| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-01-30 17:25:08 +0100 |
|---|---|---|
| committer | Khem Raj <raj.khem@gmail.com> | 2026-01-31 00:13:44 -0800 |
| commit | 2fafea2aa746da946b6110c4f9e8cdd7311a45fa (patch) | |
| tree | 2708c98d8ffffecb4eb039972df73b1cd21610c0 /meta-python/recipes-devtools/python | |
| parent | 8ba0a9e49a697f20c8cf1ecddcac06a8afdae26b (diff) | |
| download | meta-openembedded-2fafea2aa746da946b6110c4f9e8cdd7311a45fa.tar.gz | |
krb5: upgrade 1.21.3 -> 1.22.2
Drop the patches that are included in this release.
License-Update: copyright year bump
Changelog:
1.22.2:
Fix a SPNEGO packet parsing bug which could cause GSS mechanism negotiation failure.
1.22.1:
Fix a vulnerability in GSS MIC verification [CVE-2025-57736]
1.22.0:
User experience
- The libdefaults configuration variable "request_timeout" can be set to limit the
total timeout for KDC requests. When making a KDC request, the client will now
wait indefinitely (or until the request timeout has elapsed) on a KDC which
accepts a TCP connection, without contacting any additional KDCs. Clients will
make fewer DNS queries in some configurations.
- The realm configuration variable "sitename" can be set to cause the client to
query site-specific DNS records when making KDC requests.
Administrator experience
- Principal aliases are supported in the DB2 and LMDB KDB modules and in the
kadmin protocol. (The LDAP KDB module has supported aliases since release 1.7.)
- UNIX domain sockets are supported for the Kerberos and kpasswd protocols.
- systemd socket activation is supported for krb5kdc and kadmind.
Developer experience
- KDB modules can be implemented in terms of other modules using the new
krb5_db_load_module() function.
- The profile library supports the modification of empty profiles and the copying
of modified profiles, making it possible to construct an in-memory profile and
pass it to krb5_init_context_profile().
- GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to gss_init_sec_context()
to request strict enforcement of channel bindings by the acceptor.
Protocol evolution
- The PKINIT preauth module supports elliptic curve client certificates, ECDH key
exchange, and the Microsoft paChecksum2 field.
- The IAKERB implementation has been changed to comply with the most recent draft
standard and to support realm discovery.
- Message-Authenticator is supported in the RADIUS implementation used by the OTP
kdcpreauth module.
Code quality
- Removed old-style function declarations, to accommodate compilers which have
removed support for them.
- Added OSS-Fuzz to the project's continuous integration infrastructure.
- Rewrote the GSS per-message token parsing code for improved safety.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-python/recipes-devtools/python')
0 files changed, 0 insertions, 0 deletions
