Package: heimdal / 7.1.0+dfsg-13+deb9u2

Metadata

Package: heimdal
Version: 7.1.0+dfsg-13+deb9u2
Patches format: 3.0 (quilt)

Patch series

Each entry below gives the patch name, the per-file diffstat (total lines changed, then insertions +, deletions - and modified lines !) and, where the patch carries one, its description.
Patch: nfs_des

kdc/kerberos5.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

---
Patch: 021_debian

doc/setup.texi | 2 1 + 1 - 0 !
kdc/kdc.8 | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

---
Patch: 022_openafs

lib/krb5/keytab_keyfile.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

---
Patch: 025_krb5-config-paths

tools/krb5-config.in | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

---
Patch: 025_pthreads

cf/pthreads.m4 | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
Patch: 030_pkg-config-paths

tools/heimdal-gssapi.pc.in | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

---
Patch: installsh

po/Makefile.am | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

---
Patch: 041_hurd_maxhostnamelen

appl/gssmask/gssmask.c | 4 2 + 2 - 0 !
appl/kf/kfd.c | 2 1 + 1 - 0 !
appl/test/tcp_server.c | 2 1 + 1 - 0 !
lib/gssapi/spnego/accept_sec_context.c | 2 1 + 1 - 0 !
lib/krb5/get_addrs.c | 2 1 + 1 - 0 !
lib/krb5/get_host_realm.c | 4 2 + 2 - 0 !
lib/krb5/krbhst-test.c | 2 1 + 1 - 0 !
lib/krb5/krbhst.c | 2 1 + 1 - 0 !
lib/krb5/principal.c | 8 4 + 4 - 0 !
lib/krb5/test_plugin.c | 2 1 + 1 - 0 !
lib/krb5/verify_init.c | 2 1 + 1 - 0 !
lib/roken/getaddrinfo_hostspec.c | 2 1 + 1 - 0 !
12 files changed, 17 insertions(+), 17 deletions(-)

---
Patch: 042_hurd_path_max

lib/sl/slc-gram.y | 28 19 + 9 - 0 !
1 file changed, 19 insertions(+), 9 deletions(-)

---
Patch: 046_hurd_sundevdata

lib/kafs/afssys.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

---
Patch: 047_link_gssapi

kadmin/Makefile.am | 1 1 + 0 - 0 !
kdc/Makefile.am | 4 4 + 0 - 0 !
kpasswd/Makefile.am | 1 1 + 0 - 0 !
lib/hdb/Makefile.am | 1 1 + 0 - 0 !
lib/kadm5/Makefile.am | 2 2 + 0 - 0 !
5 files changed, 9 insertions(+)

Link against the just-built gssapi instead of the system one; this resolves an FTBFS when gssapi adds new symbols.
Patch: 060_no_build_string

configure.ac | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

Remove hostname and build time from the version string, as they make the build unreproducible.
Patch: parallel-build

lib/kadm5/Makefile.am | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

---
Patch: check_iprop_races

lib/kadm5/ipropd_slave.c | 12 9 + 3 - 0 !
tests/kdc/check-iprop.in | 124 95 + 29 - 0 !
2 files changed, 104 insertions(+), 32 deletions(-)

---
Patch: disable_iprop

tests/kdc/Makefile.am | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

---
Patch: canonical_host

tools/krb5-config.in | 17 1 + 16 - 0 !
1 file changed, 1 insertion(+), 16 deletions(-)

Disable use of @canonical_host@, which is not reproducible.
Status: not forwarded upstream (not applicable)
Bug: https://github.com/heimdal/heimdal/issues/237

Patch: CVE-2017-6594

kdc/krb5tgs.c | 12 10 + 2 - 0 !
tests/kdc/check-kdc.in | 17 17 + 0 - 0 !
tests/kdc/krb5.conf.in | 4 4 + 0 - 0 !
3 files changed, 31 insertions(+), 2 deletions(-)

---
Patch: 0018-Add-back-in-base64_encode-and-base64_decode.patch

lib/roken/base64.c | 12 12 + 0 - 0 !
lib/roken/base64.h | 6 6 + 0 - 0 !
lib/roken/version-script.map | 2 2 + 0 - 0 !
3 files changed, 20 insertions(+)

Add back in base64_encode and base64_decode

These functions were removed upstream. See
https://github.com/heimdal/heimdal/issues/107

Unfortunately the SONAME was not incremented for libroken.  This could
cause breakage. This change reintroduces the old names until the SONAME
can be incremented.

Patch: CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-val.patch

lib/krb5/ticket.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

[PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

In _krb5_extract_ticket() the KDC-REP service name must be obtained from
the encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.

Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

Patch: CVE-2017-17439-KDC-remote-DoS.patch

kdc/kerberos5.c | 8 5 + 3 - 0 !
1 file changed, 5 insertions(+), 3 deletions(-)

security: avoid NULL structure pointer member dereference