  1. 14 Oct, 2021 2 commits
  2. 22 Sep, 2021 1 commit
  3. 06 Sep, 2021 3 commits
  4. 11 Aug, 2021 1 commit
  5. 21 Jul, 2021 1 commit
  6. 11 Mar, 2021 1 commit
  7. 10 Dec, 2020 1 commit
  8. 23 Nov, 2020 1 commit
    • Import Debian changes 1.18.3-4 · 369b37c9
      Sam Hartman authored
      krb5 (1.18.3-4) unstable; urgency=medium
        * Sigh, either use <= with the old version in the
          libapache-mod-auth-kerb constraint or << with the new version.  <=
          with the new version is no good.  (used <= with the old version)
      krb5 (1.18.3-3) unstable; urgency=medium
        * Update breaks for libapache2-mod-auth-kerb now that we think we have a fix.
        * Mark libkrad-dev as multi-arch: same
      krb5 (1.18.3-2) unstable; urgency=medium
        * Break libapache2-mod-auth-kerb; see #975344.  Obviously this is not a stable situation, but I want to at least let users know that by installing this krb5 libapache2-mod-auth-kerb will not work until we fix it.
      krb5 (1.18.3-1) unstable; urgency=medium
        * New upstream version
          - Fix error when DES disabled, Closes: #932298
        * Fix typo in lintian overrides.
        * Update hurd compat patch, thanks Pino Toscano, Closes: #933770
      krb5 (1.18.2-1) experimental; urgency=medium
        * New Upstream version
        * Include several pre-release patches from 1.18.3:
          - Unregister thread key in SPNEGO finalization
          - Set pw_expiration during LDAP load
          - Avoid using LMDB environments across forks
          - Allow gss_unwrap_iov() of unpadded RC4 tokens
          - Fix input length checking in SPNEGO DER decoding
          - Set lockdown attribute when creating LDAP KDB
          - Add recursion limit for ASN.1 indefinite lengths (CVE-2020-28196,
            Closes: #973880)
        * Release new upstream to experimental
      krb5 (1.17-10) unstable; urgency=medium
        * Also set localstatedir to be consistent with old builds, Closes: #962522
        * Include journalctl dump from krb5kdc tests so we can figure out why ppc tests are breaking.
      krb5 (1.17-9) unstable; urgency=low
        * Fix build-indep, Closes: #962470
      krb5 (1.17-8) unstable; urgency=low
        * krb5-doc is multi-arch Foreign, Closes: #959984
        * Convert to using dh sequencer, Closes: #930690
        * Low urgency to give us a chance to shake out the DH changes
      krb5 (1.17-7) unstable; urgency=medium
        * Use python3 for building docs; pull patch from upstream, Closes: #939483
      krb5 (1.17-6) unstable; urgency=medium
        * Stop depending on texlive-generic-extra, which is no longer built,
          Closes: #933286
      krb5 (1.17-5) unstable; urgency=high
        * Upstream patch to filter invalid enctypes when nfs calls to indicate
          which enctypes it supports, Closes: #932000
        * Do not error out if a keytab includes a single-des enctype, Closes:
      krb5 (1.17-4) unstable; urgency=low
        * Remove single DES support entirely; it has been deprecated for a
          number of years and is going away in 1.18.  We want to find out now
          any debian problems.
        * Migrate from git-dpm to git-debrebase; it truly is better.  Thanks Ian.
