm5clnt_mit and
libkadm5srv_mit in order to avoid conflicts with Heimdal packages.
Sorry for the second trip through new, but we needed to coordinate
with upstream on the ABI issues involved with this change.
* Medium urgency in order to get a fix for openafs-krb5 weak crypto into
testing sooner
* Include fix for pam-krb5 segfault with wrong password; bump urgency to
high.
[ Russ Allbery ]
* Change libkrb5-dbg to only depend on libkrb5-3, libk5crypto3, or
libkrb5support0. All of the other packages for which it provides
debugging symbols also depend on one of those packages and always
will, so listing the disjunction of every library package is
overkill. Remove from the Depends several obsolete library packages
no longer included.
* Drop obsolete Replaces for libkadm5srv-mit7 and libkadm5clnt-mit7.
* Wrap krb5-multidev dependencies and description and shorten the short
description.
* Reformat NEWS.Debian to avoid using a bulleted list per devref.
[ Sam Hartman ]
* Link libkadm5{clnt,srv}.so specially so that the links work without
libkrb5-dev installed
-- Sam Hartman <hartmans@debian.org> Fri, 22 Jan 2010 23:35:09 -0500
krb5 (1.8+dfsg~alpha1-4) unstable; urgency=high
* Add replaces to deal with moving files from krb5-multidev to
libkrb5-dev, Closes: #565217
* This is definitely the getting all the conflicts combinations right is
tricky series of releases. Sorry about the wasted cycles.
-- Sam Hartman <hartmans@debian.org> Wed, 13 Jan 2010 19:00:37 -0500
krb5 (1.8+dfsg~alpha1-3) unstable; urgency=high
* Move files to avoid overlap between heimdal-dev and krb5-multidev,
Closes: #565132
-- Sam Hartman <hartmans@debian.org> Wed, 13 Jan 2010 04:18:32 -0500
krb5 (1.8+dfsg~alpha1-2) unstable; urgency=high
* While Kerberos 1.8 is not vulnerable to CVE-2009-4212 (the vulnerable code was removed during the 1.8 release process for code simplification and code size reasons), this is urgency high to get a version of Kerberos that fixes that integer underflow in the AES and RC4 code into testing. * For now, heimdal and MIT shared libraries for kadm5 will conflict; discussions of how to fix this are ongoing upstream, Closes: #564666 * New translations; sorry about missing them in the last upload - Vietnamese, Thanks Clytie Siddall, Closes: #548204 - Basque, Thanks Piarres Beobide, Closes: #534284 * Update standards version (no changes required) * Pull upstream changes made since alpha1 into the package. In particular this includes a fix to a bug where unkeyed checksums are accepted by the FAST KDC backend. That bug was introduced between 1.7 and 1.8 alpha1 so is only present in prior Debian packages of 1.8. See upstream tickets 6632 and 6633.
-- Sam Hartman <hartmans@debian.org> Tue, 12 Jan 2010 19:26:09 -0500
krb5 (1.8+dfsg~alpha1-1) unstable; urgency=low
* Include symlinks in libkrb5-dev too * New upstream release * Fix .so symlinks in krb5-multidev
-- Sam Hartman <hartmans@debian.org> Fri, 08 Jan 2010 22:41:23 -0500
krb5 (1.8+dfsg~aa+r23527-1) experimental; urgency=low
* MIT krb5 trunk prior to 1.8 branch
* Remove krb5-telnet, krb5-ftpd, krb5-clients, krb5-rsh-server, no
longer provided upstream. These are provided now in a separate source
distribution.
* Bring back functions needed by Samba, Closes: #531635
* I know that the symbols revisions are generating lintian warnings;
that will be cleaned up when upstream actually makes an alpha release
* Implement krb5-multidev similar to heimdal-multidev so that packages
can be built against both MIT Kerberos and Heimdal
-- Sam Hartman <hartmans@debian.org> Sun, 03 Jan 2010 17:54:04 -0500
2009
krb5 (1.7+dfsg-4) unstable; urgency=high
* cve-2009-3295, MIT-KRB5-SA-2009-003: KDC crash when failing to find
the realm of a host., Thanks 2Jakob Haufe for the report to Debian
-- Sam Hartman <hartmans@debian.org> Mon, 28 Dec 2009 10:42:32 -0500
krb5 (1.7+dfsg-3) unstable; urgency=low
* Fix typo in control file
* Exclude usr/lib/krb5/plugins from dh_makeshlibs call to deal with
behavior change in dh_makeshlibs, Closes: #558719
-- Sam Hartman <hartmans@debian.org> Sun, 29 Nov 2009 23:24:01 -0500
krb5 (1.7+dfsg-2) unstable; urgency=low
* Only picked up part of the upstream fix to #557979; upstream fully
reverted to 1.6.
-- Sam Hartman <hartmans@debian.org> Sun, 29 Nov 2009 19:34:44 -0500
krb5 (1.7+dfsg-1) unstable; urgency=low
* New upstream version, Closes: #554225 * Several fixes applied after the 1.7 release: - 6506: correctly handle keytab vs stash file - 6508: kadmind ACL parsing could reference uninitialized memory - 6509: kadmind can reference null pointer on ACL error - 6511: uninitialized memory passed to krb5_free_error in change password client path - 6514: none replay cache memory leak - 6515: profile library mutex performance improvements - 6541: memory leak in PAC verify code - 6542: Check for null characters in pkinit certs - 6543: login vs user order in ftpd sometimes wrong - 6551: Memory leak in spnego accept_sec_context error path * libkrb5-dev depends on libkadm5clnt6 (LP: #472080) * Avoid locking out accounts on PREAUTH_FAILED, Closes: #557979, (LP: #489418)
-- Sam Hartman <hartmans@debian.org> Sun, 29 Nov 2009 17:29:26 -0500
krb5 (1.7dfsg~beta3-2) UNRELEASED; urgency=low
* Update to policy 3.8.2 (no changes)
-- Sam Hartman <hartmans@debian.org> Sat, 20 Jun 2009 06:32:22 -0400
krb5 (1.7dfsg~beta3-1) unstable; urgency=low
* New upstream release
* Revert relaxation of Debian symbol versions introduced in
1.7dfsg~beta1-3
* Fix kproplog's manpage (LP: #374819)
-- Sam Hartman <hartmans@debian.org> Wed, 27 May 2009 21:15:41 -0400
krb5 (1.7dfsg~beta2-4) unstable; urgency=low
* Upstream fixes to RT #6490, Closes: #528729 - Use MS usage 9 not 8 for tgs-rep encrypted in subkey - Do not use keyed checksum with RC4; WS2003 expects it to be encrypted in the subsession key, everyone else expects the session key. Note that a keyed checksum for RC4 would work against WS2008. * Patch from Marc Dequ?nes (Duck) for HURD portability, Closes: #528828
-- Sam Hartman <hartmans@debian.org> Wed, 20 May 2009 08:57:53 -0400
krb5 (1.7dfsg~beta2-3) unstable; urgency=low
* Use correct enctype identifier in lucid security context export,
Closes: #528514
-- Sam Hartman <hartmans@debian.org> Mon, 18 May 2009 14:59:46 -0400
krb5 (1.7dfsg~beta2-2) unstable; urgency=low
* Apply upstream patch from ticket 6488 intended to fix
gss_krb5_export_lucid_sec_context and thus NFS; hopefully fixes
#528514
* Apply patch from ticket 6489 to fix UCS2 handling in RC4 string to
key and PAC routines
-- Sam Hartman <hartmans@debian.org> Thu, 14 May 2009 16:21:48 -0400
krb5 (1.7dfsg~beta2-1) unstable; urgency=low
* New Upstream release including FAST support for DES and 3DES. * Remove non-free content accidentally reintroduced in beta1, Closes: #528555 * Add strict dependency from libgssapi-krb5-2 to libkrb5-3 as discussed in #528514
-- Sam Hartman <hartmans@debian.org> Wed, 13 May 2009 14:09:31 -0400
krb5 (1.7dfsg~beta1-4) unstable; urgency=low
* When decrypting the TGS response fails with the subkey, try with the
session key to work around Heimdal bug, Closes: #527353
-- Sam Hartman <hartmans@debian.org> Thu, 07 May 2009 16:16:34 -0400
krb5 (1.7dfsg~beta1-3) unstable; urgency=low
* Relax symbol versions of symbols that exist in krb5 1.6.dfsg.2 to
1.6.dfsg.2. No software currently in Debian uses the new
functionality, and this will ease the transition because it allows
krb5 to move independently of packages that are being rebuilt. This
change will be reverted before the end of May, 2009.
