heimdal 1.4_1 security =16

A popular BSD-licensed implementation of Kerberos 5
Maintained by: Joerg.Pulz@frm2.tum.de
Port Added: unknown
Also Listed In: ipv6
License: not specified in port

---

---

Heimdal is an implementation of Kerberos 5, largely written in Sweden
(due to crypto export legal issues in the US at the time). It is freely
available under a three clause BSD style license.

WWW: http://www.pdc.kth.se/heimdal/

CVSWeb : Sources : Main Web Site : Distfiles Availability : PortsMon

---

NOTE: FreshPorts displays only required dependencies information. Optional dependencies are not covered.
Required To Build: devel/autoconf268, devel/libtool22, devel/pkg-config
Required To Run: devel/pkg-config
Required Libraries: devel/gettext
There are no ports dependent upon this port

---

To install the port: cd /usr/ports/security/heimdal/ && make install clean
To add the package: pkg_add -r heimdal

---

Configuration Options

===> The following configuration options are available for heimdal-1.4_1:
     IPV6=on (default) "Enable IPV6 support"
     KCM=on (default) "Enable Kerberos Credentials Manager"
     BDB=off (default) "Enable BerkeleyDB KDC backend support"
     SQLITE=off (default) "Enable SQLite KDC backend support"
     LDAP=off (default) "Enable OpenLDAP KDC backend support"
     PKINIT=on (default) "Enable PK-INIT support"
     DIGEST=on (default) "Enable DIGEST support"
     KX509=on (default) "Enable kx509 support"
     KRB4=off (default) "Enable krb4 support"
     CRACKLIB=off (default) "Use CrackLib for password quality checking"
     X11=off (default) "Build X11 utilies"
===> Use 'make config' to modify these settings

---

Master Sites:

http://www.h5l.org/dist/src/

http://ftp.pdc.kth.se/pub/heimdal/src/

ftp://ftp.pdc.kth.se/pub/heimdal/src/

ftp://ftp.sunet.se/pub/unix/admin/mirror-pdc/heimdal/src/

ftp://ftp.ayamura.org/pub/heimdal/

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/

Sync to new bsd.autotools.mk

Add the 'gss_pname_to_uid' function to libgssapi.
This function is obtained from the FreeBSD base libgssapi code.

Whith this function added to the port, it is possible to buildworld
FreeBSD fully against the port.
FYI: Patches for CURRENT and 8-STABLE src/ are here:
ftp://ftp.frm2.tum.de/pub/jpulz/FreeBSD/patches/CURRENT_use_kerberos_port.patch
ftp://ftp.frm2.tum.de/pub/jpulz/FreeBSD/patches/8-STABLE_use_kerberos_port.patch

PR:             ports/152030
Submitted by:   maintainer

Assign maintainer to submitter of previous commit (ports/151506).

Update to 1.4

PR:             ports/151506
Submitted by:   Joerg Pulz <Joerg.Pulz@frm2.tum.de>

- Mark BROKEN on HEAD: fails to build with new utmpx

Reported by:    pointyhat

Use CMGROUP_MAX instead of NGROUPS and the argument to SOCKCREDSIZE().
This is a NO-OP except on 8/9 where it is a bugfix.

Fix invalid malloc in LDAP backend.

PR:     128025

-Repocopy devel/libtool15 -> libtool22 and libltdl15 -> libltdl22.
-Update libtool and libltdl to 2.2.6a.
-Remove devel/libtool15 and devel/libltdl15.
-Fix ports build with libtool22/libltdl22.
-Bump ports that depend on libltdl22 due to shared library version change.
-Explain what to do update in the UPDATING.

It has been tested with GNOME2, XFCE4, KDE3, KDE4 and other many wm/desktop
and applications in the runtime.

With help:      marcus and kwm
Pointyhat-exp:  a few times by pav
Tested by:      pgollucci, "Romain Tartière" <romain@blogreen.org>, and
                a few MarcusCom CVS users. Also, I might have missed a few.
Repocopy by:    marcus
Approved by:    portmgr

With regret, return these to the pool.

- Remove unneeded dependency from gtk12/gtk20 [1]
- Remove USE_XLIB/USE_X_PREFIX/USE_XPM in favor of USE_XORG
- Remove X11BASE support in favor of LOCALBASE or PREFIX
- Use USE_LDCONFIG instead of INSTALLS_SHLIB
- Remove unneeded USE_GCC 3.4+

Thanks to all Helpers:
        Dmitry Marakasov, Chess Griffin, beech@, dinoex, rafan, gahr,
        ehaupt, nox, itetcu, flz, pav

PR:             116263
Tested on:      pointyhat
Approved by:    portmgr (pav)

- hcrypto library is only installed on FreeBSD < 7.0

Reported by:    pointyhat
Approved by:    portmgr (hat)

Re-add a file (for cracklib support) that was inadvertently removed with
the last update.