        * Add a krb5-user.news for single DES going away
        * Remove the old news file across all packages
  9. 06 Mar, 2021 1 commit
  10. 19 Nov, 2020 1 commit
  11. 30 Mar, 2020 1 commit
  12. 17 Aug, 2019 1 commit
  13. 18 Jun, 2019 1 commit
    • Import Debian changes 1.17-3 · 3f540372
      Sam Hartman authored
      krb5 (1.17-3) unstable; urgency=medium
        * Fix memory leak in replay cache type none
        * Merge in two upstream documentation changes
      krb5 (1.17-2) unstable; urgency=medium
        * Finish removing the run kadmind debconf template which was obsoleted
          when the systemd units were installed, LP: #1817376
  14. 31 May, 2019 2 commits
  15. 13 Jan, 2019 1 commit
    • Import Debian changes 1.17-1 · 65af8b38
      Sam Hartman authored
      krb5 (1.17-1) unstable; urgency=low
        * New Upstream release
        * Don't include all memory ccaches in ccache collection, avoids invalid
          mutex, Closes: #918088
        * The default path for the KDC database even without a config file is
          /var/lib/krb5kdc/principal, Closes: #777579
      krb5 (1.16.2-1) unstable; urgency=medium
        [ Ondřej Nový ]
        * d/changelog: Remove trailing whitespaces
        * d/control: Remove trailing whitespaces
        * d/rules: Remove trailing whitespaces
        [ Sam Hartman ]
        * New Upstream version, Closes: #915780
        * CVE-2018-20217: Incorrect KDC assertion leading to denial of service,
          Closes: #917387
        * Fix typo in tests
      krb5 (1.16.1-1) unstable; urgency=medium
        [ Sam Hartman ]
        * New upstream release
          - Fix flaws in LDAP DN checking, including a null dereference KDC
            crash which could be triggered by kadmin clients with administrative
            privileges [CVE-2018-5729, CVE-2018-5730], Closes: #891869
        * Install kerberos.openldap.ldif, which is probably more useful than
          kerberos.ldif if you're hoping to use the Kerberos schema on Debian.
          Also, the bugs in kerberos.ldif have been corrected; Closes: #660767
        * Suggest krb5-k5tls from krb5-user, Closes: #887937
        * Merge dep8 tests, thanks Canonical and Andreas Hasenack (LP:
      krb5 (1.16-2) unstable; urgency=medium
        * Update location of packaging GIT repository
        * krb5-config was incorrectly changed to include the multiarch triple
          in include paths.  However, our include files are not architecture
          specific; fix krb5-config to not include a multiarch triple in
          include paths, Closes: #887810
      krb5 (1.16-1) unstable; urgency=medium
        * New Upstream Version, Closes: #884490
          - libkdb5 soname is now 9
        * Note that we break moonshot-gss-eap less than 1.0.1.  In particular
          because /etc/gss/mech.d/README is no longer installed,
          moonshot-gss-eap will drop a stray file in /usr/etc.
        * Make krb5-config identical on all architectures and make
          krb5-multidev and libkrb5-dev multiarch installable; solution based on
          discussion with Hugh McMaster, Closes: #881597
      krb5 (1.15.2-2) unstable; urgency=medium
        * Apply upstream patch removing a fixed-size buffer in PKINIT client code,
          Closes: #871698
      krb5 (1.15.2-1) unstable; urgency=medium
        [ Sam Hartman ]
        * Fix plugins directory, thanks Andreas Hasenack, Closes: #872140
        * Move kpropd to krb5-kpropd since stretch is released
        * Mark krb5-kdc and krb5-admin-server as multi-arch foreign
        [ Benjamin Kaduk ]
        * New Upstream Version
          - Ignore files starting with '.' in profile include directories
          - Use longer timeout for HTTPS (KKDCP) transport before switching to UDP
          - Fix kadm5 setkey operations with LDAP KDB
          - Fix CVE-2017-11462: preserve GSS context on init/accept failure,
            Closes: #873563
          - Prevent NULL dereference with keyboard master key
        * Update to policy 4.1.1:
          - Refer to service(8) instead of /etc/init.d/foo
          - Support the 'nodoc' DEB_BUILD_OPTIONS entry
          - Make all packages Priority: optional
      krb5 (1.15.1-2) unstable; urgency=high
        * Depend on libsasl2-dev for LDAP SASL authentication, Thanks Hideki
          Yamane, Closes: #868035
        * Remove /etc/gss/mech.d/README on libgssapi-krb5-2 purge, Closes: #868121
        * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
          Closes: #869260
        * Set Restart=on-abnormal in krb5-kdc.service and krb5-admind.service to
          minimize the impact of future DOS bugs.
