Name Status Last Modified Last Commit
lp:ubuntu/wily/krb5 1 Development 2015-05-05 15:41:34 UTC
60. * Merge from Debian unstable. Remain...

Author: Michael Vogt
Revision Date: 2014-04-30 14:27:28 UTC

* Merge from Debian unstable. Remaining changes:
  - Add alternate dependency on libverto-libevent1 as that's the
    package ABI name in ubuntu.
  - debian/rules: force -O2 to work around build failure with -O3.
* drop transitional libkadm5srv-mit8 package

lp:~hartmans/ubuntu/trusty/krb5/gss-infinite-loop bug 1 Development 2014-12-03 07:04:01 UTC
63. * SECURITY UPDATE: denial of service ...

Author: Sam Hartman
Revision Date: 2014-08-12 11:31:13 UTC

* SECURITY UPDATE: denial of service via invalid tokens
  - debian/patches/CVE-2014-4341-4342.patch: handle invalid tokens in
    src/lib/gssapi/krb5/k5unseal.c, src/lib/gssapi/krb5/k5unsealiov.c.
  - CVE-2014-4341
  - CVE-2014-4342
* SECURITY UPDATE: denial of service via double-free in SPNEGO
  - debian/patches/CVE-2014-4343.patch: fix double-free in
    src/lib/gssapi/spnego/spnego_mech.c.
  - CVE-2014-4343
* SECURITY UPDATE: denial of service via null deref in SPNEGO acceptor
  - debian/patches/CVE-2014-4344.patch: validate REMAIN in
    src/lib/gssapi/spnego/spnego_mech.c.
  - CVE-2014-4344
* SECURITY UPDATE: denial of service and possible code execution in
  kadmind with LDAP backend
  - debian/patches/CVE-2014-4345.patch: fix off-by-one in
    src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
  - CVE-2014-4345

lp:ubuntu/trusty-proposed/krb5 bug 2 Mature 2014-12-03 07:02:21 UTC
59. Add transitional libkadm5srv-mit8 pac...

Author: Michael Vogt
Revision Date: 2014-04-09 11:11:43 UTC

Add transitional libkadm5srv-mit8 package to help libapt
calculate the upgrade (LP: #1304403) to trusty.
This transitional package can be dropped once trusty is
released.

lp:ubuntu/vivid/krb5 2 Mature 2014-10-25 21:16:26 UTC
60. * Merge from Debian unstable. Remain...

Author: Michael Vogt
Revision Date: 2014-04-30 14:27:28 UTC

* Merge from Debian unstable. Remaining changes:
  - Add alternate dependency on libverto-libevent1 as that's the
    package ABI name in ubuntu.
  - debian/rules: force -O2 to work around build failure with -O3.
* drop transitional libkadm5srv-mit8 package

lp:ubuntu/utopic-proposed/krb5 2 Mature 2014-04-30 13:15:24 UTC
60. * Merge from Debian unstable. Remain...

Author: Michael Vogt
Revision Date: 2014-04-30 14:27:28 UTC

* Merge from Debian unstable. Remaining changes:
  - Add alternate dependency on libverto-libevent1 as that's the
    package ABI name in ubuntu.
  - debian/rules: force -O2 to work around build failure with -O3.
* drop transitional libkadm5srv-mit8 package

lp:ubuntu/utopic/krb5 1 Development 2014-04-30 13:15:24 UTC
60. * Merge from Debian unstable. Remain...

Author: Michael Vogt
Revision Date: 2014-04-30 14:27:28 UTC

* Merge from Debian unstable. Remaining changes:
  - Add alternate dependency on libverto-libevent1 as that's the
    package ABI name in ubuntu.
  - debian/rules: force -O2 to work around build failure with -O3.
* drop transitional libkadm5srv-mit8 package

lp:ubuntu/trusty/krb5 1 Development 2014-04-09 10:32:46 UTC
59. Add transitional libkadm5srv-mit8 pac...

Author: Michael Vogt
Revision Date: 2014-04-09 11:11:43 UTC

Add transitional libkadm5srv-mit8 package to help libapt
calculate the upgrade (LP: #1304403) to trusty.
This transitional package can be dropped once trusty is
released.

lp:~hartmans/ubuntu/precise/krb5/gss-unload2 bug 1 Development 2013-10-05 10:46:49 UTC
50. Never unload gss-api mechanisms to av...

Author: Sam Hartman
Revision Date: 2013-10-05 10:37:40 UTC

Never unload gss-api mechanisms to avoid crash at process exit.

lp:~hartmans/ubuntu/precise/krb5/gss-unload 1 Development 2013-10-05 10:30:49 UTC This branch has not been pushed to yet.
lp:ubuntu/saucy-proposed/krb5 2 Mature 2013-07-23 21:22:05 UTC
54. Update config.{guess,sub} for Aarch64.