-- Sam Hartman <hartmans@debian.org> Tue, 05 May 2009 09:01:17 -0400
krb5 (1.7dfsg~beta1-2) unstable; urgency=low
* Upload to unstable with permission of release team; note that this
upload will make anything that depends on libkrb53 uninstallable in
unstable. The release team will make binary only NMUs to rebuild any
such packages and they will depend on the new libraries. Packages
built since 1.6.dfsg.4~beta1-9 entered unstable should not be affected.
* Upstream change: return PREAUTH_REQUIRED not PREAUTH_FAILED on unknown
preauth type in the KDC.
* Remove a bunch of patches applied ustream from debian/patches
-- Sam Hartman <hartmans@debian.org> Mon, 04 May 2009 16:19:09 -0400
krb5 (1.7dfsg~beta1-1) experimental; urgency=low
* New upstream release
- kadmin and related commands moved to /usr/bin, Closes: #477296
- Kadmin headers are Public: Closes: #191616
- KDC supports loopback address, Closes: #478425
-- Sam Hartman <hartmans@debian.org> Wed, 22 Apr 2009 09:53:15 -0400
krb5 (1.7dfsg~alpha1-1) experimental; urgency=low
* New upstream version
-- Sam Hartman <hartmans@debian.org> Sun, 05 Apr 2009 20:46:14 -0400
krb5 (1.6.dfsg.4~beta1-13) unstable; urgency=high
* MITKRB5-SA-2009-001: Fix read-beyond-end-of-buffer DOS in SPNEGO, an
SPNEGO null pointer dereference, and incorrect length validation in
an ASN.1 decoder. (CVE-2009-0844, CVE-2009-0845, CVE-2009-0847)
* MITKRB5-SA-2009-002: ASN.1 general time decoder can free uninitialized
pointer. (CVE-2009-0846)
* Add dependency on libkrb53 from libkrb5-dev. This should make it
significantly more difficult for buildds to get out of sync. I don't
think we can do better within the constraints of this transition,
Closes: #522469
-- Sam Hartman <hartmans@debian.org> Tue, 07 Apr 2009 14:58:31 -0400
krb5 (1.6.dfsg.4~beta1-12) unstable; urgency=low
* Translation updates:
- Romanian, thanks Eddy Petrișor. (Closes: #519660)
- Finnish, thanks Esko Arajärvi. (Closes: #519741)
- Russian, thanks Sergey Alyoshin. (Closes: #519744)
- Spanish, thanks Francisco Javier Cuadrado. (Closes: #519808)
-- Russ Allbery <rra@debian.org> Fri, 27 Mar 2009 11:24:28 -0700
krb5 (1.6.dfsg.4~beta1-11) unstable; urgency=low
* Upload from the partial-krb4 branch not the master branch so we don't
break unstable.
- Restore libkrb53 and libkadm55
* Resync the aes test files from upstream to fix a line ending problem
and significantly shrink the debian diff
-- Sam Hartman <hartmans@debian.org> Fri, 13 Mar 2009 10:19:42 -0400
krb5 (1.6.dfsg.4~beta1-10) unstable; urgency=low
* Add Homepage control field.
* Add ${misc:Depends} to dependencies for all packages.
* Expand the packages that satisfy the libkrb5-dbg dependency.
* Include a few more details about the differences between the various
library packages in their long descriptions and fix some whitespace
inconsistencies. Thanks, Gerfried Fuchs. (Closes: #519403)
* Remove empty usr/include/kerberosIV directory in libkrb5-dev.
* Use set -e instead of #!/bin/sh -e for all maintainer scripts.
* Use which without a path to check for update-inetd.
* Improve the leading comment in /etc/default/krb5-kdc.
* Remove unnecessary section override for krb5-pkinit.
* Update to debhelper compatibility level V7.
- Use dh_lintian to install Lintian overrides.
- Use dh_prep instead of dh_clean -k.
* Update standards version to 3.8.1 (no changes required).
* Fix superfluous space in the krb5-kdc debconf templates and unfuzzy
translations. Thanks, Helge Kreutzmann. (Closes: #518403)
* Translation updates:
- French, thanks Christian Perrier. (Closes: #518221)
- Japanese, thanks TANAKA Atushi. (Closes: #518345)
- Swedish, thanks Martin Bagge. (Closes: #518347)
- German, thanks Helge Kreutzmann. (Closes: #518402)
- Czech, thanks Miroslav Kure. (Closes: #518993)
- Portuguese, thanks Miguel Figueiredo. (Closes: #519000)
- Italian, thanks Luca Monducci. (Closes: #519178)
- Galician, thanks Marce Villarino. (Closes: #519481)
-- Russ Allbery <rra@debian.org> Thu, 12 Mar 2009 18:00:31 -0700
krb5 (1.6.dfsg.4~beta1-9) unstable; urgency=medium
* Fix typo in downgrade instructions in NEWS file. * Fix override for libkadm55 * Upload to unstable.
-- Sam Hartman <hartmans@debian.org> Sun, 01 Mar 2009 15:33:58 -0500
krb5 (1.6.dfsg.4~beta1-8) experimental; urgency=low
* Re-introduce libkrb53 and libkadm55 based on discussion on
debian-devel; in this version, libkrb53 contains only libkrb4. Both
libkrb53 and libkadm55 depend on the split library packages. These
dependencies are unversioned; that means that before any symbols are
added the shlibs files need to be repointed away from libkrb53 and
libkadm55. Any version of the split library packages can satisfy the
symbols needed by the libraries previously shipped in libkrb53.
* Perform two builds; one without krb4 and one with krb4 for the only
warnings; they will go away when the shlibs files are repointed.
* Remove krb4 support from debconf and init scripts.
* Remove the krb4 migration guide from doc-base
* Fix up replaces in control file so that libraries that used to be in
libkadm55 claim to replace libkadm55
* Only use parallel builds on the krb5 build; it breaks krb4 enabled
builds.
* Used versioned replaces; this seems to make it harder to get a system
into a broken state if you remove the new packages, Closes: #517483
-- Sam Hartman <hartmans@debian.org> Sat, 28 Feb 2009 00:42:51 -0500
krb5 (1.6.dfsg.4~beta1-7) experimental; urgency=low
* Do not build krb4 support; this is being removed upstream with 1.7 and
it is strongly desirable to examine the debian implications.
* As a result, the libraries which were previously all in libkrb53 need
to change package names as we are dropping some libraries. So, split
out the libraries into lib<libraryname>-<soname> per policy. The old
format was consistent with policy when it was written 8 years ago, and
has lasted well. As a result, a significant number of new library
packages are introduced.
* Use dpkg-gensymbols support for .symbols files for better version tracking
* Update to policy 3.8.0
- Support parallel=
-- Sam Hartman <hartmans@debian.org> Fri, 20 Feb 2009 16:57:43 -0500
krb5 (1.6.dfsg.4~beta1-6) unstable; urgency=low
* In the krb5-install info pages, document the need to create an empty
database on new slaves before the first database propagation to work
around a bug in kdb5_util. This is a workaround for Bug#512670, which
won't be fixed in time for the lenny release.
-- Russ Allbery <rra@debian.org> Sun, 01 Feb 2009 10:07:37 -0800
2008
krb5 (1.6.dfsg.4~beta1-5) unstable; urgency=low
* Correct the actions of krb5_newrealm in its man page. It doesn't
create a keytab for kadmind since kadmind no longer needs one.
Mention that it does create a stash file and that it starts the KDC
and kadmind daemons. Thanks, David Medberry. (Closes: #504126)
* Translation updates:
- Spanish, thanks Ignacio Mondino. (Closes: #504766)
-- Russ Allbery <rra@debian.org> Mon, 29 Dec 2008 22:21:21 -0800
krb5 (1.6.dfsg.4~beta1-4) unstable; urgency=low
[ Russ Allbery ]
* Translation updates:
- Swedish, thanks Martin Bagge. (Closes: #487669, #491774)
- Italian, thanks Luca Monducci. (Closes: #493962)
[ Sam Hartman ]
* Translation Updates:
- Dutch, Thanks Vincent Zweije, Closes: #495733
-- Sam Hartman <hartmans@debian.org> Thu, 21 Aug 2008 10:41:41 -0400
krb5 (1.6.dfsg.4~beta1-3) unstable; urgency=low
* Set length to 0 on no-salt ldap keys so they do not crash; uupstream
ticket 5545, Closes: #480523
* Swedish translations, thanks Martin Bagge, Closes: #487563
-- Sam Hartman <hartmans@debian.org> Sun, 22 Jun 2008 23:00:37 -0400
krb5 (1.6.dfsg.4~beta1-2) unstable; urgency=low
[ Russ Allbery ]
* Translation updates:
- Japanese, thanks TANAKA, Atushi.
