| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
License-Update: Copyright year updated to 2019.
Remove one backported patch.
Fix below do_package issue:
ERROR: krb5-1.17-r0 do_package: QA Issue: krb5: Files/directories were installed but not shipped in any package:
/usr/lib/krb5/plugins/preauth/spake.so
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Fix CVE-2018-20217
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Update LIC_FILES_CHKSUM as license file NOTICE
update copyright years to 2018
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
bison-native is required for the build:
| yacc getdate.y
| make[2]: yacc: Command not found
| make[2]: *** [<builtin>: getdate.c] Error 127
In most cases, this dependency comes indirectly via toolchain
dependencies, specifically binutils-cross, which pulls
bison-native.
Different setups, such as with external toolchains, or an
upcoming change to OE-core for avoiding exactly this
unnoticed dependency expose this problem, since the correct
dependency is not marked explicitly.
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Let krb5 support environment setting on systemd startup.
Here is one requirement of environment setting from upstream krb5
...
https://web.mit.edu/kerberos/krb5-1.16/doc/admin/conf_files/kdc_conf.html
|Normally, the kdc.conf file is found in the KDC state directory,
LOCALSTATEDIR/krb5kdc. You can override the default location by
setting the environment variable KRB5_KDC_PROFILE.
...
The fix of (krb5-admin-server.service/krb5-kdc.service) refers ubuntu 1604
Variable RUN_KADMIND is sysvinit, move it out from default/krb5-admin-server
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Fixes
QA Issue: krb5: configure was passed unrecognised options: --with-pkinit-crypto-impl [unknown-configure-option]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
This is not defined by gcc for risc-v, probably a bug in
gcc but until then insulate ourselves
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
* --with-pkinit-crypto-impl option was removed in 1.16 by this commit;
https://github.com/krb5/krb5/commit/3e2344a14fad828dee624af0ae7ba2d12aec2c81#diff-f543b6d8715dcf859ebec297c750c370
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
1.Upgrade krb5 from 1.15.1 to 1.16
2.Update the checksum of LIC_FILES_CHKSUM, since krb5 has been changed. But lincese remains the same.just modify the following.
-Copyright (C) 1985-2016 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2017 by the Massachusetts Institute of Technology.
-The KCM Mach RPC definition file used on OS X has the following
+The KCM Mach RPC definition file used on macOS has the following
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to
have unspecified impact via vectors involving automatic deletion of
security contexts on error.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-11462
Upstream patch:
https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Backport patch to fix CVE-2017-11368 for krb5.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
It is used in NVD database for CVE's like:
https://nvd.nist.gov/vuln/detail/CVE-2016-3120
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
1) Upgrade krb5 from 1.13.6 to 1.15.1.
2) License checksum changed,since the copyright years were updated.
3) Fix error in the step of do_configure.
| ERROR: krb5-1.15.1-r0 do_package: QA Issue: krb5: Files/directories were installed but not shipped in any package:
| /usr/lib/krb5/plugins/preauth/test.so
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Split libraries and plugins into their own packages. Create packages
for admin-server, kdc, user and examples. Remove some unneeded binaries.
Enable daemons on boot.
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Fixes errors on x86_64 e.g.
errors.so: relocation R_X86_64_PC32 against symbol `k5_vset_error' can not be used when making a shared object; recompile with -fPIC
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
* fix CVEs: CVE-2015-8629, CVE-2015-8630, CVE-2015-8631
* update LIC_FILES_CHKSUM, only Copyright changed in NOTICE file:
-Copyright (C) 1985-2015 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2016 by the Massachusetts Institute of Technology.
* remove useless functions: krb5_do_unpack(), do_unpack()
* remove patches that included by new release:
- 0001-Work-around-uninitialized-warning-in-cc_kcm.c.patch
- Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
- Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
- Fix-build_principal-memory-bug-CVE-2015-2697.patch
- Fix-IAKERB-context-export-import-CVE-2015-2698.patch
- krb5-CVE-2016-3119.patch
- krb5-CVE-2016-3120.patch
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
This is CVE-2016-3120
The validate_as_request function in kdc_util.c in the Key Distribution
Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before
1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect
client data structure, which allows remote authenticated users to cause
a denial of service (NULL pointer dereference and daemon crash) via an
S4U2Self request.
Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Remove superfluous "+=", then manually add necessary leading space.
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
On some targets clang erroniously detects an uninitialized variable.
Backport the fix from upstream.
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Backport <commit 08c642c09c38a9c6454ab43a9b53b2a89b9eef99> from krb5
upstream <https://github.com/krb5/krb5> to fix CVE-2016-3119
avoid remote authenticated users to cause a denial of service (NULL pointer
dereference and daemon crash) via a crafted request to modify a principal.
Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
base_contains() is a compatibility wrapper and may warn in the future, so
replace all instances with bb.utils.contains().
