From: Tom Yu
Date: Wed, 18 Feb 2015 21:23:49 +0000 (-0500)
Subject: Updates for krb5-1.12.3
X-Git-Tag: krb5-1.12.3-final
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a956edbc87735c8c8f6df2dbddd1c0f75020e2a5;p=thirdparty%2Fkrb5.git
Updates for krb5-1.12.3
---
diff --git a/README b/README
index b9eff7172f..a8a8f07d78 100644
--- a/README
+++ b/README
@@ -6,7 +6,7 @@ Copyright and Other Notices
 ---------------------------
-Copyright (C) 1985-2014 by the Massachusetts Institute of Technology
+Copyright (C) 1985-2015 by the Massachusetts Institute of Technology
 and its contributors. All rights reserved. Please see the file named NOTICE for additional notices.
@@ -73,6 +73,49 @@ from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which defaults to "false" beginning with krb5-1.8.
+Major changes in 1.12.3 (2015-02-18)
+------------------------------------
+
+This is a bugfix release. The krb5-1.12 release series is in
+maintenance, and for new deployments, installers should prefer the
+krb5-1.13 release series or later.
+
+* Fix multiple vulnerabilities in the LDAP KDC back end.
+ [CVE-2014-5354] [CVE-2014-5353]
+
+* Fix multiple kadmind vulnerabilities, some of which are based in the
+ gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
+ CVE-2014-9422 CVE-2014-9423]
+
+krb5-1.12.3 changes by ticket ID
+--------------------------------
+
+8012 gssapi.dll tries to get initial creds even when some are
+ present
+8013 gssapi.dll fails to detect TGTs in the MSLSA cache when UAC is
+ enabled
+8036 Remove rtm_type_name()
+8064 Add missing salt from enctype in t_kdb.py test
+8067 Fix gss_process_context_token() [CVE-2014-5352]
+8068 Fix kadm5/gssrpc XDR double free [CVE-2014-9421]
+8069 Fix kadmind server validation [CVE-2014-9422]
+8070 Fix gssrpc data leakage [CVE-2014-9423]
+8125 Do not loop on principal unknown errors
+8126 Export function gss_add_cred_with_password
+8127 Check for null *iter_p in profile_iterator()
+8128 Fix OTP tests with pyrad 2.x
+8129 Use gssalloc_malloc for GSS error tokens
+8130 Fix typo in doc for krb5_get_init_creds_keytab()
+8131 Parse "ktadd -norandkey" in remote kadmin client
+8132 Report output ccache errors getting initial creds
+8133 Fix cursor leak in krb5_verify_init_creds
+8134 Remove length limit on PKINIT PKCS#12 prompt
+8135 Fix input race condition in t_skew.py
+8136 Update example enctypes in kdc_conf.rst
+8137 Fix LDAP misused policy name crash [CVE-2014-5353]
+8138 kadmind with ldap backend crashes when putting keyless entries
+ [CVE-2014-5354]
+
 Major changes in 1.12.2 (2014-08-11)
 ------------------------------------
diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index f8307b5205..b54e3f8958 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "K5IDENTITY" "5" " " "1.12.2" "MIT Kerberos"
+.TH "K5IDENTITY" "5" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 k5identity \- Kerberos V5 client principal selection rules
 .
diff --git a/src/man/k5login.man b/src/man/k5login.man
index cb0122cce4..ebb491f9c5 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "K5LOGIN" "5" " " "1.12.2" "MIT Kerberos"
+.TH "K5LOGIN" "5" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 k5login \- Kerberos V5 acl file for host access
 .
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index f11bd62334..278b9b679a 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "K5SRVUTIL" "1" " " "1.12.2" "MIT Kerberos"
+.TH "K5SRVUTIL" "1" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 k5srvutil \- host key table (keytab) manipulation utility
 .
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index 6e6a041fa5..ad8624724e 100644
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KADM5.ACL" "5" " " "1.12.2" "MIT Kerberos"
+.TH "KADM5.ACL" "5" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 kadm5.acl \- Kerberos ACL file
 .
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index d1b04dabf6..b86eeebab0 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KADMIN" "1" " " "1.12.2" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 kadmin \- Kerberos V5 database administration program
 .
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index 78106eba40..b7a08d0e5f 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KADMIND" "8" " " "1.12.2" "MIT Kerberos"
+.TH "KADMIND" "8" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 kadmind \- KADM5 administration server
 .
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index e125c13a4a..c82a7eee7c 100644
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDB5_LDAP_UTIL" "8" " " "1.12.2" "MIT Kerberos"
+.TH "KDB5_LDAP_UTIL" "8" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 kdb5_ldap_util \- Kerberos configuration utility
 .
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 3067fbdb59..d58d106807 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDB5_UTIL" "8" " " "1.12.2" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 kdb5_util \- Kerberos database maintenance utility
 .
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 3aafac2ce5..7d76379fdc 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDC.CONF" "5" " " "1.12.2" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 kdc.conf \- Kerberos V5 KDC configuration file
 .
diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index 3bb6618244..849eec3802 100644
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDESTROY" "1" " " "1.12.2" "MIT Kerberos"
+.TH "KDESTROY" "1" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 kdestroy \- destroy Kerberos tickets
 .
