path: root/security/heimdal/files
Commit message | Author | Age | Files | Lines
* security/heimdal: Fix uninitialized pointer dereference | Cy Schubert | 2024-03-14 | 1 | -2/+29
| krb5_ret_principal() returns a non-zero return code when a garbage
| principal is passed to it. Unfortunately ret_principal_ent() does not
| check the return code, with garbage pointing to what would have been
| the principal. This results in a segfault when free() is called.
| PR: 267944, 267972
| Reported by: Robert Morris <rtm@lcs.mit.edu>
| MFH: 2024Q1
* security/heimdal*: Handle other types of garbage data | Cy Schubert | 2022-11-24 | 1 | -2/+30
| In addition to garbage realm data, also handle garbage dbname, acl_file,
| stash_file, and invalid bitmask garbage data.
| PR: 267912
| Reported by: Robert Morris <rtm@lcs.mit.edu>
| MFH: 2022Q4
* security/heimdal*: Fix NULL dereference when mangled realm message | Cy Schubert | 2022-11-24 | 2 | -0/+29
| Fix a NULL dereference in _kadm5_s_init_context() when the client
| sends a mangled realm message.
| PR: 267912
| Reported by: Robert Morris <rtm@lcs.mit.edu>
| MFH: 2022Q4
* security/heimdal*: The version string must always contain a terminating NUL | Cy Schubert | 2022-11-24 | 1 | -0/+42
| Should the sender send a string without a terminating NUL, ensure that
| the NUL terminates the string regardless.
| And while at it only process the version string when bytes are returned.
| PR: 267884
| Reported by: Robert Morris <rtm@lcs.mit.edu>
| MFH: 2022Q4
* security/heimdal*: Remove LLVM_DEFAULT build prerequisite | Cy Schubert | 2022-11-24 | 2 | -18/+36
| Adjust ./configure to set the correct CLANG_FORMAT value when
| clang-format is not found (when none of the llvm ports are installed).
| PR: 267814
| Submitted by: Tatsuki Makino <tatsuki_makino@hotmail.com>
| MFH: 2022Q4
* security/heimdal: Update to 7.8.0 | Cy Schubert | 2022-11-15 | 1 | -11/+0
| This upgrade fixes multiple security vulnerabilities.
|
| The following issues are patched:
|
| - CVE-2022-42898 PAC parse integer overflows
| - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
| - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
| - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
|
| Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0 on
| the Common Vulnerability Scoring System (CVSS) v3, as we believe it
| should be possible to get an RCE on a KDC, which means that credentials
| can be compromised that can be used to impersonate anyone in a realm or
| forest of realms.
|
| Heimdal's ASN.1 compiler generates code that allows specially crafted
| DER encodings of CHOICEs to invoke the wrong free function on the
| decoded structure upon decode error. This is known to impact the
| Heimdal KDC, leading to an invalid free() of an address partly or
| wholly under the control of the attacker, in turn leading to a
| potential remote code execution (RCE) vulnerability.
|
| This error affects the DER codec for all extensible CHOICE types used
| in Heimdal, though not all cases will be exploitable. We have not
| completed a thorough analysis of all the Heimdal components affected,
| thus the Kerberos client, the X.509 library, and other parts, may be
| affected as well.
|
| This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
| only affect Heimdal 1.6 and up. It was first reported by Douglas
| Bagnall, though it had been found independently by the Heimdal
| maintainers via fuzzing a few weeks earlier.
|
| While no zero-day exploit is known, such an exploit will likely be
| available soon after public disclosure.
|
| - CVE-2019-14870: Validate client attributes in protocol-transition
| - CVE-2019-14870: Apply forwardable policy in protocol-transition
| - CVE-2019-14870: Always lookup impersonate client in DB
|
| Reported by: so (philip)
| Approved by: so (philip)
| MFH: 2022Q4
| Security: Many, see above
| Sponsored by: so (philip)
* all: Remove all other $FreeBSD keywords. | Mathieu Arnold | 2021-04-06 | 3 | -8/+0
|
* Regen patches. | Hiroki Sato | 2020-03-13 | 5 | -31/+31
| Notes: svn path=/head/; revision=528366
* Fix build breakage when PKINIT and/or KX509 disabled. | Hiroki Sato | 2020-03-13 | 6 | -16/+143
| PR: 244751
| Notes: svn path=/head/; revision=528365
* - Fix build when !BDB. | Hiroki Sato | 2020-02-23 | 15 | -62/+84
| - Regenerate patches.
