File: changelog

package info (click to toggle)
krb5 1.15-1+deb9u1
  • links: PTS, VCS
  • area: main
  • in suites: stretch
  • size: 54,220 kB
  • ctags: 32,381
  • sloc: ansic: 310,596; cpp: 16,220; exp: 13,350; python: 7,990; makefile: 7,223; sh: 6,185; perl: 3,518; asm: 1,460; yacc: 1,006; xml: 503; awk: 396; csh: 147; lisp: 104; sed: 43
file content (2469 lines) | stat: -rw-r--r-- 102,952 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
krb5 (1.15-1+deb9u1) stretch; urgency=high

  * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
    Closes: #869260
  * Upstream patches to fix startup if getaddrinfo() returns a wildcard v6
    address, and to fix handling of explicitly specified v4 wildcard
    address; regression over previous versions, Closes: #860767
  * Fix SRV lookups to respect udp_preference_limit, regression over
    previous versions with OTP, Closes: #856307

 -- Sam Hartman <hartmans@debian.org>  Wed, 09 Aug 2017 12:19:50 -0400

krb5 (1.15-1) unstable; urgency=medium

  [ Benjamin Kaduk ]
  * New upstream version
    - Make zap() more reliable and use it more consistently; the
      previous version could be optimized out by gcc 5.1 or later
    - Update license statement in ccapi/common/win/OldCC/autolock.hxx,
      Closes: #846088
  * Update Debian-HURD-compatibility.patch, Closes: #845381
  * Bump debhelper compat level to 9

  [ Sam Hartman ]
  * Actually build and ship German translations, Closes: #842497

 -- Benjamin Kaduk <kaduk@mit.edu>  Sun, 04 Dec 2016 15:37:57 -0500

krb5 (1.15~beta1-1) unstable; urgency=low

  [ Benjamin Kaduk ]
  * New upstream version
    - Upstream's tarball is now DFSG-free
    - Builds against openssl 1.1.0, Closes: #828369
    - Add support for the AES-SHA2 enctypes
    - Add support to kadmin for remote extraction of current keys
      and principal attributes to prevent such extraction
    - Add DNS auto-discovery using URI records in addition to SRV records
    - Improve LDAP backend to contain some features previously only
      present in the BDB backend
    - Use the getrandom system call on supported Linux kernels
    - Use SHA256 instead of MD5 for hashing authenticators in the replay cache
      * The symbol gssrpc_svcauth_gss_creds was removed upstream from
    libgssrpc; no soname bump because this is an internal API never in a
    public header
  [ Sam Hartman ]
  * Update standards version to 3.9.8

 -- Benjamin Kaduk <kaduk@mit.edu>  Wed, 02 Nov 2016 00:12:46 -0400

krb5 (1.14.3+dfsg-2) unstable; urgency=medium

  * Fix gcc -O3, thanks Ben Kaduk/Steve Langasek, Closes: #833798
  * Fix kdb5_util create on 32-bit platforms, thanks Greg Hudson, Closes:
    #834035

 -- Sam Hartman <hartmans@debian.org>  Mon, 05 Sep 2016 21:03:14 -0400

krb5 (1.14.3+dfsg-1) unstable; urgency=medium

  * New upstream version
    - includes fix for CVE-2016-3120, Closes: #832572
  * build-dep-indep on texlive-generic-extra to pick up iftex.sty after
    a reshuffle, Closes: #828946
  * Comment out supported_enctypes in kdc.conf to avoid including
    single-DES enctypes, Closes: #806928
  * Spell Build-Depends-Indep properly, Closes: #829196

 -- Benjamin Kaduk <kaduk@mit.edu>  Sat, 30 Jul 2016 22:42:39 -0400

krb5 (1.14.2+dfsg-1) unstable; urgency=low

  * New upstream version
      - Includes fix for CVE-2016-3119: remote DOS with ldap for
    authenticated attackers, Closes: #819468
  * Fix short descriptions capitalization, Thanks Laura Arjona Reina,
    Closes: #821021
  * New German translation, Thanks Chris Leick, Closes: #816548


 -- Sam Hartman <hartmans@debian.org>  Mon, 30 May 2016 13:12:02 -0400

krb5 (1.14+dfsg-1) experimental; urgency=medium

  * New upstream version, Closes: #812131
  * Apply upstream patches:
    - upstream/0010-Fix-mechglue-gss_acquire_cred_impersonate_name.patch
    - 0011-Correctly-use-k5_wrapmsg-in-ldap_principal2.c.patch
    - upstream/0012-Set-TL_DATA-mask-flag-for-master-key-operations.patch
    - upstream/0013-Check-context-handle-in-gss_export_sec_context.patch
    - upstream/0014-Check-internal-context-on-init-context-errors.patch
    - upstream/0015-Fix-interposed-gss_accept_sec_context.patch
    - upstream/0016-Work-around-uninitialized-warning-in-cc_kcm.c.patch
    - upstream/0017-Increase-hostname-length-in-ipropd_svc.c.patch
    - upstream/0018-Make-ksu-work-with-prompting-clpreauth-modules.patch
    - upstream/0019-Fix-memory-leak-in-SPNEGO-gss_init_sec_context.patch
    - upstream/0020-Fix-EOF-check-in-kadm5.acl-line-processing.patch
    - upstream/0021-Fix-iprop-server-stub-error-management.patch
  - upstream/0022-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
    - upstream/0023-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
    -upstream/0024-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
        - Use blocking lock for db promote, Closes: #815677
  * Verify decoded kadmin C strings [CVE-2015-8629]
    CVE-2015-8629: An authenticated attacker can cause kadmind to read
    beyond the end of allocated memory by sending a string without a
    terminating zero byte. Information leakage may be possible for an
    attacker with permission to modify the database. (Closes: #813296)
  * Check for null kadm5 policy name [CVE-2015-8630]
    CVE-2015-8630: An authenticated attacker with permission to modify a
    principal entry can cause kadmind to dereference a null pointer by
    supplying a null policy value but including KADM5_POLICY in the mask.
    (Closes: #813127)
  * Fix leaks in kadmin server stubs [CVE-2015-8631]
    CVE-2015-8631: An authenticated attacker can cause kadmind to leak
    memory by supplying a null principal name in a request which uses one.
    Repeating these requests will eventually cause kadmind to exhaust all
    available memory. (Closes: #813126)

  * Remove all references to libkrb53, Closes: #708175
  * Merge patch for kpropd service, introducing a new stub package for now
    that will contain the binaries in stretch+1.  We don't want to move
    the binaries now because we'd either break existing installations or
    we'd need krb5-kdc to depend on the new package, which would cause
    kpropd to start in cases where we don't want it, thanks  Mark Proehl
    and Michael Weiser, Closes: #775277

 -- Sam Hartman <hartmans@debian.org>  Mon, 15 Feb 2016 15:49:06 -0500

krb5 (1.13.2+dfsg-4) unstable; urgency=high

  * Import upstream patches fixing regressions in the previous upload:
    - CVE-2015-2698: the patch for CVE-2015-2696 caused memory corruption
      for applications calling gss_export_sec_context() on contexts
      established using the IAKERB mechanism.
    - Supply gss_import_sec_context implementations for SPNEGO and IAKERB,
      which were not implemented due to the erroneous belief that the
      exported context tokens would be tagged with the underlying
      context's mechanism.

 -- Benjamin Kaduk <kaduk@mit.edu>  Wed, 04 Nov 2015 22:47:22 -0500

krb5 (1.13.2+dfsg-3) unstable; urgency=high

  * Import upstream patches for three CVEs:
    - CVE-2015-2695: SPNEGO context aliasing during establishment
    - CVE-2015-2696: IAKERB context aliasing during establishment
    - CVE-2015-2697: unsafe string handling in TGS processing

 -- Benjamin Kaduk <kaduk@mit.edu>  Mon, 26 Oct 2015 14:03:52 -0400

krb5 (1.13.2+dfsg-2) unstable; urgency=medium

  * No-change rebuild to target unstable

 -- Benjamin Kaduk <kaduk@mit.edu>  Thu, 25 Jun 2015 17:10:03 -0400

krb5 (1.13.2+dfsg-1) experimental; urgency=medium

  * New upstream release:
    - Fix importing GSS composite export names
    - Fix kadm5.acl wildcard matching when early lines have partial matches
    - Disable principal renames for LDAP; they do not work properly and are
      hard to fix
    - Fix LDAP ticket policies on big-endian LP64 systems
    - Fix memory leak in DB2 iteration
    - Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557
  * Add python to build-depends-indep, since we call it manually during
    the documentation build, Closes: #746395

 -- Benjamin Kaduk <kaduk@mit.edu>  Thu, 14 May 2015 13:38:58 -0400

krb5 (1.13.1+dfsg-1) experimental; urgency=low

  * New upstream release:
    - Make the KDC default to listening on TCP (as well as UDP)
    - Bump DAL major version for krb5_db_iterate() API change; KDB modules
      will need to be rebuilt
    - Let ksu use any keytab entry to verify the obtained TGT
    - Improve kadm5_randkey_principal interop with Solaris KDCs
    - Export symbols for some public gss interfaces
    - Allow the logger to work with redirected stderr
    - Remove length limit on PKINIT PKCS#12 prompts

 -- Benjamin Kaduk <kaduk@mit.edu>  Mon, 16 Mar 2015 14:23:06 -0400

krb5 (1.12.1+dfsg-20) unstable; urgency=high

  * Import upstream patch for CVE-2015-2694, Closes: #783557
  * Bump Standards-Version to 3.9.6 (no changes needed)

 -- Benjamin Kaduk <kaduk@mit.edu>  Wed, 13 May 2015 14:40:36 -0400

krb5 (1.12.1+dfsg-19) unstable; urgency=medium

  * mark systemd unit directories as optional, Closes: #780831

 -- Sam Hartman <hartmans@debian.org>  Fri, 20 Mar 2015 16:22:33 -0400

krb5 (1.12.1+dfsg-18) unstable; urgency=high

  * Import upstream patch for CVE-2014-5355, Closes: #778647

 -- Benjamin Kaduk <kaduk@mit.edu>  Wed, 18 Feb 2015 12:52:14 -0500

krb5 (1.12.1+dfsg-17) unstable; urgency=high

  * MITKRB5-SA-2015-001
    - CVE-2014-5352: gss_process_context_token() incorrectly frees context
    - CVE-2014-9421: kadmind doubly frees partial deserialization results
    - CVE-2014-9422: kadmind incorrectly validates server principal name  
      - CVE-2014-9423: libgssrpc server applications leak uninitialized bytes

 -- Sam Hartman <hartmans@debian.org>  Tue, 03 Feb 2015 10:29:35 -0500

krb5 (1.12.1+dfsg-16) unstable; urgency=medium

  * Import upstream patches for CVE-2014-5353 and CVE-2014-5354,
    Closes: #773226, Closes: #773228

 -- Benjamin Kaduk <kaduk@mit.edu>  Mon, 15 Dec 2014 16:18:26 -0500

krb5 (1.12.1+dfsg-15) unstable; urgency=medium

  * Also apply slapd-before-kdc.conf to krb5-admin-server.service.d,
    Closes: #769710

 -- Benjamin Kaduk <kaduk@mit.edu>  Fri, 21 Nov 2014 12:36:08 -0500

krb5 (1.12.1+dfsg-14) unstable; urgency=medium

  * The upstream patch in 1.12.1+dfsg-13 was incomplete; pull in
    another upstream patch upon which it depended, to fix the
    kfreebsd build, Closes: #768379

 -- Benjamin Kaduk <kaduk@mit.edu>  Fri, 07 Nov 2014 13:17:36 -0500

krb5 (1.12.1+dfsg-13) unstable; urgency=medium

  * Remove the ExecReload line added in 1.12.1+dfsg-12; it is not
    a regression from the SysV init script and therefore not suitable
    for jessie post-freeze
  * Apply upstream patch to fix build on FreeBSD 10.1, Closes: #768379

 -- Benjamin Kaduk <kaduk@mit.edu>  Thu, 06 Nov 2014 18:08:26 -0500

krb5 (1.12.1+dfsg-12) unstable; urgency=medium

  * Fix typo in krb5-kdc EnvironmentFile name, Closes: #768344
  * Add an ExecReload line to krb5-kdc.service to help with log rotation

 -- Benjamin Kaduk <kaduk@mit.edu>  Thu, 06 Nov 2014 15:30:44 -0500

krb5 (1.12.1+dfsg-11) unstable; urgency=medium

  * Provide systemd service units for krb5-kdc, Partially affects: #734161
  * Provide systemd overrides to start  slapd first when krb5-kdc-ldap is
    installed, Thanks Michael Biebl, Closes: #758992
  * Provide kadmind service unit, Closes: #734161
  * Drop support for RUN_KADMIND in favor of update-rc.d disable
  * In krb5_newrealm, use service rather than calling init scripts directly

 -- Sam Hartman <hartmans@debian.org>  Mon, 20 Oct 2014 16:51:09 -0400

krb5 (1.12.1+dfsg-10) unstable; urgency=medium

  * Import upstream's patch for CVE-2014-5351, Closes: #762479

 -- Benjamin Kaduk <kaduk@mit.edu>  Mon, 22 Sep 2014 14:53:33 -0400

krb5 (1.13~alpha1+dfsg-1) experimental; urgency=low

  [ Jelmer Vernooij ]
  * Reintroduce changes to move krb5-config into krb5-multidev:
   + Provide -L and -I flags from krb5-config. Closes: #730837
   + Ship krb5-config.mit binary in krb5-multidev., Closes: #745322
   + Provide -L and -I flags from pkg-config files. Closes: #750041
  * Use -isystem for include paths, to prevent the compiler from warning
    about problems in them. Closes: #751760

  [ Sam Hartman ]
  * Reintroduce patches and accept proposed patches
  * Update lintian source overrides because some of the BCP 78 hits are
    false positives. We need to investigate cmac.c.