- Russian, thanks Sergey Alyoshin. (Closes: #485473)
- Brazilian Portuguese, thanks Eder L. Marques. (Closes: #485613)
- Romanian, thanks Eddy Petrișor. (Closes: #484996)
[ Sam Hartman ]
* Upload 1.6.4 beta 1 to unstable. As best I can tell evaluating the
changes this is a strict improvement over 1.6.3 even though it is
still a beta version. There is not an ABI change ; backing out would
be relatively easy.
* Patch from Bryan Kadzban to look inside spnego union_creds when
looking for a specific mechanism cred. This allows spnego creds to be
used when copying out to a ccache after delegation, Closes: #480434
* Ksu now calls krb5_verify_init_creds rather than using its own custom
logic because that is correct and so it can take advantage of the
following change.
* krb5_verify_init_creds uses the default realm if it gets a referral
realm as input for server, Closes: #435427
* Add -D_FORTIFY_SOURCE=2 and -fstack-protector on ia32 and x86_64 at
the request of Moritz Muehlenhoff ; he was unsure that adding these
flags on other platforms would be a good idea. I'd be happy to expand
the list at the request of port maintainers, Closes: #484371
* Fix KDC purge code introduced in previous revision.
-- Sam Hartman <hartmans@debian.org> Mon, 16 Jun 2008 09:29:00 -0400
krb5 (1.6.dfsg.4~beta1-1) experimental; urgency=low
[ Russ Allbery ]
* Do not translate the Kerberos v4 modes. They are literal strings
passed to the Kerberos KDC as arguments to the -4 option. Comment
mentions of those strings in the debconf template so that
translators know this.
* Rather than prompting at installation time for whether the KDC
database should be deleted on purge, prompt in prerm when the package
is being removed for whether the database should be deleted.
* Translation updates:
- Galician, thanks Jacobo Tarrio. (Closes: #482324)
- French, thanks Christian Perrier. (Closes: #482326)
- Vietnamese, thanks Clytie Siddall. (Closes: #482362)
- Basque, thanks Piarres Beobide. (Closes: #482376)
- Czech, thanks Miroslav Kure. (Closes: #482428)
- German, thanks Helge Kreutzmann. (Closes: #482366)
- Spanish, thanks Diego D'Onofrio.
- Finnish, thanks Esko Arajärvi. (Closes: #482682)
- Portuguese, thanks Miguel Figueiredo. (Closes: #483049)
[ Sam Hartman ]
* Remove extra space in debian/rules so upstream configure scripts can
work.
* Upgrade to 1.6.4 beta 1.
* Upstream includes several fixes to bugs that were assigned CVE
numbers; upstream does not actually consider these security issues and
no advisory was issued, but they are included here for the benefit of
the security team in case anyone asks. Closes: #454974
- fix CVE-2007-5972: double fclose() in krb5_def_store_mkey()
- fix CVE-2007-5971: double-free in gss_krb5int_make_seal_token_v3()
- fix CVE-2007-5902: integer overflow in svcauth_gss_get_principal()
- fix CVE-2007-5971: free of non-heap pointer in gss_indicate_mechs()
- fix CVE-2007-5894: apparent uninit length in ftpd.c:reply()
-- Sam Hartman <hartmans@debian.org> Sat, 31 May 2008 10:53:21 -0400
krb5 (1.6.dfsg.3-2) unstable; urgency=low
* kdc.conf was previously in krb5-doc, not uninstalled. Properly
handle moving it to the krb5-kdc package. (Closes: #480452)
* Include libkdb-ldap1 in krb5-kdc-pkinit, install it into a private
directory (/usr/lib/krb5) rather than directly in /usr/lib, and use an
RPATH in kdb5_ldap_util and the plugin to find the library. Drop the
libkdb-ldap1 library package. This library isn't intended to be used
by any software outside of the KDC plugin and utility. Thanks,
Bastian Blank. (Closes: #479384)
* Load defaults for debconf configuration of krb5-admin-server and
krb5-kdc from the /etc/default files if they exist. Thanks, Bastian
Blank. (Closes: #479404)
* Preserve DAEMON_ARGS settings in /etc/default/krb5-admin-server and
/etc/default/krb5-kdc even if debconf configuration is enabled.
* Don't require that a stash file be created in /etc/init.d/krb5-kdc.
Stash files are optional. (Closes: #479457)
* Error out instead of silently existing if debconf's confmodule cannot
be loaded. Given that we depend on debconf, if this fails, something
serious went wrong and we shouldn't ignore it.
* Use /bin/which instead of command -v to check for update-inetd.
* Unconditionally remove kpropd's inetd.conf entry in the postrm of
krb5-kdc rather than special-casing remove and deconfigure.
* Add 256-bit AES and RC4 keys to the default kdc.conf, the first
because it's the strongest enctype currently supported and the second
for Windows compatibility. Improve the README.KDC enctype
documentation.
* Install kerberos.ldif and kerberos.schema in krb5-kdc-ldap as
documentation. Thanks, Bastian Blank. (Closes: #479239)
-- Russ Allbery <rra@debian.org> Fri, 09 May 2008 20:27:16 -0700
krb5 (1.6.dfsg.3-1) unstable; urgency=low
* Final upstream 1.6.3 release.
* Package the LDAP plugin for the KDC, which allows one to use an LDAP
server to store the KDC database. Install the krb5-kdc-ldap package
for the plugin. (Closes: #453113)
* If krb5-config/default_realm isn't set, use EXAMPLE.COM as the realm
so that the kdc.conf will at least be syntactically valid (but will
still require editing). (Closes: #474741)
* krb5-kdc explicitly depends on krb5-config since it relies on debconf
variables set by that package.
* Always stop krb524d on /etc/init.d/krb5-kdc stop even if the
configuration has been changed to no longer run it. Thanks, Bastian
Blank. (Closes: #477294)
* Install the kdc.conf man page. (Closes: #477307)
* krb5-kdc no longer depends on update-inetd and inet-superserver and
instead just suggests openbsd-inetd | inet-superserver and
conditionally adds the commented-out kpropd example if update-inetd is
available. krb5-admin-server doesn't need inet-superserver at all.
Thanks, Bastian Blank. (Closes: #477301)
* Change the doc-base sections to System/Security.
* Correctly mangle the version in the watch file.
* Remove conflicts with packages already not present in oldstable.
* Remove versioned build-dependencies satisfied by oldstable.
* Remove versioned Replaces for versions older than oldstable.
-- Russ Allbery <rra@debian.org> Sun, 27 Apr 2008 20:39:36 -0700
krb5 (1.6.dfsg.3~beta1-4) unstable; urgency=emergency
* MITKRB5-SA-2008-001: When Kerberos v4 support is enabled in the KDC,
malformed messages may result in NULL pointer use, double-frees, or
exposure of information. (CVE-2008-0062, CVE-2008-0063)
* MITKRB5-SA-2008-002: If the file descriptor limit is larger than
FD_SETSIZE and kadmind has more open connections than FD_SETSIZE, an
array overrun and memory corruption may result. (CVE-2008-0947)
-- Russ Allbery <rra@debian.org> Fri, 07 Mar 2008 18:53:59 -0800
krb5 (1.6.dfsg.3~beta1-3) unstable; urgency=low
* Apply cross-build patch from Neil Williams. (Closes: #465294) * Document in comments that configuration management via debconf should be disabled before making manual changes to /etc/default/krb5-kdc and /etc/default/krb5-admin-server. (Closes: #443326) * Support DAEMON_ARGS in /etc/default/krb5-admin-server for kadmind. Thanks, Dwayne Litzenberger. (Closes: #443331) * Don't stop the servers in runlevel S. This isn't a real runlevel and cannot be switched to, so the links are extraneous. * Use binary:Version instead of Source-Version in debian/control. * Depend on openbsd-inetd | inet-superserver instead of on update-inetd, since inetd implementations may provide their own update-inetd. * Improve quoting and formatting in the postinsts for krb5-kdc and krb5-admin-server. Error on failure to load debconf, since we do depend on it. Support reconfigure. * Fix file locations in the krb524 doc-base control file. * Add the info documentation to all doc-base control files. * Fix a variety of man page errors uncovered by man --warnings. * Wrap Depends and Conflicts fields in debian/control. * dpkg-dev now compresses duplicate relations, so no need for lintian overrides. * Add an override for the empty plugin directory in libkrb53. * Update standards version to 3.7.3 (no changes required). * Translation updates: - Finnish, thanks Esko Arajärvi. (Closes: #451146) - Dutch, thanks Vincent Zweije. (Closes: #460589)
-- Russ Allbery <rra@debian.org> Mon, 18 Feb 2008 20:53:08 -0800
2007
krb5 (1.6.dfsg.3~beta1-2) unstable; urgency=low
* Move pkinit into a new package krb5-pkinit. We don't want pkinit to
always be installed because this pulls in an openssl dependency and
most people don't need it. However we want the plugin available when
needed, Closes: #444938
* I had hoped to wait for the upstream release, but that is being a bit slow.