Author: Matthias Klose
Revision Date: 2013-07-23 22:15:04 UTC

Update config.{guess,sub} for Aarch64.

lp:ubuntu/saucy/krb5 1 Development 2013-07-23 21:22:05 UTC
54. Update config.{guess,sub} for Aarch64.

Author: Matthias Klose
Revision Date: 2013-07-23 22:15:04 UTC

Update config.{guess,sub} for Aarch64.

lp:ubuntu/raring-proposed/krb5 2 Mature 2013-03-15 04:15:27 UTC
50. * Non-maintainer upload by the Securi...

Author: Michael Gilbert
Revision Date: 2013-03-15 04:15:27 UTC

* Non-maintainer upload by the Security Team.
* Fix cve-2013-1016: null pointer dereference when handling a draft9 request
  (closes: #702633).

lp:ubuntu/raring/krb5 1 Development 2013-03-15 04:15:27 UTC
53. * Non-maintainer upload by the Securi...

Author: Michael Gilbert
Revision Date: 2013-03-15 04:15:27 UTC

* Non-maintainer upload by the Security Team.
* Fix cve-2013-1016: null pointer dereference when handling a draft9 request
  (closes: #702633).

lp:~adam-stokes/ubuntu/lucid/krb5/fix-memleak-init_creds-lp-988055 1 Development 2012-09-18 17:19:05 UTC
35. Fix two memory leaks in krb5_get_init...

Author: Adam Stokes
Revision Date: 2012-09-18 17:14:55 UTC

Fix two memory leaks in krb5_get_init_creds path; one of these memory
leaks is quite common for any application such as PAM or kinit that
gets initial credentials, thanks Bastian Blank, Closes: #598032, (LP: #988055)

lp:ubuntu/precise-security/krb5 bug 2 Mature 2012-07-31 19:06:35 UTC
49. * SECURITY UPDATE: KDC heap corruptio...

Author: Steve Beattie
Revision Date: 2012-07-26 14:29:35 UTC

* SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
  - debian/patches/MITKRB5-SA-2012-001.patch: initialize pointers both
    at allocation and assignment time
  - CVE-2012-1015, CVE-2012-1014
* SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
  - debian/patches/krb5-CVE-2012-1013.patch: check for null password
  - CVE-2012-1013
* SECURITY UPDATE: insufficient ACL checking on get_strings/set_string
  - debian/patches/krb5-CVE-2012-1012.patch: make the access
    controls for get_strings/set_string mirror those of
    get_principal/modify_principal
  - CVE-2012-1012

lp:ubuntu/oneiric-security/krb5 bug 2 Mature 2012-07-31 19:06:31 UTC
43. * SECURITY UPDATE: KDC heap corruptio...

Author: Steve Beattie
Revision Date: 2012-07-23 22:14:04 UTC

* SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
  - src/kdc/kdc_preauth.c, src/kdc/kdc_util.c,
    src/lib/kdb/kdb_default.c: initialize pointers both at allocation
    and assignment time
  - CVE-2012-1015
* SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
  - src/lib/kadm5/srv/svr_principal.c: check for null password
  - CVE-2012-1013

lp:ubuntu/natty-security/krb5 bug 1 Development 2012-07-31 19:06:28 UTC
40. * SECURITY UPDATE: KDC heap corruptio...

Author: Steve Beattie
Revision Date: 2012-07-23 22:15:03 UTC

* SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
  - src/kdc/kdc_preauth.c, src/kdc/kdc_util.c,
    src/lib/kdb/kdb_default.c: initialize pointers both at allocation
    and assignment time
  - CVE-2012-1015
* SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
  - src/lib/kadm5/srv/svr_principal.c: check for null password
  - CVE-2012-1013

lp:ubuntu/lucid-security/krb5 bug 2 Mature 2012-07-31 19:06:26 UTC
34. * SECURITY UPDATE: KDC heap corruptio...

Author: Steve Beattie
Revision Date: 2012-07-23 22:16:20 UTC

* SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
  - src/kdc/kdc_preauth.c, src/kdc/kdc_util.c,
    src/lib/kdb/kdb_default.c: initialize pointers both at allocation
    and assignment time
  - CVE-2012-1015
* SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
  - src/lib/kadm5/srv/svr_principal.c: check for null password
  - CVE-2012-1013

lp:ubuntu/quantal/krb5 2 Mature 2012-07-31 08:20:09 UTC
50. * MITKRB5-SA-2012-001 [CVE-2012-1014 ...

