Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/natty/krb5
Branch information

Ubuntu branches

Recent revisions

37. By Steve Langasek

releasing version 1.8.3+dfsg-5ubuntu2

36. By Steve Langasek

* FFe LP: #733501
* Build for multiarch, with pre-depends on multiarch-support virtual
* Add Breaks: on old versions of external packages (i.e., sssd) using
  /usr/lib/krb5 due to the path transition.

35. By Steve Beattie

* SECURITY UPDATE: kdc denial of service due to double-free if PKINIT
  capability is used.
  - src/kdc/do_as_req.c: clear fields on allocation; applied inline,
    thanks to upstream
  - CVE-2011-0284
  - MITKRB5-SA-2011-003

34. By Sam Hartman

* KDC/LDAP DOS (CVE-2010-4022, CVE-2011-0281, and CVE-2011-0282),
  Closes: #613487
* Fix delegation of credentials against Windows servers; significant
  interoperability issue, Closes: #611906
* Set nt-srv-inst on TGS names to work against W2K8R2 KDCs, Closes:
* Don't fail authentication when PAC verification fails; support
  hmac-md5 checksums even for non-RC4 keys, Closes: #616728

33. By Steve Beattie

* SECURITY UPDATE: kpropd denial of service via invalid network input
  - src/slave/kpropd.c: don't return on kpropd child exit; applied
  - CVE-2010-4022
  - MITKRB5-SA-2011-001
* SECURITY UPDATE: kdc denial of service from unauthenticated remote
  - src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h,
    applied inline
  - CVE-2011-0281
  - CVE-2011-0282
  - MITKRB5-SA-2011-002

32. By Sam Hartman

Ignore PACs without a server signature generated by OS X Open
Directory rather than failing authentication, Closes: #604925

31. By Sam Hartman

* MITKRB5-SA-2010-007
  * CVE-2010-1324: An unauthenticated attacker can inject arbitrary
    content into an existing GSS connection that appears to be integrity
    protected from the legitimate peer under some circumstances
  * GSS applications may accept a PAC produced by an attacker as if it
    were signed by a KDC
  * CVE-2010-1323: attackers have a 1/256 chance of being able to
    produce krb_safe messages that appear to be from legitimate remote
    sources. Other than use in KDC database copies this may not be a
    huge issue only because no one actually uses krb_safe
    messages. Similarly, an attacker can force clients to display
    challenge/response values of the attacker's choice.
  * CVE-2010-4020: An attacker may be able to generate what is
    accepted as an ad-signedpath or ad-kdc-issued checksum with 1/256
* New Vietnamese debconf translations, Thanks Clytie Siddall,
  Closes: #601533
* Update standards version to 3.9.1 (no changes required)

30. By Sam Hartman

* MITKRB5-SA-2010-006 [CVE-2010-1322]: null pointer dereference in
  kdc_authdata.c leading to KDC crash, Closes: #599237
* Fix two memory leaks in krb5_get_init_creds path; one of these memory
  leaks is quite common for any application such as PAM or kinit that
  gets initial credentials, thanks Bastian Blank, Closes: #598032
* Install doc/CHANGES only in krb5-doc, not in all packages, saves
  several megabytes on most Debian systems, Closes: #599562

29. By Kees Cook

* SECURITY UPDATE: remote authenticated user denial of service.
  - src/kdc/kdc_authdata.c: patched inline, thanks to upstream.
  - CVE-2010-1322, MITKRB5-SA-2010-006

28. By Sam Hartman

* Ignore duplicate token sent in mechListMIC from Windows 2000 SPNEGO
  (LP: #551901)
* krb5-admin-server starts after krb5-kdc, Closes: #583494

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)