-- Sam Hartman <hartmans@debian.org> Thu, 18 Oct 2007 17:03:27 -0400
krb5 (1.6.dfsg.3~beta1-1) unstable; urgency=low
* New Upstream release
- Fix krb5_set_default_tgs_enctypes, Closes: #413838
-- Sam Hartman <hartmans@debian.org> Mon, 01 Oct 2007 21:21:59 -0400
krb5 (1.6.dfsg.1-7) unstable; urgency=emergency
* mit-sa-2007-6:
- CVE 2007-3999 rpc library buffer overflow
- CVE 2007-uninitialized kadmin pointer
-- Sam Hartman <hartmans@debian.org> Tue, 04 Sep 2007 15:06:51 -0400
krb5 (1.6.dfsg.1-6) unstable; urgency=low
* Don't depend on libkeyutils-dev on non-Linux architectures. Thanks,
Petr Salinger. (Closes: #430215)
* Restore support for the RUN_KADMIND setting as written by debconf.
Thanks, Christoph Neerfeld. (Closes: #429535)
* Wrap the build-depends line now that dpkg in oldstable supports this.
* Update debconf templates and debian/control long package descriptions
as suggested by the debian-l10n-english team as part of the Smith
review project. Thanks to Christian Perrier for the coordination
work. (Closes: #428195)
* Debconf translation updates:
- Galician, thanks Jacobo Tarrio. (Closes: #429511)
- Portuguese, thanks Miguel Figueiredo. (Closes: #429592)
- Basque, thanks Piarres Beobide. (Closes: #429637)
- Japanese, thanks TANAKA, Atushi. (Closes: #429844)
- Vietnamese, thanks Clytie Siddall. (Closes: #429907)
- German, thanks Helge Kreutzmann. (Closes: #430561)
- Czech, thanks Miroslav Kure. (Closes: #431203)
- Russian, thanks Yuri Kozlov. (Closes: #431247)
- French, thanks Christian Perrier.
-- Russ Allbery <rra@debian.org> Sun, 15 Jul 2007 20:58:07 -0700
krb5 (1.6.dfsg.1-5) unstable; urgency=emergency
* MIT-SA-2007-4: The kadmin RPC library can free an uninitialized
pointer or write past the end of a stack buffer. This may lead to
execution of arbitrary code. (CVE-2007-2442, CVE-2007-2443)
* MIT-SA-2007-5: kadmind is vulnerable to a stack buffer overflow that
may lead to execution of arbitrary code. (CVE-2007-2798)
-- Russ Allbery <rra@debian.org> Wed, 13 Jun 2007 13:07:44 -0700
krb5 (1.6.dfsg.1-4) unstable; urgency=low
* Make --deps switch to krb5-config include dependent libraries; otherwise do not, Closes: #422985 * Include copyright statement for remaining IETF draft, Closes: #393380
-- Sam Hartman <hartmans@debian.org> Sun, 13 May 2007 16:28:56 -0400
krb5 (1.6.dfsg.1-3) unstable; urgency=low
* Upstream bug #5552: krb5_get_init_creds needs to not dereference
gic_opts if it is null. Instead, assume that it is default options,
Closes: #422687
-- Sam Hartman <hartmans@debian.org> Tue, 8 May 2007 14:46:55 -0400
krb5 (1.6.dfsg.1-2) unstable; urgency=low
* Fix shlibdeps to reflect 1.6.dfsg.1 instead of 1.6.1 * Upload 1.6 to unstable
-- Sam Hartman <hartmans@debian.org> Thu, 3 May 2007 20:23:47 -0400
krb5 (1.6.dfsg.1-1) experimental; urgency=low
* Oops, I failed to understand how the version numbers work. Since 1.6.1 is less than 1.6.dfsg, the version numbering is going to be a bit screwy for the 1.6 series. We will use 1.6.dfsg.1 for 1.6.1. * Update to update-inetd dependency, Closes: #420748
-- Sam Hartman <hartmans@debian.org> Sun, 29 Apr 2007 08:59:28 -0400
krb5 (1.6.1.dfsg-1) experimental; urgency=low
* Depend on keyutils-lib-dev so we consistently get keyring cache support * New Portuguese translation, thanks Miguel Figueiredo , Closes: #409318 * New Upstream release - Update shlibs for new API * Fix handling of null realm in krb5_rd_req_decoded; now we treat a null realm as a default realm there.
-- Sam Hartman <hartmans@debian.org> Sat, 28 Apr 2007 16:21:03 -0400
krb5 (1.6.dfsg-1) experimental; urgency=low
* New 1.6 release from upstream. * Update copyright
-- Sam Hartman <hartmans@debian.org> Thu, 1 Feb 2007 22:26:08 -0500
2006
krb5 (1.6.dfsg~alpha1-1) experimental; urgency=low
* New upstream release * Remove IETF RFCs, Closes: #393380 * Update copyright file based on new copyrights upstearm
-- Sam Hartman <hartmans@debian.org> Wed, 22 Nov 2006 10:28:13 -0500
krb5 (1.4.4-8) unstable; urgency=emergency
* MIT-SA-2007-1: telnet allows login as an arbitrary user when
presented with a specially crafted username; CVE-2007-0956
* krb5_klog_syslog has a trivial buffer overflow that can be exploited
by network data; CVE-2007-0957. The upstream patch is very intrusive
because it fixes each call to syslog to have proper length checking as
well as the actual krb5_klog_syslog internals to use vsnprintf rather
than vsprintf. I have chosen to only include the change to
krb5_klog_syslog for sarge. This is sufficient to fix the problem but
is much smaller and less intrusive. (MIT-SA-2007-2)
* MIT-SA-2007-3: The GSS-API library can cause a double free if
applications treat certain errors decoding a message as errors that
require freeing the output buffer. At least the gssapi rpc library
does this, so kadmind is vulnerable. Fix the gssapi library because
the spec allows applications to treat errors this way. CVE-2007-1216
* New Japanese translation, thanks TANAKA Atushi, Closes: #414382
-- Sam Hartman <hartmans@debian.org> Sun, 11 Mar 2007 19:08:52 -0400
krb5 (1.4.4-7) unstable; urgency=low
* Translation updates:
- New Portuguese translation, thanks Rui Branco. (Closes: #409318)
-- Russ Allbery <rra@debian.org> Wed, 21 Feb 2007 15:23:08 -0800
krb5 (1.4.4-6) unstable; urgency=emergency
* MIT-SA-2006-2: kadmind and rpc library call through function pointer
to freed memory (CVE-2006-6143). Null out xp_auth unless it is
associated with an rpcsec_gss connection.
-- Sam Hartman <hartmans@debian.org> Thu, 4 Jan 2007 16:07:02 -0500
krb5 (1.4.4-5) unstable; urgency=low
* Translation updates:
- New Spanish translation, thanks Fernando Cerezal. (Closes: #402986)
-- Russ Allbery <rra@debian.org> Sun, 17 Dec 2006 17:18:05 -0800
krb5 (1.4.4-4) unstable; urgency=low
* Remove the check for pthread_mutexattr_setrobust_np in the thread
initialization code. This was only needed on Solaris 9 and has been
removed upstream, and was causing FTBFS with glibc 2.5. Thanks,
Martin Pitt. (Closes: #396166)
* Translation updates:
- New Romanian translation, thanks stan ioan-eugen. (Closes: #395347)
-- Russ Allbery <rra@debian.org> Sun, 5 Nov 2006 21:32:17 -0800
krb5 (1.4.4-3) unstable; urgency=low
* Don't require the presence of debconf during the postrm. Thanks to
Bill Allombert for the report. (Closes: #388784)
* Fix uses of hyphens instead of minus signs in the man pages.