  [ Benjamin Kaduk ]
  * New upstream prerelease:
    - Add support for accessing KDCs via an https proxy using the MS-KKDCP
      protocol, using a plugin provided by the new krb5-k5tls package, which
      uses openssl for the TLS implementation.  The openssl-using code is
      confined to a separate, runtime-loadable, plugin module, in a separate
      package, to ameliorate concerns about GPL code that links libkrb5 running
      into issues with the openssl license.  The Kerberos license is both
    GPL and OpenSSL compatible.  There might be an issue if an application
    was GPL licensed and someone used the OpenSSL plugin with that
    application.  Even that is probably fine provided that no one
    distributes a combination that tends to encourage such usage.  There's
    an existing krb5-pkinit plugin that also links to OpenSSL, but at time
    of integration into Debian no GPLed applications in the archive called
    APIs that would cause that plugin to be loaded.
    - Add support for hierarchical incremental propagation.
    - Add support to the LDAP KDB module for binding to the LDAP server
      using SASL.
    - Add client support for the Kerberos Cache Manager protocol, allowing
      caches served by a Heimdal kcm daemon to be accessed using the KCM:
      cache type.
    - Add support for performing unlocked database dumps to the DB2 KDC
      back end, allowing the KDC and kadmind to continue accessing the
      database during lengthy database dumps.
    - The default location of the socket used by the OTP plugin has moved
      from /etc/krb5kdc to /run/krb5kdc/.
  * Break old versions of libraries that consume libkrb5support0, which
    had its export symbol list change in 1.12 without the dependencies
    changing to reflect that.  Closes: #758288, Closes: #760149
  * Fix the documentation build by explicitly mapping krb5.hin as a C file.
    Closes: #759954

 -- Sam Hartman <hartmans@debian.org>  Thu, 11 Sep 2014 18:00:35 -0400

krb5 (1.12.1+dfsg-9) unstable; urgency=high

  [ Jelmer Vernooij ]
  * Reintroduce changes to move krb5-config into krb5-multidev:
   + Provide -L and -I flags from krb5-config. Closes: #730837
   + Ship krb5-config.mit binary in krb5-multidev., Closes: #745322
   + Provide -L and -I flags from pkg-config files. Closes: #750041
  * Use -isystem for include paths, to prevent the compiler from warning
    about problems in them. Closes: #751760

  [ Sam Hartman ]
  * Reintroduce patches and accept proposed patches
  * Update lintian source overrides because some of the BCP 78 hits are
    false positives. We need to investigate cmac.c.

 -- Sam Hartman <hartmans@debian.org>  Wed, 03 Sep 2014 23:14:34 -0400

krb5 (1.12.1+dfsg-7) unstable; urgency=high

  * Apply upstream's patch for CVE-2014-4345 (MITKRB5-SA-2014-001), buffer
    overrun in kadmind with LDAP backend, Closes: #757416

 -- Benjamin Kaduk <kaduk@mit.edu>  Thu, 07 Aug 2014 18:33:37 -0400

krb5 (1.12.1+dfsg-6) unstable; urgency=medium

  [ Benjamin Kaduk ]
  * Apply upstream's patch to switch to TAILQ macros instead of CIRCLEQ macros,
    to work around an issue with certain gcc versions.  This is expected to
    resolve Ubuntu bug (LP: #1347147).

  [ Sam Hartman ]
  * Include a quick and dirty patch so we build cleanly with -O3 fixing
    incorrect may be uninitialized warnings.

 -- Benjamin Kaduk <kaduk@mit.edu>  Tue, 29 Jul 2014 17:05:37 -0400

krb5 (1.12.1+dfsg-5) unstable; urgency=high

  * Apply upstream patches for CVE-2014-4343, CVE-2014-4344, Closes: #755520,
    Closes: #755521

 -- Benjamin Kaduk <kaduk@mit.edu>  Mon, 21 Jul 2014 17:27:10 -0400

krb5 (1.12.1+dfsg-4) unstable; urgency=high

  * Apply upstream patch for CVE-2014-4341, CVE-2014-4342, Closes: #753624,
    Closes: #753625

 -- Benjamin Kaduk <kaduk@mit.edu>  Fri, 11 Jul 2014 13:43:19 -0400

krb5 (1.12.1+dfsg-3) unstable; urgency=high

  * High urgency to revert some changes in the previous version that got
    into testing.  Unfortunately moving krb5-config into krb5-multidev
    breaks some -Werror builds, so we'll revert until we can work out what
    to do, Closes: #751760
  * Revert krb5-config to krb5-multidev, reintroduces: #745322
  * Remove -I and -L from krb5-config, Reintroduces: #730837
  * Remove pkgconfig paths that  include mit-kerberos, Reintroduces: #750041

 -- Sam Hartman <hartmans@debian.org>  Mon, 16 Jun 2014 08:28:33 -0400

krb5 (1.12.1+dfsg-2) unstable; urgency=low

  [ Jelmer Vernooij ]
  * Provide -L and -I flags from krb5-config. Closes: #730837
  * Ship krb5-config.mit binary in krb5-multidev., Closes: #745322
  * Provide -L and -I flags from pkg-config files. Closes: #750041

  [ Sam Hartman ]
  * Include upstream patch to load gss mechanisms from /etc/gss/mech.d,
    Closes: #673680
  * Sysconfdir explicitly set to /etc
  * Include ubuntu change to permit libverto-libevent1 (not currently
    built in Debian) as an alternative for the KDC.  For now just
    reduces diff with Ubuntu.  Next libverto upload will probably start
    building that for Debian too.
  * Do not cause endless loop when a mechanism fails to include
    gss_add_cred_from or other new methods (upstream #7926)
  * Include /etc/gss/mech.d/README
  * Low urgency to give extra time in unstable
  * Update symbols for gss_indicate_mechs

 -- Sam Hartman <hartmans@debian.org>  Wed, 04 Jun 2014 12:09:56 -0400

krb5 (1.12.1+dfsg-1) unstable; urgency=low

  [ Sam Hartman ]
  * New upstream version
  * Move gbp.conf to debian

  [ Benjamin Kaduk ]
  * Pull in upstream patch to put OTP sockets in /run by default
  * Pull in upstream patch to avoid duplicate "/etc/krb5.conf" in profile
    path, so we can safely set sysconfdir to /etc

 -- Sam Hartman <hartmans@debian.org>  Thu, 20 Feb 2014 20:54:53 -0500

krb5 (1.12+dfsg-2) unstable; urgency=low

  * Split out libkrad-dev into its own package, Closes: #735323

 -- Sam Hartman <hartmans@debian.org>  Mon, 27 Jan 2014 09:29:42 -0500

krb5 (1.12+dfsg-1) experimental; urgency=low

  [ Benjamin Kaduk ]
  * New upstream release (closes: #730085, #728845, #637662, #729291).
  * Update HURD compatibility patch (closes: #729191).
  * Move pkgconfig files to krb5-multidev and avoid conflicts with
    heimdal (closes: #730267).
    
 -- Benjamin Kaduk <kaduk@mit.edu>  Mon, 02 Dec 2013 12:25:43 -0500

krb5 (1.12~alpha1+dfsg-1) experimental; urgency=low

  [ Benjamin Kaduk ]
  * New upstream release, Closes: #694988, #697954
  * Build-depend on python-lxml, Closes: #725596
  * Remove Debian versions from symbols
  * Add myself to uploaders

  [ Sam Hartman ]
  * Build-depend on libverto-dev 0.2.4 to get verto_set_flags

 -- Benjamin Kaduk <kaduk@mit.edu>  Mon, 28 Oct 2013 16:12:52 -0400

krb5 (1.11.3+dfsg-3+nmu1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add python-lxml build dependency (closes: #725596).
  * Fix cve-2013-1417: KDC daemon crash condition (closes: #730085).
  * Fix cve-2013-1418: null pointer dereference issue (closes: #728845).

 -- Michael Gilbert <mgilbert@debian.org>  Sat, 16 Nov 2013 23:40:00 +0000

krb5 (1.11.3+dfsg-3) unstable; urgency=low


  [ Benjamin Kaduk ]
  * Update config.sub and config.guess, patch from upstream, Closes: #717840
  * Update Brazillian Portugese Translation, thanks Fernando Ike,
    Closes: #719726
  * Bump the version of the gssrpc_clnt_create symbol.  The routine itself
    was changed in a backwards-compatible way, but callers from the kadm5
    libraries were changed to rely on the new behavior, Closes: #718275
  * Add symbols files for the kadm5 libraries.  The KADM5 API version number
    was increased for the 1.11 release but the corresponding library sonames
    were not, so we must indicate the behavior change ourself, Closes: #716772

  [ Sam Hartman ]
  * krb5-kdc depends on libverto-libev1, work around for #652699
  * Remove krb5-kdc conflict since it's more than one release cycle old
  * Add Benjamin Kaduk to uploaders

 -- Sam Hartman <hartmans@debian.org>  Sun, 25 Aug 2013 16:48:53 -0400

krb5 (1.11.3+dfsg-2) experimental; urgency=low

  * Run autoreconf to update configure based on aclocal patch

 -- Sam Hartman <hartmans@debian.org>  Sat, 08 Jun 2013 22:00:50 -0400

krb5 (1.11.3+dfsg-1) experimental; urgency=low

  *  New upstream version
      - Turns out 1.11.2+dfsg didn't include the pingpong fix, but this
    does , Closes: #

 -- Sam Hartman <hartmans@debian.org>  Fri, 07 Jun 2013 21:31:03 -0400

krb5 (1.11.2+dfsg-2) experimental; urgency=low

  * Import upstream's patch to not warn or error on variadic macros,
    Closes: #709824

 -- Benjamin Kaduk <kaduk@mit.edu>  Sat, 25 May 2013 16:06:48 -0400

krb5 (1.11.2+dfsg-1) experimental; urgency=low

  * New upstream version, Closes: #697662
      - By not depending on texinfo, we avoid FTBFSing from its changes,
      Closes: #708711
  * Fix "usage of keytabs gives "Generic preauthentication failure while
    getting initial credentials"" via upstream change to prefer keys in
    the keytab
    (Closes: #698534)
  * Fixed upstream "kerberos password policy attributes missing from
    kerberos.schema"  (Closes:
    #655381)
  * Remove arch-dep and arch-indep dependency in rules  (Closes: #708973)

 -- Sam Hartman <hartmans@debian.org>  Thu, 23 May 2013 21:56:23 -0400

krb5 (1.10.1+dfsg-5) unstable; urgency=low

  * Import workaround for getaddrinfo bug from upstream.  Described in
    upstream's RT 7124, addresses the main concern of #697662
  * Correct CVE number for CVE-2012-1016 in changelog and patches, Closes:
    #703457

 -- Benjamin Kaduk <kaduk@mit.edu>  Mon, 25 Mar 2013 11:50:07 -0400

krb5 (1.10.1+dfsg-4+nmu1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix cve-2012-1016: null pointer derefence when handling a draft9 request
    (closes: #702633).

 -- Michael Gilbert <mgilbert@debian.org>  Fri, 15 Mar 2013 04:15:27 +0000

krb5 (1.10.1+dfsg-4) unstable; urgency=high

  * KDC null pointer dereference with PKINIT, CVE-2013-1415

 -- Benjamin Kaduk <kaduk@mit.edu>  Fri, 15 Feb 2013 16:07:53 -0500

krb5 (1.10.1+dfsg-3) unstable; urgency=low

  * Kadmind crash only triggered by admin users, cve-2012-1013, Closes:
    #687647
  * Don't unload GSS-API plugins to avoid crashing applications that use
    GSS-API on systems with plugins installed, Closes: #693741

 -- Sam Hartman <hartmans@debian.org>  Mon, 19 Nov 2012 17:35:04 -0500

krb5 (1.10.1+dfsg-2) unstable; urgency=high

  * MITKRB5-SA-2012-001 [CVE-2012-1014 CVE-2012-1015] KDC frees
    uninitialized pointers
  * Break libgssglue1 << 0.2-2 for multiarch, Closes: #680612
  * Don't free caller's principal in verify_init_creds, Closes: #512410

 -- Sam Hartman <hartmans@debian.org>  Tue, 31 Jul 2012 08:20:09 -0400

krb5 (1.10.1+dfsg-1) unstable; urgency=low

  *  New Upstream Version
    - Set display_name in gss_get_name_attribute, Closes: #658514
  * Fix use counts on preauthentication, Closes: #670457
  * Fix kadmin access controls, Closes: #670918
  * Accept NMU with longer hostname, Closes: #657027
  * Fix history from old databases, Closes: #660869
  * Fix gcc 4.6.2 may be used uninitialized warnings/errors, Closes: #672075
  * Check all keys in keytab for verifying credentials, Possibly fixes:
    #669127
  * Avoid multi-arch libpath in krb5-config, Closes: #642229
      * Debconf translations:
    - Turkish debconf Translation, Thanks Atila KOC, Closes: #659072
    - Polish, thanks Michal/ Kul/ach, Closes: #658437

 -- Sam Hartman <hartmans@debian.org>  Thu, 10 May 2012 16:32:13 -0400

krb5 (1.10+dfsg~beta1-2.1) unstable; urgency=low

  * Non-maintainer upload.
  * Apply patch from Svante Signell to fix FTBFS on hurd-i386, Closes: #657027.

 -- Samuel Thibault <sthibault@debian.org>  Thu, 26 Apr 2012 00:52:37 +0200

krb5 (1.10+dfsg~beta1-2) unstable; urgency=low

  * Oops, actually fix build flags, Closes: #655248

 -- Sam Hartman <hartmans@debian.org>  Fri, 13 Jan 2012 17:39:34 -0500

krb5 (1.10+dfsg~beta1-1) unstable; urgency=low

  * New Upstream version
  * Fix hardening flags and pre-dpkg-buildflags support, Closes: #655248
  * Update some symbols files for enhanced functions in 1.10

 -- Sam Hartman <hartmans@debian.org>  Fri, 13 Jan 2012 17:11:39 -0500

krb5 (1.10+dfsg~alpha2-1) unstable; urgency=low

  * New upstream Version

 -- Sam Hartman <hartmans@debian.org>  Tue, 27 Dec 2011 06:02:35 -0500

krb5 (1.10+dfsg~alpha1-7) unstable; urgency=high

  * Merge in github/krb5-1-10 branch up through 12/16/2010: many new
    upstream changes
  * Includes fix for MITKRB5-SA-2011-007 KDC null pointer
    dereference in TGS handling [CVE-2011-1530]
    , Closes: #651226

 -- Sam Hartman <hartmans@debian.org>  Fri, 16 Dec 2011 15:30:18 -0500

krb5 (1.10+dfsg~alpha1-6) unstable; urgency=low

  * Fix segfault with unknown hostnames in krb5_sname_to_principal,
    Closes: #650671
  * Indicate that this library breaks libsmbclient versions that depend on
    krb5_locate_kdc, Closes: #650603, #650611

 -- Sam Hartman <hartmans@debian.org>  Thu, 01 Dec 2011 19:34:41 -0500

krb5 (1.10+dfsg~alpha1-5) unstable; urgency=low

  * Add texinfo back to build depends: policy has been subverted by the
    evil forces of wishful thinking and forward progress
  * Conflict: with libkrb53 again. The transition is over and we no longer
    need that package.

