Updates for krb5-1.11.4krb5-1.11.4-final

27 files changed, 87 insertions, 45 deletions

diff --git a/README b/README
index 9c5704d..b3d53f7 100644
--- a/README
+++ b/README
@@ -77,6 +77,42 @@ from using single-DES cryptosystems.  Among these is a configuration
 variable that enables "weak" enctypes, which defaults to "false"
 beginning with krb5-1.8.
 
+Major changes in 1.11.4 (2013-11-04)
+------------------------------------
+
+* Fix a KDC null pointer dereference [CVE-2013-1417] that could affect
+  realms with an uncommon configuration.
+
+* Fix a KDC null pointer dereference [CVE-2013-1418] that could affect
+  KDCs that serve multiple realms.
+
+* Fix a number of bugs related to KDC master key rollover.
+
+krb5-1.11.4 changes by ticket ID
+--------------------------------
+
+7508    Indefinite FD polling
+7650    Issue following client referral from AD
+7664    Build with Visual Studio 2012
+7668    KDC null deref due to referrals [CVE-2013-1417]
+7670    Add test case for CVE-2013-1417
+7671    Install ccselect_plugin.h
+7702    krb5-1.11.3 FTBFS on NetBSD
+7723    Fix GSSAPI krb5 cred ccache import
+7724    Change KRB5KDC_ERR_NO_ACCEPTABLE_KDF to 100
+7726    Use protocol error for PKINIT cert expiry
+7727    Discuss cert expiry, no-key princs in PKINIT docs
+7734    Fix typos in kdb5_util master key command outputs
+7735    Use active master key in update_princ_encryption
+7737    Correctly activate master keys in pre-1.7 KDBs
+7742    Reset key-generation parameters for each enctype
+7746    Fix decoding of mkey kvno in mkey_aux tl-data
+7747    Improve LDAP KDB initialization error messages
+7748    Document master key rollover
+7752    Clarify kpropd standalone mode documentation
+7756    Multi-realm KDC null deref [CVE-2013-1418]
+7758    Fix reference for trace logging
+
 Major changes in 1.11.3 (2013-06-03)
 ------------------------------------
 
@@ -556,6 +592,7 @@ reports, suggestions, and valuable resources:
     Mark Bannister
     David Bantz
     Alex Baule
+    David Benjamin
     Adam Bernstein
     Arlene Berry
     Jeff Blaine
@@ -576,14 +613,18 @@ reports, suggestions, and valuable resources:
     Nalin Dahyabhai
     Mark Davies
     Dennis Davis
+    Alex Dehnert
     Mark Deneen
+    Günther Deschner
     Roland Dowdeswell
+    Viktor Dukhovni
     Jason Edgecombe
     Mark Eichin
     Shawn M. Emery
     Douglas E. Engert
     Peter Eriksson
     Juha Erkkilä
+    Gilles Espinasse
     Ronni Feldt
     Bill Fellows
     JC Ferguson
@@ -596,6 +637,7 @@ reports, suggestions, and valuable resources:
     Steve Grubb
     Philip Guenther
     Dominic Hargreaves
+    Robbie Harwood
     Jakob Haufe
     Matthieu Hautreux
     Paul B. Henson
@@ -619,6 +661,7 @@ reports, suggestions, and valuable resources:
     Jan iankko Lieskovsky
     Oliver Loch
     Kevin Longfellow
+    Nuno Lopes
     Ryan Lynch
     Nathaniel McCallum
     Greg McClement
@@ -648,6 +691,7 @@ reports, suggestions, and valuable resources:
     Mike Roszkowski
     Guillaume Rousse
     Tom Shaw
+    Jim Shi
     Peter Shoults
     Simo Sorce
     Michael Spang
@@ -668,6 +712,7 @@ reports, suggestions, and valuable resources:
     Simon Wilkinson
     Nicolas Williams
     Ross Wilper
+    Augustin Wolf
     Xu Qiang
     Nickolai Zeldovich
     Hanz van Zijst
diff --git a/src/man/k5identity.man b/src/man/k5identity.man
index b14fd09..04baa86 100644
--- a/src/man/k5identity.man
+++ b/src/man/k5identity.man
@@ -1,4 +1,4 @@
-.TH "K5IDENTITY" "5" " " "1.11.3" "MIT Kerberos"
+.TH "K5IDENTITY" "5" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 k5identity \- Kerberos V5 client principal selection rules
 .