-- Russ Allbery <rra@debian.org> Fri, 22 Sep 2006 14:57:34 -0700
krb5 (1.4.4-2) unstable; urgency=low
* Patch from Alejandro R. Sedeno to allow 32-bit and 64-bit krb4 ticket
files to be used on the same system. Similar to a patch included in
MIT Kerberos 1.5 but backported because of missing byte order macros.
-- Sam Hartman <hartmans@debian.org> Wed, 20 Sep 2006 22:51:59 -0400
krb5 (1.4.4-1) unstable; urgency=low
* New upstream release.
* Stop using --exec to start and stop services since then services will
not be stopped properly during an upgrade. (Closes: #385039)
* Rewrite the init scripts to include LSB information and to use the LSB
logging functions. krb5-kdc and krb5-admin-server now depend on
lsb-base (>= 3.0-6) for the LSB functions.
-- Russ Allbery <rra@debian.org> Fri, 1 Sep 2006 20:45:59 -0700
krb5 (1.4.4~beta1-1) unstable; urgency=low
* New upstream version including several memory leak fixes * Install upstream changelog
-- Sam Hartman <hartmans@debian.org> Wed, 16 Aug 2006 16:45:56 -0400
krb5 (1.4.3-9) unstable; urgency=high
* Add error checking to setuid, setreuid to avoid local privilege
escalation ; fixes krb5-sa-2006-1, CVE-2006-3084, CVE-2006-3083
* Update standards version to 3.7.2 (no changes required).
* Translation updates.
- Russian, thanks Yuri Kozlov. (Closes: #380303)
-- Sam Hartman <hartmans@debian.org> Sun, 6 Aug 2006 17:12:40 -0400
krb5 (1.4.3-8) unstable; urgency=low
* Defer seeding of the random number generator in kadmind until after
forking and backgrounding, since otherwise blocking on /dev/random may
block system startup. (Closes: #364308)
* Update config.{guess,sub}. (Closes: #373727)
* Better fix for error handling of a zero-length keytab. Thanks,
Rainer Weikusat.
-- Russ Allbery <rra@debian.org> Sun, 16 Jul 2006 08:59:20 -0700
krb5 (1.4.3-7) unstable; urgency=low
* Fix double free caused by a zero-length keytab. Thanks, Steve
Langasek. (Closes: #344295)
* Fix segfault in krb5_kuserok if the local name doesn't correspond to a
local account. (Discovered in bug #354133.)
* Build a separate libkrb5-dbg package containing the detached debugging
information for libkrb53 and libkadm55.
* Update debhelper compatibility level to V5 since the dh_strip behavior
around debug packages changes in V5 and we should use the current
interface from the beginning.
* Translation updates.
- Dutch, thanks Vincent Zweije. (Closes: #360444)
- Galician, thanks Jacobo Tarrio. (Closes: #361809)
-- Russ Allbery <rra@debian.org> Sat, 15 Apr 2006 16:22:01 -0700
krb5 (1.4.3-6) unstable; urgency=low
* Assume krb5 in krb5_gss_canonicalize_name if the null mechanism is
passed in. Fixes a segfault in racoon from ipsec-tools. Thanks,
Daniel Kahn Gillmor. (Closes: #351877)
* v5passwdd is gone, so remove the debconf template, the prompts, and
the code to start and stop it from the init script. Thanks, Greg
Folkert.
* Fix incorrect option names in krb5.conf(5). Thanks, Martin v.
Loewis. (Closes: #347643)
* Translation updates.
- Danish, thanks Claus Hindsgaul. (Closes: #350041)
-- Russ Allbery <rra@debian.org> Tue, 21 Feb 2006 23:25:34 -0800
2005
krb5 (1.4.3-5) unstable; urgency=medium
* Configure with --enable-shared --enable-static so that libkrb5-dev
gets static libraries.
* Fix double free in getting credentials, Closes: #344543
-- Sam Hartman <hartmans@debian.org> Sun, 25 Dec 2005 21:59:47 -0500
krb5 (1.4.3-4) unstable; urgency=high
* Fix problem when libpthreads is dynamically loaded into a program
causing mutexes to sometimes be used and sometimes not be used. If
the library starts out without threads support it will never start
using threads support; doing anything else causes hangs.
-- Sam Hartman <hartmans@debian.org> Fri, 16 Dec 2005 18:16:53 -0500
krb5 (1.4.3-3) unstable; urgency=low
* Additional internal pthread symbols have to be declared weak on Hurd.
Thanks, Michael Banck. (Closes: #341608)
* Build on GNU/kFreeBSD. Thanks, Petr Salinger. (Closes: #261712)
* Change the default KDC enctype to 3DES to match upstream (the
difference was probably a mismerge).
* Remove /etc/default/krb5-admin-server on purge. (Closes: #333161)
* Document the behavior of klogind and kshd if the user has no .k5login
file. Remove vestigial .rhosts references. (Closes: #250966)
* Document krb5-rsh-server authorization defaults in README.Debian.
* Enable kinit -a to match the man page. (Closes: #232431)
* Remove the patch to tightly bind libkrb4 to libdes425. This should no
longer be necessary with symbol versioning.
* Upstream has removed the file with questionable licensing, so the
upstream tarball is no longer repacked. Remove the get-orig-source
target in debian/rules and the notes in copyright and README.Debian.
* Add a watch file.
* Translation updates.
- German, thanks jens. (Closes: #330925)
-- Russ Allbery <rra@debian.org> Sun, 4 Dec 2005 11:37:40 -0800
krb5 (1.4.3-2) unstable; urgency=low
* Conflict with libauthen-krb5-perl (<< 1.4-5) because of krb5_init_ets.
* Update uploader address.
* Conflict with libapache-mod-auth-kerb because it accesses library
internals in a way that breaks.
-- Sam Hartman <hartmans@debian.org> Wed, 30 Nov 2005 22:33:47 -0500
krb5 (1.4.3-1) experimental; urgency=low
* New upstream release. * Install ac_check_krb5 for use by aclocal.
-- Sam Hartman <hartmans@debian.org> Sat, 19 Nov 2005 16:20:56 -0500
krb5 (1.4.2-1) UNRELEASED; urgency=low
* New upstream version. (Closes: #293077) - kadmind4, v5passwdd, and v5passwd are no longer included. - Increase the libkrb53 shlibs version dependency. Programs linked against this version will not work with an older libkrb53. - Rebuild should fix link problems on powerpc. (Closes: #329709) * Re-enable optimization on m68k to stop hiding the toolchain problem. * Don't build crypto code -O3. It uncovers too many gcc bugs. * Fix compilation on Hurd. Thanks, Michael Banck. (Closes: #324305) * Always initialize the output token in gss_init_sec_context, even with an unknown mechanism. (Closes: #311977) * rcp should fall back to /usr/bin/netkit-rcp, not /usr/bin/rpc. * Add the missing shared library depends for libkadm55. * Use dh_install rather than dh_movefiles and enable --fail-missing to be sure to pick up any new upstream files. * Avoid test -a in maintainer scripts. * Expand and reformat the documentation and sample kdc.conf file. * Add a doc-base file for the krb425 migration guide. * Ignore lintian warnings about the library package names. We'll fix them the next time upstream changes SONAMEs. * Conflict with packages that used internal symbols not part of the public ABI * Use "MIT Kerberos" rather than krb5 in the krb5-doc short description. * Remove the saved patches that have been applied upstream or are no longer applied to the package, update the remaining patches, and move them into debian/patches. * Break out the other patches of interest for ease submitting them upstream. * Translation updates. - Vietnamese, thanks Clytie Siddall. (Closes: #319704)
-- Russ Allbery <rra@stanford.edu> Thu, 22 Sep 2005 17:08:58 -0700
krb5 (1.3.6-5) unstable; urgency=high
* Disable optimization on m68k to attempt to work around a gcc 4.0 bug.
-- Russ Allbery <rra@stanford.edu> Sun, 14 Aug 2005 22:26:00 -0700
krb5 (1.3.6-4) unstable; urgency=high
[ Russ Allbery ]
* Fix a mistake in variable names that caused the package to be built
without optimization.
* Allow whitespace before comments in krb5.conf. Thanks, Jeremie
Koenig. (Closes: #314609)
* GCC 4.0 compile fixes, thanks Daniel Schepler. (Closes: #315618)
* Avoid "say yes" in debconf templates. (Closes: #306883)
* Update Czech translation, thanks Miroslav Kure.
* Update French translation, thanks Christian Perrier. (Closes: #307748)
* Update Portuguese (Brazil) translation, thanks André Luís Lopes.
* New Vietnamese translation, thanks Clytie Siddall. (Closes: #312172)
* Update standards version to 3.6.2 (no changes required).
* DAK can now handle not repeating maintainers in uploaders.