Author: Sam Hartman
Revision Date: 2012-07-31 08:20:09 UTC

* MITKRB5-SA-2012-001 [CVE-2012-1014 CVE-2012-1015] KDC frees
  uninitialized pointers
* Break libgssglue1 << 0.2-2 for multiarch, Closes: #680612
* Don't free caller's principal in verify_init_creds, Closes: #512410

lp:ubuntu/precise-updates/krb5 2 Mature 2012-07-26 14:29:35 UTC
49. * SECURITY UPDATE: KDC heap corruptio...

Author: Steve Beattie
Revision Date: 2012-07-26 14:29:35 UTC

* SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
  - debian/patches/MITKRB5-SA-2012-001.patch: initialize pointers both
    at allocation and assignment time
  - CVE-2012-1015, CVE-2012-1014
* SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
  - debian/patches/krb5-CVE-2012-1013.patch: check for null password
  - CVE-2012-1013
* SECURITY UPDATE: insufficient ACL checking on get_strings/set_string
  - debian/patches/krb5-CVE-2012-1012.patch: make the access
    controls for get_strings/set_string mirror those of
    get_principal/modify_principal
  - CVE-2012-1012

lp:ubuntu/precise-proposed/krb5 bug 2 Mature 2012-07-23 22:30:36 UTC
50. Re-introduce libkrb53 as a transition...

Author: Stéphane Graber
Revision Date: 2012-07-18 17:41:48 UTC

Re-introduce libkrb53 as a transitional package to libkrb5-3.
Also revert the Conflicts against libkrb53 to the old versioned
Break/Replaces. (LP: #1007314)

lp:ubuntu/lucid-updates/krb5 2 Mature 2012-07-23 22:16:20 UTC
34. * SECURITY UPDATE: KDC heap corruptio...

Author: Steve Beattie
Revision Date: 2012-07-23 22:16:20 UTC

* SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
  - src/kdc/kdc_preauth.c, src/kdc/kdc_util.c,
    src/lib/kdb/kdb_default.c: initialize pointers both at allocation
    and assignment time
  - CVE-2012-1015
* SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
  - src/lib/kadm5/srv/svr_principal.c: check for null password
  - CVE-2012-1013

lp:ubuntu/natty-updates/krb5 2 Mature 2012-07-23 22:15:03 UTC
40. * SECURITY UPDATE: KDC heap corruptio...

Author: Steve Beattie
Revision Date: 2012-07-23 22:15:03 UTC

* SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
  - src/kdc/kdc_preauth.c, src/kdc/kdc_util.c,
    src/lib/kdb/kdb_default.c: initialize pointers both at allocation
    and assignment time
  - CVE-2012-1015
* SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
  - src/lib/kadm5/srv/svr_principal.c: check for null password
  - CVE-2012-1013

lp:ubuntu/oneiric-updates/krb5 2 Mature 2012-07-23 22:14:04 UTC
43. * SECURITY UPDATE: KDC heap corruptio...

Author: Steve Beattie
Revision Date: 2012-07-23 22:14:04 UTC

* SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
  - src/kdc/kdc_preauth.c, src/kdc/kdc_util.c,
    src/lib/kdb/kdb_default.c: initialize pointers both at allocation
    and assignment time
  - CVE-2012-1015
* SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
  - src/lib/kadm5/srv/svr_principal.c: check for null password
  - CVE-2012-1013

lp:ubuntu/precise/krb5 bug 2 Mature 2012-01-13 17:39:34 UTC
48. Oops, actually fix build flags, Close...

Author: Sam Hartman
Revision Date: 2012-01-13 17:39:34 UTC

Oops, actually fix build flags, Closes: #655248

lp:ubuntu/oneiric-proposed/krb5 bug 2 Mature 2011-10-20 12:13:59 UTC
42. src/lib/krb5/krb/get_creds.c: cherry ...

Author: Steve Langasek
Revision Date: 2011-10-18 18:40:10 UTC

src/lib/krb5/krb/get_creds.c: cherry pick an upstream fix to allow
clients to work against older versions of KDCs that don't support the
"canonicalize" option. LP: #874130.

lp:ubuntu/maverick-updates/krb5 2 Mature 2011-10-11 06:52:39 UTC
34. * SECURITY UPDATE: fix multiple kdc D...

Author: Steve Beattie
Revision Date: 2011-10-11 06:52:39 UTC

* SECURITY UPDATE: fix multiple kdc DoS issues:
  - db2/lockout.c, ldap/libkdb_ldap/ldap_principal2.c,
    ldap/libkdb_ldap/lockout.c:
    + more strict checking for null pointers
    + disable assert and return when db is locked
    + applied inline from upstream
  - CVE-2011-1528 and CVE-2011-1529
  - MITKRB5-SA-2011-006

lp:ubuntu/maverick-security/krb5 1 Development 2011-10-11 06:52:39 UTC
34. * SECURITY UPDATE: fix multiple kdc D...

