krb5 commit [krb5-1.14]: Updates for krb5-1.14-beta2

Tom Yu tlyu at mit.edu
Thu Nov 12 23:22:46 EST 2015


https://github.com/krb5/krb5/commit/102087ab0ce9f8661be09f905ca546c4d471bac5
commit 102087ab0ce9f8661be09f905ca546c4d471bac5
Author: Tom Yu <tlyu at mit.edu>
Date:   Thu Nov 12 16:17:48 2015 -0500

    Updates for krb5-1.14-beta2

 README              |   28 ++++++++++++++++++++++++++++
 src/patchlevel.h    |    4 ++--
 src/po/mit-krb5.pot |    4 ++--
 3 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/README b/README
index 1137515..691fb04 100644
--- a/README
+++ b/README
@@ -125,6 +125,15 @@ Administrator experience:
 * Add support for the err_fmt profile parameter, which can be used to
   generate custom-formatted error messages.
 
+Code quality:
+
+* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+  could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+  [CVE-2015-2698]
+
+* Fix build_principal memory bug that could cause a KDC
+  crash. [CVE-2015-2697]
+
 Developer experience:
 
 * Change gss_acquire_cred_with_password() to acquire credentials into
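Review bot: The new "Code quality" heading in README carries four CVE-tagged crash fixes under a label that does not signal security relevance, so someone scanning the release notes for security fixes can pass over it. Consider a heading that says so directly, and split the first bullet so each of "[CVE-2015-2695] [CVE-2015-2696] [CVE-2015-2698]" is tied to the mechanism it affects (SPNEGO or IAKERB); as written the three are listed as a group with no mapping.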
@@ -183,6 +192,12 @@ Performance:
   full resync, and do not require two full resyncs after the master
   KDC's log file is reset.
 
+User experience:
+
+* Make gss_accept_sec_context() accept tickets near their expiration
+  but within clock skew tolerances, rather than rejecting them
+  immediately after the server's view of the ticket expiration time.
+
 
 krb5-1.14 changes by ticket ID
 ------------------------------
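Review bot: The "User experience" entry says tickets are accepted "within clock skew tolerances" but does not say what sets that tolerance. Because this change lengthens the period during which gss_accept_sec_context() accepts a ticket past its expiration time, the entry should name the setting that bounds the tolerance and cite the ticket ID, so operators of acceptor services can judge the effect on their deployments.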
@@ -234,16 +249,27 @@ krb5-1.14 changes by ticket ID
 8236    Update SPNEGO hintName value to current spec
 8242    Improve PKINIT OpenSSL error reporting
 8243    Add tabular dump capability to kdb5_util
+8244    SPNEGO and IAKERB context aliasing bugs [CVE-2015-2695][CVE-2015-2696]
 8245    kerberos.ldif file has malformed entries
 8246    Fix error mappings for IOV MIC mechglue funcs
 8251    Fix kadmin with e2fsprogs libss
+8252    Fix build_principal memory bug [CVE-2015-2697]
 8253    Fix minor utf8-to-ucs2s read overrun bug
+8254    use appropriate default for krb5_cv_sys_rcdir when cross-compiling
 8255    Define error status GSS_S_BAD_MIC
 8256    Fix typo in GSS_S_UNAUTHORIZED error message
 8257    Fix gss_inquire_names_for_mech() on MS krb5 mech
 8258    Correct GSS major code for non-default QOP values
 8259    Check output params on GSS OID set functions
 8260    Fix gss_store_cred() minor code on acceptor cred
+8262    Set plugin_base_dir for kadmin tests
+8264    kdb_check test target uses installed message catalog
+8266    Installed krb5.conf files can affect test suite
+8267    unsetenv() returns void
+8268    krb5 gss_accept_sec_context() does not allow clock skew
+8269    Accept new passwords as const char pointers
+8271    Zap secure cookie contents when freeing
+8273    Fix IAKERB context export/import [CVE-2015-2698]
 
 
 Acknowledgements
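Review bot: Several added lines in the ticket list describe the problem rather than the change, for example "8267 unsetenv() returns void" and "8268 krb5 gss_accept_sec_context() does not allow clock skew", and 8254 starts in lower case, unlike the neighbouring "Fix ..." entries. A reader cannot tell from these whether the behaviour was fixed or only reported. In addition, 8244 runs its tags together as "[CVE-2015-2695][CVE-2015-2696]" while the prose section earlier in README separates CVE tags with spaces; use one form so a search for the CVE list matches both places.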
@@ -346,6 +372,7 @@ reports, suggestions, and valuable resources:
     David Bantz
     Alex Baule
     David Benjamin
+    Thomas Bernard
     Adam Bernstein
     Arlene Berry
     Jeff Blaine
@@ -388,6 +415,7 @@ reports, suggestions, and valuable resources:
     Bill Fellows
     JC Ferguson
     Remi Ferrand
+    Paul Fertser
     William Fiveash
     Ákos Frohner
     Sebastian Galiano
diff --git a/src/patchlevel.h b/src/patchlevel.h
index 262f6f9..48afcda 100644
--- a/src/patchlevel.h
+++ b/src/patchlevel.h
@@ -52,6 +52,6 @@
 #define KRB5_MAJOR_RELEASE 1
 #define KRB5_MINOR_RELEASE 14
 #define KRB5_PATCHLEVEL 0
-#define KRB5_RELTAIL "beta1-postrelease"
+#define KRB5_RELTAIL "beta2"
 /* #undef KRB5_RELDATE */
-#define KRB5_RELTAG "krb5-1.14"
+#define KRB5_RELTAG "krb5-1.14-beta2"
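Review bot: In src/patchlevel.h, KRB5_RELTAIL and KRB5_RELTAG now identify the tree as exactly "beta2", where the removed lines used "beta1-postrelease" with the branch tag "krb5-1.14". Any commit that lands on the branch after the tag will still report itself as beta2 until these are changed back, which makes it impossible to tell from the version string whether a build contains later fixes. A follow-up commit restoring the postrelease form should accompany the tag. Note also that KRB5_PATCHLEVEL stays 0, so the beta number is visible only in the strings, not in the numeric macros.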
diff --git a/src/po/mit-krb5.pot b/src/po/mit-krb5.pot
index f46b9fb..07b9417 100644
--- a/src/po/mit-krb5.pot
+++ b/src/po/mit-krb5.pot
@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: mit-krb5 1.14-beta1-postrelease\n"
+"Project-Id-Version: mit-krb5 1.14-beta2\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2015-11-12 16:01-0500\n"
+"POT-Creation-Date: 2015-11-12 16:30-0500\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL at ADDRESS>\n"
 "Language-Team: LANGUAGE <LL at li.org>\n"