| PR: 244282
| Notes: svn path=/head/; revision=526922
* Update to 7.7.0. | Hiroki Sato | 2020-02-19 | 1 | -10/+0
| Notes: svn path=/head/; revision=526484
* security/heimdal: Chase cracklib dictionary rename from r408137 | Tobias Kortkamp | 2018-10-11 | 1 | -1/+1
| PR: 213157
| Submitted by: Florian Riehm <mail@friehm.de>
| Approved by: 2 year bug anniversary
| Notes: svn path=/head/; revision=481805
* security/heimdal: Don't call arc4random_stir. | Xin LI | 2018-08-26 | 1 | -0/+10
| PR: 230835, 230756
| Approved by: portmgr (antoine)
| Notes: svn path=/head/; revision=478108
* Update to 7.3.0. | Hiroki Sato | 2017-06-10 | 24 | -223/+55
| Notes: svn path=/head/; revision=443115
* security/heimdal: Backport security fix | Mark Felder | 2017-06-09 | 1 | -0/+168
| PR: 219657
| MFH: 2017Q2
| Security: CVE-2017-6594
| Notes: svn path=/head/; revision=443016
* Fix build when !BDB and db5 is installed at the same time. | Hiroki Sato | 2017-01-11 | 1 | -12/+12
| The configure script picked up the db5 library though
| ac_cv_func_db_create=no.
| PR: 215772
| Notes: svn path=/head/; revision=431160
* - Fix krb5-config --libs to provide a list of libraries including | Hiroki Sato | 2017-01-04 | 2 | -9/+10
| dependency. This broke ports which depend on this utility.
| - Add LMDB option to support database/lmdb.
| Notes: svn path=/head/; revision=430529
* - Enable dbopen() in DB 1.85 even if !BDB because libhdb with | Hiroki Sato | 2017-01-03 | 20 | -20/+62
| no backend is very confusing.
| - Fix build when !BDB[*]
| PR: 215741 [*]
| Notes: svn path=/head/; revision=430517
* Update to 7.1.0. Changes include: | Hiroki Sato | 2017-01-03 | 30 | -283/+962
| - hcrypto is now thread safe on all platforms and as much as possible
|   hcrypto now uses the operating system's preferred crypto
|   implementation ensuring that optimized hardware assisted
|   implementations of AES-NI are used.
| - RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST).
| - Hierarchical capath support
| - iprop has been revamped to fix a number of race conditions that could
|   lead to inconsistent replication.
| - The KDC process now uses a multi-process model improving resiliency
|   and performance.
| - AES Encryption with HMAC-SHA2 for Kerberos 5
|   draft-ietf-kitten-aes-cts-hmac-sha2-11
| - Moved kadmin and ktutil to /usr/bin
| - Stricter fcache checks (see fcache_strict_checking krb5.conf setting)
| - Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh,
|   telnet, xnlock
| Notes: svn path=/head/; revision=430468
* - Fix Berkeley DB dependency. It now properly uses BDB_LIB specified in | Hiroki Sato | 2016-11-12 | 2 | -37/+38
| Mk/Uses/bdb.mk instead of db185 interfaces in libc. As a side-effect,
| this causes a compatibility issue between heimdal.db created by
| kadmin(8) in the base system or one by an older security/heimdal.
| See UPDATING about this issue.
| - Fix readline dependency and eliminate libheimedit.
| - Use -lpthread instead of -pthread.
| - Use FOO_CONFIGURE_WITH=foo instead of FOO_CONFIGURE_ON=--with-foo.
| Notes: svn path=/head/; revision=425994
* Do not let the configure script pick up Berkeley DB from ports. | Jung-uk Kim | 2016-11-09 | 1 | -8/+18
| Approved by: hrs (maintainer)
| Notes: svn path=/head/; revision=425814
* Add missing header files (com_err.h and com_right.h). | Hiroki Sato | 2016-11-02 | 1 | -9/+0
| Submitted by: Franco Fichtner
| PR: 213470
| Notes: svn path=/head/; revision=425129
* security/heimdal: Fix build when EGD is not available (e.g. LibreSSL) | John Marino | 2016-09-12 | 2 | -0/+29
| Approved by: SSL blanket
| Notes: svn path=/head/; revision=421928
* - Remove an orphaned directory [1]. | Hiroki Sato | 2015-03-04 | 1 | -0/+41
| - Fix USE_LDCONFIG [2].
