src/clients/ksu/ksu.h | 4 4 + 0 - 0 !
src/include/k5-int.h | 3 3 + 0 - 0 !
src/kadmin/ktutil/ktutil_funcs.c | 4 4 + 0 - 0 !
src/lib/gssapi/spnego/spnego_mech.c | 3 3 + 0 - 0 !
src/lib/krb5/os/sn2princ.c | 4 4 + 0 - 0 !
src/plugins/kdb/db2/libdb2/include/db-int.h | 4 4 + 0 - 0 !
src/slave/kprop_util.c | 4 4 + 0 - 0 !
src/tests/resolve/resolve.c | 4 4 + 0 - 0 !
8 files changed, 30 insertions(+)

 debian: hurd compatibility

HURD has no MAXPATHLEN or MAXHOSTLEN.

Patch-Category: debian-local

src/build-tools/krb5-config.in | 14 9 + 5 - 0 !
1 file changed, 9 insertions(+), 5 deletions(-)

 debian: suppress multi-arch paths in krb5-config

Just match anything that starts with /usr/lib, since that's managed
by the system; don't require an exact match.

Also include --deps in the usage output, since it is a valid argument.

Patch-Category: debian-local

src/include/osconf.hin | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 debian: osconf.hin path changes

Patch-Category: debian-local

src/plugins/kdb/ldap/Makefile.in | 1 1 + 0 - 0 !
src/plugins/kdb/ldap/ldap_util/Makefile.in | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+)

 debian: install ldap library in subdirectory

Debian received a request to install the internal ldap library not in
the main lib directory.

We are changing SHLIB_DIRS from the default that upstream sets in the
makefile includes; assign unconditionally the full value.

Patch-Category: debian-local

src/lib/gssapi/mechglue/g_initialize.c | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 gssapi: never unload mechanisms

It turns out that many GSSAPI mechanisms link to the main gss-api
library creating a circular reference. Depending on how the linker
breaks the cycle at process exit time, the linker may unload the GSS
library after unloading the mechanisms. The explicit dlclose from the
GSS library tends to cause a libdl assertion failure at that
point. So, never unload plugins. They are refcounted, so dlopen
handles will not leak, although obviously the memory from the plugin
is never reclaimed.

ticket: 7135

Patch-Category: debian-local

src/doc/Makefile.in | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

 add substpdf target

Akin to substhtml, so that we can build PDF documents without
overwriting the upstream-provided versions and causing debian/rules clean
to not return to the original state.

Patch-Category: debian-local

src/build-tools/gssrpc.pc.in | 4 2 + 2 - 0 !
src/build-tools/kadm-client.pc.in | 4 2 + 2 - 0 !
src/build-tools/kadm-server.pc.in | 4 2 + 2 - 0 !
src/build-tools/kdb.pc.in | 4 2 + 2 - 0 !
src/build-tools/mit-krb5-gssapi.pc.in | 4 2 + 2 - 0 !
src/build-tools/mit-krb5.pc.in | 4 2 + 2 - 0 !
6 files changed, 12 insertions(+), 12 deletions(-)

 fix pkg-config library/include paths

Include library and include flags in pkg-config files, so they work when the
symlinks provided by libkrb5-dev are not installed.

Patch-Category: debian-local

src/build-tools/gssrpc.pc.in | 2 1 + 1 - 0 !
src/build-tools/kadm-client.pc.in | 2 1 + 1 - 0 !
src/build-tools/kadm-server.pc.in | 2 1 + 1 - 0 !
src/build-tools/kdb.pc.in | 2 1 + 1 - 0 !
src/build-tools/krb5-config.in | 2 1 + 1 - 0 !
src/build-tools/mit-krb5-gssapi.pc.in | 2 1 + 1 - 0 !
src/build-tools/mit-krb5.pc.in | 2 1 + 1 - 0 !
7 files changed, 7 insertions(+), 7 deletions(-)

 use -isystem for include paths

 This is necessary so Kerberos headers files are classified as "system headers"
 by the compiler, and thus not subject to the same strict warnings as
 other headers (which breaks compilation if -Werror is specified).
 .
 This fixes the build of folks using -Werror and including Kerberos headers
 when the latter are installed in a non-standard location (e.g.
 /usr/include/tuple/mit-krb5, as Debian is doing).
(cherry picked from commit d8520c1d1c218e3c766009abc728b207c0421232)

src/build-tools/krb5-config.in | 14 3 + 11 - 0 !
1 file changed, 3 insertions(+), 11 deletions(-)

 fix krb5-config paths

Include library and include flags in krb5-config, so they
work when the symlinks provided by libkrb5-dev are not
installed.