PR:             ports/117351 [1], ports/116864 [2]
Submitted by:   Koji Yokota <yokota@res.otaru-uc.ac.jp> [1],
                Matthias Andree <matthias.andree@gmx.de> [2]

Upgrade to 1.0.1.

PR:             ports/115589
Submitted by:   Rasmus Kaj <kaj@kth.se>

Use libtool port instead of included version to avoid objformat a.out botch

Register conflicts for srp in security/heimdal, security/krb4, and
securiry/krb5.
Bump PORTREVISION accordingly.

PR:             ports/105442
Submitted by:   Ruben van Staveren <ruben@verweg.com>
Reviewed by:    shaun@, cy@
Approved by:    flz (mentor)

When using LDAP as a KDC back-end, allow users to override the
hard-coded LDAP socket path. By default, we will use the path where
OpenLDAP usually puts its socket.

PR:             ports/72149
Submitted by:   Pawel Wieleba <wielebap@iem.pw.edu.pl>

- Update to 0.7.2.
- Improve pkg-descr, etc.
- Take maintainership.

BROKEN on 7.0: Incomplete pkg-plist

- s,INSTALLS_SHLIB,USE_LDCONFIG,g
- these include security/ sysutils/ textproc/ maintained by ports@

PR:             ports/101916
Submitted by:   Gea-Suan Lin <gslin_AT_gslin dot org>

Reset maintainer at his request; nectar is away from FreeBSD work right now.

- Update to 0.6.6
- Remove extra TABs and portlint(1)
- Update pkg-descr from page

Approved by:    secteam (simon)
Security:       CAN-2005-0469, CAN-2005-2040, CAN-2006-0582, CVE-2006-0677,
                VUXML: b62c80c2-b81a-11da-bec5-00123ffe8333

SHA256ify

Approved by: krion@

Remove install-info from Makefile, it's automatically done when INFO is defined

- Set CONFLICTS with krb4 and krb5
- Portlint

PR:             ports/85025
Submitted by:   lofi
Approved by:    maintainer timeout (nectar, 7 weeks)

- Let configure know that we have fnmatch.h (fixes some fnmatch-using
  C++ ports, since the fnmatch.h which was uselessly installed by
  heimdal did not wrap the fnmatch() declaration in extern C {}) [1]
- Fix the packing list on 4.x

[1]
PR:             ports/80366
Submitted by:   Joan Picanyol i Puig <lists-freebsd-gnats@biaix.org>
Approved by:    maintainer timeout (76 days)

BROKEN on 4.x: Incomplete pkg-plist

Add CONFLICTS due to libexec/ftpd.

PR:             ports/76235
Approved by:    ache, sumikawa (maintainers for wu-ftpd*)

Fix PLIST again.  Spell `password' correctly and keep the pointy
hat an extra day.

Noticed by:     pointyhat.freebsd.org

Fix PLIST (forgotten new manual pages).  Bump PORTREVISION.

Noticed by:     pointyhat.freebsd.org

Upgrade 0.6.1 -> 0.6.3

PR:     ports/74113
Submitted by:   Petr Holub <hopet@ics.muni.cz>

Cleanup master-sites.

PR:             ports/67157
Submitted by:   Roman Neuhauser
Approved by:    maintainer timeout

Fix packaging: com_err will only be built and installed on a few systems
where compile_et is not modern enough.

Update 0.6 -> 0.6.1
Use OPTIONS
Use USE_OPENLDAP

Whoa there, boy, that's a mighty big commit y'all have there...

Begin autotools sanitization sequence by requiring ports to explicitly
specify which version of {libtool,autoconf,automake} they need, erasing
the concept of a "system default".

For ports-in-waiting:

        USE_LIBTOOL=YES         ->      USE_LIBTOOL_VER=13
        USE_AUTOCONF=YES        ->      USE_AUTOCONF_VER=213
        USE_AUTOMAKE=YES        ->      USE_AUTOMAKE_VER=14

Ports attempting to use the old style system after June 1st 2004 will be
sorely disappointed.

Add size.

Set `USE_LIBTOOL=yes'.  Previously, the value was `no', but that means
the same thing.  My original intention was to work around a build
buglet encountered on some version of FreeBSD.  Apparently, no such
work around is necessary.

Reported by:    Rolandas Naujikas <rolnas@takas.lt>

Put CFLAGS in CONFIGURE_ENV

On amd64, include -fPIC in CFLAGS.

PR:             ports/63199
Reported by:    Hendrik Scholz <hendrik@scholz.net>

Remove Kerberos IV support, as I'm unwilling to properly test it and
resolve packaging problems.

Fix a double-free which prevented `ftpd' from functioning correctly.

Update 0.5.1 -> 0.6.

Switch to using `INFO' while we are at it.

Fix non-default dependency on openldap2[012] which is broken by splitting.