[ Sam Hartman ]
* Fix double free in krb5_recvauth; critical because it is in the code
path for kpropd and may allow arbitrary code execution.
(CAN-2005-1689)
* krb5_unparse_name overflows allocated storage by one byte on 0 element
principal name. (CAN-2005-1175, VU#885830)
* Do not free unallocated storage in the KDC's TCP request handling
path. (CAN-2005-1174, VU#259798)
-- Sam Hartman <hartmans@debian.org> Tue, 12 Jul 2005 15:45:14 -0400
krb5 (1.3.6-3) unstable; urgency=low
* krb5-kdc: Install a commented-out line for kpropd with update-inetd.
Add dependency on netbase for update-inetd. (Closes: #293182)
* krb5-kdc: Ask with debconf whether the user wishes to delete the KDC
database on purge, modelled after how postgresql handles the same
situation. (Closes: #289358)
* Close leak in the arcfour crypto support. Thanks, fumihiko kakuma.
(Closes: #244595)
* krb5-config should never return -I/usr/include. (Closes: #165521)
* Write manual pages for fakeka, krb524init, kadmind4, and v5passwdd.
Backport from upstream the manual pages for krb5-config and krb524d.
(Closes: #78953, #96437)
* Fix paths in manual pages to match the Debian defaults. Fix service
in the inetd.conf example in the kpropd man page to work with Debian
/etc/services. (Closes: #157736)
* Fix references to kerberos(1) in the rlogin and kinit man pages and
include kerberos.1 in krb5-doc. (Closes: #154381, #154384)
* Add more detailed information about each package to the extended
descriptions. (Closes: #135517)
* krb5-doc: Include info pages. (Closes: #292512)
* krb5-doc: Fix two minor variable name problems in the texinfo docs.
* Let dh_installdebconf set the debconf dependency.
* Update standards version to 3.6.1.
- Support noopt in DEB_BUILD_OPTIONS.
- Let debhelper take care of calling ldconfig appropriately.
- Remove calls to dh_undocumented.
- Remove lintian overrides for links to the undocumented man page.
- Install kdc.conf template in /usr/share/krb5-kdc rather than
/usr/share/krb5 (policy 10.7.3 states the directory should be named
after the package).
- Symlink the kdc.conf template to /usr/share/doc/krb5-kdc/examples
per policy 10.7.3 since it's also a useful example.
* Update debhelper compatibility level to V4.
- Remove all *.conffiles control files. They're no longer needed.
* rules generally cleaned up. Commented out and unused debhelper programs
removed as the set being run wasn't comprehensive anyway. Invocation
order now matches the debhelper examples.
* Removed (s) from copyright to make lintian happier.
* Removed unnecessary lintian override for libkrb53.
* Add lintian overrides for the duplicate dependencies on krb5 libraries.
-- Russ Allbery <rra@stanford.edu> Sat, 16 Apr 2005 14:12:08 -0700
krb5 (1.3.6-2) unstable; urgency=high
* Package priority to standard * Fix buffer overflow in slc_add_reply in telnet.c (CAN-2005-0469) * Fix telnet.c env_opt_add buffer overflow (CAN-2005-0468) * Note that both of these vulnerabilities are client-side vulnerabilities that can be exploited only by a server.
-- Sam Hartman <hartmans@debian.org> Sun, 3 Apr 2005 23:49:08 -0400
krb5 (1.3.6-1) unstable; urgency=medium
* New upstream version
* Changing a password afwter the size of password history has been
reduced may double free or write past end of an arry; fix
(CAN-2004-1189 / CERT VU#948033)
* Conflict between krb5-kdc and kerberos4kth-kdc; also deals with
krb5-admin-server conflict indirectly, Closes: #274763
-- Sam Hartman <hartmans@debian.org> Sun, 2 Jan 2005 15:55:25 -0500
2004
krb5 (1.3.5-1) unstable; urgency=low
* New pt_br debconf translation, Cluses: #278734 * New upstream version * Part of the fix to #261712: allow ftpd to build on gnu/bsd
-- Sam Hartman <hartmans@debian.org> Fri, 26 Nov 2004 18:44:02 -0500
krb5 (1.3.4-4) unstable; urgency=high
* Fix what is hopefully the last remnant of the patch to gettextize the
debconf without making the code consistent, thanks Thimo Neubauer,
Closes: #271456
* Fix krb5_newrealm man page to better describe dependencies, thanks
Rachel Elizabeth Dillon , Closes: #269685
-- Sam Hartman <hartmans@debian.org> Mon, 13 Sep 2004 11:36:38 -0400
krb5 (1.3.4-3) unstable; urgency=high
* Initial Czech translations thanks to Miroslav Kure, Closes: #264366 * Updated French debconf translation, thanks Martin Quinson, Closes: #264941 * KDC and clients double-free on error conditions (CAN-2004-0642 VU#795632) *krb5_rd_cred() double-frees on error conditions(CAN-2004-0643 , CERT VU#866472 ) * ASN.1 decoder in MIT Kerberos 5 releases krb5-1.3.4 and earlier allows unauthenticated remote attackers to induce infinite loop, causing denial of service, including in KDC code (CAN-2004-0644 , CERT VU#550464) * Fix double free in krb524d handling of encrypted ticket contents (CAN-2004-0772)
-- Sam Hartman <hartmans@debian.org> Tue, 31 Aug 2004 13:04:51 -0400
krb5 (1.3.4-2) unstable; urgency=low
* Fix doc-base files, Closes: #262916
-- Sam Hartman <hartmans@debian.org> Wed, 4 Aug 2004 13:08:53 -0400
krb5 (1.3.4-1) unstable; urgency=low
* New upstream version
* Update krb5-doc to include pointers to the right html documents,
Closes: #203321
* Patches to find res_search on amd64 and to include new Debian ports in
shared library building, Closes: #261712
* Install default file for krb5-admin-server, Closes: #262428
* Patch from Russ Allbery to only prompt for a password once in krb4
when null is passed in to krb_get_in_pw_tkt, Closes: #262192
* New pt_br translation, thanks Andre Luis Lopes, Closes: #254115
* New French translation, thanks Christian Perrier, closes: #253685
-- Sam Hartman <hartmans@debian.org> Sat, 31 Jul 2004 12:12:44 -0400
krb5 (1.3.3-2) unstable; urgency=high
* Fix buffer overflow in krb5_aname_to_localname; potential remote root
exploit in some fairly limited circumstances. You are not vulnerable
unless you have enabled aname_to_lname rules in krb5.conf (CAN-2004-0523)
* Fix kadmind template formatting, thanks Christian Perrier
-- Sam Hartman <hartmans@debian.org> Sat, 5 Jun 2004 16:57:44 -0400
krb5 (1.3.3-1) unstable; urgency=low
* New upstream version
* Gettextize my debconf templates, thanks Martin Quinson , Closes:
#236176
* Don't remove /etc/krb5.conf on libkrb53 purge
-- Sam Hartman <hartmans@debian.org> Tue, 13 Apr 2004 20:04:37 -0400
krb5 (1.3.2-2) unstable; urgency=low
* Don't check for /etc/krb5kdc/kadm5.keytab, Closes: #235966 * Fix dangling symlink, Closes: #203622
-- Sam Hartman <hartmans@debian.org> Sun, 14 Mar 2004 20:46:27 -0500
krb5 (1.3.2-1) unstable; urgency=low
* New Upstream Release, Closes: #223485 * Includes upstream patch to ignore unknown address families, Closes: #206851 * Include note that encrypted services are not enabled, Closes: #232115 * Up shlib deps because of new features in auth context
-- Sam Hartman <hartmans@debian.org> Sun, 29 Feb 2004 09:36:27 -0500
krb5 (1.3-3) unstable; urgency=low
* Don't clear the key schedule so krb4 callers can use it, Closes: #203566 * Use alternatives system for rcp, Closes: #218392
-- Sam Hartman <hartmans@debian.org> Tue, 3 Feb 2004 14:07:12 -0500
2003
krb5 (1.3-2) unstable; urgency=low
* Include patch to MIT Bug #1681, an incompatible change to etype_info2.
This change will break clients between 1.3 beta1 and 1.3-1 talking to
1.3-2 KDCs, but is necessary because of a protocol bug.
