lp:ubuntu/oneiric/krb5

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

40. By Chuck Short on 2011-06-04

* Merge from debian unstable. Remaining changes:
  - Build for multiarch, with pre-depends on multi-arch support virtual package.
  - Add Breaks: on old versions fo external packages (i.e., ssd) using
    /usr/lib/krb5 due to the path tranisition

39. By Chuck Short on 2011-05-02

* Merge from debian unstable. Remaining changes:
  - Build for multiarch, with pre-depends on multi-arch support virtual package.
  - Add Breaks: on old versions fo external packages (i.e., ssd) using
    /usr/lib/krb5 due to the path tranisition.

38. By Kees Cook on 2011-04-18

* SECURITY UPDATE: kadmind denial of service from freeing of uninitialized
  pointer.
  - src/kadmin/server/{network,schpw}.c: fix, thanks to upstream.
  - CVE-2011-0285
  - MITKRB5-SA-2011-004

37. By Steve Langasek on 2011-03-19

releasing version 1.8.3+dfsg-5ubuntu2

36. By Steve Langasek on 2011-03-19

* FFe LP: #733501
* Build for multiarch, with pre-depends on multiarch-support virtual
  package.
* Add Breaks: on old versions of external packages (i.e., sssd) using
  /usr/lib/krb5 due to the path transition.

35. By Steve Beattie on 2011-03-15

* SECURITY UPDATE: kdc denial of service due to double-free if PKINIT
  capability is used.
  - src/kdc/do_as_req.c: clear fields on allocation; applied inine,
    thanks to upstream
  - CVE-2011-0284
  - MITKRB5-SA-2011-003

34. By Sam Hartman on 2011-03-06

* KDC/LDAP DOS (CVE-2010-4022, CVE-2011-0281, and CVE-2011-0282,
  Closes: #613487
* Fix delegation of credentials against Windows servers; significant
  interoperability issue, Closes: #611906
* Set nt-srv-inst on TGS names to work against W2K8R2 KDCs, Closes:
  #616429
* Don't fail authentication when PAC verification fails; support hmac-
  md5 checksums even for non-RC4 keys, Closes: #616728

33. By Steve Beattie on 2011-02-11

* SECURITY UPDATE: kpropd denial of service via invalid network input
  - src/slave/kpropd.c: don't return on kpropd child exit; applied
    inline.
  - CVE-2010-4022
  - MITKRB5-SA-2011-001
* SECURITY UPDATE: kdc denial of service from unauthenticated remote
  attackers
  - src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h,
    src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c,
    src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c,
    src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:
    applied inline
  - CVE-2011-0281
  - CVE-2011-0282
  - MITKRB5-SA-2011-002

32. By Sam Hartman on 2010-12-14

Ignore PACs without a server signature generated by OS X Open
Directory rather than failing authentication, Closes: #604925

31. By Sam Hartman on 2010-11-20

* MITKRB5-SA-2010-007
      * CVE-2010-1324: An unauthenticated attacker can inject arbitrary
      content into an existing GSS connection that appears to be integrity
      protected from the legitimate peer under some circumstances
    * GSS applications may accept a PAC produced by an attacker as if it
      were signed by a KDC
    * CVE-2010-1323: attackers have a 1/256 chance of being able to
      produce krb_safe messages that appear to be from legitimate remote
      sources. Other than use in KDC database copies this may not be a
      huge issue only because no one actually uses krb_safe
      messages. Similarly, an attacker can force clients to display
      challenge/response values of the attacker's choice.
    * CVE-2010-4020: An attacker may be able to generate what is
      accepted as a ad-signedpath or ad-kdc-issued checksum with 1/256
      probability
* New Vietnamese debconf translations, Thanks Clytie Siddall,
  Closes: #601533
* Update standards version to 3.9.1 (no changes required