Gentoo Archives: gentoo-commits

From: Sam James <sam@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: www-apache/mod_auth_kerb/files/
Date: Wed, 29 Dec 2021 08:46:58
Message-Id: 1640767603.e0ba60b7305896a86a5f2021e743e1aae9cd834d.sam@gentoo
commit: e0ba60b7305896a86a5f2021e743e1aae9cd834d
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 29 08:46:34 2021 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Dec 29 08:46:43 2021 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0ba60b7

www-apache/mod_auth_kerb: add Debian patch metadata

Signed-off-by: Sam James <sam <AT> gentoo.org>

.../files/mod_auth_kerb-5.4-api-change-krb5.patch | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)

15 diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch
16 index d0421a0eb6ea..fb402de44a8d 100644
17 --- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch
18 +++ b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch
19 @@ -1,5 +1,27 @@
20 https://sources.debian.org/data/main/liba/libapache-mod-auth-kerb/5.4-2.5/debian/patches/0011-Always-use-NONE-replay-cache-type.patch
21 https://bugs.gentoo.org/830208
22 +
23 +From: Sam Hartman <hartmans@××××××.org>
24 +Date: Mon, 23 Nov 2020 09:30:22 -0500
25 +Subject: Always use NONE replay cache type
26 +
27 +It's 2020. Any MIT Kerberos in the wild supports the none replay
28 +cache type. The previous code used an internal function to detect
29 +that replay cache type; that function is no longer available.
30 +Instead, assume it is present.
31 +
32 +An alternative would be to enable the default replay cache. It was
33 +originally disabled because of problems between Microsoft
34 +authenticators and 2004-era MIT Kerberos 1.3. That's probably a good
35 +idea. It probably closes off security attacks, although analyzing the
36 +impact of replays in cases where neither channel binding nor
37 +per-message services are used is difficult. I believe that a replay
38 +cache is not strictly necessary in the common configuration where
39 +mod-auth-kerb is used over a TLS-protected connection where the client
40 +properly verifies the TLS certificate presented by the server prior to
41 +sending a GSS token.
42 +
43 +I have elected not to enable replay cache to affect a minimal change.
44 --- a/src/mod_auth_kerb.c
45 +++ b/src/mod_auth_kerb.c
46 @@ -2061,28 +2061,6 @@
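Review bot: the embedded description (from `+It's 2020. Any MIT Kerberos in the wild supports the none replay` through `+I have elected not to enable replay cache to affect a minimal change.`) records that the module keeps the NONE replay cache, so GSS tokens are still not replay-checked; since the same text says this is only acceptable where mod-auth-kerb runs over a TLS connection whose certificate the client verifies, consider adding one line to this header (or to the https://bugs.gentoo.org/830208 reference) that states that caveat explicitly so ebuild users see the deployment assumption next to the patch. Minor: the prose runs straight into `--- a/src/mod_auth_kerb.c` without a blank line, and a separator line would keep the patch header readable.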