base repository: krb5/krb5
base: krb5-1.20.1-final
head repository: krb5/krb5
compare: krb5-1.20.2-final
- 12 commits
- 43 files changed
- 3 contributors
Commits on Nov 13, 2022
-
Commit 706c43b
Commits on Jul 6, 2023
-
Update error checking for OpenSSL CMS_verify
The code for CMS data verification was initially written for OpenSSL's PKCS7_verify() function. It now uses CMS_verify(), but error handling is still done using PKCS7_verify() error identifiers. Update the recognized error codes so that the KDC generates KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate. Use ERR_peek_last_error() to observe the error generated closest to the API surface.
[[email protected]: edited commit message]
(cherry picked from commit 70f61d4)
ticket: 9069
version_fixed: 1.20.2
Commit 9a20519
-
Fix PKINIT CMS error checking for older OpenSSL
Commit 70f61d4 updated the CMS_verify() error code checks, using two error codes new to OpenSSL 3.0 (RSA_R_DIGEST_NOT_ALLOWED and CMS_R_UNKNOWN_DIGEST_ALGORITHM). This change broke the build for OpenSSL 1.0 and 1.1. Instead of looking for codes indicating an algorithm issue and assuming that everything else is an invalid signature, check for the code indicating an invalid signature and assume that everything else is an algorithm issue.
(cherry picked from commit e48e2e5)
ticket: 9069
version_fixed: 1.20.2
Commit a6971d2
-
Fix aclocal.m4 syntax error for autoconf 2.72
An incorrect closure inside KRB5_AC_INET6 is innocuous with autoconf versions up to 2.71, but will cause an error at configure time with the forthcoming autoconf 2.72.
[[email protected]: added more context to commit message]
(cherry picked from commit d864d74)
ticket: 9077
version_fixed: 1.20.2
Commit d1e41ca
-
Fix kpropd crash with unrecognized option
(cherry picked from commit d0ea8de)
ticket: 9083
version_fixed: 1.20.2
Commit 50f3640
-
Fix read overruns in SPNEGO parsing
Fix three read overruns discovered by the GitHub Security Lab team (GHSL-2023-016, GHSL-2023-017, and GHSL-2023-018) using OSS-Fuzz. In get_mech_set(), error out if gss_add_oid_set_member() fails rather than continue the loop and increment i past the current bound of returned_mechSet. In g_verify_neg_token_init(), check for zero-byte sequences before reading tag bytes, and reduce cur_size by one to account for the tag byte when calling gssint_get_der_length().
(cherry picked from commit 47c2a12)
ticket: 9085
version_fixed: 1.20.2
Commit eb886f6
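
The two bounds checks named in the commit message above (refuse a zero-byte buffer before reading the tag, and subtract the tag byte from the space handed to the length parser), as an added example that is not krb5 code. The function `read_der_header` and the sample byte strings are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Read a DER header (tag, then length) from buf[0..size) and return the body
 * length, or -1 if the header or body would run past the buffer. On success
 * *hdr_len (if non-NULL) receives the number of header bytes.
 */
static long read_der_header(const uint8_t *buf, size_t size,
                            uint8_t expect_tag, size_t *hdr_len)
{
    size_t avail, n, i, len;

    if (size == 0)              /* zero-byte input: there is no tag to read */
        return -1;
    if (buf[0] != expect_tag)
        return -1;
    avail = size - 1;           /* the tag byte is consumed; do not count it */
    if (avail == 0)
        return -1;
    if (buf[1] < 0x80) {        /* short form: one length octet */
        len = buf[1];
        n = 1;
    } else {                    /* long form: low 7 bits give the octet count */
        n = buf[1] & 0x7f;
        if (n == 0 || n > 3 || n > avail - 1)
            return -1;
        for (len = 0, i = 0; i < n; i++)
            len = (len << 8) | buf[2 + i];
        n++;                    /* count the leading length octet too */
    }
    if (len > avail - n)        /* body must fit in the bytes that remain */
        return -1;
    if (hdr_len != NULL)
        *hdr_len = 1 + n;
    return (long)len;
}

/* Constructed samples using the SEQUENCE tag 0x30. SEQ_LONG uses a
 * non-minimal long-form length; only bounds are checked here. */
static const uint8_t SEQ_OK[] = { 0x30, 0x02, 0x01, 0x02 };
static const uint8_t SEQ_LONG[] = { 0x30, 0x81, 0x02, 0xAA, 0xBB };
static const uint8_t SEQ_OFF_BY_ONE[] = { 0x30, 0x03, 0x01, 0x02 };
static const uint8_t SEQ_TRUNC_LEN[] = { 0x30, 0x82, 0x01 };

int main(void)
{
    return read_der_header(SEQ_OK, sizeof(SEQ_OK), 0x30, NULL) != 2 ||
           read_der_header(SEQ_OFF_BY_ONE, sizeof(SEQ_OFF_BY_ONE), 0x30, NULL) != -1;
}
```

`SEQ_OFF_BY_ONE` claims a three-byte body in a four-byte buffer: comparing the length against `size` instead of `size - 1` would accept it and read one byte past the end.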
-
Fix possible double-free during KDB creation
In krb5_dbe_def_encrypt_key_data(), when we free key_data->key_data_contents[0], reset it to null so the caller doesn't free it as well. Since commit a06945b this bug manifests as a double-free during KDB creation if master key encryption fails.
[[email protected]: edited commit message]
(cherry picked from commit fddd419)
ticket: 9086
version_fixed: 1.20.2
Commit 81a2265
-
Fix meridian type in getdate.y
Commit d3356bc (ticket 8927) incorrectly tagged tMERIDIAN as <Number>. So while the lexer assigns meridian values to the Meridian union field, the parser erroneously reads them from the Number field. On 64-bit IBM zSystems (s390x), this can result in using the most recently read number as a meridian value, leading to an abort in ToSeconds(). Fix the tMERIDIAN token type to be <Meridian>.
[[email protected]: edited commit message]
(cherry picked from commit 0108d7d)
ticket: 9087
version_fixed: 1.20.2
Commit 5c2f26a
-
Ensure array count consistency in kadm5 RPC
In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the key_data array count when decoding. Otherwise when the structure is later freed, xdr_array() could iterate over the wrong number of elements, either leaking some memory or freeing uninitialized pointers. Reported by Robert Morris.
CVE-2023-36054: An authenticated attacker can cause a kadmind process to crash by freeing uninitialized pointers. Remote code execution is unlikely. An attacker with control of a kadmin server can cause a kadmin client to crash by freeing uninitialized pointers.
(cherry picked from commit ef08b09)
ticket: 9099
version_fixed: 1.20.2
Commit c81ffb6
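
The count-consistency check described in the commit message above, shown on a toy decoder as an added example that is not krb5's XDR code. The `struct rec` layout, the one-byte wire format and every function name are hypothetical; only the field names `n_key_data` and `key_data` are borrowed from the message.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical record: a count field plus an array that carries its own length. */
struct rec {
    uint32_t n_key_data;  /* count sent as its own field */
    uint8_t **key_data;   /* heap pointers; length sent with the array */
};
/* The free path trusts n_key_data, so it must equal the allocated length. */
static void free_rec(struct rec *r)
{
    for (uint32_t i = 0; r->key_data != NULL && i < r->n_key_data; i++)
        free(r->key_data[i]);
    free(r->key_data);
}

/* Constructed wire format: [n_key_data][array_len][array_len one-byte keys]. */
static int decode_rec(const uint8_t *buf, size_t len, struct rec *out)
{
    *out = (struct rec){ 0 };
    if (len < 2 || len - 2 < buf[1])
        return -1;
    if (buf[0] != buf[1])       /* counts disagree: reject before allocating */
        return -1;
    out->key_data = calloc((size_t)buf[1] + 1, sizeof(*out->key_data));
    if (out->key_data == NULL)
        return -1;
    out->n_key_data = buf[1];
    for (uint32_t i = 0; i < out->n_key_data; i++) {
        if ((out->key_data[i] = malloc(1)) == NULL)
            return -1;          /* caller's free_rec() releases the rest */
        out->key_data[i][0] = buf[2 + i];
    }
    return 0;
}

static const uint8_t MSG_OK[] = { 2, 2, 0xAA, 0xBB };   /* constructed: counts agree */
static const uint8_t MSG_BAD[] = { 5, 2, 0xAA, 0xBB };  /* constructed: counts differ */
/* Decode, then free as a caller would; 0 if accepted, -1 if rejected. */
static int try_decode(const uint8_t *buf, size_t len)
{
    struct rec r;
    int ret = decode_rec(buf, len, &r);
    free_rec(&r);
    return ret;
}

int main(void)
{
    return try_decode(MSG_OK, sizeof(MSG_OK)) != 0 || try_decode(MSG_BAD, sizeof(MSG_BAD)) != -1;
}
```

Without the `buf[0] != buf[1]` check, `MSG_BAD` would leave `n_key_data` at 5 over a two-element array, and `free_rec()` would walk past the pointers that were actually set.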
-
Commit a273d4d
-
Commit 62db77c
Commits on Jul 7, 2023
-
Commit 47646c2
You can try running this command locally to see the comparison on your machine:
git diff krb5-1.20.1-final...krb5-1.20.2-final