-- Sam Hartman <hartmans@debian.org> Thu, 24 Jul 2003 13:32:33 -0400
krb5 (1.3-1) unstable; urgency=medium
* New upstream version--finally 1.3 is released, Closes: #199573 * Don't depend on com_err in libcrypto, Closes: #201005 * Urgency is medium because the only code change is removing a single call to com_err and this package not being in testing is blocking other packages. The beta has been in unstable more than 10 days. * Update shlibs again to avoid long-term references to a beta in the archive
-- Sam Hartman <hartmans@debian.org> Sat, 19 Jul 2003 15:19:38 -0400
krb5 (1.2.99-1.3.beta5-1) unstable; urgency=low
* New upstream version
-- Sam Hartman <hartmans@debian.org> Sat, 5 Jul 2003 21:29:44 -0400
krb5 (1.2.99-1.3.beta4-1) unstable; urgency=low
* Fix rpath on generated binaries and in krb5-config, Closes: #198124 * Fix build-depends to require comerr-dev with correct shlibs, Closes: #197650 * New upstream version * Don't generate /etc/krb5kdc/kadm5.keytab as 1.3 does not require it except for kadmind4
-- Sam Hartman <hartmans@debian.org> Fri, 20 Jun 2003 17:37:15 -0400
krb5 (1.2.99-1.3.beta3-4) unstable; urgency=low
* Add replaces for libkadm55 on libkrb53
-- Sam Hartman <hartmans@debian.org> Wed, 11 Jun 2003 16:41:16 -0400
krb5 (1.2.99-1.3.beta3-3) unstable; urgency=low
* One more try at avoiding autoconf dependency
-- Sam Hartman <hartmans@debian.org> Wed, 11 Jun 2003 03:04:56 -0400
krb5 (1.2.99-1.3.beta3-2) unstable; urgency=low
* Touch some more files to defeat autoheader
-- Sam Hartman <hartmans@debian.org> Tue, 10 Jun 2003 23:55:08 -0400
krb5 (1.2.99-1.3.beta3-1) unstable; urgency=low
* Fix dh_makeshlibs call so dependencies are correct
* New upstream version
* Patch from Steve Langasek for versioned symbols; adapted to
better fit the build system and to work for all libraries
* This version builds with GCC 3.3, Closes: #195571
* Move the rest of the administration libraries into libkadm55 to reduce
space required by libkrb53.
* libkrb53 conflicts with current openafs-krb5 because of ABI changes in
krb524
-- Sam Hartman <hartmans@debian.org> Tue, 10 Jun 2003 20:56:33 -0400
krb5 (1.2.99-1.3.beta2-1) experimental; urgency=low
* New upstream version * Include a patch from upstream CVS (post beta2) to fix renewable tickets.
-- Sam Hartman <hartmans@debian.org> Sun, 1 Jun 2003 00:30:35 -0400
krb5 (1.2.99-1.3.beta1-1) experimental; urgency=low
* New upstream pre-release * Update copyright * Add db_stop calls to krb5-kdc.postinst and krb5-admin-server.postinst * Install a fakeka binary * Install libkrb524.a even though upstream does not * kdc defaults to no v4 support per upstream change.
-- Sam Hartman <hartmans@debian.org> Thu, 15 May 2003 11:37:10 -0400
krb5 (1.2.99-1.3.alpha3-1) experimental; urgency=low
* New upstream pre-release
- ftp no longer segfaults on wildcards, Closes: #175495
- Clock skew is returned on clock skew with preauth, Closes: #98855
- Preauthentication has been reworked to improve interoperability with
older implementations and to comply with Kerberos Clarifications,
Closes: #169014
- Typo in man page fixed, Closes: #127302
* Remove dangling symlink, Closes: #133244
* Depend on sufficiently new com_err and libss
* Build the crypto library -O9 as it seems to help performance a lot.
* Bump up shared library versions; all the public libraries have new
functions
-- Sam Hartman <hartmans@debian.org> Mon, 12 May 2003 02:22:37 -0400
krb5 (1.2.7-3) unstable; urgency=high
* Patch for CERT VU#623217 and VU#442569: Cryptographic weaknesses in
Kerberos 4
- Add -X option to krb5kdc and krb524d. By default cross-realm is
no longer supported for krb4 as it is a security hole.
- Add protection to isolate krb5 keys from krb4 especially for the
TGS key
- Remove support for the MIT extension to krb4 to use 3DES keys as it
is insecure.
* Patch to various DOS issues where the KDC assumes principal names have
certain components. Fixes CAN-2003-0072
* VU#516825: Additional errors in XDR that may lead to denial of
service.
* Fix template bug in v5passwd template, Closes: #172565
-- Sam Hartman <hartmans@debian.org> Tue, 25 Mar 2003 08:03:00 -0500
krb5 (1.2.7-2) unstable; urgency=low
* Remove declaration of errno from krb.h
-- Sam Hartman <hartmans@debian.org> Mon, 6 Jan 2003 15:38:20 -0500
krb5 (1.2.7-1) unstable; urgency=high
* New upstream version
* Still urgency high until the kadmin4 fix gets into testing
* Don't declare errno so glibc will be happy; applying upstream as well,
Closes :#168528
* Remove pidfile argument from start-stop-daemon call for restarting
krb5kdc so it actually works, Closes: #174881
-- Sam Hartman <hartmans@debian.org> Sun, 5 Jan 2003 18:00:55 -0500
2002
krb5 (1.2.6-2) unstable; urgency=high
* Security fix for buffer overflow in kadmind4 (mitsa-2002-2)
* If bison is too good for yacc compatibility then we're to good for
bison, Closes: #165655
* Include readme.debian if we're going to reference it, Closes: #166399
* Fix readme.debian comments to be correct
-- Sam Hartman <hartmans@debian.org> Sat, 26 Oct 2002 17:18:41 -0400
krb5 (1.2.6-1) unstable; urgency=low
* New upstream version
* Important: upstream has introduced a new way of handling AFS tickets
within krb524d; long-term this may allow the use of ticket keys other
than DES with AFS, but short-term this will break AFS because OpenAFS
has not yet released servers that support the new mechanism. If you
run AFS servers and don't want them to break, please look at README.debian
* This includes a fix for 162794 as that is now in the upstream
* For now, libkrb5-dev is going to be priority extra. If anyone
complains I'll attempt to fight the comerr-dev dependency battle;
honestly I think comerr-dev is common enough and on enough systems
that it rates optional but the maintainer does not, Closes: #145165
* Fix restart to restart krb524d, Closes: #162477
-- Sam Hartman <hartmans@debian.org> Sun, 6 Oct 2002 16:40:44 -0400
krb5 (1.2.5-3) unstable; urgency=high
* Try to fix diversion handling for real this time, Closes: #155514
-- Sam Hartman <hartmans@debian.org> Mon, 5 Aug 2002 13:40:53 -0400
krb5 (1.2.5-2) unstable; urgency=high
* We are still installing a krb5.conf.template; don't as that is
kerberos-configs's job.
* The MIT KDC was not sending etype info padata; this couldcreate a
problem if you require preauth and have unusual salts; patch from
upstream CVS
* Add readme to krb5-user, Closes: #152670
* Fix typo in alternatives handling so man page symlinks are handled
correctely, Closes: #152707
* Include XDR encoding patch for krb5-sa-2002-01; same patch as the
woody security update
-- Sam Hartman <hartmans@debian.org> Sat, 3 Aug 2002 17:51:50 -0400
krb5 (1.2.5-1) unstable; urgency=low
* New upstream version; not really any patches that will actually
affect Debian at all, as we pulled them into 1.2.4 packages from
upstream CVS
* Stop shipping patches that upstream has accepted and released
* Update included upstream PGP signature
* Fix diversion handling; it was fairly broken in 1.2.4. All we divert
now is rcp
* Ftp should not be diverted, closes: #146171
* Fix overly small fixed length buffer in kuserok, closes: #145106
-- Sam Hartman <hartmans@debian.org> Sun, 2 Jun 2002 19:22:39 -0400
krb5 (1.2.4-5) unstable; urgency=low
* Pull up bugfix from 1.2.5 beta1 to src/lib/krb5/asn.1/asn1_get.c
* This should be the last thing we need from 1.2.5; Debian has all the
1.2.5 changes besides the API reorg. I'm not checking an API reorg
this close to woody release.
-- Sam Hartman <hartmans@debian.org> Fri, 12 Apr 2002 12:16:49 -0400
krb5 (1.2.4-4) unstable; urgency=low
* Suggest rather than recommend krb5-user from libkrb53, closes: #140116 * Fix null pointer dereference in krb5 library; pull patch from 1.2.5 beta1
-- Sam Hartman <hartmans@debian.org> Wed, 10 Apr 2002 14:19:49 -0400
krb5 (1.2.4-3) unstable; urgency=medium
* Move from non-us to main
-- Sam Hartman <hartmans@debian.org> Sat, 16 Mar 2002 15:04:44 -0500
krb5 (1.2.4-2) unstable; urgency=low
* Don't respect umask when writing out srvtabs; you always want them
0600 and if you don't you can chmod later, closes: #135988
* To work with Heimdal, accept encrypted creds in
gss_accept_sec_context, closes: #135962
* Fix kadmin ACL bug. Targets (a cool but undocumented ACL feature)
didn't work quite right. They do now.