 -- Sam Hartman <hartmans@debian.org>  Wed, 30 Nov 2011 09:09:55 -0500

krb5 (1.10+dfsg~alpha1-4) unstable; urgency=low

  * Add kadmind and krb5kdc pidfiles, Closes: #550781
  * Respect locale in time display, Closes: #138430
  * Status action for init scripts, Thanks Yukio Shiiya, Closes: #645363,
    #645364
  * Fix dependencies for krb5-kdc
  * Add dpkg-buildflags support
  * Initial build-arch and build-indep support: currently build-indep
    depends on build-arch but that's OK as a starting point

 -- Sam Hartman <hartmans@debian.org>  Tue, 29 Nov 2011 20:34:03 -0500

krb5 (1.10+dfsg~alpha1-3) unstable; urgency=low

  * Build depend on pkg-config


 -- Sam Hartman <hartmans@debian.org>  Tue, 29 Nov 2011 17:35:48 -0500

krb5 (1.10+dfsg~alpha1-2) unstable; urgency=low

  * LDAP plugin depends on ldap library for parallel builds

 -- Sam Hartman <hartmans@debian.org>  Tue, 29 Nov 2011 17:35:30 -0500

krb5 (1.10+dfsg~alpha1-1) unstable; urgency=low

  * New upstream release
  
    - mit-krb5-sa-2011-006, Closes: #646367
    - Install k5login.5 not just .k5login.5, Closes: #623068
      - Fixes LDAP file descriptor leak, Closes: #561176
  * Updated translations:
      - French, Thanks Christian Perrier, Closes: #630827
      - Catalan, Thanks Innocent De Marchi, Closes: #632208
    * Update to krb5-1-10 branch of 2011-11-28

 -- Sam Hartman <hartmans@debian.org>  Tue, 29 Nov 2011 13:05:17 -0500

krb5 (1.9.1+dfsg-3) unstable; urgency=low

  * New function gss_localname from trunk

 -- Sam Hartman <hartmans@debian.org>  Wed, 21 Sep 2011 16:53:47 -0400

krb5 (1.9.1+dfsg-2) unstable; urgency=low

  * Revert incorrect Danish translations
  * Multiarch support, Thanks Steve  Langasek, Closes: #634121
  * Use linux-any in debian/control instead of explicit exclusions,
    Closes: #634311
  * Apply upstream r24977 in order to fix problems where a name exists
    for v6 but not v4, Closes: #532536
  * Apply upstream tickets 6916 and 6917 to fi x referrals behavior with
    old KDCs, Closes: #631106

 -- Sam Hartman <hartmans@debian.org>  Tue, 09 Aug 2011 11:52:04 -0400

krb5 (1.9.1+dfsg-1) unstable; urgency=low

  * New upstream version
  * Fix g_make_token_header when no token type is passed
  * Support absolute paths for GSS-API mechanisms
  * Add gss_authorize_localname, gss_userok,  gss_pname_to_uid
  * Fix gss_acquire_cred handling with empty mech set; fix
    accept_sec_context handling in this case too
  * Permit importing anonymous name with empty buffer
      * New Translations:
    - Dutch: Thanks  Vincent Zweije, Closes: #624173
    - Danish, Thanks  Joe Dalton, Closes: #626530
  * Fix kadmin free of null pointer on change password, Closes: #622681

 -- Sam Hartman <hartmans@debian.org>  Thu, 02 Jun 2011 10:57:10 -0400

krb5 (1.9+dfsg-2) unstable; urgency=low

  * In the interest of testing other GSS-API mechanisms it is desirable to
    install the gss-server and gss-client application. These are useful to
    people developing new GSS-API mechanisms within Debian.

 -- Sam Hartman <hartmans@debian.org>  Wed, 04 May 2011 16:07:42 -0400

krb5 (1.9+dfsg-1) unstable; urgency=low

  * New upstream version
  *  Pull in krb5 1.9 branch as of 03/16/2011
    - Include updates in 1.8.3+dfsg-4, 1.8.3+dfsg-5, 1.8.3+dfsg-6
    - Include fixes for trace logging
  * Since Debian does not and will not ever build with edirectory
    support, remove documentation of edirectory commands from the man
    page. Closes: #580502
  * Includes IPv6 support for kadmind, Closes: #595796
  * Upstream 1.9 supports hooks for password change and synchronization,
    Closes: #588968
  * LDAP now supports stash creation after db cretaion, Closes: #484808
  * Krb5 1.9 supports including files from krb5.conf, Closes: #429692

 -- Sam Hartman <hartmans@debian.org>  Thu, 17 Mar 2011 20:54:04 -0400

krb5 (1.9+dfsg~beta2-1) experimental; urgency=low

  * New upstream release
  * Fix default location of kpropd.acl in kpropd.M (LP: #688464)
  * Ignore PACs without a server signature generated by OS X Open
    Directory rather than failing authentication, Closes: #604925
  * New exported API: krb5_tkt_creds_get

 -- Sam Hartman <hartmans@debian.org>  Fri, 10 Dec 2010 14:30:35 -0500

krb5 (1.9+dfsg~beta1-1) experimental; urgency=low

  * New upstream release
  * No longer use symbols files for libkadm5 ad libkdb5: these libraries
    change very rapidly and tend to change soname each major release.
    Symbols files will be introduced if they make sense again.
  * Update symbols for libkrb5-3: note that several internal functions
    have disappeared. These functions were not part of the public ABI
    which remains stable
  * Update library package names based on soname changes

 -- Sam Hartman <hartmans@debian.org>  Sun, 21 Nov 2010 17:31:55 -0500
krb5 (1.8.3+dfsg-6) unstable; urgency=low

  * Fix double free with pkinit on KDC, CVE-2011-0284, Closes: #618517
  * Updated Danish debconf translations, thanks  Joe Dalton, Closes:
    #584282

 -- Sam Hartman <hartmans@debian.org>  Wed, 16 Mar 2011 10:10:55 -0400

krb5 (1.8.3+dfsg-5) unstable; urgency=low

  * KDC/LDAP DOS    (CVE-2010-4022, CVE-2011-0281, and CVE-2011-0282,
    Closes: #613487
  * Fix delegation of credentials against Windows servers; significant
    interoperability issue, Closes: #611906
  * Set nt-srv-inst on TGS names to work against W2K8R2 KDCs, Closes:
    #616429
  * Don't fail authentication when PAC verification fails; support hmac-
    md5 checksums even for non-RC4 keys, Closes: #616728

 -- Sam Hartman <hartmans@debian.org>  Sun, 06 Mar 2011 18:08:35 -0500

krb5 (1.8.3+dfsg-4) unstable; urgency=medium

  * Ignore PACs without a server signature generated by OS X Open
    Directory rather than failing authentication, Closes: #604925

 -- Sam Hartman <hartmans@debian.org>  Tue, 14 Dec 2010 11:53:26 -0500

krb5 (1.8.3+dfsg-3) unstable; urgency=emergency

  * MITKRB5-SA-2010-007
        * CVE-2010-1324: An unauthenticated attacker can inject arbitrary
        content into an existing GSS connection that appears to be integrity
        protected from the legitimate peer under some circumstances
      * GSS applications may accept a PAC produced by an attacker as if it
        were signed by a KDC
      * CVE-2010-1323: attackers have a 1/256 chance of being able to
        produce krb_safe messages that appear to be from legitimate remote
        sources. Other than use in KDC database copies this may not be a
        huge issue only because no one actually uses krb_safe
        messages. Similarly, an attacker can force clients to display
        challenge/response values of the attacker's choice.
      * CVE-2010-4020: An attacker may be able to generate what is
        accepted as a ad-signedpath or ad-kdc-issued checksum with 1/256
        probability
  * New   Vietnamese debconf translations, Thanks Clytie Siddall,
    Closes: #601533
  * Update standards version to 3.9.1 (no changes required

 -- Sam Hartman <hartmans@debian.org>  Sat, 20 Nov 2010 14:50:54 -0500

krb5 (1.8.3+dfsg-2) unstable; urgency=high

  * MITKRB5-SA-2010-006 [CVE-2010-1322]: null pointer dereference in
    kdc_authdata.c leading to KDC crash, Closes: #599237
  * Fix two memory leaks in krb5_get_init_creds path; one of these memory
    leaks is quite common for any application such as PAM or kinit that
    gets initial credentials, thanks Bastian Blank, Closes: #598032
  * Install doc/CHANGES only in krb5-doc, not in all packages, saves
    several megabytes on most Debian systems, Closes: #599562

 -- Sam Hartman <hartmans@debian.org>  Wed, 13 Oct 2010 10:41:19 -0400

krb5 (1.8.3+dfsg-1) unstable; urgency=low

  * New Upstream release; only change is version bump from beta1 to final 
  * Bring back a libkrb53 oldlibs package. Note that this is technically a
    policy violation because it doesn't provide libdes425.so.3 or
    libkrb4.so.2 and thus provides a different ABI. However, some
    packages, such as postgres8.4 require the lenny version to be present
    for the squeeze transition, so we cannot force the removal of
    libkrb53's reverse dependencies. We can conflict or break with lenny
    packages that will not work with this libkrb53, but we may break
    out-of-archive packages without notice. Absent someone coming up with
    a patch to the modern libk5crypto-3 that allows it to work with the
    lenny libkrb53 (a weekend's worth of work proved this would be quite
    difficult), this is the best solution we've come up with, Closes: #596678

 -- Sam Hartman <hartmans@debian.org>  Sun, 19 Sep 2010 14:59:46 -0400

krb5 (1.8.3+dfsg~beta1-2) unstable; urgency=low

  * Remove documentation that has moved to the krb5-appl package and is
    not shipped upstream from Debian diff

 -- Sam Hartman <hartmans@debian.org>  Tue, 10 Aug 2010 15:33:15 -0400

krb5 (1.8.3+dfsg~beta1-1) unstable; urgency=low

  * New Upstream version
  * Add breaks with libkrb53 because libdes425 cannot work with new
    libk5crypto3 (Closes: #557929)
  * You want this version: it fixes an incompatibility with how PACs are
    verified with Windows 2008
  * As a result of libkrb53 breaks, we no longer get into problems with
    krb5int_hmac, Closes: #566988 
  * Note that libkdb5-4 breaks rather than conflicts libkadm5srv6, Closes:
    #565429
  * Start kdc  before x display managers, Closes: #588536

 -- Sam Hartman <hartmans@debian.org>  Thu, 05 Aug 2010 12:15:50 -0400

krb5 (1.8.1+dfsg-5) unstable; urgency=low

  * Ignore duplicate token sent in mechListMIC from Windows 2000 SPNEGO
    (LP: #551901)
  * krb5-admin-server starts after krb5-kdc, Closes: #583494

 -- Sam Hartman <hartmans@debian.org>  Wed, 04 Aug 2010 16:10:02 -0400

krb5 (1.8.1+dfsg-4) unstable; urgency=low

  * fix prerm script (Closes: #577389), thanks Harald Dunkel


 -- Sam Hartman <hartmans@debian.org>  Thu, 20 May 2010 12:33:43 -0400

krb5 (1.8.1+dfsg-3) unstable; urgency=high

  * CVE-2010-1321 GSS-API accept sec context null pointer deref, Closes:
    #582261
  * Force use of bash for build, Closes: #581473
  * Start slapd before krb5 when krb5-kdc-ldap installed, Closes:
    #582122


 -- Sam Hartman <hartmans@debian.org>  Wed, 19 May 2010 16:37:36 -0400

krb5 (1.8.1+dfsg-2) unstable; urgency=high

  * Fix crash in renewal and validation, Thanks Joel Johnson for such a
    prompt bug report, Closes: #577490

 -- Sam Hartman <hartmans@debian.org>  Mon, 12 Apr 2010 13:08:35 -0400

krb5 (1.8.1+dfsg-1) unstable; urgency=high

  * New upstream release
  * Fixes significant ABI incompatibility between Heimdal and MIT in the
    init_creds_step API; backward incompatible change in the meaning of
    the flags API.  Since this was introduced in 1.8 and since no better
    solution was found, it's felt that getting 1.8.1 out everywhere that
    had 1.8 very promptly is the right approach.  Otherwise software build
    against 1.8 will be broken in the future.
  * Testing of Kerberos 1.8 showed an incompatibility between Heimdal/MIT
    Kerberos and Microsoft Kerberos; resolve this incompatibility.  As a
    result, mixing KDCs between 1.8 and 1.8.1 in the same realm may
    produce undesirable results for constrained delegation.  Again,
    another reason to replace 1.8 with 1.8.1 as soon as possible.
  * Acknowledge security team upload, thanks for picking up the slack and
    sorry it was necessary

 -- Sam Hartman <hartmans@debian.org>  Sun, 11 Apr 2010 10:12:59 -0400

krb5 (1.8+dfsg-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2010-0628: denial of service (assertion failure and daemon crash)
    via an invalid packet that triggers incorrect preparation of an error
    token. (Closes: 575740)
  * Makes src/slave/kpropd.c ISO C90 compliant (Closes: #574703)

 -- Giuseppe Iuculano <iuculano@debian.org>  Fri, 09 Apr 2010 19:11:50 +0200

krb5 (1.8+dfsg-1) unstable; urgency=low

  * New upstream version
  * Include new upstream notice file in docs
  * Update symbols files
  * Include upstream ticket 6676: fix handling of cross-realm tickets
    issued by W2K8R2
  * Add ipv6 support to kprop,  Michael Stapelberg, Closes: #549476
  * New Brazilian Portuguese translations, Thanks Eder L. Marques,
    Closes: #574149

 -- Sam Hartman <hartmans@debian.org>  Wed, 17 Mar 2010 15:51:54 -0400

krb5 (1.8+dfsg~alpha1-7) unstable; urgency=high

  * MITKRB5-SA-2010-001: Avoid an assertion failure leading to a denial of
    service in the KDC by doing better input validation.  (CVE-2010-0283)
  * Update standards version to 3.8.4 (no changes required).