Author: Steve Beattie
Revision Date: 2011-10-11 06:52:39 UTC

* SECURITY UPDATE: fix multiple kdc DoS issues:
  - db2/lockout.c, ldap/libkdb_ldap/ldap_principal2.c,
    ldap/libkdb_ldap/lockout.c:
    + more strict checking for null pointers
    + disable assert and return when db is locked
    + applied inline from upstream
  - CVE-2011-1528 and CVE-2011-1529
  - MITKRB5-SA-2011-006

lp:ubuntu/oneiric/krb5 2 Mature 2011-06-04 07:43:48 UTC
40. * Merge from debian unstable. Remain...

Author: Chuck Short
Revision Date: 2011-06-04 07:43:48 UTC

* Merge from debian unstable. Remaining changes:
  - Build for multiarch, with pre-depends on multi-arch support virtual package.
  - Add Breaks: on old versions of external packages (i.e., ssd) using
    /usr/lib/krb5 due to the path transition

lp:ubuntu/karmic-security/krb5 2 Mature 2011-04-18 15:40:41 UTC
27. * SECURITY UPDATE: kadmind denial of ...

Author: Kees Cook
Revision Date: 2011-04-18 15:40:41 UTC

* SECURITY UPDATE: kadmind denial of service from freeing of uninitialized
  pointer.
  - src/kadmin/server/{network,schpw}.c: fix, thanks to upstream.
  - CVE-2011-0285
  - MITKRB5-SA-2011-004

lp:ubuntu/karmic-updates/krb5 2 Mature 2011-04-18 15:40:41 UTC
27. * SECURITY UPDATE: kadmind denial of ...

Author: Kees Cook
Revision Date: 2011-04-18 15:40:41 UTC

* SECURITY UPDATE: kadmind denial of service from freeing of uninitialized
  pointer.
  - src/kadmin/server/{network,schpw}.c: fix, thanks to upstream.
  - CVE-2011-0285
  - MITKRB5-SA-2011-004

lp:ubuntu/natty/krb5 bug 2 Mature 2011-03-19 11:16:22 UTC
37. releasing version 1.8.3+dfsg-5ubuntu2

Author: Steve Langasek
Revision Date: 2011-03-19 11:15:32 UTC

releasing version 1.8.3+dfsg-5ubuntu2

lp:~vorlon/ubuntu/natty/krb5/multiarch 1 Development 2011-03-15 22:52:31 UTC
49. releasing version 1.8.3+dfsg-5ubuntu1...

Author: Steve Langasek
Revision Date: 2011-03-15 22:52:31 UTC

releasing version 1.8.3+dfsg-5ubuntu1+multiarch.2

lp:~peter-pearse/ubuntu/natty/krb5/bootstrap1 1 Development 2011-02-23 15:27:13 UTC
34. Stage 1 build for bootstrapping - deb...

Author: Peter Pearse
Revision Date: 2011-02-23 15:22:55 UTC

Stage 1 build for bootstrapping - debian staging mechanism not implemented.

lp:ubuntu/hardy-security/krb5 2 Mature 2011-02-09 15:53:42 UTC
29. * SECURITY UPDATE: kdc denial of serv...

Author: Steve Beattie
Revision Date: 2011-02-09 15:53:42 UTC

* SECURITY UPDATE: kdc denial of service from unauthenticated remote
  attackers
  - src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h,
    src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c,
    src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c,
    src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:
    applied inline
  - CVE-2011-0281
  - CVE-2011-0282
  - MITKRB5-SA-2011-002

lp:ubuntu/hardy-updates/krb5 2 Mature 2011-02-09 15:53:42 UTC
29. * SECURITY UPDATE: kdc denial of serv...

Author: Steve Beattie
Revision Date: 2011-02-09 15:53:42 UTC

* SECURITY UPDATE: kdc denial of service from unauthenticated remote
  attackers
  - src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h,
    src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c,
    src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c,
    src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:
    applied inline
  - CVE-2011-0281
  - CVE-2011-0282
  - MITKRB5-SA-2011-002

lp:ubuntu/dapper-security/krb5 2 Mature 2010-12-08 10:39:39 UTC
17. * SECURITY UPDATE: message forgery an...

