linux/meta-openembedded.git/meta-oe/recipes-connectivity/krb5, branch master

krb5: Fix build with autotools 2.73

2026-04-04T06:50:55+00:00

Signed-off-by: Khem Raj

krb5: backport additional fixes to build with glibc 2.43

2026-03-18T21:33:23+00:00

Building krb5 with glibc 2.43 fails due to ISO C23 changes to strchr() and related search functions. Backport the upstream fix that updates code to use correct pointer types and adjusts function signatures accordingly. Signed-off-by: Viswanath Kraleti Signed-off-by: Khem Raj

krb5: upgrade 1.21.3 -> 1.22.2

2026-01-31T08:13:44+00:00

Drop the patches that are included in this release. License-Update: copyright year bump Changelog: 1.22.2: Fix a SPNEGO packet parsing bug which could cause GSS mechanism negotiation failure. 1.22.1: Fix a vulnerability in GSS MIC verification [CVE-2025-57736] 1.22.0: User experience - The libdefaults configuration variable "request_timeout" can be set to limit the total timeout for KDC requests. When making a KDC request, the client will now wait indefinitely (or until the request timeout has elapsed) on a KDC which accepts a TCP connection, without contacting any additional KDCs. Clients will make fewer DNS queries in some configurations. - The realm configuration variable "sitename" can be set to cause the client to query site-specific DNS records when making KDC requests. Administrator experience - Principal aliases are supported in the DB2 and LMDB KDB modules and in the kadmin protocol. (The LDAP KDB module has supported aliases since release 1.7.) - UNIX domain sockets are supported for the Kerberos and kpasswd protocols. - systemd socket activation is supported for krb5kdc and kadmind. Developer experience - KDB modules can be be implemented in terms of other modules using the new krb5_db_load_module() function. - The profile library supports the modification of empty profiles and the copying of modified profiles, making it possible to construct an in-memory profile and pass it to krb5_init_context_profile(). - GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to gss_init_sec_context() to request strict enforcement of channel bindings by the acceptor. Protocol evolution - The PKINIT preauth module supports elliptic curve client certificates, ECDH key exchange, and the Microsoft paChecksum2 field. - The IAKERB implementation has been changed to comply with the most recent draft standard and to support realm discovery. - Message-Authenticator is supported in the RADIUS implementation used by the OTP kdcpreauth module. Code quality - Removed old-style function declarations, to accomodate compilers which have removed support for them. - Added OSS-Fuzz to the project's continuous integration infrastructure. - Rewrote the GSS per-message token parsing code for improved safety. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj

meta-openembedded/all: adapt to UNPACKDIR changes

2025-06-25T13:44:52+00:00

Please see https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265 for what changes are needed, and sed commands that can be used to make them en masse. I've verified that bitbake -c patch world works with these, but did not run a world build; the majority of recipes shouldn't need further fixups, but if there are some that still fall out, they can be fixed in followups. Signed-off-by: Alexander Kanavin Signed-off-by: Khem Raj

krb5: Backport additional fixes to build on clang

2025-03-26T01:30:53+00:00

Enabling additional warning tightens the function prototype checks and clang goes a step ahead to flag void foo() as well it should be void foo(void) Signed-off-by: Khem Raj Cc: Martin Jansa

krb5: fix build with gcc-15

2025-03-25T21:57:20+00:00

* fixes: http://errors.yoctoproject.org/Errors/Details/848727/ ss_internal.h:88:6: error: conflicting types for 'ss_delete_info_dir'; have 'void(void)' 88 | void ss_delete_info_dir(); | ^~~~~~~~~~~~~~~~~~ ... Signed-off-by: Martin Jansa Signed-off-by: Khem Raj

krb5: fix CVE-2025-24528

2025-03-25T21:57:20+00:00

In MIT krb5 release 1.7 and later with incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash. Reference: https://security-tracker.debian.org/tracker/CVE-2025-24528 Upstream-patch: https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0 Signed-off-by: Divya Chellam Signed-off-by: Khem Raj

krb5: fix CVE-2024-26458 and CVE-2024-26461

2024-08-24T05:35:10+00:00

CVE-2024-26458: Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. CVE-2024-26461: Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. References: https://nvd.nist.gov/vuln/detail/CVE-2024-26458 https://nvd.nist.gov/vuln/detail/CVE-2024-26461 Upstream Patch: https://github.com/krb5/krb5/commit/c5f9c816107f70139de11b38aa02db2f1774ee0d Signed-off-by: Yogita Urade Signed-off-by: Khem Raj

krb5: upgrade 1.21.2 -> 1.21.3

2024-07-04T03:20:16+00:00

CVEs Fixed CVE-2024-37370, CVE-2024-37371 Release Notes: https://web.mit.edu/kerberos/krb5-1.21/krb5-1.21.3.html Signed-off-by: Vijay Anusuri Signed-off-by: Khem Raj

recipes: Start WORKDIR -> UNPACKDIR transition

2024-05-23T15:44:44+00:00

Replace references of WORKDIR with UNPACKDIR where it makes sense to do so in preparation for changing the default value of UNPACKDIR. Signed-off-by: Khem Raj