diff --git a/src/man/k5login.man b/src/man/k5login.man
index f3c634a..5fd516c 100644
--- a/src/man/k5login.man
+++ b/src/man/k5login.man
@@ -1,4 +1,4 @@
-.TH "K5LOGIN" "5" " " "1.11.3" "MIT Kerberos"
+.TH "K5LOGIN" "5" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 k5login \- Kerberos V5 acl file for host access
 .
diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man
index 8845053..5e2c748 100644
--- a/src/man/k5srvutil.man
+++ b/src/man/k5srvutil.man
@@ -1,4 +1,4 @@
-.TH "K5SRVUTIL" "1" " " "1.11.3" "MIT Kerberos"
+.TH "K5SRVUTIL" "1" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 k5srvutil \- host key table (keytab) manipulation utility
 .
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
index 607653c..570cd96 100644
--- a/src/man/kadm5.acl.man
+++ b/src/man/kadm5.acl.man
@@ -1,4 +1,4 @@
-.TH "KADM5.ACL" "5" " " "1.11.3" "MIT Kerberos"
+.TH "KADM5.ACL" "5" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 kadm5.acl \- Kerberos ACL file
 .
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
index df75fae..a3f29d4 100644
--- a/src/man/kadmin.man
+++ b/src/man/kadmin.man
@@ -1,4 +1,4 @@
-.TH "KADMIN" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 kadmin \- Kerberos V5 database administration program
 .
diff --git a/src/man/kadmind.man b/src/man/kadmind.man
index e348fc0..a49acf8 100644
--- a/src/man/kadmind.man
+++ b/src/man/kadmind.man
@@ -1,4 +1,4 @@
-.TH "KADMIND" "8" " " "1.11.3" "MIT Kerberos"
+.TH "KADMIND" "8" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 kadmind \- KADM5 administration server
 .
diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man
index 6bb8697..aec70c7 100644
--- a/src/man/kdb5_ldap_util.man
+++ b/src/man/kdb5_ldap_util.man
@@ -1,4 +1,4 @@
-.TH "KDB5_LDAP_UTIL" "8" " " "1.11.3" "MIT Kerberos"
+.TH "KDB5_LDAP_UTIL" "8" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 kdb5_ldap_util \- Kerberos configuration utility
 .
diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man
index 8aa8241..f0063d6 100644
--- a/src/man/kdb5_util.man
+++ b/src/man/kdb5_util.man
@@ -1,4 +1,4 @@
-.TH "KDB5_UTIL" "8" " " "1.11.3" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 kdb5_util \- Kerberos database maintenance utility
 .
@@ -349,8 +349,8 @@ gives more verbose output.
 .sp
 Update all principal records (or only those matching the
 \fIprinc\-pattern\fP glob pattern) to re\-encrypt the key data using the
-active database master key, if they are encrypted using older
-versions, and give a count at the end of the number of principals
+active database master key, if they are encrypted using a different
+version, and give a count at the end of the number of principals
 updated.  If the \fB\-f\fP option is not given, ask for confirmation
 before starting to make changes.  The \fB\-v\fP option causes each
 principal processed to be listed, with an indication as to whether it
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index d98198a..04e47f9 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -1,4 +1,4 @@
-.TH "KDC.CONF" "5" " " "1.11.3" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 kdc.conf \- Kerberos V5 KDC configuration file
 .
diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man
index c647ec0..b4512f7 100644
--- a/src/man/kdestroy.man
+++ b/src/man/kdestroy.man
@@ -1,4 +1,4 @@
-.TH "KDESTROY" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KDESTROY" "1" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 kdestroy \- destroy Kerberos tickets
 .