 -- Russ Allbery <rra@debian.org>  Tue, 16 Feb 2010 12:20:51 -0800

krb5 (1.8+dfsg~alpha1-6) unstable; urgency=medium

  * Import upstream fixes including:
     - A non-conformance with RFC 4120 that causes  enc_padata to be
    included when the client may not support it
      - Weak crypto acts as a filter and does not reject if DES is
    included in krb5.conf, fixes Samba net ads join, Closes: #566977
    * Medium urgency because of the samba bug fix.  If the samba maintainers
    request the release team to bump to high I'd support that.
  * Update libkdb5 symbols for new upstream internal interface

 -- Sam Hartman <hartmans@debian.org>  Fri, 12 Feb 2010 12:24:26 -0500

krb5 (1.8+dfsg~alpha1-5) unstable; urgency=high

  [ Sam Hartman ]
  * New API to allow an application to enable weak crypto
  * Rename libkadm5clnt and libkadm5srv to libkadm5clnt_mit and
    libkadm5srv_mit in order to avoid conflicts with Heimdal packages.
    Sorry for the second trip through new, but we needed to coordinate
    with upstream  on the ABI issues involved with this change.
  * Medium urgency in order to get a fix for openafs-krb5 weak crypto into
    testing sooner
  * Include fix for pam-krb5 segfault with wrong password; bump urgency to
    high.

  [ Russ Allbery ]
  * Change libkrb5-dbg to only depend on libkrb5-3, libk5crypto3, or
    libkrb5support0.  All of the other packages for which it provides
    debugging symbols also depend on one of those packages and always
    will, so listing the disjunction of every library package is
    overkill.  Remove from the Depends several obsolete library packages
    no longer included.
  * Drop obsolete Replaces for libkadm5srv-mit7 and libkadm5clnt-mit7.
  * Wrap krb5-multidev dependencies and description and shorten the short
    description.
  * Reformat NEWS.Debian to avoid using a bulleted list per devref.

  [ Sam Hartman ]
  * Link libkadm5{clnt,srv}.so specially so that the links work without
    libkrb5-dev installed

 -- Sam Hartman <hartmans@debian.org>  Fri, 22 Jan 2010 23:35:09 -0500

krb5 (1.8+dfsg~alpha1-4) unstable; urgency=high

  * Add replaces to deal with moving files from krb5-multidev to
    libkrb5-dev, Closes: #565217 
  * This is definitely the getting all the conflicts combinations right is
    tricky series of releases.  Sorry about the wasted cycles.

 -- Sam Hartman <hartmans@debian.org>  Wed, 13 Jan 2010 19:00:37 -0500

krb5 (1.8+dfsg~alpha1-3) unstable; urgency=high

  * Move files to avoid overlap between heimdal-dev and krb5-multidev,
    Closes: #565132 

 -- Sam Hartman <hartmans@debian.org>  Wed, 13 Jan 2010 04:18:32 -0500

krb5 (1.8+dfsg~alpha1-2) unstable; urgency=high

  * While Kerberos 1.8 is not vulnerable to CVE-2009-4212 (the vulnerable
    code was removed during the 1.8 release process for code
    simplification and code size reasons), this is urgency high to get a
    version of Kerberos that fixes that integer underflow in the AES and
    RC4 code  into testing.
  * For now,  heimdal and MIT shared libraries for kadm5 will conflict;
    discussions of how to fix this are ongoing upstream, Closes: #564666
  * New translations; sorry about missing them in the last upload
      - Vietnamese,  Thanks Clytie Siddall, Closes: #548204
      - Basque, Thanks Piarres Beobide, Closes: #534284
  * Update standards version (no changes required)
  * Pull upstream changes made since alpha1 into the package.  In
    particular this includes a fix to a bug where unkeyed checksums are
    accepted by the FAST KDC backend.  That bug was introduced between 1.7
    and 1.8 alpha1 so is only present in prior Debian packages of 1.8. See
    upstream tickets 6632 and 6633.

 -- Sam Hartman <hartmans@debian.org>  Tue, 12 Jan 2010 19:26:09 -0500

krb5 (1.8+dfsg~alpha1-1) unstable; urgency=low

  * Include symlinks in libkrb5-dev too
  * New upstream release
  * Fix .so symlinks in krb5-multidev

 -- Sam Hartman <hartmans@debian.org>  Fri, 08 Jan 2010 22:41:23 -0500

krb5 (1.8+dfsg~aa+r23527-1) experimental; urgency=low

  * MIT krb5 trunk prior to 1.8 branch
  * Remove krb5-telnet, krb5-ftpd, krb5-clients, krb5-rsh-server, no
    longer provided upstream.  These are provided now in a separate source
    distribution. 
  * Bring back functions needed by Samba, Closes: #531635
  * I know that the symbols revisions are generating lintian warnings;
    that will be cleaned up when upstream actually makes an alpha release 
  * Implement krb5-multidev similar to heimdal-multidev so that packages
    can be built against both MIT Kerberos and Heimdal 

 -- Sam Hartman <hartmans@debian.org>  Sun, 03 Jan 2010 17:54:04 -0500

krb5 (1.7+dfsg-4) unstable; urgency=high


  * cve-2009-3295, MIT-KRB5-SA-2009-003: KDC crash when failing to find
    the realm of a host., Thanks 2Jakob Haufe for the report to Debian

 -- Sam Hartman <hartmans@debian.org>  Mon, 28 Dec 2009 10:42:32 -0500

krb5 (1.7+dfsg-3) unstable; urgency=low

  * Fix typo in control file
  * Exclude usr/lib/krb5/plugins from  dh_makeshlibs call to deal with
    behavior change in dh_makeshlibs, Closes: #558719

 -- Sam Hartman <hartmans@debian.org>  Sun, 29 Nov 2009 23:24:01 -0500

krb5 (1.7+dfsg-2) unstable; urgency=low

  * Only picked up part of the upstream fix to #557979; upstream fully
    reverted to 1.6. 

 -- Sam Hartman <hartmans@debian.org>  Sun, 29 Nov 2009 19:34:44 -0500

krb5 (1.7+dfsg-1) unstable; urgency=low

  * New upstream version, Closes: #554225
  * Several fixes applied after the 1.7 release:
      - 6506: correctly handle keytab vs stash file
    - 6508: kadmind ACL parsing could reference uninitialized memory
    - 6509: kadmind can reference null pointer on ACL error
    - 6511: uninitialized memory passed to krb5_free_error in change
    password client path
    - 6514: none replay cache memory leak
    - 6515: profile library mutex performance improvements
    - 6541: memory leak in PAC verify code
    - 6542: Check for null characters in pkinit certs
    - 6543: login vs user order in ftpd sometimes wrong
    - 6551: Memory leak in spnego accept_sec_context error path
  * libkrb5-dev depends on libkadm5clnt6 (LP: #472080)
  *  Avoid locking out accounts on PREAUTH_FAILED, Closes: #557979, (LP:
    #489418)

 -- Sam Hartman <hartmans@debian.org>  Sun, 29 Nov 2009 17:29:26 -0500

krb5 (1.7dfsg~beta3-2) UNRELEASED; urgency=low

  * Update to policy 3.8.2 (no changes)

 -- Sam Hartman <hartmans@debian.org>  Sat, 20 Jun 2009 06:32:22 -0400

krb5 (1.7dfsg~beta3-1) unstable; urgency=low

  * New upstream release
  * Revert relaxation of Debian symbol versions introduced in
    1.7dfsg~beta1-3 
  * Fix kproplog's manpage (LP: #374819)

 -- Sam Hartman <hartmans@debian.org>  Wed, 27 May 2009 21:15:41 -0400

krb5 (1.7dfsg~beta2-4) unstable; urgency=low

  * Upstream fixes to RT #6490, Closes: #528729
      - Use MS  usage 9 not 8 for tgs-rep encrypted in subkey
      - Do not use keyed checksum with RC4; WS2003  expects it to be
    encrypted in the subsession key, everyone else expects the session
    key.  Note that a keyed checksum for RC4 would work against WS2008.
  * Patch from Marc Dequ?nes (Duck)   for HURD portability, Closes:
    #528828 

 -- Sam Hartman <hartmans@debian.org>  Wed, 20 May 2009 08:57:53 -0400

krb5 (1.7dfsg~beta2-3) unstable; urgency=low

  * Use correct enctype identifier in lucid security context export,
    Closes: #528514 

 -- Sam Hartman <hartmans@debian.org>  Mon, 18 May 2009 14:59:46 -0400

krb5 (1.7dfsg~beta2-2) unstable; urgency=low

  * Apply upstream patch from ticket 6488  intended to fix
    gss_krb5_export_lucid_sec_context and thus NFS; hopefully fixes
    #528514 
  *  Apply patch from ticket 6489 to fix UCS2 handling in RC4 string to
    key and PAC routines

 -- Sam Hartman <hartmans@debian.org>  Thu, 14 May 2009 16:21:48 -0400

krb5 (1.7dfsg~beta2-1) unstable; urgency=low

  * New Upstream release including FAST support for DES and 3DES.
  * Remove non-free content accidentally reintroduced in beta1, Closes: #528555
  * Add strict dependency from libgssapi-krb5-2 to libkrb5-3 as discussed
    in #528514

 -- Sam Hartman <hartmans@debian.org>  Wed, 13 May 2009 14:09:31 -0400

krb5 (1.7dfsg~beta1-4) unstable; urgency=low

  * When  decrypting the TGS response fails with the subkey, try with the
    session key to work around Heimdal bug, Closes: #527353 

 -- Sam Hartman <hartmans@debian.org>  Thu, 07 May 2009 16:16:34 -0400

krb5 (1.7dfsg~beta1-3) unstable; urgency=low

  * Relax symbol versions of symbols that exist in krb5 1.6.dfsg.2 to
    1.6.dfsg.2.  No software currently in Debian uses the new
    functionality, and this will ease the transition because it allows
    krb5 to move independently of packages that are being rebuilt.  This
    change will be reverted before the end of May, 2009.

 -- Sam Hartman <hartmans@debian.org>  Tue, 05 May 2009 09:01:17 -0400

krb5 (1.7dfsg~beta1-2) unstable; urgency=low

  * Upload to unstable  with permission of release team; note that this
    upload will make anything that depends on libkrb53 uninstallable in
    unstable.  The release team will make binary only NMUs to rebuild any
    such packages and they will depend on the new libraries.  Packages
    built since 1.6.dfsg.4~beta1-9 entered unstable should not be affected.
  * Upstream change: return PREAUTH_REQUIRED not PREAUTH_FAILED on unknown
    preauth type in the KDC.
  * Remove a bunch of patches applied ustream from debian/patches

 -- Sam Hartman <hartmans@debian.org>  Mon, 04 May 2009 16:19:09 -0400

krb5 (1.7dfsg~beta1-1) experimental; urgency=low

  * New upstream release
    - kadmin and related commands moved to /usr/bin, Closes: #477296
    - Kadmin headers are Public: Closes: #191616 
    - KDC supports loopback address, Closes: #478425
  
 -- Sam Hartman <hartmans@debian.org>  Wed, 22 Apr 2009 09:53:15 -0400

krb5 (1.7dfsg~alpha1-1) experimental; urgency=low

  * New upstream version

 -- Sam Hartman <hartmans@debian.org>  Sun, 05 Apr 2009 20:46:14 -0400

krb5 (1.6.dfsg.4~beta1-13) unstable; urgency=high

  * MITKRB5-SA-2009-001: Fix read-beyond-end-of-buffer DOS in SPNEGO, an
    SPNEGO null pointer dereference, and incorrect length validation in
    an ASN.1 decoder.  (CVE-2009-0844, CVE-2009-0845, CVE-2009-0847)
  * MITKRB5-SA-2009-002: ASN.1 general time decoder can free uninitialized
    pointer.  (CVE-2009-0846)
  * Add dependency on libkrb53 from libkrb5-dev.  This should make it
    significantly more difficult for buildds to get out of sync.  I don't
    think we can do better within the constraints of this transition,
    Closes: #522469

 -- Sam Hartman <hartmans@debian.org>  Tue, 07 Apr 2009 14:58:31 -0400

krb5 (1.6.dfsg.4~beta1-12) unstable; urgency=low

  * Translation updates:
    - Romanian, thanks Eddy Petrișor.  (Closes: #519660)
    - Finnish, thanks Esko Arajärvi.  (Closes: #519741)
    - Russian, thanks Sergey Alyoshin.  (Closes: #519744)
    - Spanish, thanks Francisco Javier Cuadrado.  (Closes: #519808)

 -- Russ Allbery <rra@debian.org>  Fri, 27 Mar 2009 11:24:28 -0700

krb5 (1.6.dfsg.4~beta1-11) unstable; urgency=low

  * Upload from the partial-krb4 branch not the master branch so we don't
    break unstable. 
      - Restore libkrb53 and libkadm55 
  * Resync the aes test files from upstream to fix a line ending problem
    and significantly shrink the debian diff 

 -- Sam Hartman <hartmans@debian.org>  Fri, 13 Mar 2009 10:19:42 -0400

krb5 (1.6.dfsg.4~beta1-10) unstable; urgency=low

  * Add Homepage control field.
  * Add ${misc:Depends} to dependencies for all packages.
  * Expand the packages that satisfy the libkrb5-dbg dependency.
  * Include a few more details about the differences between the various
    library packages in their long descriptions and fix some whitespace
    inconsistencies.  Thanks, Gerfried Fuchs.  (Closes: #519403)
  * Remove empty usr/include/kerberosIV directory in libkrb5-dev.
  * Use set -e instead of #!/bin/sh -e for all maintainer scripts.
  * Use which without a path to check for update-inetd.
  * Improve the leading comment in /etc/default/krb5-kdc.
  * Remove unnecessary section override for krb5-pkinit.
  * Update to debhelper compatibility level V7.
    - Use dh_lintian to install Lintian overrides.
    - Use dh_prep instead of dh_clean -k.
  * Update standards version to 3.8.1 (no changes required).
  * Fix superfluous space in the krb5-kdc debconf templates and unfuzzy
    translations.  Thanks, Helge Kreutzmann.  (Closes: #518403)
  * Translation updates:
    - French, thanks Christian Perrier.  (Closes: #518221)
    - Japanese, thanks TANAKA Atushi.  (Closes: #518345)
    - Swedish, thanks Martin Bagge.  (Closes: #518347)
    - German, thanks Helge Kreutzmann.  (Closes: #518402)
    - Czech, thanks Miroslav Kure.  (Closes: #518993)
    - Portuguese, thanks Miguel Figueiredo.  (Closes: #519000)
    - Italian, thanks Luca Monducci.  (Closes: #519178)
    - Galician, thanks Marce Villarino.  (Closes: #519481)

 -- Russ Allbery <rra@debian.org>  Thu, 12 Mar 2009 18:00:31 -0700
krb5 (1.6.dfsg.4~beta1-9) unstable; urgency=medium

  * Fix typo in downgrade instructions in NEWS file.
  * Fix override for libkadm55
  * Upload to unstable.