# I'm not bumped port revision of them because this should not affect
# packages built on bento...

Fix build with OpenSSL 0.9.7+.

-- Move pkg-comment into Makefile
-- portlint as necessary

Point dependencies on net/openldap2 to net/openldap20

Remove RESTRICTED tag for crypto stuff.

Approved by:    kris (implicitly)

update to heimdal 1.5.1 (fixes kadmind buffer overflow)

Approved by:    security-officer

Update 0.4e -> 0.5

Patch a heap overflow.  See
<URL:http://online.securityfocus.com/archive/1/269356> and
<URL:http://www.freeweb.hu/mantra/04_2002/KRB4.htm>.

Obtained from:  Heimdal repository

Use ${ECHO_CMD} instead of ${ECHO} where you mean the echo command;   the ECHO
macro is set to "echo" by default, but it is set to "true" if   make(1) is
invoked with the -s option while ECHO_CMD is always set to   the echo command.  
 

Bump PORTREVISION for today's updates to libgssapi and su.    

su: Don't use the result of getlogin() to determine whether we are the  
superuser.  Always use getuid() instead.    

Fix a heap buffer overrun in gss_get_mic().    

= Add support for using cracklib with kpasswdd, the password changing    
daemon.   = Fix a bug in `ktutil get' which was causing a segfault.   = Bump
PORTREVISION.    

Update 0.4d -> 0.4e    

Move the man pages back out of the PLIST, but this time into a separate  
Makefile (Makefile.man).    

Add a couple of missing man pages.    

There are now too many man pages to usefully maintain with   MANn= in the
Makefile.  Move them to the PLIST instead.    

Update 0.4c -> 0.4d    

Update 0.4b -> 0.4c    

Update 0.4b -> 0.4c    

= Fix possible telnetd vulnerability in option processing.    

Update 0.3f -> 0.4b    

Correct no-nos: one file per  patch, please. Don't touch more than one   source
file with each patch file, and don't touch the same source file   with more than
one patch file.    

Bug fix for memory being free'd twice when using the new ANY:-keytabs.  
PORTREVISION bumped.    

Remove patch  that has  been incorporated  into 0.3f.   By a  quirk of   fate, 
it  applied cleanly  anyway,  with  harmless effect  (two  NULL   assignments
instead of one).    

Fix segfault in ftpd introduced in 0.3f.   PORTREVISION bumped.    

Update 0.3e -> 0.3f.  From the announcement:    * change default keytab to
ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,      the new keytab type that tries
both of these in order (SRVTAB is      also an alias for krb4:)    * improve
error reporting and error handling (error messages should      be more detailed
and more useful)    * improve building with openssl    * add kadmin -K, rcp -F  
 * fix two incorrect weak DES keys    * fix building of kaserver compat in KDC  
 * the API is closer to what MIT krb5 is using    * more compatible with windows
2000    * removed some memory leaks    * bug fixes    

configure was generating bogus `-R' and `-L' flags for the linker when  
Kerberos IV libs were not present.    

Explicitly list directories for Kerberos 4 bits, so that once this   is built
there are no references to the likely non-existent `/usr/athena'.    

Fix an uninitialized pointer dereference in krb5_rd_cred.    

Add a sample start-up script for the KDC.    

On older systems (pre-4.1.0-RELEASE or so), this port will install   its own
ifaddrs.h.  Update ${PLIST} accordingly.    

Update 0.3d -> 0.3e.    

There is no des_set_odd_parity in OpenSSL's libcrypto.  Use  
des_fixup_key_parity instead.    

Missed in previous commit: remove headers for libdes   (they are in a seperate
PLIST now).    

= Update to use OpenSSL in the base if it has MD4 support (version 0.9.6     or
later).  If these libraries are used, then this port's libdes will     not be
built nor installed.    

Style fixup only: use tabs consistently; sort man pages.    

Update 0.3c -> 0.3d    

= Use system libcom_err.     No longer build or install the included libcom_err
and compile_et.    

Bump PORTREVISION for ftp client fix.    

(This is a forced commit ... the previous commit went through with an    empty
log message.)    

Add a knob (WITH_LDAP) to enable compiling with support for LDAP as a   backend
database for the KDC.    

Convert category security to new layout.  

Rename PLIST.{KRB4,X11} to pkg-plist.{krb4,x11}.    

Update 0.3b -> 0.3c    

Upgrade 0.2t -> 0.3b    

Make these COMMENT files conform to Handbook standard.    

Rename INSTALLS_SHLIBS to INSTALLS_SHLIB.  (There was a typo in the   previous
commit message to bsd.port.mk, which said INSTALL_SHLIBS.  Boo.)    

Final round of the INSTALLS_SHLIBS=yes conversion. Few remaining ports with  
ldconfig in PLIST need personal consideration.    

Fix PLIST.    

14 vulnerabilities affecting 33 ports have been reported in the past 14 days

^* - modified, not new

All vulnerabilities