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 6a8f32b..fc44aac 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -1,4 +1,4 @@
-.TH "KINIT" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KINIT" "1" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 kinit \- obtain and cache Kerberos ticket-granting ticket
 .
diff --git a/src/man/klist.man b/src/man/klist.man
index 598c779..f581e67 100644
--- a/src/man/klist.man
+++ b/src/man/klist.man
@@ -1,4 +1,4 @@
-.TH "KLIST" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KLIST" "1" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 klist \- list cached Kerberos tickets
 .
diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man
index c890562..82e2fd8 100644
--- a/src/man/kpasswd.man
+++ b/src/man/kpasswd.man
@@ -1,4 +1,4 @@
-.TH "KPASSWD" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KPASSWD" "1" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 kpasswd \- change a user's Kerberos password
 .
diff --git a/src/man/kprop.man b/src/man/kprop.man
index 389fd61..f072ff7 100644
--- a/src/man/kprop.man
+++ b/src/man/kprop.man
@@ -1,4 +1,4 @@
-.TH "KPROP" "8" " " "1.11.3" "MIT Kerberos"
+.TH "KPROP" "8" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 kprop \- propagate a Kerberos V5 principal database to a slave server
 .
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index a244f49..02f91bc 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -1,4 +1,4 @@
-.TH "KPROPD" "8" " " "1.11.3" "MIT Kerberos"
+.TH "KPROPD" "8" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 kpropd \- Kerberos V5 slave KDC update server
 .
@@ -69,9 +69,14 @@ kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd
 .UNINDENT
 .UNINDENT
 .sp
-kpropd can also run as a standalone daemon.  This is required for
-incremental propagation.  But this is also useful for debugging
-purposes.
+kpropd can also run as a standalone daemon, backgrounding itself and
+waiting for connections on port 754 (or the port specified with the
+\fB\-P\fP option if given).  Standalone mode is required for incremental
+propagation.  Starting in release 1.11, kpropd automatically detects
+whether it was run from inetd and runs in standalone mode if it is
+not.  Prior to release 1.11, the \fB\-S\fP option is required to run
+kpropd in standalone mode; this option is now accepted for backward
+compatibility but does nothing.
 .sp
 Incremental propagation may be enabled with the \fBiprop_enable\fP
 variable in \fIkdc.conf(5)\fP.  If incremental propagation is
@@ -101,19 +106,11 @@ to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/kr
 Allows the user to specify the pathname to the \fIkdb5_util(8)\fP
 program; by default the pathname used is \fB@SBINDIR@\fP\fB/kdb5_util\fP.
 .TP
-.B \fB\-S\fP
-[DEPRECATED] Enable standalone mode.  Normally kpropd is invoked by
-inetd(8) so it expects a network connection to be passed to it
-from inetd(8).  If the \fB\-S\fP option is specified, or if standard
-input is not a socket, kpropd will put itself into the background,
-and wait for connections on port 754 (or the port specified with the
-\fB\-P\fP option if given).
-.TP
 .B \fB\-d\fP
-Turn on debug mode.  In this mode, if the \fB\-S\fP option is
-selected, kpropd will not detach itself from the current job and
-run in the background.  Instead, it will run in the foreground and
-print out debugging messages during the database propagation.
+Turn on debug mode.  In this mode, kpropd will not detach
+itself from the current job and run in the background.  Instead,
+it will run in the foreground and print out debugging messages
+during the database propagation.