 -- Sam Hartman <hartmans@debian.org>  Sun, 01 Mar 2009 15:33:58 -0500

krb5 (1.6.dfsg.4~beta1-8) experimental; urgency=low

  * Re-introduce libkrb53 and libkadm55 based on discussion on
    debian-devel; in this version, libkrb53 contains only libkrb4.  Both
    libkrb53 and libkadm55 depend on  the split library packages.  These
    dependencies are unversioned; that means that before any symbols are
    added the shlibs files need to be repointed away from libkrb53 and
    libkadm55.  Any version of the split library packages can satisfy the
    symbols needed by the libraries previously shipped in libkrb53.
  * Perform two builds; one without krb4 and one with krb4 for the only
    warnings; they will go away when the shlibs files are repointed.
  * Remove krb4 support from  debconf and init scripts.
  * Remove the krb4 migration guide from doc-base
  * Fix up replaces in control file so that libraries that used to be in
    libkadm55 claim to replace libkadm55 
  * Only use parallel builds on the krb5 build; it breaks krb4  enabled
    builds. 
  * Used versioned replaces; this seems to make it harder to get a system
    into a broken state if you remove the new packages, Closes: #517483 

 -- Sam Hartman <hartmans@debian.org>  Sat, 28 Feb 2009 00:42:51 -0500

krb5 (1.6.dfsg.4~beta1-7) experimental; urgency=low

  * Do not build krb4 support; this is being removed upstream with 1.7 and
    it is strongly desirable to  examine the debian implications.
  * As a result, the libraries which were previously all in libkrb53 need
    to change package names as we are dropping some libraries.  So, split
    out the libraries into lib<libraryname>-<soname> per policy.  The old
    format was consistent with policy when it was written 8 years ago, and
    has lasted well.  As a result, a significant number of new library
    packages are introduced.
  * Use dpkg-gensymbols support for .symbols files for better version tracking
  * Update to policy 3.8.0
      - Support parallel=

 -- Sam Hartman <hartmans@debian.org>  Fri, 20 Feb 2009 16:57:43 -0500

krb5 (1.6.dfsg.4~beta1-6) unstable; urgency=low

  * In the krb5-install info pages, document the need to create an empty
    database on new slaves before the first database propagation to work
    around a bug in kdb5_util.  This is a workaround for Bug#512670, which
    won't be fixed in time for the lenny release.

 -- Russ Allbery <rra@debian.org>  Sun, 01 Feb 2009 10:07:37 -0800

krb5 (1.6.dfsg.4~beta1-5) unstable; urgency=low

  * Correct the actions of krb5_newrealm in its man page.  It doesn't
    create a keytab for kadmind since kadmind no longer needs one.
    Mention that it does create a stash file and that it starts the KDC
    and kadmind daemons.  Thanks, David Medberry.  (Closes: #504126)
  * Translation updates:
    - Spanish, thanks Ignacio Mondino.  (Closes: #504766)

 -- Russ Allbery <rra@debian.org>  Mon, 29 Dec 2008 22:21:21 -0800

krb5 (1.6.dfsg.4~beta1-4) unstable; urgency=low

  [ Russ Allbery ]
  * Translation updates:
    - Swedish, thanks Martin Bagge.  (Closes: #487669, #491774)
    - Italian, thanks Luca Monducci.  (Closes: #493962)

  [ Sam Hartman ]
  * Translation Updates:
      - Dutch, Thanks Vincent Zweije, Closes: #495733

 -- Sam Hartman <hartmans@debian.org>  Thu, 21 Aug 2008 10:41:41 -0400

krb5 (1.6.dfsg.4~beta1-3) unstable; urgency=low

  * Set length to 0 on no-salt ldap keys so they do not crash; uupstream
    ticket 5545, Closes: #480523 
  * Swedish translations, thanks Martin Bagge, Closes: #487563 

 -- Sam Hartman <hartmans@debian.org>  Sun, 22 Jun 2008 23:00:37 -0400

krb5 (1.6.dfsg.4~beta1-2) unstable; urgency=low

  [ Russ Allbery ]
  * Translation updates:
    - Japanese, thanks TANAKA, Atushi.
    - Russian, thanks Sergey Alyoshin.  (Closes: #485473)
    - Brazilian Portuguese, thanks Eder L. Marques.  (Closes: #485613)
    - Romanian, thanks Eddy Petrișor.  (Closes: #484996)

  [ Sam Hartman ]
  * Upload 1.6.4 beta 1 to unstable.  As best I can tell evaluating the
    changes this is a strict improvement over 1.6.3 even though it is
    still a beta version.  There is not  an ABI change ; backing out would
    be relatively easy.
  * Patch from  Bryan Kadzban  to look inside spnego union_creds when
    looking for a specific mechanism cred.  This allows spnego creds to be
    used when copying out to a ccache after delegation, Closes: #480434
  * Ksu now calls krb5_verify_init_creds rather than using its own custom
    logic because that is correct and so it can take advantage of the
    following change. 
    * krb5_verify_init_creds uses the default realm if it gets a referral
    realm as input for server, Closes: #435427  
  * Add -D_FORTIFY_SOURCE=2 and -fstack-protector on ia32 and x86_64 at
    the request of  Moritz Muehlenhoff ; he was unsure that adding these
    flags on other platforms would be a good idea.  I'd be happy to expand
    the list at the request of port maintainers, Closes: #484371 
  * Fix KDC purge code introduced in previous revision.

 -- Sam Hartman <hartmans@debian.org>  Mon, 16 Jun 2008 09:29:00 -0400

krb5 (1.6.dfsg.4~beta1-1) experimental; urgency=low

  [ Russ Allbery ]
  * Do not translate the Kerberos v4 modes.  They are literal strings
    passed to the Kerberos KDC as arguments to the -4 option.  Comment
    mentions of those strings in the debconf template so that
    translators know this.
  * Rather than prompting at installation time for whether the KDC
    database should be deleted on purge, prompt in prerm when the package
    is being removed for whether the database should be deleted.
  * Translation updates:
    - Galician, thanks Jacobo Tarrio.  (Closes: #482324)
    - French, thanks Christian Perrier.  (Closes: #482326)
    - Vietnamese, thanks Clytie Siddall.  (Closes: #482362)
    - Basque, thanks Piarres Beobide.  (Closes: #482376)
    - Czech, thanks Miroslav Kure.  (Closes: #482428)
    - German, thanks Helge Kreutzmann.  (Closes: #482366)
    - Spanish, thanks Diego D'Onofrio.
    - Finnish, thanks Esko Arajärvi.  (Closes: #482682)
    - Portuguese, thanks Miguel Figueiredo.  (Closes: #483049)

  [ Sam Hartman ]
  * Remove extra space in debian/rules so upstream configure scripts can
    work.
  * Upgrade to 1.6.4 beta 1.
  * Upstream includes several fixes to bugs that were assigned CVE
    numbers; upstream does not actually consider these security issues and
    no advisory was issued, but they are included here for the benefit of
    the security team in case anyone asks.  Closes: #454974
    - fix CVE-2007-5972: double fclose() in krb5_def_store_mkey()
    - fix CVE-2007-5971: double-free in gss_krb5int_make_seal_token_v3()
    - fix CVE-2007-5902: integer overflow in svcauth_gss_get_principal()
    - fix CVE-2007-5971: free of non-heap pointer in gss_indicate_mechs()
    - fix CVE-2007-5894: apparent uninit length in ftpd.c:reply()
  
 -- Sam Hartman <hartmans@debian.org>  Sat, 31 May 2008 10:53:21 -0400

krb5 (1.6.dfsg.3-2) unstable; urgency=low

  * kdc.conf was previously in krb5-doc, not uninstalled.  Properly
    handle moving it to the krb5-kdc package.  (Closes: #480452)
  * Include libkdb-ldap1 in krb5-kdc-pkinit, install it into a private
    directory (/usr/lib/krb5) rather than directly in /usr/lib, and use an
    RPATH in kdb5_ldap_util and the plugin to find the library.  Drop the
    libkdb-ldap1 library package.  This library isn't intended to be used
    by any software outside of the KDC plugin and utility.  Thanks,
    Bastian Blank.  (Closes: #479384)
  * Load defaults for debconf configuration of krb5-admin-server and
    krb5-kdc from the /etc/default files if they exist.  Thanks, Bastian
    Blank.  (Closes: #479404)
  * Preserve DAEMON_ARGS settings in /etc/default/krb5-admin-server and
    /etc/default/krb5-kdc even if debconf configuration is enabled.
  * Don't require that a stash file be created in /etc/init.d/krb5-kdc.
    Stash files are optional.  (Closes: #479457)
  * Error out instead of silently existing if debconf's confmodule cannot
    be loaded.  Given that we depend on debconf, if this fails, something
    serious went wrong and we shouldn't ignore it.
  * Use /bin/which instead of command -v to check for update-inetd.
  * Unconditionally remove kpropd's inetd.conf entry in the postrm of
    krb5-kdc rather than special-casing remove and deconfigure.
  * Add 256-bit AES and RC4 keys to the default kdc.conf, the first
    because it's the strongest enctype currently supported and the second
    for Windows compatibility.  Improve the README.KDC enctype
    documentation.
  * Install kerberos.ldif and kerberos.schema in krb5-kdc-ldap as
    documentation.  Thanks, Bastian Blank.  (Closes: #479239)

 -- Russ Allbery <rra@debian.org>  Fri, 09 May 2008 20:27:16 -0700

krb5 (1.6.dfsg.3-1) unstable; urgency=low

  * Final upstream 1.6.3 release.
  * Package the LDAP plugin for the KDC, which allows one to use an LDAP
    server to store the KDC database.  Install the krb5-kdc-ldap package
    for the plugin.  (Closes: #453113)
  * If krb5-config/default_realm isn't set, use EXAMPLE.COM as the realm
    so that the kdc.conf will at least be syntactically valid (but will
    still require editing).  (Closes: #474741)
  * krb5-kdc explicitly depends on krb5-config since it relies on debconf
    variables set by that package.
  * Always stop krb524d on /etc/init.d/krb5-kdc stop even if the
    configuration has been changed to no longer run it.  Thanks, Bastian
    Blank.  (Closes: #477294)
  * Install the kdc.conf man page.  (Closes: #477307)
  * krb5-kdc no longer depends on update-inetd and inet-superserver and
    instead just suggests openbsd-inetd | inet-superserver and
    conditionally adds the commented-out kpropd example if update-inetd is
    available.  krb5-admin-server doesn't need inet-superserver at all.
    Thanks, Bastian Blank.  (Closes: #477301)
  * Change the doc-base sections to System/Security.
  * Correctly mangle the version in the watch file.
  * Remove conflicts with packages already not present in oldstable.
  * Remove versioned build-dependencies satisfied by oldstable.
  * Remove versioned Replaces for versions older than oldstable.

 -- Russ Allbery <rra@debian.org>  Sun, 27 Apr 2008 20:39:36 -0700

krb5 (1.6.dfsg.3~beta1-4) unstable; urgency=emergency

  * MITKRB5-SA-2008-001: When Kerberos v4 support is enabled in the KDC,
    malformed messages may result in NULL pointer use, double-frees, or
    exposure of information.  (CVE-2008-0062, CVE-2008-0063)
  * MITKRB5-SA-2008-002: If the file descriptor limit is larger than
    FD_SETSIZE and kadmind has more open connections than FD_SETSIZE, an
    array overrun and memory corruption may result.  (CVE-2008-0947)

 -- Russ Allbery <rra@debian.org>  Fri, 07 Mar 2008 18:53:59 -0800

krb5 (1.6.dfsg.3~beta1-3) unstable; urgency=low

  * Apply cross-build patch from Neil Williams.  (Closes: #465294)
  * Document in comments that configuration management via debconf should
    be disabled before making manual changes to /etc/default/krb5-kdc and
    /etc/default/krb5-admin-server.  (Closes: #443326)
  * Support DAEMON_ARGS in /etc/default/krb5-admin-server for kadmind.
    Thanks, Dwayne Litzenberger.  (Closes: #443331)
  * Don't stop the servers in runlevel S.  This isn't a real runlevel and
    cannot be switched to, so the links are extraneous.
  * Use binary:Version instead of Source-Version in debian/control.
  * Depend on openbsd-inetd | inet-superserver instead of on update-inetd,
    since inetd implementations may provide their own update-inetd.
  * Improve quoting and formatting in the postinsts for krb5-kdc and
    krb5-admin-server.  Error on failure to load debconf, since we do
    depend on it.  Support reconfigure.
  * Fix file locations in the krb524 doc-base control file.
  * Add the info documentation to all doc-base control files.
  * Fix a variety of man page errors uncovered by man --warnings.
  * Wrap Depends and Conflicts fields in debian/control.
  * dpkg-dev now compresses duplicate relations, so no need for lintian
    overrides.
  * Add an override for the empty plugin directory in libkrb53.
  * Update standards version to 3.7.3 (no changes required).
  * Translation updates:
    - Finnish, thanks Esko Arajärvi.  (Closes: #451146)
    - Dutch, thanks Vincent Zweije.  (Closes: #460589)

 -- Russ Allbery <rra@debian.org>  Mon, 18 Feb 2008 20:53:08 -0800

krb5 (1.6.dfsg.3~beta1-2) unstable; urgency=low

  *  Move pkinit into a new package krb5-pkinit.  We don't want pkinit to
    always be installed because this pulls in an openssl dependency and
    most people don't need it.  However we want the plugin available when
    needed, Closes: #444938
  * I had hoped to wait for the upstream release, but that is being a bit slow.