| Spotted by: sunpoet [1] and bdrewery [2]
| Notes: svn path=/head/; revision=380434
* Fix krb5-config. | Hiroki Sato | 2014-11-24 | 1 | -0/+20
| Notes: svn path=/head/; revision=373361
* Add -rpath forgotten in the previous commit. | Hiroki Sato | 2014-11-24 | 1 | -2/+9
| Notes: svn path=/head/; revision=373189
* - Fix heimdal-gssapi.pc. | Hiroki Sato | 2014-11-24 | 1 | -0/+13
| - Add an UPDATING entry.
| PR: 195319
| Notes: svn path=/head/; revision=373188
* - Move headers and libraries into PREFIX/{include,lib}/heimdal. This | Hiroki Sato | 2014-11-22 | 2 | -6/+23
| prevents build breakage when a port depends on heimdal in base and
| some other libraries in LOCALBASE/lib such as OpenSSL from ports at
| the same time.
| - Always build libcom_err[*].
| PR: 194475 [*]
| Notes: svn path=/head/; revision=373047
* Add ipropd_master and ipropd_slave rc.d scripts for branches which do not | Hiroki Sato | 2014-09-16 | 2 | -0/+88
| have them.
| PR: 176805
| Notes: svn path=/head/; revision=368294
* Fix build with makeinfo version 5.2. | Hiroki Sato | 2014-09-14 | 2 | -0/+54
| Obtained from: https://github.com/heimdal/heimdal/commit/1846c7a35d1091d3b6140c 56b
| Notes: svn path=/head/; revision=368214
* Fix build on branches which do not have com_right_r() in libcom_err. | Hiroki Sato | 2014-08-30 | 2 | -0/+32
| Spotted by: ume
| Notes: svn path=/head/; revision=366650
* - Add LICENSE. | Hiroki Sato | 2014-08-30 | 4 | -61/+89
| - Build kcm by default.
| - Use gssapi.mk.
| - Use ${opt}_* variables instead of .if ${PORT_OPTIONS:Mopt} wherever
|   possible.
| - Use /var/heimdal as $hdbdir for compatibility with Heimdal in base.
| - Merge pkg-plist.* into pkg-plist.
| - Remove lines that are no longer valid.
| - Remove stale kdc.sh. rc.d scripts in base system work with this port.
| Notes: svn path=/head/; revision=366616
* security/heimdal: Establish consistency for seed data with base heimdal | John Marino | 2014-07-27 | 1 | -0/+11
| This patch enables heimdal port and heimdal base to be consistent
| [in byte order for seed data] and talk nicely to each other. Please
| refer to FreeBSD Errata Notice FreeBSD-EN-14:08.heimdal.
| This port is not unmaintained.
| PR: 191356
| Submitted by: dewayne (heuristicsystems.com.au)
| Notes: svn path=/head/; revision=363088
* security/heimdal: Mark not-jobs-safe and fix cracklib location | John Marino | 2014-06-10 | 1 | -0/+0
| While here:
| * Clean up options and PLIST_SUB with new option framework capabilities
| * Remove condition for FreeBSD 6 and earlier
|   - Remove never-fulfilled plist condition
|   - Move extra-patch to always-patch
| * minor cosmetic realignment
| PR: 181923
| Submitted by: dewayne
| Notes: svn path=/head/; revision=357393
* Fix heimdal. | Akinori MUSHA | 2014-04-08 | 3 | -0/+70
| - Resolve conflict with security/openssl regarding manual pages.
| - Add a couple of patches from the upstream.
| - Remove NO_STAGE and delete obsolete MLINKS while at it.