 .TP
 .B \fB\-P\fP
 Allow for an alternate port number for kpropd to listen on.  This
diff --git a/src/man/kproplog.man b/src/man/kproplog.man
index 34dc812..d9184cc 100644
--- a/src/man/kproplog.man
+++ b/src/man/kproplog.man
@@ -1,4 +1,4 @@
-.TH "KPROPLOG" "8" " " "1.11.3" "MIT Kerberos"
+.TH "KPROPLOG" "8" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 kproplog \- display the contents of the Kerberos principal update log
 .
diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man
index 74e5cfb..2be370a 100644
--- a/src/man/krb5-config.man
+++ b/src/man/krb5-config.man
@@ -1,4 +1,4 @@
-.TH "KRB5-CONFIG" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KRB5-CONFIG" "1" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 krb5-config \- tool for linking against MIT Kerberos libraries
 .
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index bdf3585..4ffe03e 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -1,4 +1,4 @@
-.TH "KRB5.CONF" "5" " " "1.11.3" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 krb5.conf \- Kerberos configuration file
 .
diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man
index f8fdc60..21b7814 100644
--- a/src/man/krb5kdc.man
+++ b/src/man/krb5kdc.man
@@ -1,4 +1,4 @@
-.TH "KRB5KDC" "8" " " "1.11.3" "MIT Kerberos"
+.TH "KRB5KDC" "8" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 krb5kdc \- Kerberos V5 KDC
 .
diff --git a/src/man/ksu.man b/src/man/ksu.man
index 02318b9..1d099c0 100644
--- a/src/man/ksu.man
+++ b/src/man/ksu.man
@@ -1,4 +1,4 @@
-.TH "KSU" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KSU" "1" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 ksu \- Kerberized super-user
 .
diff --git a/src/man/kswitch.man b/src/man/kswitch.man
index 20e0190..9190a7a 100644
--- a/src/man/kswitch.man
+++ b/src/man/kswitch.man
@@ -1,4 +1,4 @@
-.TH "KSWITCH" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KSWITCH" "1" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 kswitch \- switch primary ticket cache
 .
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 064c506..36211ae 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -1,4 +1,4 @@
-.TH "KTUTIL" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KTUTIL" "1" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 ktutil \- Kerberos keytab file maintenance utility
 .
diff --git a/src/man/kvno.man b/src/man/kvno.man
index df3d279..47bdda8 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -1,4 +1,4 @@
-.TH "KVNO" "1" " " "1.11.3" "MIT Kerberos"
+.TH "KVNO" "1" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 kvno \- print key version numbers of Kerberos principals
 .
diff --git a/src/man/sclient.man b/src/man/sclient.man
index 6684b28..6d80a00 100644
--- a/src/man/sclient.man
+++ b/src/man/sclient.man
@@ -1,4 +1,4 @@
-.TH "SCLIENT" "1" " " "1.11.3" "MIT Kerberos"
+.TH "SCLIENT" "1" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 sclient \- sample Kerberos version 5 client
 .
diff --git a/src/man/sserver.man b/src/man/sserver.man
index 325ace6..1f7cc5f 100644
--- a/src/man/sserver.man
+++ b/src/man/sserver.man
@@ -1,4 +1,4 @@
-.TH "SSERVER" "8" " " "1.11.3" "MIT Kerberos"
+.TH "SSERVER" "8" " " "1.11.4" "MIT Kerberos"
 .SH NAME
 sserver \- sample Kerberos version 5 server
 .
diff --git a/src/patchlevel.h b/src/patchlevel.h
index eb6cf94..9674800 100644
--- a/src/patchlevel.h
+++ b/src/patchlevel.h
@@ -51,7 +51,7 @@
  */
 #define KRB5_MAJOR_RELEASE 1
 #define KRB5_MINOR_RELEASE 11
-#define KRB5_PATCHLEVEL 3
-#define KRB5_RELTAIL "postrelease"
+#define KRB5_PATCHLEVEL 4
+/* #undef KRB5_RELTAIL */
 /* #undef KRB5_RELDATE */
-#define KRB5_RELTAG "krb5-1.11"
+#define KRB5_RELTAG "krb5-1.11.4-final"