 -- Sam Hartman <hartmans@debian.org>  Thu, 18 Oct 2007 17:03:27 -0400

krb5 (1.6.dfsg.3~beta1-1) unstable; urgency=low

  * New Upstream release
    - Fix krb5_set_default_tgs_enctypes, Closes: #413838


 --  Sam Hartman <hartmans@debian.org>  Mon, 01 Oct 2007 21:21:59 -0400

krb5 (1.6.dfsg.1-7) unstable; urgency=emergency

  * mit-sa-2007-6:
      - CVE 2007-3999 rpc library buffer overflow
      - CVE 2007-uninitialized kadmin pointer

 -- Sam Hartman <hartmans@debian.org>  Tue, 04 Sep 2007 15:06:51 -0400

krb5 (1.6.dfsg.1-6) unstable; urgency=low

  * Don't depend on libkeyutils-dev on non-Linux architectures.  Thanks,
    Petr Salinger.  (Closes: #430215)
  * Restore support for the RUN_KADMIND setting as written by debconf.
    Thanks, Christoph Neerfeld.  (Closes: #429535)
  * Wrap the build-depends line now that dpkg in oldstable supports this.
  * Update debconf templates and debian/control long package descriptions
    as suggested by the debian-l10n-english team as part of the Smith
    review project.  Thanks to Christian Perrier for the coordination
    work.  (Closes: #428195)
  * Debconf translation updates:
    - Galician, thanks Jacobo Tarrio.  (Closes: #429511)
    - Portuguese, thanks Miguel Figueiredo.  (Closes: #429592)
    - Basque, thanks Piarres Beobide.  (Closes: #429637)
    - Japanese, thanks TANAKA, Atushi.  (Closes: #429844)
    - Vietnamese, thanks Clytie Siddall.  (Closes: #429907)
    - German, thanks Helge Kreutzmann.  (Closes: #430561)
    - Czech, thanks Miroslav Kure.  (Closes: #431203)
    - Russian, thanks Yuri Kozlov.  (Closes: #431247)
    - French, thanks Christian Perrier.

 -- Russ Allbery <rra@debian.org>  Sun, 15 Jul 2007 20:58:07 -0700

krb5 (1.6.dfsg.1-5) unstable; urgency=emergency

  * MIT-SA-2007-4: The kadmin RPC library can free an uninitialized
    pointer or write past the end of a stack buffer.  This may lead to
    execution of arbitrary code.  (CVE-2007-2442, CVE-2007-2443)
  * MIT-SA-2007-5: kadmind is vulnerable to a stack buffer overflow that
    may lead to execution of arbitrary code.  (CVE-2007-2798)

 -- Russ Allbery <rra@debian.org>  Wed, 13 Jun 2007 13:07:44 -0700
  
krb5 (1.6.dfsg.1-4) unstable; urgency=low

  *  Make --deps switch to krb5-config include dependent libraries; otherwise do not, Closes: #422985
  * Include copyright statement for remaining IETF draft, Closes: #393380

 -- Sam Hartman <hartmans@debian.org>  Sun, 13 May 2007 16:28:56 -0400

krb5 (1.6.dfsg.1-3) unstable; urgency=low

  * Upstream bug #5552: krb5_get_init_creds  needs to not dereference
    gic_opts if it is null.  Instead, assume that it is default options,
    Closes: #422687 

 -- Sam Hartman <hartmans@debian.org>  Tue,  8 May 2007 14:46:55 -0400

krb5 (1.6.dfsg.1-2) unstable; urgency=low

  * Fix shlibdeps to reflect 1.6.dfsg.1 instead of 1.6.1
  * Upload 1.6 to unstable

 -- Sam Hartman <hartmans@debian.org>  Thu,  3 May 2007 20:23:47 -0400

krb5 (1.6.dfsg.1-1) experimental; urgency=low

  * Oops, I failed to understand how the version numbers work.  Since 1.6.1 is less than 1.6.dfsg, the version numbering is going to be a bit screwy for the 1.6 series.  We will use 1.6.dfsg.1 for 1.6.1.
  * Update to update-inetd dependency, Closes: #420748

 -- Sam Hartman <hartmans@debian.org>  Sun, 29 Apr 2007 08:59:28 -0400

krb5 (1.6.1.dfsg-1) experimental; urgency=low

  * Depend on keyutils-lib-dev so we consistently get keyring cache support
  * New Portuguese translation, thanks Miguel Figueiredo , Closes: #409318
  * New Upstream release
      - Update shlibs for new API
  * Fix handling of null realm in krb5_rd_req_decoded; now we treat a null realm as a default realm there.

 -- Sam Hartman <hartmans@debian.org>  Sat, 28 Apr 2007 16:21:03 -0400

krb5 (1.6.dfsg-1) experimental; urgency=low

  * New 1.6 release from upstream.
  * Update copyright

 -- Sam Hartman <hartmans@debian.org>  Thu,  1 Feb 2007 22:26:08 -0500

krb5 (1.6.dfsg~alpha1-1) experimental; urgency=low

  * New upstream release
  * Remove IETF RFCs, Closes: #393380
  * Update copyright file based on new copyrights upstearm

 -- Sam Hartman <hartmans@debian.org>  Wed, 22 Nov 2006 10:28:13 -0500

krb5 (1.4.4-8) unstable; urgency=emergency

  * MIT-SA-2007-1: telnet allows  login as an arbitrary user when
    presented with a specially crafted username; CVE-2007-0956 
  * krb5_klog_syslog has a trivial buffer overflow that can be exploited
    by network data; CVE-2007-0957.  The upstream patch is very intrusive
    because it fixes each call to syslog to have proper length checking as
    well as the actual krb5_klog_syslog internals to use vsnprintf rather
    than vsprintf.  I have chosen to only include the change to
    krb5_klog_syslog for sarge.  This is sufficient to fix the problem but
    is much smaller and less intrusive.   (MIT-SA-2007-2)
  * MIT-SA-2007-3: The GSS-API library can cause a double free if
    applications treat certain errors decoding a message as errors that
    require freeing the output buffer.  At least the gssapi rpc library
    does this, so kadmind is vulnerable.    Fix the gssapi library because
    the spec allows applications to treat errors this way.  CVE-2007-1216 
  * New Japanese translation, thanks TANAKA Atushi, Closes: #414382

 -- Sam Hartman <hartmans@debian.org>  Sun, 11 Mar 2007 19:08:52 -0400

krb5 (1.4.4-7) unstable; urgency=low

  * Translation updates:
    - New Portuguese translation, thanks Rui Branco.  (Closes: #409318)

 -- Russ Allbery <rra@debian.org>  Wed, 21 Feb 2007 15:23:08 -0800


krb5 (1.4.4-6) unstable; urgency=emergency

  * MIT-SA-2006-2: kadmind and rpc library call through function pointer
    to freed memory (CVE-2006-6143).  Null out xp_auth unless it is
    associated with an rpcsec_gss connection.

 -- Sam Hartman <hartmans@debian.org>  Thu,  4 Jan 2007 16:07:02 -0500

krb5 (1.4.4-5) unstable; urgency=low

  * Translation updates:
    - New Spanish translation, thanks Fernando Cerezal.  (Closes: #402986)

 -- Russ Allbery <rra@debian.org>  Sun, 17 Dec 2006 17:18:05 -0800

krb5 (1.4.4-4) unstable; urgency=low

  * Remove the check for pthread_mutexattr_setrobust_np in the thread
    initialization code.  This was only needed on Solaris 9 and has been
    removed upstream, and was causing FTBFS with glibc 2.5.  Thanks,
    Martin Pitt.  (Closes: #396166)
  * Translation updates:
    - New Romanian translation, thanks stan ioan-eugen.  (Closes: #395347)

 -- Russ Allbery <rra@debian.org>  Sun,  5 Nov 2006 21:32:17 -0800

krb5 (1.4.4-3) unstable; urgency=low

  * Don't require the presence of debconf during the postrm.  Thanks to
    Bill Allombert for the report.  (Closes: #388784)
  * Fix uses of hyphens instead of minus signs in the man pages.

 -- Russ Allbery <rra@debian.org>  Fri, 22 Sep 2006 14:57:34 -0700

krb5 (1.4.4-2) unstable; urgency=low

  * Patch from Alejandro R. Sedeno to allow 32-bit and 64-bit krb4 ticket
    files to be used on the same system.  Similar to a patch included in
    MIT Kerberos 1.5 but backported  because of missing byte order macros.

 -- Sam Hartman <hartmans@debian.org>  Wed, 20 Sep 2006 22:51:59 -0400

krb5 (1.4.4-1) unstable; urgency=low

  * New upstream release.
  * Stop using --exec to start and stop services since then services will
    not be stopped properly during an upgrade.  (Closes: #385039)
  * Rewrite the init scripts to include LSB information and to use the LSB
    logging functions.  krb5-kdc and krb5-admin-server now depend on
    lsb-base (>= 3.0-6) for the LSB functions.

 -- Russ Allbery <rra@debian.org>  Fri,  1 Sep 2006 20:45:59 -0700

krb5 (1.4.4~beta1-1) unstable; urgency=low

  * New upstream version including several memory leak fixes
  * Install upstream changelog

 -- Sam Hartman <hartmans@debian.org>  Wed, 16 Aug 2006 16:45:56 -0400

krb5 (1.4.3-9) unstable; urgency=high

  * Add error checking to setuid, setreuid  to avoid local privilege
    escalation ; fixes krb5-sa-2006-1, CVE-2006-3084, CVE-2006-3083
  * Update standards version to 3.7.2 (no changes required).
  * Translation updates.
    - Russian, thanks Yuri Kozlov.  (Closes: #380303)

 -- Sam Hartman <hartmans@debian.org>  Sun,  6 Aug 2006 17:12:40 -0400

krb5 (1.4.3-8) unstable; urgency=low

  * Defer seeding of the random number generator in kadmind until after
    forking and backgrounding, since otherwise blocking on /dev/random may
    block system startup.  (Closes: #364308)
  * Update config.{guess,sub}.  (Closes: #373727)
  * Better fix for error handling of a zero-length keytab.  Thanks,
    Rainer Weikusat.

 -- Russ Allbery <rra@debian.org>  Sun, 16 Jul 2006 08:59:20 -0700

krb5 (1.4.3-7) unstable; urgency=low

  * Fix double free caused by a zero-length keytab.  Thanks, Steve
    Langasek.  (Closes: #344295)
  * Fix segfault in krb5_kuserok if the local name doesn't correspond to a
    local account.  (Discovered in bug #354133.)
  * Build a separate libkrb5-dbg package containing the detached debugging
    information for libkrb53 and libkadm55.
  * Update debhelper compatibility level to V5 since the dh_strip behavior
    around debug packages changes in V5 and we should use the current
    interface from the beginning.
  * Translation updates.
    - Dutch, thanks Vincent Zweije.  (Closes: #360444)
    - Galician, thanks Jacobo Tarrio.  (Closes: #361809)

 -- Russ Allbery <rra@debian.org>  Sat, 15 Apr 2006 16:22:01 -0700

krb5 (1.4.3-6) unstable; urgency=low

  * Assume krb5 in krb5_gss_canonicalize_name if the null mechanism is
    passed in.  Fixes a segfault in racoon from ipsec-tools.  Thanks,
    Daniel Kahn Gillmor.  (Closes: #351877)
  * v5passwdd is gone, so remove the debconf template, the prompts, and
    the code to start and stop it from the init script.  Thanks, Greg
    Folkert.
  * Fix incorrect option names in krb5.conf(5).  Thanks, Martin v.
    Loewis.  (Closes: #347643)
  * Translation updates.
    - Danish, thanks Claus Hindsgaul.  (Closes: #350041)

 -- Russ Allbery <rra@debian.org>  Tue, 21 Feb 2006 23:25:34 -0800

krb5 (1.4.3-5) unstable; urgency=medium

  * Configure with --enable-shared --enable-static so that libkrb5-dev
    gets static libraries.
  * Fix double free in getting credentials, Closes: #344543

 -- Sam Hartman <hartmans@debian.org>  Sun, 25 Dec 2005 21:59:47 -0500

krb5 (1.4.3-4) unstable; urgency=high

  * Fix problem when libpthreads is dynamically loaded into a program
    causing mutexes to sometimes be used and sometimes not be used.  If
    the library starts out without threads support it will never start
    using threads support; doing anything else causes hangs. 

 -- Sam Hartman <hartmans@debian.org>  Fri, 16 Dec 2005 18:16:53 -0500

krb5 (1.4.3-3) unstable; urgency=low

  * Additional internal pthread symbols have to be declared weak on Hurd.
    Thanks, Michael Banck.  (Closes: #341608)
  * Build on GNU/kFreeBSD.  Thanks, Petr Salinger.  (Closes: #261712)
  * Change the default KDC enctype to 3DES to match upstream (the
    difference was probably a mismerge).
  * Remove /etc/default/krb5-admin-server on purge.  (Closes: #333161)
  * Document the behavior of klogind and kshd if the user has no .k5login
    file.  Remove vestigial .rhosts references.  (Closes: #250966)
  * Document krb5-rsh-server authorization defaults in README.Debian.
  * Enable kinit -a to match the man page.  (Closes: #232431)
  * Remove the patch to tightly bind libkrb4 to libdes425.  This should no
    longer be necessary with symbol versioning.
  * Upstream has removed the file with questionable licensing, so the
    upstream tarball is no longer repacked.  Remove the get-orig-source
    target in debian/rules and the notes in copyright and README.Debian.
  * Add a watch file.
  * Translation updates.
    - German, thanks jens.  (Closes: #330925)

 -- Russ Allbery <rra@debian.org>  Sun,  4 Dec 2005 11:37:40 -0800

krb5 (1.4.3-2) unstable; urgency=low

  * Conflict with libauthen-krb5-perl (<< 1.4-5) because of krb5_init_ets.
  * Update uploader address.
  * Conflict with libapache-mod-auth-kerb because it accesses library
    internals in a way that breaks.

 -- Sam Hartman <hartmans@debian.org>  Wed, 30 Nov 2005 22:33:47 -0500

krb5 (1.4.3-1) experimental; urgency=low

  * New upstream release.
  * Install ac_check_krb5 for use by aclocal.
  
