---
- branch: MAIN
  date: Fri Jan  5 23:46:29 UTC 2024
  files:
  - new: '1.117'
    old: '1.116'
    path: pkgsrc/security/mit-krb5/Makefile
    pathrev: pkgsrc/security/mit-krb5/Makefile@1.117
    type: modified
  - new: '1.25'
    old: '1.24'
    path: pkgsrc/security/mit-krb5/PLIST
    pathrev: pkgsrc/security/mit-krb5/PLIST@1.25
    type: modified
  - new: '1.18'
    old: '1.17'
    path: pkgsrc/security/mit-krb5/buildlink3.mk
    pathrev: pkgsrc/security/mit-krb5/buildlink3.mk@1.18
    type: modified
  - new: '1.19'
    old: '1.18'
    path: pkgsrc/security/mit-krb5/builtin.mk
    pathrev: pkgsrc/security/mit-krb5/builtin.mk@1.19
    type: modified
  - new: '1.81'
    old: '1.80'
    path: pkgsrc/security/mit-krb5/distinfo
    pathrev: pkgsrc/security/mit-krb5/distinfo@1.81
    type: modified
  - new: '1.2'
    old: '1.1'
    path: pkgsrc/security/mit-krb5/patches/patch-kprop_kproplog.c
    pathrev: pkgsrc/security/mit-krb5/patches/patch-kprop_kproplog.c@1.2
    type: modified
  - new: '0'
    old: '1.4'
    path: pkgsrc/security/mit-krb5/patches/patch-util_k5ev_verto-k5ev.c
    pathrev: pkgsrc/security/mit-krb5/patches/patch-util_k5ev_verto-k5ev.c@0
    type: deleted
  - new: '1.1'
    old: '0'
    path: pkgsrc/security/mit-krb5/patches/patch-util_verto_verto-k5ev.c
    pathrev: pkgsrc/security/mit-krb5/patches/patch-util_verto_verto-k5ev.c@1.1
    type: added
  id: 20240105T234629Z.405b95eeb3697fcf43de680f5ea07d3bc2a04f94
  log: |
    mit-krb5: updated to 1.21.2

    Major changes in 1.21.2 (2023-08-14)

    Fix double-free in KDC TGS processing [CVE-2023-39975].

    Major changes in 1.21.1 (2023-07-10)

    Fix potential uninitialized pointer free in kadm5 XDR parsing [CVE-2023-36054].

    Major changes in 1.21 (2023-06-05)

    User experience
    Added a credential cache type providing compatibility with the macOS 11 native credential cache.
    Developer experience
    libkadm5 will use the provided krb5_context object to read configuration values, instead of creating its own.
    Added an interface to retrieve the ticket session key from a GSS context.
    Protocol evolution
    The KDC will no longer issue tickets with RC4 or triple-DES session keys unless explicitly configured with the new allow_rc4 or allow_des3 variables respectively.
    The KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes string attribute.
    Support for PAC full KDC checksums has been added to mitigate an S4U2Proxy privilege escalation attack.
    The PKINIT client will advertise a more modern set of supported CMS algorithms.
    Code quality
    Removed unused code in libkrb5, libkrb5support, and the PKINIT module.
    Modernized the KDC code for processing TGS requests, the code for encrypting and decrypting key data, the PAC handling code, and the GSS library packet parsing and composition code.
    Improved the test framework's detection of memory errors in daemon processes when used with asan.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/mit-krb5'
  unixtime: '1704498389'
  user: adam