| PR: 177397
| Submitted by: Shane Ambler <FreeBSD@ShaneWare.Biz>
| Approved by: (MAINTAINER timeout)
| Notes: svn path=/head/; revision=350606
* Update to 1.5.2 | Wesley Shields | 2012-05-05 | 20 | -2087/+19
| PR: ports/166320
| Submitted by: Joerg Pulz <Joerg.Pulz@frm2.tum.de> (maintainer)
| Notes: svn path=/head/; revision=296061
* Add the 'gss_pname_to_uid' function to libgssapi. | Rene Ladan | 2010-11-14 | 6 | -0/+171
| This function is obtained from the FreeBSD base libgssapi code.
| With this function added to the port, it is possible to buildworld
| FreeBSD fully against the port.
| FYI: Patches for CURRENT and 8-STABLE src/ are here:
| ftp://ftp.frm2.tum.de/pub/jpulz/FreeBSD/patches/CURRENT_use_kerberos_port.patch
| ftp://ftp.frm2.tum.de/pub/jpulz/FreeBSD/patches/8-STABLE_use_kerberos_port.patch
| PR: ports/152030
| Submitted by: maintainer
| Notes: svn path=/head/; revision=264518
* Update to 1.4 | Wesley Shields | 2010-10-31 | 16 | -25/+1917
| PR: ports/151506
| Submitted by: Joerg Pulz <Joerg.Pulz@frm2.tum.de>
| Notes: svn path=/head/; revision=263841
* Use CMGROUP_MAX instead of NGROUPS and the argument to SOCKCREDSIZE(). | Brooks Davis | 2010-03-11 | 1 | -0/+14
| This is a NO-OP except on 8/9 where it is a bugfix.
| Notes: svn path=/head/; revision=250884
* Fix invalid malloc in LDAP backend. | Alexander Nedotsukov | 2009-09-02 | 1 | -0/+11
| PR: 128025
| Notes: svn path=/head/; revision=240690
* Re-add a file (for cracklib support) that was inadvertently removed with | Shaun Amott | 2007-10-29 | 1 | -0/+21
| the last update.
| PR: ports/117351 [1], ports/116864 [2]
| Submitted by: Koji Yokota <yokota@res.otaru-uc.ac.jp> [1],
|               Matthias Andree <matthias.andree@gmx.de> [2]
| Notes: svn path=/head/; revision=202289
* Upgrade to 1.0.1. | Shaun Amott | 2007-09-27 | 3 | -49/+0
| PR: ports/115589
| Submitted by: Rasmus Kaj <kaj@kth.se>
| Notes: svn path=/head/; revision=200150
* When using LDAP as a KDC back-end, allow users to override the | Shaun Amott | 2006-10-07 | 1 | -0/+11
| hard-coded LDAP socket path. By default, we will use the path where
| OpenLDAP usually puts its socket.
| PR: ports/72149
| Submitted by: Pawel Wieleba <wielebap@iem.pw.edu.pl>
| Notes: svn path=/head/; revision=174694
* Update 0.6 -> 0.6.1 | Jacques Vidrine | 2004-04-02 | 2 | -51/+0
| Use OPTIONS
| Use USE_OPENLDAP
| Notes: svn path=/head/; revision=105992
* Fix a double-free which prevented `ftpd' from functioning correctly. | Jacques Vidrine | 2003-12-17 | 1 | -0/+30
| Notes: svn path=/head/; revision=96091
* Update 0.5.1 -> 0.6. | Jacques Vidrine | 2003-08-19 | 3 | -35/+21
| Switch to using `INFO' while we are at it.
| Notes: svn path=/head/; revision=87321
* Fix build with OpenSSL 0.9.7+. | Jacques Vidrine | 2003-03-04 | 2 | -0/+35
| Notes: svn path=/head/; revision=76849
* Update 0.4e -> 0.5 | Jacques Vidrine | 2002-09-19 | 5 | -158/+9
| Notes: svn path=/head/; revision=66705
* Patch a heap overflow. See | Jacques Vidrine | 2002-05-03 | 1 | -0/+65
| <URL:http://online.securityfocus.com/archive/1/269356> and
| <URL:http://www.freeweb.hu/mantra/04_2002/KRB4.htm>.
| Obtained from: Heimdal repository
| Notes: svn path=/head/; revision=58497
* su: Don't use the result of getlogin() to determine whether we are the | Jacques Vidrine | 2001-10-31 | 1 | -0/+46
| superuser. Always use getuid() instead.
| Submitted by: Johan Danielsson <joda@pdc.kth.se>
| Notes: svn path=/head/; revision=49434