Author: Marc Deslauriers
Revision Date: 2010-12-08 10:39:39 UTC

* SECURITY UPDATE: message forgery and privilege escalation via
  unacceptable checksums
  - src/lib/crypto/krb/dk/derive.c, src/lib/crypto/krb/keyed_checksum_types.c,
    src/lib/krb5/krb/mk_safe.c, src/lib/krb5/krb/preauth2.c,
    src/plugins/preauth/pkinit/pkinit_srv.c: patched inline, thanks to
    upstream.
  - CVE-2010-1323
  - MITKRB5-SA-2010-007

lp:ubuntu/dapper-updates/krb5 2 Mature 2010-12-08 10:39:39 UTC
17. * SECURITY UPDATE: message forgery an...

Author: Marc Deslauriers
Revision Date: 2010-12-08 10:39:39 UTC

* SECURITY UPDATE: message forgery and privilege escalation via
  unacceptable checksums
  - src/lib/crypto/krb/dk/derive.c, src/lib/crypto/krb/keyed_checksum_types.c,
    src/lib/krb5/krb/mk_safe.c, src/lib/krb5/krb/preauth2.c,
    src/plugins/preauth/pkinit/pkinit_srv.c: patched inline, thanks to
    upstream.
  - CVE-2010-1323
  - MITKRB5-SA-2010-007

lp:ubuntu/lucid-proposed/krb5 bug 2 Mature 2010-06-09 12:21:21 UTC
27. src/lib/gssapi/spnego/spnego_mech.c: ...

Author: Thierry Carrez
Revision Date: 2010-06-01 14:55:50 UTC

src/lib/gssapi/spnego/spnego_mech.c: Ignore duplicate token sent in
mechListMIC from Windows 2000 SPNEGO (LP: #551901)

lp:ubuntu/maverick/krb5 bug 2 Mature 2010-05-28 14:28:19 UTC
28. * Ignore duplicate token sent in mech...

Author: Sam Hartman
Revision Date: 2010-05-27 20:49:13 UTC

* Ignore duplicate token sent in mechListMIC from Windows 2000 SPNEGO
  (LP: #551901)
* krb5-admin-server starts after krb5-kdc, Closes: #583494

lp:ubuntu/jaunty-security/krb5 2 Mature 2010-05-18 15:46:35 UTC
18. * SECURITY UPDATE: unauthenticated re...

Author: Kees Cook
Revision Date: 2010-05-18 15:46:35 UTC

* SECURITY UPDATE: unauthenticated remote attacker can crash kadmind.
  - debian/patches/MITKRB5-SA-2010-005: applied upstream fixes inline
  - CVE-2010-1321

lp:ubuntu/jaunty-updates/krb5 2 Mature 2010-05-18 15:46:35 UTC
18. * SECURITY UPDATE: unauthenticated re...

Author: Kees Cook
Revision Date: 2010-05-18 15:46:35 UTC

* SECURITY UPDATE: unauthenticated remote attacker can crash kadmind.
  - debian/patches/MITKRB5-SA-2010-005: applied upstream fixes inline
  - CVE-2010-1321

lp:ubuntu/lucid/krb5 bug 1 Development 2010-04-12 13:08:35 UTC
26. Fix crash in renewal and validation, ...

Author: Sam Hartman
Revision Date: 2010-04-12 13:08:35 UTC

Fix crash in renewal and validation, Thanks Joel Johnson for such a
prompt bug report, Closes: #577490

lp:ubuntu/intrepid-security/krb5 2 Mature 2010-04-06 18:00:29 UTC
29. * SECURITY UPDATE: unauthenticated re...

Author: Kees Cook
Revision Date: 2010-04-06 18:00:29 UTC

* SECURITY UPDATE: unauthenticated remote KDC service crash.
  - debian/patches/MITKRB5-SA-2010-003 applied inline.

lp:ubuntu/intrepid-updates/krb5 2 Mature 2010-04-06 18:00:29 UTC
29. * SECURITY UPDATE: unauthenticated re...

Author: Kees Cook
Revision Date: 2010-04-06 18:00:29 UTC

* SECURITY UPDATE: unauthenticated remote KDC service crash.
  - debian/patches/MITKRB5-SA-2010-003 applied inline.

lp:ubuntu/karmic-proposed/krb5 bug 2 Mature 2010-01-20 10:18:13 UTC
22. * Cherry-pick various fixes from Deb...

Author: Evan Broder
Revision Date: 2010-01-07 21:28:45 UTC

 * Cherry-pick various fixes from Debian:
    - libkrb5-dev depends on libkrb5client6 (LP: #472080)
    - Avoid locking out accounts on PREAUTH_FAILED, Closes: #557979 (LP:
      #489418)
    - 6506: correctly handle keytab vs stash file
    - 6508: kadmind ACL parsing could reference uninitialized memory
    - 6509: kadmind can reference null pointer on ACL error
    - 6511: uninitialized memory passed to krb5_free_error in change
      password client path
    - 6514: none replay cache memory leak
    - 6515: profile library mutex performance improvements
    - 6541: memory leak in PAC verify code
    - 6542: Check for null characters in pkinit certs
    - 6543: login vs user order in ftpd sometimes wrong
    - 6551: Memory leak in spnego accept_sec_context error path

lp:ubuntu/karmic/krb5 2 Mature 2009-12-09 16:10:20 UTC
19. * New upstream release * Revert relax...

