03:55 Yasuhiro Kimura (yasu) 

security/heimdal: Move man pages to share/man

Approved by:	portmgr (blanket)

    3f0064b

22:09 Cy Schubert (cy) 

security/heimdal: Update to 7.8.0

This upgrade fixes multiple security vulnerabilities.

The following issues are patched:

 - CVE-2022-42898 PAC parse integer overflows
 - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
 - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
 - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec

    Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
    on the Common Vulnerability Scoring System (CVSS) v3, as we believe
    it should be possible to get an RCE on a KDC, which means that
    credentials can be compromised that can be used to impersonate
    anyone in a realm or forest of realms.

    Heimdal's ASN.1 compiler generates code that allows specially
    crafted DER encodings of CHOICEs to invoke the wrong free function
    on the decoded structure upon decode error.  This is known to impact
    the Heimdal KDC, leading to an invalid free() of an address partly
    or wholly under the control of the attacker, in turn leading to a
    potential remote code execution (RCE) vulnerability.

    This error affects the DER codec for all extensible CHOICE types
    used in Heimdal, though not all cases will be exploitable.  We have
    not completed a thorough analysis of all the Heimdal components
    affected, thus the Kerberos client, the X.509 library, and other
    parts, may be affected as well.

    This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
    only affect Heimdal 1.6 and up.  It was first reported by Douglas
    Bagnall, though it had been found independently by the Heimdal
    maintainers via fuzzing a few weeks earlier.

    While no zero-day exploit is known, such an exploit will likely be
    available soon after public disclosure.

 - CVE-2019-14870: Validate client attributes in protocol-transition
 - CVE-2019-14870: Apply forwardable policy in protocol-transition
 - CVE-2019-14870: Always lookup impersonate client in DB

Reported by:	so (philip)
Approved by:	so (philip)
MFH:		2022Q4
Security:	Many, see above
Sponsored by:	so (philip)

    83f79ba

06:20 hrs 

Update to 7.7.0.

 

13:52 hrs 

Update to 7.1.0.  Changes include:

- hcrypto is now thread safe on all platforms and as much as possible
  hcrypto now uses the operating system's preferred crypto
  implementation ensuring that optimized hardware assisted
  implementations of AES-NI are used.

- RFC 6113 Generalized Framework for Kerberos Pre-Authentication
  (FAST).

- Hierarchical capath support

- iprop has been revamped to fix a number of race conditions that
  could lead to inconsistent replication.

- The KDC process now uses a multi-process model improving resiliency
  and performance.

- AES Encryption with HMAC-SHA2 for Kerberos 5
  draft-ietf-kitten-aes-cts-hmac-sha2-11

- Moved kadmin and ktutil to /usr/bin

- Stricter fcache checks (see fcache_strict_checking krb5.conf setting)

- Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh,
  telnet, xnlock

 

21:22 hrs 

- Fix Berkeley DB dependency.  It now properly uses BDB_LIB specified in
  Mk/Uses/bdb.mk instead of db185 interfaces in libc.
  As a side-effect, this causes a compatibility issue between
  heimdal.db created by kadmin(8) in the base system or one by
  an older security/heimdal.  See UPDATING about this issue.

- Fix readline dependency end eliminate libheimedit.

- Use -lpthread instead of -pthread.

- Use FOO_CONFIGURE_WITH=foo instead of FOO_CONFIGURE_ON=--with-foo.

 

09:51 hrs 

Add missing header files (com_err.h and com_right.h).

Submitted by:	Franco Fichtner
PR:		213470

 

10:51 hrs 

- Move headers and libraries into PREFIX/{include,lib}/heimdal.  This
  prevents build breakage when a port depends on heimdal in base and
  some other libraries in LOCALBASE/lib such as OpenSSL from ports
  at the same time.

- Always build libcom_err[*].

PR:	194475 [*]

 

17:18 hrs 

Fix build on branches which do not have com_right_r() in libcom_err.

Spotted by:	ume

 

12:44 hrs 

- Add LICENSE.
- Build kcm by default.
- Use gssapi.mk.
- Use ${opt}_* variables instead of .if ${PORT_OPTIONS:Mopt} wherever possible.
- Use /var/heimdal as $hdbdir for compatibility with Heimdal in base.
- Merge pkg-plist.* into pkg-plist.
- Remove lines that are no longer valid.
- Remove stale kdc.sh.  rc.d scripts in base system work with this port.

 

21:48 jkim 

Fix plist again.  r361101 reverted SQLITE fixes in r358060 and r358150.