 -- Sam Hartman <hartmans@debian.org>  Sat, 19 Nov 2005 16:20:56 -0500

krb5 (1.4.2-1) UNRELEASED; urgency=low

  * New upstream version.  (Closes: #293077)
    - kadmind4, v5passwdd, and v5passwd are no longer included.
    - Increase the libkrb53 shlibs version dependency.  Programs linked
      against this version will not work with an older libkrb53.
    - Rebuild should fix link problems on powerpc.  (Closes: #329709)
  * Re-enable optimization on m68k to stop hiding the toolchain problem.
  * Don't build crypto code -O3.  It uncovers too many gcc bugs.
  * Fix compilation on Hurd.  Thanks, Michael Banck.  (Closes: #324305)
  * Always initialize the output token in gss_init_sec_context, even with
    an unknown mechanism.  (Closes: #311977)
  * rcp should fall back to /usr/bin/netkit-rcp, not /usr/bin/rpc.
  * Add the missing shared library depends for libkadm55.
  * Use dh_install rather than dh_movefiles and enable --fail-missing to
    be sure to pick up any new upstream files.
  * Avoid test -a in maintainer scripts.
  * Expand and reformat the documentation and sample kdc.conf file.
  * Add a doc-base file for the krb425 migration guide.
  * Ignore lintian warnings about the library package names.  We'll fix
    them the next time upstream changes SONAMEs.
  * Conflict with packages that used internal symbols not part of the
    public ABI 
  * Use "MIT Kerberos" rather than krb5 in the krb5-doc short description.
  * Remove the saved patches that have been applied upstream or are no
    longer applied to the package, update the remaining patches, and move
    them into debian/patches.
  * Break out the other patches of interest for ease submitting them
    upstream.
  * Translation updates.
    - Vietnamese, thanks Clytie Siddall.  (Closes: #319704)

 -- Russ Allbery <rra@stanford.edu>  Thu, 22 Sep 2005 17:08:58 -0700

krb5 (1.3.6-5) unstable; urgency=high

  * Disable optimization on m68k to attempt to work around a gcc 4.0 bug.

 -- Russ Allbery <rra@stanford.edu>  Sun, 14 Aug 2005 22:26:00 -0700

krb5 (1.3.6-4) unstable; urgency=high

  [ Russ Allbery ]
  * Fix a mistake in variable names that caused the package to be built
    without optimization.
  * Allow whitespace before comments in krb5.conf.  Thanks, Jeremie
    Koenig.  (Closes: #314609)
  * GCC 4.0 compile fixes, thanks Daniel Schepler.  (Closes: #315618)
  * Avoid "say yes" in debconf templates.  (Closes: #306883)
  * Update Czech translation, thanks Miroslav Kure.
  * Update French translation, thanks Christian Perrier.  (Closes: #307748)
  * Update Portuguese (Brazil) translation, thanks André Luís Lopes.
  * New Vietnamese translation, thanks Clytie Siddall.  (Closes: #312172)
  * Update standards version to 3.6.2 (no changes required).
  * DAK can now handle not repeating maintainers in uploaders.

  [ Sam Hartman ]
  * Fix double free in krb5_recvauth; critical because it is in the code
    path for kpropd and may allow arbitrary code execution.
    (CAN-2005-1689)
  * krb5_unparse_name overflows allocated storage by one byte on 0 element
    principal name.  (CAN-2005-1175, VU#885830) 
  * Do not free unallocated storage in the KDC's TCP request handling
    path.  (CAN-2005-1174, VU#259798)

 -- Sam Hartman <hartmans@debian.org>  Tue, 12 Jul 2005 15:45:14 -0400

krb5 (1.3.6-3) unstable; urgency=low

  * krb5-kdc: Install a commented-out line for kpropd with update-inetd.
    Add dependency on netbase for update-inetd.  (Closes: #293182)
  * krb5-kdc: Ask with debconf whether the user wishes to delete the KDC
    database on purge, modelled after how postgresql handles the same
    situation.  (Closes: #289358)
  * Close leak in the arcfour crypto support.  Thanks, fumihiko kakuma.
    (Closes: #244595)
  * krb5-config should never return -I/usr/include.  (Closes: #165521)
  * Write manual pages for fakeka, krb524init, kadmind4, and v5passwdd.
    Backport from upstream the manual pages for krb5-config and krb524d.
    (Closes: #78953, #96437)
  * Fix paths in manual pages to match the Debian defaults.  Fix service
    in the inetd.conf example in the kpropd man page to work with Debian
    /etc/services.  (Closes: #157736)
  * Fix references to kerberos(1) in the rlogin and kinit man pages and
    include kerberos.1 in krb5-doc.  (Closes: #154381, #154384)
  * Add more detailed information about each package to the extended
    descriptions.  (Closes: #135517)
  * krb5-doc: Include info pages.  (Closes: #292512)
  * krb5-doc: Fix two minor variable name problems in the texinfo docs.
  * Let dh_installdebconf set the debconf dependency.
  * Update standards version to 3.6.1.
    - Support noopt in DEB_BUILD_OPTIONS.
    - Let debhelper take care of calling ldconfig appropriately.
    - Remove calls to dh_undocumented.
    - Remove lintian overrides for links to the undocumented man page.
    - Install kdc.conf template in /usr/share/krb5-kdc rather than
      /usr/share/krb5 (policy 10.7.3 states the directory should be named
      after the package).
    - Symlink the kdc.conf template to /usr/share/doc/krb5-kdc/examples
      per policy 10.7.3 since it's also a useful example.
  * Update debhelper compatibility level to V4.
    - Remove all *.conffiles control files.  They're no longer needed.
  * rules generally cleaned up.  Commented out and unused debhelper programs
    removed as the set being run wasn't comprehensive anyway.  Invocation
    order now matches the debhelper examples.
  * Removed (s) from copyright to make lintian happier.
  * Removed unnecessary lintian override for libkrb53.
  * Add lintian overrides for the duplicate dependencies on krb5 libraries.

 -- Russ Allbery <rra@stanford.edu>  Sat, 16 Apr 2005 14:12:08 -0700

krb5 (1.3.6-2) unstable; urgency=high

  * Package priority to standard
  * Fix buffer overflow in slc_add_reply in telnet.c (CAN-2005-0469)
  * Fix telnet.c env_opt_add buffer overflow (CAN-2005-0468)
  * Note that both of these vulnerabilities are client-side
    vulnerabilities that can be exploited only by a server.

 -- Sam Hartman <hartmans@debian.org>  Sun,  3 Apr 2005 23:49:08 -0400

krb5 (1.3.6-1) unstable; urgency=medium

  * New upstream version
  * Changing a password afwter the size of password history has been
    reduced may  double free or write past end of an arry; fix
    (CAN-2004-1189 / CERT VU#948033)
  * Conflict between krb5-kdc and kerberos4kth-kdc; also deals with
    krb5-admin-server conflict indirectly, Closes: #274763 

 -- Sam Hartman <hartmans@debian.org>  Sun,  2 Jan 2005 15:55:25 -0500

krb5 (1.3.5-1) unstable; urgency=low

  * New pt_br debconf translation, Cluses: #278734
  * New upstream version
  * Part of the fix to #261712: allow ftpd to build on gnu/bsd

 -- Sam Hartman <hartmans@debian.org>  Fri, 26 Nov 2004 18:44:02 -0500

krb5 (1.3.4-4) unstable; urgency=high

  * Fix what is hopefully the last remnant of the patch to gettextize the
    debconf without making the code consistent, thanks Thimo Neubauer,
    Closes: #271456
  * Fix krb5_newrealm man page to better describe dependencies, thanks
    Rachel Elizabeth Dillon , Closes: #269685

 -- Sam Hartman <hartmans@debian.org>  Mon, 13 Sep 2004 11:36:38 -0400

krb5 (1.3.4-3) unstable; urgency=high

  * Initial Czech translations thanks to  Miroslav Kure, Closes: #264366
  * Updated French debconf translation, thanks Martin Quinson, Closes: #264941
  * KDC and clients double-free on error conditions (CAN-2004-0642  VU#795632)
  *krb5_rd_cred() double-frees on error conditions(CAN-2004-0643 , CERT
    VU#866472 ) 
  * ASN.1 decoder in MIT Kerberos 5 releases krb5-1.3.4 and
    earlier allows unauthenticated remote attackers to induce
    infinite loop, causing denial of service, including in KDC
    code  (CAN-2004-0644 , CERT VU#550464)
  * Fix double free in krb524d  handling of encrypted ticket contents
    (CAN-2004-0772)  

 -- Sam Hartman <hartmans@debian.org>  Tue, 31 Aug 2004 13:04:51 -0400

krb5 (1.3.4-2) unstable; urgency=low

  * Fix doc-base files, Closes: #262916

 -- Sam Hartman <hartmans@debian.org>  Wed,  4 Aug 2004 13:08:53 -0400

krb5 (1.3.4-1) unstable; urgency=low

  * New upstream version
  * Update krb5-doc to include pointers to the right html documents,
    Closes: #203321 
  * Patches to find res_search on amd64 and to include new Debian ports in
    shared library building, Closes: #261712 
  * Install default file for krb5-admin-server, Closes: #262428
  * Patch from Russ Allbery to only prompt for a password once in krb4
    when null is passed in to krb_get_in_pw_tkt, Closes: #262192
  * New pt_br translation, thanks Andre Luis Lopes, Closes: #254115
  * New French translation, thanks Christian Perrier, closes: #253685

 -- Sam Hartman <hartmans@debian.org>  Sat, 31 Jul 2004 12:12:44 -0400

krb5 (1.3.3-2) unstable; urgency=high

  * Fix buffer overflow in krb5_aname_to_localname; potential remote root
    exploit in some fairly limited circumstances.  You are not vulnerable
    unless you have enabled aname_to_lname rules in krb5.conf  (CAN-2004-0523)
  * Fix kadmind template formatting, thanks  Christian Perrier 

 -- Sam Hartman <hartmans@debian.org>  Sat,  5 Jun 2004 16:57:44 -0400

krb5 (1.3.3-1) unstable; urgency=low

  * New upstream version
  * Gettextize my debconf templates, thanks Martin Quinson    , Closes:
    #236176 
  * Don't remove /etc/krb5.conf on libkrb53 purge

 -- Sam Hartman <hartmans@debian.org>  Tue, 13 Apr 2004 20:04:37 -0400

krb5 (1.3.2-2) unstable; urgency=low

  * Don't check for /etc/krb5kdc/kadm5.keytab, Closes: #235966 
  * Fix dangling symlink, Closes: #203622

 -- Sam Hartman <hartmans@debian.org>  Sun, 14 Mar 2004 20:46:27 -0500

krb5 (1.3.2-1) unstable; urgency=low

  * New Upstream Release, Closes: #223485
  * Includes upstream patch to ignore unknown address families, Closes: #206851
  * Include note that encrypted services are not enabled, Closes: #232115
  * Up shlib deps because of new features in auth context

 -- Sam Hartman <hartmans@debian.org>  Sun, 29 Feb 2004 09:36:27 -0500

krb5 (1.3-3) unstable; urgency=low

  * Don't clear the key schedule so krb4 callers can use it,  Closes: #203566
  * Use alternatives system for rcp, Closes: #218392

 -- Sam Hartman <hartmans@debian.org>  Tue,  3 Feb 2004 14:07:12 -0500

krb5 (1.3-2) unstable; urgency=low

  * Include patch to MIT Bug #1681, an incompatible change to etype_info2.
    This change will break  clients between 1.3 beta1 and 1.3-1 talking to
    1.3-2 KDCs, but is necessary because of a protocol bug.

 -- Sam Hartman <hartmans@debian.org>  Thu, 24 Jul 2003 13:32:33 -0400

krb5 (1.3-1) unstable; urgency=medium

  * New upstream version--finally 1.3 is released, Closes: #199573
  * Don't depend on com_err in libcrypto, Closes: #201005
  * Urgency is medium because the only code change is removing a single
    call to com_err and this package not being in testing is blocking
    other packages.  The beta has been in unstable more than 10 days.
  * Update shlibs again to avoid long-term references to a beta in the archive

 -- Sam Hartman <hartmans@debian.org>  Sat, 19 Jul 2003 15:19:38 -0400

krb5 (1.2.99-1.3.beta5-1) unstable; urgency=low

  * New upstream version

 -- Sam Hartman <hartmans@debian.org>  Sat,  5 Jul 2003 21:29:44 -0400

krb5 (1.2.99-1.3.beta4-1) unstable; urgency=low

  * Fix rpath on generated binaries and in krb5-config, Closes: #198124
  * Fix build-depends to require comerr-dev with correct shlibs,
  Closes: #197650
  * New upstream version
  * Don't generate /etc/krb5kdc/kadm5.keytab as 1.3 does not require it
    except for kadmind4

 -- Sam Hartman <hartmans@debian.org>  Fri, 20 Jun 2003 17:37:15 -0400

krb5 (1.2.99-1.3.beta3-4) unstable; urgency=low

  * Add replaces for libkadm55 on libkrb53

 -- Sam Hartman <hartmans@debian.org>  Wed, 11 Jun 2003 16:41:16 -0400

krb5 (1.2.99-1.3.beta3-3) unstable; urgency=low

  * One more try at avoiding autoconf dependency

 -- Sam Hartman <hartmans@debian.org>  Wed, 11 Jun 2003 03:04:56 -0400

krb5 (1.2.99-1.3.beta3-2) unstable; urgency=low

  * Touch some more files to defeat autoheader

 -- Sam Hartman <hartmans@debian.org>  Tue, 10 Jun 2003 23:55:08 -0400

krb5 (1.2.99-1.3.beta3-1) unstable; urgency=low

  * Fix dh_makeshlibs call so dependencies are correct
  * New upstream version
  * Patch from Steve Langasek          for versioned symbols; adapted to
    better fit  the build system and to work for all libraries
  * This version builds with GCC 3.3, Closes: #195571
  * Move the rest of the administration libraries into libkadm55 to reduce
    space required by libkrb53. 
  * libkrb53 conflicts with current openafs-krb5 because of ABI changes in
    krb524 

 -- Sam Hartman <hartmans@debian.org>  Tue, 10 Jun 2003 20:56:33 -0400

krb5 (1.2.99-1.3.beta2-1) experimental; urgency=low

  * New upstream version
  * Include a patch from upstream CVS (post beta2) to fix renewable tickets.

 -- Sam Hartman <hartmans@debian.org>  Sun,  1 Jun 2003 00:30:35 -0400

krb5 (1.2.99-1.3.beta1-1) experimental; urgency=low

  * New upstream pre-release
  * Update copyright
  * Add db_stop calls to krb5-kdc.postinst and krb5-admin-server.postinst
  * Install a fakeka binary
  * Install libkrb524.a even though upstream does not
  * kdc defaults to no v4 support per upstream change.