Author: Sam Hartman
Revision Date: 2009-05-27 21:15:41 UTC

* New upstream release
* Revert relaxation of Debian symbol versions introduced in
  1.7dfsg~beta1-3
* Fix kproplog's manpage (LP: #374819)

lp:ubuntu/jaunty/krb5 2 Mature 2009-12-09 16:10:01 UTC
15. * SECURITY UPDATE: denial of service ...

Author: Kees Cook
Revision Date: 2009-04-07 12:47:50 UTC

* SECURITY UPDATE: denial of service via buffer overflows.
  - src/lib/gssapi/spnego/spnego_mech.c, src/lib/krb5/asn.1/asn1buf.c:
    GSS-API could be crashed remotely (MITKRB5-SA-2009-001: CVE-2009-0844,
    CVE-2009-0845, CVE-2009-0847).
  - src/lib/krb5/asn.1/asn1_decode.c: ASN.1 decoder freed uninitialized
    pointers (MITKRB5-SA-2009-002: CVE-2009-0846).

lp:ubuntu/intrepid/krb5 2 Mature 2009-12-09 16:09:17 UTC
26. * Set length to 0 on no-salt ldap key...

Author: Sam Hartman
Revision Date: 2008-06-22 23:00:37 UTC

* Set length to 0 on no-salt ldap keys so they do not crash; upstream
  ticket 5545, Closes: #480523
* Swedish translations, thanks Martin Bagge, Closes: #487563

lp:ubuntu/hardy/krb5 2 Mature 2009-12-09 16:08:42 UTC
23. * SECURITY UPDATE: arbitrary code exe...

Author: Kees Cook
Revision Date: 2008-03-18 11:07:13 UTC

* SECURITY UPDATE: arbitrary code execution via freed pointer and memory
  overflows.
* src/kdc/{kerberos_v4,dispatch,network}.c: upstream fixes patched inline
  (MITKRB5-SA-2008-001: CVE-2008-0062, CVE-2008-0063).
* src/lib/rpc/{svc,svc_tcp}.c: upstream fixes patched inline
  (MITKRB5-SA-2008-002: CVE-2008-0947)

lp:ubuntu/gutsy-updates/krb5 1 Development 2009-12-09 16:08:26 UTC
23. * SECURITY UPDATE: denial of service ...

Author: Kees Cook
Revision Date: 2009-04-07 12:47:50 UTC

* SECURITY UPDATE: denial of service via buffer overflows.
  - src/lib/gssapi/spnego/spnego_mech.c, src/lib/krb5/asn.1/asn1buf.c:
    GSS-API could be crashed remotely (MITKRB5-SA-2009-001: CVE-2009-0844,
    CVE-2009-0845, CVE-2009-0847).
  - src/lib/krb5/asn.1/asn1_decode.c: ASN.1 decoder freed uninitialized
    pointers (MITKRB5-SA-2009-002: CVE-2009-0846).

lp:ubuntu/gutsy-security/krb5 1 Development 2009-12-09 16:08:06 UTC
23. * SECURITY UPDATE: denial of service ...

Author: Kees Cook
Revision Date: 2009-04-07 12:47:50 UTC

* SECURITY UPDATE: denial of service via buffer overflows.
  - src/lib/gssapi/spnego/spnego_mech.c, src/lib/krb5/asn.1/asn1buf.c:
    GSS-API could be crashed remotely (MITKRB5-SA-2009-001: CVE-2009-0844,
    CVE-2009-0845, CVE-2009-0847).
  - src/lib/krb5/asn.1/asn1_decode.c: ASN.1 decoder freed uninitialized
    pointers (MITKRB5-SA-2009-002: CVE-2009-0846).

lp:ubuntu/gutsy/krb5 1 Development 2009-12-09 16:07:54 UTC
21. Trigger rebuild for hppa.

Author: LaMont Jones
Revision Date: 2007-10-02 06:32:45 UTC

Trigger rebuild for hppa.

lp:ubuntu/feisty-updates/krb5 1 Development 2009-12-09 16:07:33 UTC
19. * SECURITY UPDATE: arbitrary code exe...

