Debian Patches
Status for krb5/1.22.1-3
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 0011-Allow-kpropd-to-bind-even-if-only-loopback-is-config.patch | Allow kpropd to bind even if only loopback is configured. In src/kprop/kpropd.c get_wildcard_address, call getaddrinfo without AI_ADDRCONFIG if both the v6 and v4 calls to getaddrinfo fail with AI_ADDRCONFIG. This generally means that only the loopback interface is configured. This change allows the testsuite to succeed in a container isolated to prohibit network connectivity. | Sam Hartman <hartmans@debian.org> | no | | | 2024-06-14 |
| 0012-Skip-keyring-tests-if-keyring-blocked-by-seccomp.patch | Skip keyring tests if keyring blocked by seccomp. Skip keyring tests if we cannot successfully add a key because add_key returns ENOSYS, presumably because it is blocked by seccomp policy in a container environment. * Move keyring support detection code duplicated between t_cccol.py and t_ccache.py to k5test.py. * Expand that code to call keyctl and confirm it works to add a key. | Sam Hartman <hartmans@debian.org> | no | | | 2024-06-14 |
| debian-local/0001-Debian-HURD-compatibility.patch | Debian: HURD compatibility. HURD has no MAXPATHLEN or MAXHOSTNAMELEN. Thanks to Pino Toscano for making the patch more robust. | Sam Hartman <hartmans@debian.org> | no | | | 2011-12-26 |
| debian-local/0002-debian-Handle-multi-arch-paths-in-krb5-config.patch | debian: Handle multi-arch paths in krb5-config. We cannot use @libdir@ because that will include the multi-arch prefix in the built krb5-config, but we want krb5-config to be identical on all arches so that krb5-multidev can be multi-arch: same. So, instead, figure out our multi-arch triple by calling CC directly. Based on an approach suggested by Hugh McMaster. Also include --deps in the usage output, since it is a valid argument. | Sam Hartman <hartmans@debian.org> | no | | | 2011-12-26 |
| debian-local/0003-debian-osconf.hin-path-changes.patch | debian: osconf.hin path changes | Sam Hartman <hartmans@debian.org> | no | | | 2011-12-26 |
| debian-local/0004-debian-install-ldap-library-in-subdirectory.patch | debian: install ldap library in subdirectory. Debian received a request to install the internal ldap library not in the main lib directory. We are changing SHLIB_DIRS from the default that upstream sets in the makefile includes; assign unconditionally the full value. | Sam Hartman <hartmans@debian.org> | no | | | 2011-12-26 |
| debian-local/0005-gssapi-never-unload-mechanisms.patch | gssapi: never unload mechanisms. It turns out that many GSSAPI mechanisms link to the main gss-api library, creating a circular reference. Depending on how the linker breaks the cycle at process exit time, the linker may unload the GSS library after unloading the mechanisms. The explicit dlclose from the GSS library tends to cause a libdl assertion failure at that point. So, never unload plugins. They are refcounted, so dlopen handles will not leak, although obviously the memory from the plugin is never reclaimed. | Benjamin Kaduk <kaduk@mit.edu> | no | | | 2013-03-29 |
| debian-local/0006-Add-substpdf-target.patch | Add substpdf target. Akin to substhtml, so that we can build PDF documents without overwriting the upstream-provided versions and causing debian/rules clean to not return to the original state. | Ben Kaduk <kaduk@mit.edu> | no | | | 2013-03-29 |
| debian-local/0007-Fix-pkg-config-library-include-paths.patch | Fix pkg-config library/include paths. Include library and include flags in pkg-config files, so they work when the symlinks provided by libkrb5-dev are not installed. | Jelmer Vernooij <jelmer@debian.org> | no | | | 2014-08-27 |
| debian-local/0008-Use-isystem-for-include-paths.patch | Use -isystem for include paths. This is necessary so Kerberos header files are classified as "system headers" by the compiler, and thus not subject to the same strict warnings as other headers (which breaks compilation if -Werror is specified). This fixes the build of folks using -Werror and including Kerberos headers when the latter are installed in a non-standard location (e.g. /usr/include/tuple/mit-krb5, as Debian is doing). (cherry picked from commit d8520c1d1c218e3c766009abc728b207c0421232) | Jelmer Vernooij <jelmer@debian.org> | no | debian | | 2014-09-03 |
| 0009-Add-.gitignore.patch | Add .gitignore | Sam Hartman <hartmans@debian.org> | no | | | 2019-07-08 |
