
Getting the right version of krb5 into lenny




Hi.  krb5 1.6.dfsg.4~beta1-2 is currently in unstable and is on its
way towards migrating into testing.  If I understand the freeze timing
correctly, it should make it before the library freeze.  I think
that's good: it includes a number of useful fixes that Debian users
have been complaining about.  Upstream says that while it is a beta,
it's strictly better than 1.6.3.  I agree with them.

However since uploading 1.6.dfsg.4~beta1-2 I've found a fix to the
only important bug against the package.  If I make another low-urgency
upload to unstable, I think I risk missing the freeze.  I think
getting this fix in to lenny would be nice but if I had to choose
between what is in unstable now and what is in testing now, I'd choose
unstable.

What should I do?  Accept that the change won't make it into lenny?
Make an urgency medium/high upload (which one?) to unstable?  Make an
urgency low upload and ask for a freeze exception (when? now or after
the current unstable migrates)?

Attached please find the change.  As you can see it is relatively well
contained and has been shipping in Red Hat for a while.

commit bcd2a96754872357b8b115da5bb74cf4c535b3b5
Merge: 56e4446... 7340169...
Author: Sam Hartman <hartmans@debian.org>
Date:   Fri Jun 20 16:40:45 2008 -0400

    Merge branch 'master' of ssh://git.alioth.debian.org/git/pkg-k5-afs/debian-krb5

commit 56e4446a98582d4269936fa04d55641f74673eeb
Author: Sam Hartman <hartmans@debian.org>
Date:   Fri Jun 20 16:24:21 2008 -0400

    Document upstream_ldap_nosalt_5545 changes

diff --git a/debian/changelog b/debian/changelog
index bb24ec8..e59f5dc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+krb5 (1.6.dfsg.4~beta1-3) unstable; urgency=low
+
+  * Set length to 0 on no-salt ldap keys so they do not crash; uupstream ticket 5545, Closes: #480523
+
+ -- Sam Hartman <hartmans@debian.org>  Fri, 20 Jun 2008 16:22:55 -0400
+
 krb5 (1.6.dfsg.4~beta1-2) unstable; urgency=low
 
   [ Russ Allbery ]
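
Review bot: The added changelog line misspells "upstream" as "uupstream", and it runs well past 80 columns, so it will trigger the same lintian long-line warning that commit 7340169 cleans up for the 1.6.dfsg.4~beta1-2 entries. Suggest correcting the word and wrapping the entry, with "ticket 5545, Closes: #480523" on an indented continuation line.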

commit 83972fc5467eb29d6ade2794e472243ace436c44
Merge: 4d70d6e... a5626ab...
Author: Sam Hartman <hartmans@mit.edu>
Date:   Fri Jun 20 16:20:34 2008 -0400

    Merge branch 'upstream_ldap_nosalt_5545'

commit a5626abb30808ee2a3f1485a6ba3ea0a7ee1a9f8
Author: raeburn <raeburn@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Fri Jul 27 04:37:50 2007 +0000

    ticket: 5545
    
    If no salt is included with the key data, set the salt length field to 0.
    Bug report and patch from Nalin Dahyabhai.
    
    git-svn-id: svn://anonsvn.mit.edu/svn/krb5/trunk@19733 dc483132-0cff-0310-8789-dd5450dbe970
    (cherry picked from commit 04f5c0669cd652832f49d27a33376cd8840bb7f7)

diff --git a/src/lib/krb5/asn.1/ldap_key_seq.c b/src/lib/krb5/asn.1/ldap_key_seq.c
index 1fe9a54..b910e72 100644
--- a/src/lib/krb5/asn.1/ldap_key_seq.c
+++ b/src/lib/krb5/asn.1/ldap_key_seq.c
@@ -341,7 +341,8 @@ static asn1_error_code asn1_decode_key(asn1buf *buf, krb5_key_data *key)
 	if (asn1buf_remains(&slt, 0) != 0) { /* Salt value is optional */
 	    ret = decode_tagged_octetstring (&slt, 1, &keylen,
 		    &key->key_data_contents[1]); checkerr;
-	}
+	} else
+	    keylen = 0;
 	safe_syncbuf (&subbuf, &slt);
 	key->key_data_length[1] = keylen; /* XXX range check?? */
 
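
Review bot: The new else branch resets keylen but leaves key->key_data_contents[1] untouched, so on the no-salt path the salt length becomes 0 while the salt pointer keeps whatever value it had before this block; please confirm it is NULL there, or set it explicitly next to "keylen = 0;" so length and pointer always agree. The context line "key->key_data_length[1] = keylen; /* XXX range check?? */" still stores the decoded length unchecked when a salt is present, which the XXX already flags and which deserves a follow-up. As a style point, a braced if followed by an unbraced else is easy to misread; bracing both arms would be clearer.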

commit 73401690910a14ea8239c880a35a68ecf2360348
Author: Sam Hartman <hartmans@debian.org>
Date:   Mon Jun 16 10:18:00 2008 -0400

    Fix lintian warnings about long changelog lines

diff --git a/debian/changelog b/debian/changelog
index bb24ec8..3b14058 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,10 +15,15 @@ krb5 (1.6.dfsg.4~beta1-2) unstable; urgency=low
   * Patch from  Bryan Kadzban  to look inside spnego union_creds when
     looking for a specific mechanism cred.  This allows spnego creds to be
     used when copying out to a ccache after delegation, Closes: #480434
-  * Ksu now calls krb5_verify_init_creds rather than using its own custom logic because that is correct and so it can take advantage of the following change.
-  * krb5_verify_init_creds uses the default realm if it gets a referral
-    realm as input for server, Closes: #435427 
-  * Add -D_FORTIFY_SOURCE=2 and -fstack-protector on ia32 and x86_64 at the request of  Moritz Muehlenhoff ; he was unsure that adding these flags on other platforms would be a good idea.  I'd be happy to expand the list at the request of port maintainers, Closes: #484371
+  * Ksu now calls krb5_verify_init_creds rather than using its own custom
+    logic because that is correct and so it can take advantage of the
+    following change. 
+    * krb5_verify_init_creds uses the default realm if it gets a referral
+    realm as input for server, Closes: #435427  
+  * Add -D_FORTIFY_SOURCE=2 and -fstack-protector on ia32 and x86_64 at
+    the request of  Moritz Muehlenhoff ; he was unsure that adding these
+    flags on other platforms would be a good idea.  I'd be happy to expand
+    the list at the request of port maintainers, Closes: #484371 
   * Fix KDC purge code introduced in previous revision.
 
  -- Sam Hartman <hartmans@debian.org>  Mon, 16 Jun 2008 09:29:00 -0400
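
Review bot: The rewrap changes more than line length: the "krb5_verify_init_creds uses the default realm" entry is now indented four spaces ("    * krb5_verify_init_creds ..."), so it reads as a sub-item of the Ksu entry, and its continuation line no longer lines up with the bullet text. Three of the added lines also end in trailing whitespace (after "following change.", "#435427" and "#484371"). Keep that bullet at the two-space indent used by the neighbouring entries, indent its continuation to match, and strip the trailing spaces.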