 -- Sam Hartman <hartmans@debian.org>  Thu, 15 May 2003 11:37:10 -0400

krb5 (1.2.99-1.3.alpha3-1) experimental; urgency=low

  * New upstream pre-release
    - ftp no longer segfaults on wildcards,  Closes: #175495
    - Clock skew is returned on clock skew with preauth, Closes: #98855
    - Preauthentication has been reworked to improve interoperability with
    older implementations and to comply with Kerberos Clarifications,
    Closes: #169014
    - Typo in man page fixed, Closes: #127302  
  * Remove dangling symlink, Closes: #133244
  * Depend on sufficiently new com_err and libss
  * Build the crypto library -O9 as it seems to help performance a lot.
  * Bump up shared library versions; all the public libraries have new
    functions 

 -- Sam Hartman <hartmans@debian.org>  Mon, 12 May 2003 02:22:37 -0400

krb5 (1.2.7-3) unstable; urgency=high

  *  Patch for CERT VU#623217 and VU#442569: Cryptographic weaknesses in
    Kerberos 4
      - Add -X option to krb5kdc and krb524d.  By default  cross-realm is
    no longer supported for krb4 as it is a security hole.
      - Add protection to isolate krb5 keys from krb4 especially for the
    TGS key
     - Remove support for the MIT extension to krb4 to use 3DES keys as it
    is insecure.
  * Patch to various DOS issues where the KDC assumes principal names have
    certain components.  Fixes CAN-2003-0072 
  *  VU#516825: Additional errors in XDR that may lead to denial of
    service. 
  * Fix template bug in v5passwd template, Closes: #172565

 -- Sam Hartman <hartmans@debian.org>  Tue, 25 Mar 2003 08:03:00 -0500

krb5 (1.2.7-2) unstable; urgency=low

  * Remove declaration of errno from krb.h

 -- Sam Hartman <hartmans@debian.org>  Mon,  6 Jan 2003 15:38:20 -0500

krb5 (1.2.7-1) unstable; urgency=high

  * New upstream version
  * Still urgency high until the kadmin4 fix gets into testing
  * Don't declare errno so glibc will be happy; applying upstream as well,
    Closes :#168528
  * Remove pidfile argument from start-stop-daemon call for restarting
    krb5kdc  so it actually works, Closes: #174881

 -- Sam Hartman <hartmans@debian.org>  Sun,  5 Jan 2003 18:00:55 -0500

krb5 (1.2.6-2) unstable; urgency=high

  * Security fix for buffer overflow in kadmind4 (mitsa-2002-2)
  * If bison is too good for yacc compatibility then we're to good for
    bison,  Closes: #165655
  * Include readme.debian if we're going to reference it, Closes: #166399
  * Fix readme.debian comments to be correct

 -- Sam Hartman <hartmans@debian.org>  Sat, 26 Oct 2002 17:18:41 -0400

krb5 (1.2.6-1) unstable; urgency=low

  * New upstream version
  * Important: upstream has introduced a new way of handling AFS tickets
    within krb524d; long-term this may allow the use of ticket keys other
    than DES with AFS, but short-term this will break AFS because OpenAFS
    has not yet released servers that support the new mechanism.  If you
    run AFS servers and don't want them to break, please look at README.debian
  * This includes a fix for 162794 as that is now in the upstream
  * For now, libkrb5-dev is going to be priority extra.  If anyone
    complains I'll attempt to fight the comerr-dev dependency battle;
    honestly I think comerr-dev is common enough and on enough systems
    that it rates optional but the maintainer does not, Closes: #145165
  * Fix restart to restart krb524d, Closes: #162477


 -- Sam Hartman <hartmans@debian.org>  Sun,  6 Oct 2002 16:40:44 -0400

krb5 (1.2.5-3) unstable; urgency=high

  * Try to fix diversion handling for real this time, Closes: #155514

 -- Sam Hartman <hartmans@debian.org>  Mon,  5 Aug 2002 13:40:53 -0400

krb5 (1.2.5-2) unstable; urgency=high

  * We are still installing a krb5.conf.template; don't as that is
    kerberos-configs's job. 
  * The MIT KDC was not sending etype info padata; this couldcreate a
    problem  if you require preauth and have unusual salts; patch from
    upstream CVS
    * Add readme to krb5-user, Closes: #152670
  * Fix typo in alternatives handling so man page symlinks are handled
    correctely, Closes: #152707
  * Include XDR encoding patch for krb5-sa-2002-01; same patch as the
    woody security update 

 -- Sam Hartman <hartmans@debian.org>  Sat,  3 Aug 2002 17:51:50 -0400

krb5 (1.2.5-1) unstable; urgency=low

  * New upstream version;  not really any patches that will actually
    affect Debian at all, as we pulled them into 1.2.4 packages from
    upstream CVS
  * Stop shipping patches that upstream has accepted and released
  * Update included upstream PGP signature
  * Fix diversion handling; it was fairly broken in 1.2.4.  All we divert
    now is rcp
  * Ftp should not be diverted, closes: #146171
  * Fix overly small fixed length buffer in kuserok, closes: #145106

 -- Sam Hartman <hartmans@debian.org>  Sun,  2 Jun 2002 19:22:39 -0400

krb5 (1.2.4-5) unstable; urgency=low

  * Pull up bugfix from 1.2.5 beta1  to src/lib/krb5/asn.1/asn1_get.c
  * This should be the last thing we need from 1.2.5; Debian has all the
    1.2.5 changes besides the API reorg.  I'm not checking an API reorg
    this close to woody release.

 -- Sam Hartman <hartmans@debian.org>  Fri, 12 Apr 2002 12:16:49 -0400

krb5 (1.2.4-4) unstable; urgency=low

  * Suggest rather than recommend krb5-user from libkrb53, closes: #140116
  * Fix null pointer dereference in krb5 library; pull patch from  1.2.5 beta1

 -- Sam Hartman <hartmans@debian.org>  Wed, 10 Apr 2002 14:19:49 -0400

krb5 (1.2.4-3) unstable; urgency=medium

  * Move from non-us to main

 -- Sam Hartman <hartmans@debian.org>  Sat, 16 Mar 2002 15:04:44 -0500

krb5 (1.2.4-2) unstable; urgency=low

  * Don't respect umask when writing out srvtabs; you always want them
    0600 and if you don't you can chmod later, closes: #135988
  * To work with Heimdal, accept encrypted creds in
    gss_accept_sec_context, closes: #135962
  * Fix kadmin ACL bug.  Targets (a cool but undocumented ACL feature)
    didn't work quite right.  They do now.

 -- Sam Hartman <hartmans@debian.org>  Sun,  3 Mar 2002 18:53:40 -0500

krb5 (1.2.4-1) unstable; urgency=low

  * Don't check address in krb5_rd_cred; upstream patch also applied to
    their CVS, closes: #132226
  * Patch from Ken Raeburn to improve over-the-wire errors from KDC,
    included because I happened to be testing it and it seemed to work
  * New upstream release

 -- Sam Hartman <hartmans@debian.org>  Fri,  1 Mar 2002 00:44:26 -0500

krb5 (1.2.3-2) unstable; urgency=low

  * We want to be able to use krb4 and libssl's libcrypto in the same
    program.  To do this, we make libkrb4 bind libdes425 -Bsymbolic and we
    allow krb_mk_priv and krb_rd_priv to take null schedule arguments.

 -- Sam Hartman <hartmans@debian.org>  Tue, 15 Jan 2002 12:17:40 -0500

krb5 (1.2.3-1) unstable; urgency=low

  * New upstream version, closes: #110932
  * Use alternatives for rsh, closes: #122710
  * Major version of libkadm5 bumped; we no longer conflict with heimdal there

 -- Sam hartman <hartmans@debian.org>  Thu, 10 Jan 2002 06:59:13 -0500

krb5 (1.2.2-8) unstable; urgency=low

  * Oops, call htons around port numbers in kprop patch
  * Register with doc-base, closes: #100463
  * Move krb5.conf and kdc.conf manpages into krb5-doc; krb5-doc now
    conflicts with heimdal-docs, closes: #121141

 -- Sam Hartman <hartmans@debian.org>  Sun, 25 Nov 2001 23:47:35 -0500

krb5 (1.2.2-7) unstable; urgency=low

      * Forward only tickets we believe the remote side knows the enctype
    of, closes: #99320 
  * Start krb5-kdc and krb5-admin-server before RPC services, thanks Hein
    Roehrig, closes: #88604
  * Install krb5.conf and kdc.conf man pages in krb5-user.  This is not
    ideal but installing them in krb5-config won't work as they are
    implementation dependent, closes: #109522
  * Install kprop manpage, thanks Steve   Langasek, closes: #120040
  * Fix FHS  paths with kprop; store files in /var/lib/krb5kdc, thanks
    again Steve, closes: #120050
  * Telnet help should open a connection to the host help not give you a
    usage message, thanks Graeme Mathieson <graeme@mathie.cx> for a patch
    which will be sent upstream, closes: #118730
  * Fix kprop handling of service name.  If we can't find what we are
    looking for in /etc/services default to the obvious correct answer;
    thanks Steve, will commit  upstream, closes: #120010

 -- Sam Hartman <hartmans@debian.org>  Sat, 24 Nov 2001 22:10:16 -0500

krb5 (1.2.2-6) unstable; urgency=high

  * Include telnetd security patch for ring buffer issue from upstream
  * Conflict with the right Heimdal libs, closes: #103872

 -- Sam Hartman <hartmans@debian.org>  Wed,  1 Aug 2001 15:19:43 -0400

krb5 (1.2.2-5) unstable; urgency=low

  * Use krb5-config; remove our own krb5.conf handling..  Note this is the
    krb5-config package for /etc/krb5.conf, not the krb5-config library
    helper command. 
  * 
  * Conflict with kerberos4kth-services, closes: #93303
  * Update config.guess and config.sub, closes: #97585
  * Have telnetd depend on krb5-rsh-server.  I suspect this will make
    people grumpy and we need a better fix.  Really, Kerberized rlogin is
    better than telnetd from a security standpoint, so I'm OK with it for
    now.  Closes: #96695

 -- Sam Hartman <hartmans@debian.org>  Wed, 16 May 2001 17:44:47 -0400

krb5 (1.2.2-4) unstable; urgency=low

  * Fix shared libraries to build with gcc not ld to properly include
    -lgcc symbols, closes: #94407 

 -- Sam Hartman <hartmans@debian.org>  Fri, 20 Apr 2001 02:47:21 -0400

krb5 (1.2.2-3) unstable; urgency=high

  * Fix vulnerability with glob call.  CERT claims that Linux is not
    vulnerable, but I believe the krb5 implementation is.  The result of
    glob was copied  into a fixed-sized buffer.  This fixes that
    closes: #93689 
  * Provide ftp-server not ftpd, closes: #93531
  * Do not link kadm5clnt against kdb5.  

 -- Sam Hartman <hartmans@debian.org>  Wed, 11 Apr 2001 19:50:17 -0400

krb5 (1.2.2-2) unstable; urgency=low

  * Work to provide an alternative for telnet and to be a telnet-client,
    closes: 87914 
    * libkrb5-dev depends on comerr-dev, closes: #87489
  * Make clean target remove configure-stamp

 -- Sam Hartman <hartmans@debian.org>  Mon,  5 Mar 2001 08:25:17 -0500

krb5 (1.2.2-1) unstable; urgency=low

  * New Upstream version, Closes: #82546
  * Depend on debconf, closes: #87490
  * Fix debconf formatting issue, closes: #84447
  * Create sample ACL file, closes: #84448
  * Fix lintian warnings and override as appropriate
  * Upgrade to policy 3.5 moving stuff out of examples.

 -- Sam Hartman <hartmans@debian.org>  Fri,  2 Mar 2001 11:32:06 -0500

krb5 (1.2.1-9) unstable; urgency=low

  * Do not use TIOCGLTC anywhere
  * Build without TCL, closes: #81977
  * Fix krb5-admin-server restart, closes: #81070
  * With the new dpkg-source, files get diffed in the wrong order  for us
    to prevent autoconf from getting run just by mangling things and
    making sure we change every configure script.  So, touch every
    configure script  in debian/rules.

 -- Sam Hartman <hartmans@debian.org>  Sat, 13 Jan 2001 19:27:37 -0500

krb5 (1.2.1-8) unstable; urgency=low

  * Use separate build directory because the source tree supports it and
    it works around failures in the upstream clean target, closes: #78954
  * Make sure we modify all the configure scripts since we modify
    aclocal.m4 so that time stamps don't cause autoconf to be run.
  * Add bison and debhelper as build-depends, closes: #79643
  * New maintainer address

 -- Sam Hartman <hartmans@debian.org>  Sat, 23 Dec 2000 16:20:24 -0500

krb5 (1.2.1-7) unstable; urgency=low

  * Do not conflict with libss.a
  * Upload to Debian(Closes: BUG#78499)

 -- Sam Hartman <hartmans@mit.edu>  Mon,  4 Dec 2000 04:15:50 -0500

krb5 (1.2.1-6) unstable; urgency=low

  * Fix kpasswd manpage.
  * Split out libkadm5 to avoid Heimdal conflict

  * Conflict with kerberos4kth.
  * Remove runpaths from libs and executables.

 -- Sam Hartman <hartmans@mit.edu>  Wed, 29 Nov 2000 12:18:22 -0500

krb5 (1.2.1-5) unstable; urgency=low

  * If libkrb53 was preconfigured, then krb5.conf could overide explicit
    user input.

 -- Sam Hartman <hartmans@mit.edu>  Sat, 25 Nov 2000 17:01:26 -0500

krb5 (1.2.1-4) unstable; urgency=low

  * Write init.d scripts for kdc and admin server.
  * Ask what admin programs to run and what krb4 mode to use.
  * Populate initial kdc.conf if needed.
  * New script (krb5_newrealm) to set up a Kerberos realm
  * Document KDC issues.
  * Make libkrb53.config work again so libkrb53 installs

 -- Sam Hartman <hartmans@mit.edu>  Sat, 18 Nov 2000 17:22:16 -0500

krb5 (1.2.1-3) unstable; urgency=low

  * Add KDC packages
  * Install login.krb5  Sadly, it is needed to make forwarded credentials
    work.  This is unfortunate; it is not a  good login program. 

 -- Sam Hartman <hartmans@mit.edu>  Wed,  8 Nov 2000 16:10:13 -0500

krb5 (1.2.1-2) unstable; urgency=low

  * Add copyright and README.debian
  * Ship kadmin in krb5-user.
  * Add services to inetd.conf
  * Add support for generating krb5.conf

 -- Sam Hartman <hartmans@mit.edu>  Thu,  2 Nov 2000 17:29:59 -0500

krb5 (1.2.1-1) unstable; urgency=low

  * Initial Release.

 -- Sam Hartman <hartmans@permabit.com>  Thu, 19 Oct 2000 16:05:06 -0400