| 0013-Fix-two-NegoEx-parsing-vulnerabilities.patch | Fix two NegoEx parsing vulnerabilities. In parse_nego_message(), check the result of the second call to vector_base() before dereferencing it. In parse_message(), check for a short header_len to prevent an integer underflow when calculating the remaining message length. Reported by Cem Onat Karagun. CVE-2026-40355: In MIT krb5 release 1.18 and later, if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech, an unauthenticated remote attacker can trigger a null pointer dereference, causing the process to terminate. CVE-2026-40356: In MIT krb5 release 1.18 and later, if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech, an unauthenticated remote attacker can trigger a read overrun of up to 52 bytes, possibly causing the process to terminate. Exfiltration of the bytes read does not appear possible. target_version: 1.22-next | Greg Hudson <ghudson@mit.edu> | no | debian | https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f | 2026-04-08 |
| 0013-Fix-strchr-conformance-to-C23.patch | Fix strchr() conformance to C23. C23 7.28.5.1 specifies search functions such as strchr() as generic, returning const char * if the first argument is of type const char *. Fix uses of strchr() to conform to this change. [jrische@redhat.com: altered changes to avoid casts; fixed an additional case] [ghudson@mit.edu: condensed some declarations; rewrote commit message] (cherry picked from commit ad4dcf1856dadc4b352b5c8ff08e51c7290fb41f) | Alexander Bokovoy <abokovoy@redhat.com> | no | | | 2025-12-10 |
| 0014-Improve-future-OpenSSL-compatibility.patch | Improve future OpenSSL compatibility. Avoid calling deprecated OpenSSL functions when compiling against versions of OpenSSL where they are deprecated. Add -DOPENSSL_NO_DEPRECATED to the linux-clang-openssl CI build to help detect calls to deprecated functions in the future. Use const pointer variables to hold values retrieved by accessors which will return const pointers in OpenSSL 4.0. Define macros to make certain functions accept these const pointers in versions of OpenSSL where they don't already do so. Use accessor functions instead of direct field access for ASN1_STRING values, as the type will become opaque in OpenSSL 4.0. The PKINIT code is written to assume that DHX support was not present until OpenSSL 1.1, but it was added in release 1.0.2, causing a compilation error against 1.0.2 from a double definition of EVP_PKEY_DHX. Minimally fix the compilation error. (The custom DHX marshalling code to support 1.0.x could be removed, as 1.0.2 is the minimum version after commit f5bbfa4821cf590a4748f96d0e016bc0485e95c4, but the plan is to remove 1.0.x compatibility shortly.) Contains work by Frederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk> and Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>. [ghudson@mit.edu: combined numerous commits; added compatibility macros; rewrote commit message; fixed 1.0.2 compatibility issue] (cherry picked from commit 5e4e8452328804948d042235bbf58ca457795857) | Bob Beck <beck@openssl.org> | no | | | 2026-02-16 |
| 0015-Use-X509_check_host-to-verify-KKDCP-server-cert.patch | Use X509_check_host() to verify KKDCP server cert. In the k5tls module, rely on X509_check_host() and X509_check_ip_asc(), which were added in OpenSSL 1.0.2, instead of doing our own verification. There is one notable difference in behavior: X509_check_host() admits wildcards with a prefix or suffix (but not both) within the label, like "kdc*.mydomain.com". The old code only allows a wildcard to match a complete label. (cherry picked from commit f5bbfa4821cf590a4748f96d0e016bc0485e95c4) | Greg Hudson <ghudson@mit.edu> | no | | | 2026-02-25 |
| 0016-PATCH-Prevent-read-overrun-in-libkdb_lda.patch | Prevent read overrun in libkdb_ldap. In berval2tl_data(), reject inputs of length less than 2 to prevent an integer underflow and subsequent read overrun. (The security impact is negligible as the attacker would have to control the KDB LDAP server.) | Sebastián Alba <sebasjosue84@gmail.com> | no | | https://github.com/krb5/krb5/commit/2a5fd83d4436583f2ddc0e193269a4d800ee45c4 | 2026-04-08 |
All known versions for source package 'krb5'
- 1.22.1-3 (sid)
- 1.22.1-2.1 (forky)
- 1.21.3-5+deb13u1 (trixie-security, trixie-proposed-updates)
- 1.21.3-5 (trixie)
- 1.20.1-2+deb12u5 (bookworm-proposed-updates, bookworm-security)
- 1.20.1-2+deb12u4 (bookworm)