-- Sam Hartman <hartmans@debian.org> Sun, 3 Mar 2002 18:53:40 -0500
krb5 (1.2.4-1) unstable; urgency=low
* Don't check address in krb5_rd_cred; upstream patch also applied to
their CVS, closes: #132226
* Patch from Ken Raeburn to improve over-the-wire errors from KDC,
included because I happened to be testing it and it seemed to work
* New upstream release
-- Sam Hartman <hartmans@debian.org> Fri, 1 Mar 2002 00:44:26 -0500
krb5 (1.2.3-2) unstable; urgency=low
* We want to be able to use krb4 and libssl's libcrypto in the same
program. To do this, we make libkrb4 bind libdes425 -Bsymbolic and we
allow krb_mk_priv and krb_rd_priv to take null schedule arguments.
-- Sam Hartman <hartmans@debian.org> Tue, 15 Jan 2002 12:17:40 -0500
krb5 (1.2.3-1) unstable; urgency=low
* New upstream version, closes: #110932 * Use alternatives for rsh, closes: #122710 * Major version of libkadm5 bumped; we no longer conflict with heimdal there
-- Sam hartman <hartmans@debian.org> Thu, 10 Jan 2002 06:59:13 -0500
2001
krb5 (1.2.2-8) unstable; urgency=low
* Oops, call htons around port numbers in kprop patch * Register with doc-base, closes: #100463 * Move krb5.conf and kdc.conf manpages into krb5-doc; krb5-doc now conflicts with heimdal-docs, closes: #121141
-- Sam Hartman <hartmans@debian.org> Sun, 25 Nov 2001 23:47:35 -0500
krb5 (1.2.2-7) unstable; urgency=low
* Forward only tickets we believe the remote side knows the enctype
of, closes: #99320
* Start krb5-kdc and krb5-admin-server before RPC services, thanks Hein
Roehrig, closes: #88604
* Install krb5.conf and kdc.conf man pages in krb5-user. This is not
ideal but installing them in krb5-config won't work as they are
implementation dependent, closes: #109522
* Install kprop manpage, thanks Steve Langasek, closes: #120040
* Fix FHS paths with kprop; store files in /var/lib/krb5kdc, thanks
again Steve, closes: #120050
* Telnet help should open a connection to the host help not give you a
usage message, thanks Graeme Mathieson <graeme@mathie.cx> for a patch
which will be sent upstream, closes: #118730
* Fix kprop handling of service name. If we can't find what we are
looking for in /etc/services default to the obvious correct answer;
thanks Steve, will commit upstream, closes: #120010
-- Sam Hartman <hartmans@debian.org> Sat, 24 Nov 2001 22:10:16 -0500
krb5 (1.2.2-6) unstable; urgency=high
* Include telnetd security patch for ring buffer issue from upstream * Conflict with the right Heimdal libs, closes: #103872
-- Sam Hartman <hartmans@debian.org> Wed, 1 Aug 2001 15:19:43 -0400
krb5 (1.2.2-5) unstable; urgency=low
* Use krb5-config; remove our own krb5.conf handling.. Note this is the
krb5-config package for /etc/krb5.conf, not the krb5-config library
helper command.
*
* Conflict with kerberos4kth-services, closes: #93303
* Update config.guess and config.sub, closes: #97585
* Have telnetd depend on krb5-rsh-server. I suspect this will make
people grumpy and we need a better fix. Really, Kerberized rlogin is
better than telnetd from a security standpoint, so I'm OK with it for
now. Closes: #96695
-- Sam Hartman <hartmans@debian.org> Wed, 16 May 2001 17:44:47 -0400
krb5 (1.2.2-4) unstable; urgency=low
* Fix shared libraries to build with gcc not ld to properly include
-lgcc symbols, closes: #94407
-- Sam Hartman <hartmans@debian.org> Fri, 20 Apr 2001 02:47:21 -0400
krb5 (1.2.2-3) unstable; urgency=high
* Fix vulnerability with glob call. CERT claims that Linux is not
vulnerable, but I believe the krb5 implementation is. The result of
glob was copied into a fixed-sized buffer. This fixes that
closes: #93689
* Provide ftp-server not ftpd, closes: #93531
* Do not link kadm5clnt against kdb5.
-- Sam Hartman <hartmans@debian.org> Wed, 11 Apr 2001 19:50:17 -0400
krb5 (1.2.2-2) unstable; urgency=low
* Work to provide an alternative for telnet and to be a telnet-client,
closes: 87914
* libkrb5-dev depends on comerr-dev, closes: #87489
* Make clean target remove configure-stamp
-- Sam Hartman <hartmans@debian.org> Mon, 5 Mar 2001 08:25:17 -0500
krb5 (1.2.2-1) unstable; urgency=low
* New Upstream version, Closes: #82546 * Depend on debconf, closes: #87490 * Fix debconf formatting issue, closes: #84447 * Create sample ACL file, closes: #84448 * Fix lintian warnings and override as appropriate * Upgrade to policy 3.5 moving stuff out of examples.
-- Sam Hartman <hartmans@debian.org> Fri, 2 Mar 2001 11:32:06 -0500
krb5 (1.2.1-9) unstable; urgency=low
* Do not use TIOCGLTC anywhere * Build without TCL, closes: #81977 * Fix krb5-admin-server restart, closes: #81070 * With the new dpkg-source, files get diffed in the wrong order for us to prevent autoconf from getting run just by mangling things and making sure we change every configure script. So, touch every configure script in debian/rules.
-- Sam Hartman <hartmans@debian.org> Sat, 13 Jan 2001 19:27:37 -0500
2000
krb5 (1.2.1-8) unstable; urgency=low
* Use separate build directory because the source tree supports it and
it works around failures in the upstream clean target, closes: #78954
* Make sure we modify all the configure scripts since we modify
aclocal.m4 so that time stamps don't cause autoconf to be run.
* Add bison and debhelper as build-depends, closes: #79643
* New maintainer address
-- Sam Hartman <hartmans@debian.org> Sat, 23 Dec 2000 16:20:24 -0500
krb5 (1.2.1-7) unstable; urgency=low
* Do not conflict with libss.a * Upload to Debian(Closes: BUG#78499)
-- Sam Hartman <hartmans@mit.edu> Mon, 4 Dec 2000 04:15:50 -0500
krb5 (1.2.1-6) unstable; urgency=low
* Fix kpasswd manpage. * Split out libkadm5 to avoid Heimdal conflict * Conflict with kerberos4kth. * Remove runpaths from libs and executables.
-- Sam Hartman <hartmans@mit.edu> Wed, 29 Nov 2000 12:18:22 -0500
krb5 (1.2.1-5) unstable; urgency=low
* If libkrb53 was preconfigured, then krb5.conf could overide explicit
user input.
-- Sam Hartman <hartmans@mit.edu> Sat, 25 Nov 2000 17:01:26 -0500
krb5 (1.2.1-4) unstable; urgency=low
* Write init.d scripts for kdc and admin server. * Ask what admin programs to run and what krb4 mode to use. * Populate initial kdc.conf if needed. * New script (krb5_newrealm) to set up a Kerberos realm * Document KDC issues. * Make libkrb53.config work again so libkrb53 installs
-- Sam Hartman <hartmans@mit.edu> Sat, 18 Nov 2000 17:22:16 -0500
krb5 (1.2.1-3) unstable; urgency=low
* Add KDC packages
* Install login.krb5 Sadly, it is needed to make forwarded credentials
work. This is unfortunate; it is not a good login program.
-- Sam Hartman <hartmans@mit.edu> Wed, 8 Nov 2000 16:10:13 -0500
krb5 (1.2.1-2) unstable; urgency=low
* Add copyright and README.debian * Ship kadmin in krb5-user. * Add services to inetd.conf * Add support for generating krb5.conf
-- Sam Hartman <hartmans@mit.edu> Thu, 2 Nov 2000 17:29:59 -0500
krb5 (1.2.1-1) unstable; urgency=low
* Initial Release.
-- Sam Hartman <hartmans@permabit.com> Thu, 19 Oct 2000 16:05:06 -0400