Pointyhat to:	tijl

 

16:16 tijl 

- Fix pkg-plist [1]
- Add INSTALL_TARGET=install-strip

Reported by:	swills (jenkins) [1]

 

15:42 tijl 

- Convert to USES=libtool
- Remove USE_AUTOTOOLS

 

15:25 adamw 

Fix packaging without KCM

 

17:00 jkim 

Fix plist without SQLITE option, i.e., r358060 was incomplete.  Actually,
this option is very confusing.  This option does not enable SQLite support
but enables building with existing SQLite library, i.e., disables building
with bundled SQLite source.

Submitted by:	mat

 

23:28 jkim 

Fix plist for SQLITE option.  We do not build bundled SQLite for years.

 

22:08 marino 

security/heimdal: Mark not-jobs-safe and fix cracklib location

While here:
 * Clean up options and PLIST_SUB with new option framework capabilities
 * Remove condition for FreeBSD 6 and earlier
   - Remove never-fulfilled plist condition
   - Move extra-patch to always-patch
 * minor cosmetic realignment

PR:		181923
Submitted by:	dewayne

 

12:56 knu 

Fix heimdal.

- Resolve conflict with security/openssl regarding manual pages.
- Add a couple of patches from the upstream.
- Remove NO_STAGE and delete obsolete MLINKS while at it.

PR:		177397
Submitted by:	Shane Ambler <FreeBSD@ShaneWare.Biz>
Approved by:	(MAINTAINER timeout)

 

19:54 wxs 

Update to 1.5.2

PR:             ports/166320
Submitted by:   Joerg Pulz <Joerg.Pulz@frm2.tum.de> (maintainer)

17:02 wxs 

Update to 1.4

PR:             ports/151506
Submitted by:   Joerg Pulz <Joerg.Pulz@frm2.tum.de>

23:27 pav 

- hcrypto library is only installed on FreeBSD < 7.0

Reported by:    pointyhat
Approved by:    portmgr (hat)

00:16 shaun 

Upgrade to 1.0.1.

PR:             ports/115589
Submitted by:   Rasmus Kaj <kaj@kth.se>

02:42 kris 

Use libtool port instead of included version to avoid objformat a.out botch

16:07 shaun 

- Update to 0.7.2.
- Improve pkg-descr, etc.
- Take maintainership.

17:07 jylefort 

- Let configure know that we have fnmatch.h (fixes some fnmatch-using
  C++ ports, since the fnmatch.h which was uselessly installed by
  heimdal did not wrap the fnmatch() declaration in extern C {}) [1]
- Fix the packing list on 4.x

[1]
PR:             ports/80366
Submitted by:   Joan Picanyol i Puig <lists-freebsd-gnats@biaix.org>
Approved by:    maintainer timeout (76 days)

18:03 nectar 

Fix packaging: com_err will only be built and installed on a few systems
where compile_et is not modern enough.

23:06 nectar 

Update 0.6 -> 0.6.1
Use OPTIONS
Use USE_OPENLDAP

23:24 nectar 

Update 0.5.1 -> 0.6.

Switch to using `INFO' while we are at it.

13:04 nectar 

Update 0.4e -> 0.5

20:45 nectar 

Update 0.4d -> 0.4e    

21:28 nectar 

Move the man pages back out of the PLIST, but this time into a separate  
Makefile (Makefile.man).    

20:45 nectar 

Add a couple of missing man pages.    

20:29 nectar 

There are now too many man pages to usefully maintain with   MANn= in the
Makefile.  Move them to the PLIST instead.    

17:41 nectar 

Update 0.4b -> 0.4c    

23:55 nectar 

Update 0.3f -> 0.4b    

19:37 nectar 

Update 0.3e -> 0.3f.  From the announcement:    * change default keytab to
ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,      the new keytab type that tries
both of these in order (SRVTAB is      also an alias for krb4:)    * improve
error reporting and error handling (error messages should      be more detailed
and more useful)    * improve building with openssl    * add kadmin -K, rcp -F  
 * fix two incorrect weak DES keys    * fix building of kaserver compat in KDC  
 * the API is closer to what MIT krb5 is using    * more compatible with windows
2000    * removed some memory leaks    * bug fixes    

17:25 nectar 

Add a sample start-up script for the KDC.    

15:50 nectar 

Update 0.3d -> 0.3e.    

16:34 nectar 

Missed in previous commit: remove headers for libdes   (they are in a seperate
PLIST now).    

16:30 nectar 

= Update to use OpenSSL in the base if it has MD4 support (version 0.9.6     or
later).  If these libraries are used, then this port's libdes will     not be
built nor installed.    

16:13 nectar 

Update 0.3c -> 0.3d    

23:35 nectar 

= Use system libcom_err.     No longer build or install the included libcom_err
and compile_et.