(cherry picked from commit 33c4b2ebf6688af9cdb71d3795187ddc1601b849)
Patch-Category: debian-local

src/po/Makefile.in | 2 1 + 1 - 0 !
src/po/de.po | 9301 9301 + 0 - 0 !
2 files changed, 9302 insertions(+), 1 deletion(-)

 initial german translations

Thanks, Chris Leick <c.leick@vollbio.de>

modified 2016-11-04 to actually build the German catalogue.

src/lib/apputils/net-server.c | 16 13 + 3 - 0 !
1 file changed, 13 insertions(+), 3 deletions(-)

 fix kdc/kadmind startup on some ipv4-only systems

getaddrinfo(NULL, ...) may yield an IPv6 wildcard address on IPv4-only
systems, and creating a socket for that address may result in an
EAFNOSUPPORT error.  Tolerate that error as long as we can bind at
least one socket for the address.

(cherry picked from commit 04c2bb56f5203b296b24314810eca02f5dc7e491)

ticket: 8531
version_fixed: 1.15.1

(cherry picked from commit 552a129fb857e7f6fa734011d69785ad912b3fc5)
Patch-Category: upstream

src/lib/apputils/net-server.c | 13 12 + 1 - 0 !
1 file changed, 12 insertions(+), 1 deletion(-)

 use pktinfo for explicit udp wildcard listeners

In net-server.c, use pktinfo on UDP server sockets if they are bound
to wildcard addresses, whether that is explicit or implicit in the
address specification.

(cherry picked from commit d005beaa72c70bc28b2b0b49b9d83eff160ca8f1)

ticket: 8530
version_fixed: 1.15.1

(cherry picked from commit e23d062471bf9071072aaf2df39054508fe74cc1)

Patch-Category: upstream

src/lib/krb5/os/sendto_kdc.c | 12 8 + 4 - 0 !
1 file changed, 8 insertions(+), 4 deletions(-)

 fix udp_preference_limit with srv records

In sendto_kdc:resolve_server() when resolving a server entry with a
specified transport, defer the resulting addresses if the strategy
dictates that the specified transport is not preferred.  Reported by
Jochen Hein.

(cherry picked from commit bc7594058011c2f9711f24af4fa15a421a8d5b62)

ticket: 8554
version_fixed: 1.15.1

(cherry picked from commit 59a3449f13c63048b44f56cad2d528c0805d3627)

Patch-Category: upstream

src/kdc/do_as_req.c | 4 2 + 2 - 0 !
src/kdc/do_tgs_req.c | 3 2 + 1 - 0 !
src/kdc/kdc_util.c | 10 8 + 2 - 0 !
3 files changed, 12 insertions(+), 5 deletions(-)

 prevent kdc unset status assertion failures

Assign status values if S4U2Self padata fails to decode, if an
S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
uses an evidence ticket which does not match the canonicalized request
server principal name.  Reported by Samuel Cabrero.

If a status value is not assigned during KDC processing, default to
"UNKNOWN_REASON" rather than failing an assertion.  This change will
prevent future denial of service bugs due to similar mistakes, and
will allow us to omit assigning status values for unlikely errors such
as small memory allocation failures.

CVE-2017-11368:

In MIT krb5 1.7 and later, an authenticated attacker can cause an
assertion failure in krb5kdc by sending an invalid S4U2Self or
S4U2Proxy request.

  CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C

ticket: 8599 (new)
target_version: 1.15-next
target_version: 1.14-next
tags: pullup

Patch-Category: upstream