      krb5 (1.15.1-1) unstable; urgency=medium
        * New Upstream Version
          - Samba wants this, Closes: #861651
        * Include krb5-otp tmpfile for freeipa, Closes: #859243
        * Move doxygen to build-indep, Closes: #754139
        * For stage1 builds, skip LDAP, based on patch by Johannes Schauer and
          Peter Pentchev, Closes: #752407
        * Annotate control file for stage1 without ldap, Closes: #752409
        * Remove /etc/gss/mech.d/README, Closes: #861218
      krb5 (1.15-2) experimental; urgency=medium
        * Upstream patches to fix startup if getaddrinfo() returns a wildcard v6
          address, and to fix handling of explicitly specified v4 wildcard
          address; regression over previous versions, Closes: #860767
        * Fix SRV lookups to respect udp_preference_limit, regression over
          previous versions with OTP, Closes: #856307
      krb5 (1.15-1) unstable; urgency=medium
        [ Benjamin Kaduk ]
        * New upstream version
          - Make zap() more reliable and use it more consistently; the
            previous version could be optimized out by gcc 5.1 or later
          - Update license statement in ccapi/common/win/OldCC/autolock.hxx,
            Closes: #846088
        * Update Debian-HURD-compatibility.patch, Closes: #845381
        * Bump debhelper compat level to 9
        [ Sam Hartman ]
        * Actually build and ship German translations, Closes: #842497
      krb5 (1.15~beta1-1) unstable; urgency=low
        [ Benjamin Kaduk ]
        * New upstream version
          - Upstream's tarball is now DFSG-free
          - Builds against openssl 1.1.0, Closes: #828369
          - Add support for the AES-SHA2 enctypes
          - Add support to kadmin for remote extraction of current keys
            and principal attributes to prevent such extraction
          - Add DNS auto-discovery using URI records in addition to SRV records
          - Improve LDAP backend to contain some features previously only
            present in the BDB backend
          - Use the getrandom system call on supported Linux kernels
          - Use SHA256 instead of MD5 for hashing authenticators in the replay cache
        * The symbol gssrpc_svcauth_gss_creds was removed upstream from
          libgssrpc; no soname bump because this is an internal API never in a
          public header
        [ Sam Hartman ]
        * Update standards version to 3.9.8
      krb5 (1.14.3+dfsg-2) unstable; urgency=medium
        * Fix gcc -O3, thanks Ben Kaduk/Steve Langasek, Closes: #833798
        * Fix kdb5_util create on 32-bit platforms, thanks Greg Hudson, Closes:
      krb5 (1.14.3+dfsg-1) unstable; urgency=medium
        * New upstream version
          - includes fix for CVE-2016-3120, Closes: #832572
        * build-dep-indep on texlive-generic-extra to pick up iftex.sty after
          a reshuffle, Closes: #828946
        * Comment out supported_enctypes in kdc.conf to avoid including
          single-DES enctypes, Closes: #806928
        * Spell Build-Depends-Indep properly, Closes: #829196
      krb5 (1.14.2+dfsg-1) unstable; urgency=low
        * New upstream version
          - Includes fix for CVE-2016-3119: remote DOS with ldap for
            authenticated attackers, Closes: #819468
        * Fix short descriptions capitalization, Thanks Laura Arjona Reina,
          Closes: #821021
        * New German translation, Thanks Chris Leick, Closes: #816548
      krb5 (1.14+dfsg-1) experimental; urgency=medium
        * New upstream version, Closes: #812131
        * Apply upstream patches:
          - upstream/0010-Fix-mechglue-gss_acquire_cred_impersonate_name.patch
          - 0011-Correctly-use-k5_wrapmsg-in-ldap_principal2.c.patch
          - upstream/0012-Set-TL_DATA-mask-flag-for-master-key-operations.patch
          - upstream/0013-Check-context-handle-in-gss_export_sec_context.patch
          - upstream/0014-Check-internal-context-on-init-context-errors.patch
          - upstream/0015-Fix-interposed-gss_accept_sec_context.patch
          - upstream/0016-Work-around-uninitialized-warning-in-cc_kcm.c.patch
          - upstream/0017-Increase-hostname-length-in-ipropd_svc.c.patch
          - upstream/0018-Make-ksu-work-with-prompting-clpreauth-modules.patch
          - upstream/0019-Fix-memory-leak-in-SPNEGO-gss_init_sec_context.patch
          - upstream/0020-Fix-EOF-check-in-kadm5.acl-line-processing.patch
          - upstream/0021-Fix-iprop-server-stub-error-management.patch
          - upstream/0022-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
          - upstream/0023-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
          - Use blocking lock for db promote, Closes: #815677
        * Verify decoded kadmin C strings [CVE-2015-8629]
          CVE-2015-8629: An authenticated attacker can cause kadmind to read
          beyond the end of allocated memory by sending a string without a
          terminating zero byte. Information leakage may be possible for an
          attacker with permission to modify the database. (Closes: #813296)
        * Check for null kadm5 policy name [CVE-2015-8630]
          CVE-2015-8630: An authenticated attacker with permission to modify a
          principal entry can cause kadmind to dereference a null pointer by
          supplying a null policy value but including KADM5_POLICY in the mask.
