lp:~peter-pearse/ubuntu/natty/krb5/bootstrap1

Created by Peter Pearse and last modified
Get this branch:
bzr branch lp:~peter-pearse/ubuntu/natty/krb5/bootstrap1

Branch information

Owner:
Peter Pearse
Status:
Development

Recent revisions

34. By Peter Pearse

Stage 1 build for bootstrapping - debian staging mechanism not implemented.

33. By Steve Beattie

* SECURITY UPDATE: kpropd denial of service via invalid network input
  - src/slave/kpropd.c: don't return on kpropd child exit; applied
    inline.
  - CVE-2010-4022
  - MITKRB5-SA-2011-001
* SECURITY UPDATE: kdc denial of service from unauthenticated remote
  attackers
  - src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h,
    src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c,
    src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c,
    src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:
    applied inline
  - CVE-2011-0281
  - CVE-2011-0282
  - MITKRB5-SA-2011-002

32. By Sam Hartman

Ignore PACs without a server signature generated by OS X Open
Directory rather than failing authentication, Closes: #604925

31. By Sam Hartman

* MITKRB5-SA-2010-007
  - CVE-2010-1324: An unauthenticated attacker can inject arbitrary
    content into an existing GSS connection that appears to be integrity
    protected from the legitimate peer under some circumstances
  - GSS applications may accept a PAC produced by an attacker as if it
    were signed by a KDC
  - CVE-2010-1323: attackers have a 1/256 chance of being able to
    produce krb_safe messages that appear to be from legitimate remote
    sources. Other than use in KDC database copies this may not be a
    huge issue only because no one actually uses krb_safe
    messages. Similarly, an attacker can force clients to display
    challenge/response values of the attacker's choice.
  - CVE-2010-4020: An attacker may be able to generate what is
    accepted as an ad-signedpath or ad-kdc-issued checksum with 1/256
    probability
* New Vietnamese debconf translations, Thanks Clytie Siddall,
  Closes: #601533
* Update standards version to 3.9.1 (no changes required)

30. By Sam Hartman

* MITKRB5-SA-2010-006 [CVE-2010-1322]: null pointer dereference in
  kdc_authdata.c leading to KDC crash, Closes: #599237
* Fix two memory leaks in krb5_get_init_creds path; one of these memory
  leaks is quite common for any application such as PAM or kinit that
  gets initial credentials, thanks Bastian Blank, Closes: #598032
* Install doc/CHANGES only in krb5-doc, not in all packages, saves
  several megabytes on most Debian systems, Closes: #599562

29. By Kees Cook

* SECURITY UPDATE: remote authenticated user denial of service.
  - src/kdc/kdc_authdata.c: patched inline, thanks to upstream.
  - CVE-2010-1322, MITKRB5-SA-2010-006

28. By Sam Hartman

* Ignore duplicate token sent in mechListMIC from Windows 2000 SPNEGO
  (LP: #551901)
* krb5-admin-server starts after krb5-kdc, Closes: #583494

27. By Sam Hartman

* CVE-2010-1321 GSS-API accept sec context null pointer deref, Closes:
  #582261
* Force use of bash for build, Closes: #581473
* Start slapd before krb5 when krb5-kdc-ldap installed, Closes:
  #582122

26. By Sam Hartman

Fix crash in renewal and validation, Thanks Joel Johnson for such a
prompt bug report, Closes: #577490

25. By Kees Cook

* SECURITY UPDATE: unauthenticated remote service crash.
  - src/lib/gssapi/spnego/spnego_mech.c: back-ported upstream fixes
    from krb5 1.8.1.
  - MITKRB5-SA-2010-002 (CVE-2010-0628)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/natty/krb5