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 811c63b437..fd60fe40f0 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KINIT" "1" " " "1.12.2" "MIT Kerberos"
+.TH "KINIT" "1" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 kinit \- obtain and cache Kerberos ticket-granting ticket
 .
diff --git a/src/man/klist.man b/src/man/klist.man
index b903f464ed..ce1241454b 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KLIST" "1" " " "1.12.2" "MIT Kerberos"
+.TH "KLIST" "1" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 klist \- list cached Kerberos tickets
 .
diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index 5f49711e90..d709d65ae1 100644
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KPASSWD" "1" " " "1.12.2" "MIT Kerberos"
+.TH "KPASSWD" "1" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 kpasswd \- change a user's Kerberos password
 .
diff --git a/src/man/kprop.man b/src/man/kprop.man
index 6ae646e4d7..0a18bc7c5a 100644
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KPROP" "8" " " "1.12.2" "MIT Kerberos"
+.TH "KPROP" "8" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 kprop \- propagate a Kerberos V5 principal database to a slave server
 .
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index 84508997bb..3cd82056d2 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KPROPD" "8" " " "1.12.2" "MIT Kerberos"
+.TH "KPROPD" "8" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 kpropd \- Kerberos V5 slave KDC update server
 .
diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index 1fd8a7e1c6..ae76b7d84b 100644
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KPROPLOG" "8" " " "1.12.2" "MIT Kerberos"
+.TH "KPROPLOG" "8" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 kproplog \- display the contents of the Kerberos principal update log
 .
diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man
index 42ef45bc3a..ada913b113 100644
--- a/src/man/krb5-config.man
+++ b/src/man/krb5-config.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KRB5-CONFIG" "1" " " "1.12.2" "MIT Kerberos"
+.TH "KRB5-CONFIG" "1" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 krb5-config \- tool for linking against MIT Kerberos libraries
 .
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 109ac08e71..3d2d6b3d62 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KRB5.CONF" "5" " " "1.12.2" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 krb5.conf \- Kerberos configuration file
 .
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index ee9db45160..7dd0408cc4 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KRB5KDC" "8" " " "1.12.2" "MIT Kerberos"
+.TH "KRB5KDC" "8" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 krb5kdc \- Kerberos V5 KDC
 .
diff --git a/src/man/ksu.man b/src/man/ksu.man
index c5f014ca80..9784c6f1ca 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KSU" "1" " " "1.12.2" "MIT Kerberos"
+.TH "KSU" "1" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 ksu \- Kerberized super-user
 .
diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index a1dd96662a..b00beef8ee 100644
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KSWITCH" "1" " " "1.12.2" "MIT Kerberos"
+.TH "KSWITCH" "1" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 kswitch \- switch primary ticket cache
 .
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index a134e29164..a0025f97dd 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KTUTIL" "1" " " "1.12.2" "MIT Kerberos"
+.TH "KTUTIL" "1" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 ktutil \- Kerberos keytab file maintenance utility
 .
diff --git a/src/man/kvno.man b/src/man/kvno.man
index 6175f8facb..ab15df25d9 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KVNO" "1" " " "1.12.2" "MIT Kerberos"
+.TH "KVNO" "1" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 kvno \- print key version numbers of Kerberos principals
 .
diff --git a/src/man/sclient.man b/src/man/sclient.man
index 0402fc219b..f8177ed14b 100644
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "SCLIENT" "1" " " "1.12.2" "MIT Kerberos"
+.TH "SCLIENT" "1" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 sclient \- sample Kerberos version 5 client
 .
diff --git a/src/man/sserver.man b/src/man/sserver.man
index 993aeb0848..70efb13e11 100644
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "SSERVER" "8" " " "1.12.2" "MIT Kerberos"
+.TH "SSERVER" "8" " " "1.12.3" "MIT Kerberos"
 .SH NAME
 sserver \- sample Kerberos version 5 server
 .
diff --git a/src/patchlevel.h b/src/patchlevel.h
index f0986211da..317b98e7c1 100644
--- a/src/patchlevel.h
+++ b/src/patchlevel.h
@@ -51,7 +51,7 @@
 */
 #define KRB5_MAJOR_RELEASE 1
 #define KRB5_MINOR_RELEASE 12
-#define KRB5_PATCHLEVEL 2
-#define KRB5_RELTAIL "postrelease"
+#define KRB5_PATCHLEVEL 3
+/* #undef KRB5_RELTAIL */
 /* #undef KRB5_RELDATE */
-#define KRB5_RELTAG "krb5-1.12"
+#define KRB5_RELTAG "krb5-1.12.3-final"
diff --git a/src/po/mit-krb5.pot b/src/po/mit-krb5.pot
index 4309491f86..c95091b9c7 100644
--- a/src/po/mit-krb5.pot
+++ b/src/po/mit-krb5.pot
@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: mit-krb5 1.12.2-postrelease\n"
+"Project-Id-Version: mit-krb5 1.12.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2015-02-17 16:20-0500\n"
+"POT-Creation-Date: 2015-02-18 16:25-0500\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME \n"
 "Language-Team: LANGUAGE \n"