          (Closes: #813127)
        * Fix leaks in kadmin server stubs [CVE-2015-8631]
          CVE-2015-8631: An authenticated attacker can cause kadmind to leak
          memory by supplying a null principal name in a request which uses one.
          Repeating these requests will eventually cause kadmind to exhaust all
          available memory. (Closes: #813126)
        * Remove all references to libkrb53, Closes: #708175
        * Merge patch for kpropd service, introducing a new stub package for now
          that will contain the binaries in stretch+1.  We don't want to move
          the binaries now because we'd either break existing installations or
          we'd need krb5-kdc to depend on the new package, which would cause
          kpropd to start in cases where we don't want it, thanks Mark Proehl
          and Michael Weiser, Closes: #775277
      krb5 (1.13.2+dfsg-4) unstable; urgency=high
        * Import upstream patches fixing regressions in the previous upload:
          - CVE-2015-2698: the patch for CVE-2015-2696 caused memory corruption
            for applications calling gss_export_sec_context() on contexts
            established using the IAKERB mechanism.
          - Supply gss_import_sec_context implementations for SPNEGO and IAKERB,
            which were not implemented due to the erroneous belief that the
            exported context tokens would be tagged with the underlying
            context's mechanism.
      krb5 (1.13.2+dfsg-3) unstable; urgency=high
        * Import upstream patches for three CVEs:
          - CVE-2015-2695: SPNEGO context aliasing during establishment
          - CVE-2015-2696: IAKERB context aliasing during establishment
          - CVE-2015-2697: unsafe string handling in TGS processing
      krb5 (1.13.2+dfsg-2) unstable; urgency=medium
        * No-change rebuild to target unstable
      krb5 (1.13.2+dfsg-1) experimental; urgency=medium
        * New upstream release:
          - Fix importing GSS composite export names
          - Fix kadm5.acl wildcard matching when early lines have partial matches
          - Disable principal renames for LDAP; they do not work properly and are
            hard to fix
          - Fix LDAP ticket policies on big-endian LP64 systems
          - Fix memory leak in DB2 iteration
          - Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557
        * Add python to build-depends-indep, since we call it manually during
          the documentation build, Closes: #746395
      krb5 (1.13.1+dfsg-1) experimental; urgency=low
        * New upstream release:
          - Make the KDC default to listening on TCP (as well as UDP)
          - Bump DAL major version for krb5_db_iterate() API change; KDB modules
            will need to be rebuilt
          - Let ksu use any keytab entry to verify the obtained TGT
          - Improve kadm5_randkey_principal interop with Solaris KDCs
          - Export symbols for some public gss interfaces
          - Allow the logger to work with redirected stderr
          - Remove length limit on PKINIT PKCS#12 prompts
      krb5 (1.12.1+dfsg-20) unstable; urgency=high
        * Import upstream patch for CVE-2015-2694, Closes: #783557
        * Bump Standards-Version to 3.9.6 (no changes needed)
      krb5 (1.12.1+dfsg-19) unstable; urgency=medium
        * mark systemd unit directories as optional, Closes: #780831
      krb5 (1.12.1+dfsg-18) unstable; urgency=high
        * Import upstream patch for CVE-2014-5355, Closes: #778647
      krb5 (1.12.1+dfsg-17) unstable; urgency=high
        * MITKRB5-SA-2015-001
