krb5 commit [krb5-1.14]: Updates for krb5-1.14-beta2
Tom Yu
tlyu at mit.edu
Thu Nov 12 23:22:46 EST 2015
https://github.com/krb5/krb5/commit/102087ab0ce9f8661be09f905ca546c4d471bac5
commit 102087ab0ce9f8661be09f905ca546c4d471bac5
Author: Tom Yu <tlyu at mit.edu>
Date: Thu Nov 12 16:17:48 2015 -0500
Updates for krb5-1.14-beta2
README | 28 ++++++++++++++++++++++++++++
src/patchlevel.h | 4 ++--
src/po/mit-krb5.pot | 4 ++--
3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/README b/README
index 1137515..691fb04 100644
--- a/README
+++ b/README
@@ -125,6 +125,15 @@ Administrator experience:
* Add support for the err_fmt profile parameter, which can be used to
generate custom-formatted error messages.
+Code quality:
+
+* Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+ could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+ [CVE-2015-2698]
+
+* Fix build_principal memory bug that could cause a KDC
+ crash. [CVE-2015-2697]
+
Developer experience:
* Change gss_acquire_cred_with_password() to acquire credentials into
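Review bot: The new "Code quality:" heading understates the two entries added under it, which between them carry four CVE identifiers and describe server and KDC crashes. A heading such as "Security:" would let administrators scanning the release notes for security fixes find them, and the entries could say whether the crash is reachable by an unauthenticated peer if that is known.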
@@ -183,6 +192,12 @@ Performance:
full resync, and do not require two full resyncs after the master
KDC's log file is reset.
+User experience:
+
+* Make gss_accept_sec_context() accept tickets near their expiration
+ but within clock skew tolerances, rather than rejecting them
+ immediately after the server's view of the ticket expiration time.
+
krb5-1.14 changes by ticket ID
------------------------------
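Review bot: The gss_accept_sec_context() entry under "User experience:" describes a change to when an acceptor honours a ticket (past the server's view of its expiration, within clock skew), but it does not name the setting that bounds that tolerance. Name the setting and point to ticket 8268, so operators who rely on strict expiry can see how far the acceptance window extends.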
@@ -234,16 +249,27 @@ krb5-1.14 changes by ticket ID
8236 Update SPNEGO hintName value to current spec
8242 Improve PKINIT OpenSSL error reporting
8243 Add tabular dump capability to kdb5_util
+8244 SPNEGO and IAKERB context aliasing bugs [CVE-2015-2695][CVE-2015-2696]
8245 kerberos.ldif file has malformed entries
8246 Fix error mappings for IOV MIC mechglue funcs
8251 Fix kadmin with e2fsprogs libss
+8252 Fix build_principal memory bug [CVE-2015-2697]
8253 Fix minor utf8-to-ucs2s read overrun bug
+8254 use appropriate default for krb5_cv_sys_rcdir when cross-compiling
8255 Define error status GSS_S_BAD_MIC
8256 Fix typo in GSS_S_UNAUTHORIZED error message
8257 Fix gss_inquire_names_for_mech() on MS krb5 mech
8258 Correct GSS major code for non-default QOP values
8259 Check output params on GSS OID set functions
8260 Fix gss_store_cred() minor code on acceptor cred
+8262 Set plugin_base_dir for kadmin tests
+8264 kdb_check test target uses installed message catalog
+8266 Installed krb5.conf files can affect test suite
+8267 unsetenv() returns void
+8268 krb5 gss_accept_sec_context() does not allow clock skew
+8269 Accept new passwords as const char pointers
+8271 Zap secure cookie contents when freeing
+8273 Fix IAKERB context export/import [CVE-2015-2698]
Acknowledgements
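Review bot: Two of the added ticket lines do not match the style of their neighbours: 8254 starts in lower case ("use appropriate default for krb5_cv_sys_rcdir ..."), and 8268 states the symptom ("does not allow clock skew") where the surrounding entries state the fix. Capitalise 8254 and reword 8268 along the lines of "Allow clock skew in gss_accept_sec_context()". The CVE tags on 8244 are also run together without a space, unlike the README summary earlier in this patch.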
@@ -346,6 +372,7 @@ reports, suggestions, and valuable resources:
David Bantz
Alex Baule
David Benjamin
+ Thomas Bernard
Adam Bernstein
Arlene Berry
Jeff Blaine
@@ -388,6 +415,7 @@ reports, suggestions, and valuable resources:
Bill Fellows
JC Ferguson
Remi Ferrand
+ Paul Fertser
William Fiveash
Ãkos Frohner
Sebastian Galiano
diff --git a/src/patchlevel.h b/src/patchlevel.h
index 262f6f9..48afcda 100644
--- a/src/patchlevel.h
+++ b/src/patchlevel.h
@@ -52,6 +52,6 @@
#define KRB5_MAJOR_RELEASE 1
#define KRB5_MINOR_RELEASE 14
#define KRB5_PATCHLEVEL 0
-#define KRB5_RELTAIL "beta1-postrelease"
+#define KRB5_RELTAIL "beta2"
/* #undef KRB5_RELDATE */
-#define KRB5_RELTAG "krb5-1.14"
+#define KRB5_RELTAG "krb5-1.14-beta2"
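Review bot: KRB5_RELTAIL and KRB5_RELTAG are now set to the exact release values ("beta2", "krb5-1.14-beta2"), so any build from the branch after this commit identifies itself as the beta2 release. The removed lines show the branch convention ("beta1-postrelease", "krb5-1.14"); a follow-up commit should restore the postrelease form straight after tagging so that later branch builds, which may include further fixes, are distinguishable from the tagged release.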
diff --git a/src/po/mit-krb5.pot b/src/po/mit-krb5.pot
index f46b9fb..07b9417 100644
--- a/src/po/mit-krb5.pot
+++ b/src/po/mit-krb5.pot
@@ -6,9 +6,9 @@
#, fuzzy
msgid ""
msgstr ""
-"Project-Id-Version: mit-krb5 1.14-beta1-postrelease\n"
+"Project-Id-Version: mit-krb5 1.14-beta2\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2015-11-12 16:01-0500\n"
+"POT-Creation-Date: 2015-11-12 16:30-0500\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL at ADDRESS>\n"
"Language-Team: LANGUAGE <LL at li.org>\n"