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
add native and nativesdk extend, curl-native/nativesdk need them.
replace the hardcode /etc with ${sysconfdir}, /var with ${localstatedir}
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
WARNING: /tmp/work/armv5e-poky-linux-gnueabi/krb5/1.12.2-r0/krb5-1.12.2/src/ ('S') doesn't exist, please set 'S' to a proper value
remove extra "/"
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c
in MIT Kerberos 5 (aka krb5) 1.14 pre-release 2015-09-14 improperly
accesses a certain pointer, which allows remote authenticated users
to cause a denial of service (memory corruption) or possibly have
unspecified other impact by interacting with an application that calls
the gss_export_sec_context function. NOTE: this vulnerability exists
because of an incorrect fix for CVE-2015-2696.
Backport upstream commit to fix it:
https://github.com/krb5/krb5/commit/3db8dfec1ef50ddd78d6ba9503185995876a39fd
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT
Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users
to cause a denial of service (out-of-bounds read and KDC crash) via
an initial '\0' character in a long realm field within a TGS request.
Backport upstream commit to fix it:
https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) before 1.14
relies on an inappropriate context handle, which allows remote
attackers to cause a denial of service (incorrect pointer read and
process crash) via a crafted IAKERB packet that is mishandled during
a gss_inquire_context call.
Backport upstream commit to fix it:
https://github.com/krb5/krb5/commit/e04f0283516e80d2f93366e0d479d13c9b5c8c2a
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) before
1.14 relies on an inappropriate context handle, which allows remote
attackers to cause a denial of service (incorrect pointer read and
process crash) via a crafted SPNEGO packet that is mishandled during
a gss_inquire_context call.
Backport upstream commit to fix it:
https://github.com/krb5/krb5/commit/b51b33f2bc5d1497ddf5bd107f791c101695000d
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Upgrade to include the CVE fixes: [CVE-2014-5354] [CVE-2014-5353]...
Remove the 0001-Return-only-new-keys-in-randkey-CVE-2014-5351.patch
Regenerate the /var/run/krb5kdc dir
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c
in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a
response to a -randkey -keepold request, which allows remote authentic-
ated users to forge tickets by leveraging administrative access.
This back-ported patch fixes CVE-2014-5351.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
As this recipe doesn't inherit update-rc.d, we need to add to its
runtime dependency initscripts-functions ourselves. Otherwise, we
would spot errors in systemd systems when we execute commands like
`systemctl start krb5-kdc'.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Otherwise do_unpack failed when multilib:
tar (child): /path/to/lib32-krb5-1.12.2.tar.gz: Cannot open: No such file or directory
And do_patch error:
ERROR: Command Error: exit status: 1 Output:
Applying patch 0001-aclocal-Add-parameter-to-disable-keyutils-detection.patch
can't find file to patch at input line 15
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Changed:
* Add init scripts and default configs based on debian
* Add a patch for crosscompile nm
* Add a patch to suppress /usr/lib in krb5-config
* Add DESCRIPTION
* Remove blacklist and inherit autotools-brokensep
* Add PACKAGECONFIG for ldap and readline
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Fixed SRC_URI:
* ${PN} -> ${BPN}, use ${BP} if it was ${PN}-${PV}
* ${P} -> ${BP}
Otherwise we would meet do_fetch errors when we do the multilib, native
or nativesdk build.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Changes:
- rename SUMMARY with length > 80 to DESCRIPTION
- rename DESCRIPTION with length < 80 to (non present tag) SUMMARY
- drop final point character at the end of SUMMARY string
- remove trailing whitespace of SUMMARY line
Note: don't bump PR
Signed-off-by: Matthieu Crapet <Matthieu.Crapet@ingenico.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
* 1.11 is often failing with:
| common.o: file not recognized: File truncated
| collect2: ld returned 1 exit status
| make[2]: *** [t_export_name] Error 1
when higher parallelism is used
1.11.2 and newer have fix for that:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7587
* LIC_FILES_CHKSUM is only from year update
< Copyright (C) 1985-2012 by the Massachusetts Institute of Technology.
---
> Copyright (C) 1985-2013 by the Massachusetts Institute of Technology.
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
* it's autodetected from sysroot
* add PACKAGECONFIG to make it deterministic
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Krb5 needs libcom_err from e2fsprogs to be built. It looks like
in some cases if e2fsprogs was built before krb5 this would
silently pass.
* add that e2fsprogs dependency explicitly.
* added back the PR and updated its value to r1.
Signed-off-by: Ian Reinhart Geiser <igeiser@devonit.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
krb5 needs reconfigure, since the current config.sub included doesn't
include aarch64.
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
* drop PR
* fix FILES_${PN}-doc
* fix QA warnings:
WARNING: QA Issue: krb5: Files/directories were installed but not
shipped
/usr/share/gnats
/usr/share/gnats/mit
and RPATH entries
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
Qi.Chen@windriver.com
Mingli Yu
Wenlin Kang
Changqing Li
André Draszik
Hongxu Jia
Andreas Müller
Khem Raj
Martin Jansa
Huang Qiyu
Catalin Enache
Kai Kang
Mikko Rapeli
Andreas Oberritter
Wenzong Fan
Alexandru Moise
Robert P. J. Day
Daniel McGregor
Zhixiong Chi
Ross Burton
Roy Li
Armin Kuster
Robert Yang
Jackie Huang
Matthieu CRAPET
Ian Reinhart Geiser
Riku Voipio