Author: Kees Cook
Revision Date: 2008-03-18 11:07:13 UTC

* SECURITY UPDATE: arbitrary code execution via freed pointer and memory
  overflows.
* src/kdc/{kerberos_v4,dispatch,network}.c: backported upstream fixes
  patched inline (MITKRB5-SA-2008-001: CVE-2008-0062, CVE-2008-0063).
* src/lib/rpc/{svc,svc_tcp}.c: upstream fixes patched inline
  (MITKRB5-SA-2008-002: CVE-2008-0947)

lp:ubuntu/feisty-security/krb5 1 Development 2009-12-09 16:07:16 UTC
19. * SECURITY UPDATE: arbitrary code exe...

Author: Kees Cook
Revision Date: 2008-03-18 11:07:13 UTC

* SECURITY UPDATE: arbitrary code execution via freed pointer and memory
  overflows.
* src/kdc/{kerberos_v4,dispatch,network}.c: backported upstream fixes
  patched inline (MITKRB5-SA-2008-001: CVE-2008-0062, CVE-2008-0063).
* src/lib/rpc/{svc,svc_tcp}.c: upstream fixes patched inline
  (MITKRB5-SA-2008-002: CVE-2008-0947)

lp:ubuntu/feisty/krb5 1 Development 2009-12-09 16:07:05 UTC
15. * SECURITY UPDATE: arbitrary login vi...

Author: Kees Cook
Revision Date: 2007-04-03 15:34:58 UTC

* SECURITY UPDATE: arbitrary login via telnet, arbitrary code execution
  via syslog buffer overflows, and heap corruption via GSS api.
* src/appl/telnet/telnetd/{state,sys_term}.c: MIT-SA-2007-1 fix from
  upstream (CVE-2007-0956).
* src/lib/kadm5/logger.c: MIT-SA-2007-2 fix from Debian, based on
  upstream fixes (CVE-2007-0957).
* src/lib/gssapi/krb5/k5unseal.c: MIT-SA-2007-3 fix from upstream
  (CVE-2007-1216).

lp:ubuntu/edgy-updates/krb5 1 Development 2009-12-09 16:06:54 UTC
15. * SECURITY UPDATE: arbitrary code exe...

Author: Kees Cook
Revision Date: 2008-03-18 11:07:13 UTC

* SECURITY UPDATE: arbitrary code execution via freed pointer and memory
  overflows.
* src/kdc/{kerberos_v4,dispatch,network}.c: backported upstream fixes
  patched inline (MITKRB5-SA-2008-001: CVE-2008-0062, CVE-2008-0063).
* src/lib/rpc/{svc,svc_tcp}.c: upstream fixes patched inline
  (MITKRB5-SA-2008-002: CVE-2008-0947)

lp:ubuntu/edgy-security/krb5 1 Development 2009-12-09 16:06:43 UTC
15. * SECURITY UPDATE: arbitrary code exe...

Author: Kees Cook
Revision Date: 2008-03-18 11:07:13 UTC

* SECURITY UPDATE: arbitrary code execution via freed pointer and memory
  overflows.
* src/kdc/{kerberos_v4,dispatch,network}.c: backported upstream fixes
  patched inline (MITKRB5-SA-2008-001: CVE-2008-0062, CVE-2008-0063).
* src/lib/rpc/{svc,svc_tcp}.c: upstream fixes patched inline
  (MITKRB5-SA-2008-002: CVE-2008-0947)

lp:ubuntu/edgy/krb5 1 Development 2009-12-09 16:06:31 UTC
9. src/include/k5-thread.h: Define__USE_...

Author: Martin Pitt
Revision Date: 2006-09-20 13:01:25 UTC

src/include/k5-thread.h: Define __USE_GNU when #include'ing pthread.h so
that src/util/support/threads.c has pthread_mutexattr_setrobust_np()
available. Fixes FTBFS.

lp:ubuntu/dapper/krb5 2 Mature 2009-12-09 16:05:09 UTC
6. * Configure with --enable-shared --en...

Author: Sam Hartman
Revision Date: 2005-12-25 21:59:47 UTC

* Configure with --enable-shared --enable-static so that libkrb5-dev
  gets static libraries.
* Fix double free in getting credentials, Closes: #344543

lp:ubuntu/breezy-security/krb5 1 Development 2009-12-09 16:04:53 UTC
6. * SECURITY UPDATE: arbitrary login vi...

