Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2021-03-02 14:41:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/krb5 (Old) and /work/SRC/openSUSE:Factory/.krb5.new.2378 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "krb5" Tue Mar 2 14:41:25 2021 rev:151 rq:873782 version:1.19.1 Changes: -------- --- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2020-12-16 10:58:43.931466437 +0100 +++ /work/SRC/openSUSE:Factory/.krb5.new.2378/krb5-mini.changes 2021-03-02 15:18:13.493661750 +0100 @@ -1,0 +2,47 @@ +Fri Feb 19 12:10:25 UTC 2021 - Samuel Cabrero <scabr...@suse.de> + +- Update to 1.19.1 + * Fix a linking issue with Samba. + * Better support multiple pkinit_identities values by checking whether + certificates can be loaded for each value. + +------------------------------------------------------------------- +Fri Feb 5 10:36:51 UTC 2021 - Samuel Cabrero <scabr...@suse.de> + +- Update to 1.19 + Administrator experience + * When a client keytab is present, the GSSAPI krb5 mech will refresh + credentials even if the current credentials were acquired manually. + * It is now harder to accidentally delete the K/M entry from a KDB. + Developer experience + * gss_acquire_cred_from() now supports the "password" and "verify" + options, allowing credentials to be acquired via password and + verified using a keytab key. + * When an application accepts a GSS security context, the new + GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor + both provided matching channel bindings. + * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests + to identify the desired client principal by certificate. + * PKINIT certauth modules can now cause the hw-authent flag to be set + in issued tickets. + * The krb5_init_creds_step() API will now issue the same password + expiration warnings as krb5_get_init_creds_password(). + Protocol evolution + * Added client and KDC support for Microsoft's Resource-Based Constrained + Delegation, which allows cross-realm S4U2Proxy requests. A third-party + database module is required for KDC support. + * kadmin/admin is now the preferred server principal name for kadmin + connections, and the host-based form is no longer created by default. + The client will still try the host-based form as a fallback. + * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT + extension, which causes channel bindings to be required for the + initiator if the acceptor provided them. The client will send this + option if the client_aware_gss_bindings profile option is set. + User experience + * kinit will now issue a warning if the des3-cbc-sha1 encryption type is + used in the reply. This encryption type will be deprecated and removed + in future releases. + * Added kvno flags --out-cache, --no-store, and --cached-only + (inspired by Heimdal's kgetcred). + +------------------------------------------------------------------- krb5.changes: same change Old: ---- krb5-1.18.3.tar.gz krb5-1.18.3.tar.gz.asc New: ---- krb5-1.19.1.tar.gz krb5-1.19.1.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ krb5-mini.spec ++++++ --- /var/tmp/diff_new_pack.q9RTXQ/_old 2021-03-02 15:18:14.333662298 +0100 +++ /var/tmp/diff_new_pack.q9RTXQ/_new 2021-03-02 15:18:14.337662300 +0100 @@ -1,7 +1,7 @@ # # spec file for package krb5-mini # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,13 +24,13 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: krb5-mini -Version: 1.18.3 +Version: 1.19.1 Release: 0 Summary: MIT Kerberos5 implementation and libraries with minimal dependencies License: MIT -URL: https://web.mit.edu/kerberos/www/ -Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}.tar.gz -Source1: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}.tar.gz.asc +URL: https://kerberos.org/dist/ +Source0: https://kerberos.org/dist/krb5/1.19/krb5-%{version}.tar.gz +Source1: https://kerberos.org/dist/krb5/1.19/krb5-%{version}.tar.gz.asc Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf ++++++ krb5.spec ++++++ --- /var/tmp/diff_new_pack.q9RTXQ/_old 2021-03-02 15:18:14.353662311 +0100 +++ /var/tmp/diff_new_pack.q9RTXQ/_new 2021-03-02 15:18:14.357662314 +0100 @@ -1,7 +1,7 @@ # # spec file for package krb5 # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,13 +21,13 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: krb5 -Version: 1.18.3 +Version: 1.19.1 Release: 0 Summary: MIT Kerberos5 implementation License: MIT -URL: https://web.mit.edu/kerberos/www/ -Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}.tar.gz -Source1: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}.tar.gz.asc +URL: https://kerberos.org/dist/ +Source0: https://kerberos.org/dist/krb5/1.19/krb5-%{version}.tar.gz +Source1: https://kerberos.org/dist/krb5/1.19/krb5-%{version}.tar.gz.asc Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf ++++++ 0001-ksu-pam-integration.patch ++++++ --- /var/tmp/diff_new_pack.q9RTXQ/_old 2021-03-02 15:18:14.369662321 +0100 +++ /var/tmp/diff_new_pack.q9RTXQ/_new 2021-03-02 15:18:14.373662325 +0100 @@ -1,4 +1,4 @@ -From ff26447c1edc29bf69672f1a55f8bb1c3f20f582 Mon Sep 17 00:00:00 2001 +From cb49731c07ee57f64bd5a93a182446bc834b9057 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharw...@redhat.com> Date: Tue, 23 Aug 2016 16:29:58 -0400 Subject: [PATCH 1/8] ksu pam integration @@ -30,10 +30,10 @@ create mode 100644 src/clients/ksu/pam.h diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 2394f7e33..53f8b6fb7 100644 +index 024d6370c..43eed3b87 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 -@@ -1675,3 +1675,71 @@ if test "$with_ldap" = yes; then +@@ -1677,3 +1677,71 @@ if test "$with_ldap" = yes; then OPENLDAP_PLUGIN=yes fi ])dnl @@ -144,11 +144,11 @@ clean: $(RM) ksu diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c -index 4f03dd8ed..21a4d02bb 100644 +index af1286172..931f05404 100644 --- a/src/clients/ksu/main.c +++ b/src/clients/ksu/main.c @@ -26,6 +26,7 @@ - * KSU was writen by: Ari Medvinsky, a...@isi.edu + * KSU was written by: Ari Medvinsky, a...@isi.edu */ +#include "autoconf.h" @@ -174,7 +174,7 @@ /***********/ #define KS_TEMPORARY_CACHE "MEMORY:_ksu" -@@ -535,6 +541,23 @@ main (argc, argv) +@@ -536,6 +542,23 @@ main (argc, argv) prog_name,target_user,client_name, source_user,ontty()); @@ -198,7 +198,7 @@ /* Run authorization as target.*/ if (krb5_seteuid(target_uid)) { com_err(prog_name, errno, _("while switching to target for " -@@ -595,6 +618,24 @@ main (argc, argv) +@@ -596,6 +619,24 @@ main (argc, argv) exit(1); } @@ -223,7 +223,7 @@ } if( some_rest_copy){ -@@ -652,6 +693,30 @@ main (argc, argv) +@@ -653,6 +694,30 @@ main (argc, argv) exit(1); } @@ -254,7 +254,7 @@ /* set permissions */ if (setgid(target_pwd->pw_gid) < 0) { perror("ksu: setgid"); -@@ -749,7 +814,7 @@ main (argc, argv) +@@ -750,7 +815,7 @@ main (argc, argv) fprintf(stderr, "program to be execed %s\n",params[0]); } @@ -263,7 +263,7 @@ execv(params[0], params); com_err(prog_name, errno, _("while trying to execv %s"), params[0]); sweep_up(ksu_context, cc_target); -@@ -779,16 +844,35 @@ main (argc, argv) +@@ -780,16 +845,35 @@ main (argc, argv) if (ret_pid == -1) { com_err(prog_name, errno, _("while calling waitpid")); } @@ -759,10 +759,10 @@ +void appl_pam_cleanup(void); +#endif diff --git a/src/configure.ac b/src/configure.ac -index 234f4281c..d1f576124 100644 +index 4eb080784..693f76a81 100644 --- a/src/configure.ac +++ b/src/configure.ac -@@ -1390,6 +1390,8 @@ AC_SUBST([VERTO_VERSION]) +@@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION]) AC_PATH_PROG(GROFF, groff) @@ -772,5 +772,5 @@ if test "${localedir+set}" != set; then localedir='$(datadir)/locale' -- -2.25.0 +2.30.0 ++++++ krb5-1.18.3.tar.gz -> krb5-1.19.1.tar.gz ++++++ /work/SRC/openSUSE:Factory/krb5/krb5-1.18.3.tar.gz /work/SRC/openSUSE:Factory/.krb5.new.2378/krb5-1.19.1.tar.gz differ: char 5, line 1