Author: Kees Cook
Revision Date: 2007-04-03 15:53:47 UTC

* SECURITY UPDATE: arbitrary login via telnet, arbitrary code execution
  via syslog buffer overflows, and heap corruption via GSS api.
* src/appl/telnet/telnetd/{state,sys_term}.c: MIT-SA-2007-1 fix from
  upstream (CVE-2007-0956).
* src/lib/kadm5/logger.c: MIT-SA-2007-2 fix from Debian, based on
  upstream fixes (CVE-2007-0957).
* src/lib/gssapi/krb5/k5unseal.c: MIT-SA-2007-3 fix from upstream
  (CVE-2007-1216).
* References
  http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-001-telnetd.txt
  http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-002-syslog.txt
  http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-003.txt

lp:ubuntu/breezy/krb5 1 Development 2009-12-09 16:04:43 UTC
4. * Fix a mistake in variable names tha...

Author: Sam Hartman
Revision Date: 2005-07-12 15:45:14 UTC

* Fix a mistake in variable names that caused the package to be built
  without optimization.
* Allow whitespace before comments in krb5.conf. Thanks, Jeremie
  Koenig. (Closes: #314609)
* GCC 4.0 compile fixes, thanks Daniel Schepler. (Closes: #315618)
* Avoid "say yes" in debconf templates. (Closes: #306883)
* Update Czech translation, thanks Miroslav Kure.
* Update French translation, thanks Christian Perrier. (Closes: #307748)
* Update Portuguese (Brazil) translation, thanks André Luís Lopes.
* New Vietnamese translation, thanks Clytie Siddall. (Closes: #312172)
* Update standards version to 3.6.2 (no changes required).
* DAK can now handle not repeating maintainers in uploaders.
* Fix double free in krb5_recvauth; critical because it is in the code
  path for kpropd and may allow arbitrary code
  execution. (can-2005-1689)
* For the record, most of the changes in this version were made by Russ,
  but I'm doing the upload because of the security fix.
* krb5_unparse_name overflows allocated storage by one byte on 0 element
  principal name (CAN-2005-1175, VU#885830)
* Do not free unallocated storage in the KDC's TCP request handling
  path (CAN-2005-1174, VU#259798)

lp:ubuntu/hoary-security/krb5 1 Development 2009-12-09 16:04:17 UTC
5. * SECURITY UPDATE: root privilege esc...

Author: Kees Cook
Revision Date: 2006-08-10 11:58:05 UTC

* SECURITY UPDATE: root privilege escalation in systems which restrict the
  number of per-user processes.
* Added: debian/patch.setuid_fixes
  - verify return from setuid family of calls.
  - applied patch inline (debian/rules does not apply patches automatically)
* CVE-2006-3083, CVE-2006-3084

lp:ubuntu/hoary/krb5 1 Development 2009-12-09 16:03:54 UTC
3. * New upstream version * Changing a p...

Author: Sam Hartman
Revision Date: 2005-01-02 15:55:25 UTC

* New upstream version
* Changing a password after the size of password history has been
  reduced may double free or write past end of an array; fix
  (CAN-2004-1189/ CERT VU#948033)
* Conflict between krb5-kdc and kerberos4kth-kdc; also deals with
  krb5-admin-server conflict indirectly, Closes: #274763

lp:ubuntu/warty-security/krb5 1 Development 2009-12-09 16:03:37 UTC
3. * SECURITY UPDATE: Multiple buffer ov...

Author: Martin Pitt
Revision Date: 2005-12-05 16:06:37 UTC

* SECURITY UPDATE: Multiple buffer overflows.
* Fix buffer overflow in env_opt_add() in telnet clients. [CVE-2005-0468]
* Fix buffer overflow in the handling of the LINEMODE suboptions in
  telnet clients. [CVE-2005-0469]
* Fix double free in krb5_recvauth(). [CVE-2005-1689]
* krb5_unparse_name overflows allocated storage by one byte on 0 element
  principal name. [CVE-2005-1175, VU#885830]
* Do not free unallocated storage in the KDC's TCP request handling
  path. [CVE-2005-1174, VU#259798]

lp:ubuntu/warty/krb5 1 Development 2009-12-09 16:03:19 UTC
2. * Initial Czech translations thanks t...

Author: Sam Hartman
Revision Date: 2004-08-31 13:04:51 UTC

* Initial Czech translations thanks to Miroslav Kure, Closes: #264366
* Updated French debconf translation, thanks Martin Quinson, Closes: #264941
* KDC and clients double-free on error conditions (CAN-2004-0642 VU#795632)
* krb5_rd_cred() double-frees on error conditions (CAN-2004-0643, CERT
  VU#866472)
* ASN.1 decoder in MIT Kerberos 5 releases krb5-1.3.4 and
  earlier allows unauthenticated remote attackers to induce
  infinite loop, causing denial of service, including in KDC
  code (CAN-2004-0644, CERT VU#550464)
* Fix double free in krb524d handling of encrypted ticket contents
  (CAN-2004-0772)