          - CVE-2014-5352: gss_process_context_token() incorrectly frees context
          - CVE-2014-9421: kadmind doubly frees partial deserialization results
          - CVE-2014-9422: kadmind incorrectly validates server principal name
          - CVE-2014-9423: libgssrpc server applications leak uninitialized bytes
      krb5 (1.12.1+dfsg-16) unstable; urgency=medium
        * Import upstream patches for CVE-2014-5353 and CVE-2014-5354,
          Closes: #773226, Closes: #773228
      krb5 (1.12.1+dfsg-15) unstable; urgency=medium
        * Also apply slapd-before-kdc.conf to krb5-admin-server.service.d,
          Closes: #769710
      krb5 (1.12.1+dfsg-14) unstable; urgency=medium
        * The upstream patch in 1.12.1+dfsg-13 was incomplete; pull in
          another upstream patch upon which it depended, to fix the
          kfreebsd build, Closes: #768379
      krb5 (1.12.1+dfsg-13) unstable; urgency=medium
        * Remove the ExecReload line added in 1.12.1+dfsg-12; it is not
          a regression from the SysV init script and therefore not suitable
          for jessie post-freeze
        * Apply upstream patch to fix build on FreeBSD 10.1, Closes: #768379
      krb5 (1.12.1+dfsg-12) unstable; urgency=medium
        * Fix typo in krb5-kdc EnvironmentFile name, Closes: #768344
        * Add an ExecReload line to krb5-kdc.service to help with log rotation
      krb5 (1.12.1+dfsg-11) unstable; urgency=medium
        * Provide systemd service units for krb5-kdc, Partially affects: #734161
        * Provide systemd overrides to start slapd first when krb5-kdc-ldap is
          installed, Thanks Michael Biebl, Closes: #758992
        * Provide kadmind service unit, Closes: #734161
        * Drop support for RUN_KADMIND in favor of update-rc.d disable
        * In krb5_newrealm, use service rather than calling init scripts directly
      krb5 (1.12.1+dfsg-10) unstable; urgency=medium
        * Import upstream's patch for CVE-2014-5351, Closes: #762479
      krb5 (1.13~alpha1+dfsg-1) experimental; urgency=low
        [ Jelmer Vernooij ]
        * Reintroduce changes to move krb5-config into krb5-multidev:
         + Provide -L and -I flags from krb5-config. Closes: #730837
         + Ship krb5-config.mit binary in krb5-multidev., Closes: #745322
         + Provide -L and -I flags from pkg-config files. Closes: #750041
        * Use -isystem for include paths, to prevent the compiler from warning
          about problems in them. Closes: #751760
        [ Sam Hartman ]
        * Reintroduce patches and accept proposed patches
        * Update lintian source overrides because some of the BCP 78 hits are
          false positives. We need to investigate cmac.c.
        [ Benjamin Kaduk ]
        * New upstream prerelease:
          - Add support for accessing KDCs via an https proxy using the MS-KKDCP
            protocol, using a plugin provided by the new krb5-k5tls package, which
            uses openssl for the TLS implementation.  The openssl-using code is
            confined to a separate, runtime-loadable, plugin module, in a separate
            package, to ameliorate concerns about GPL code that links libkrb5 running
            into issues with the openssl license.  The Kerberos license is both
            GPL and OpenSSL compatible.  There might be an issue if an application
            was GPL licensed and someone used the OpenSSL plugin with that
            application.  Even that is probably fine provided that no one
            distributes a combination that tends to encourage such usage.  There's
            an existing krb5-pkinit plugin that also links to OpenSSL, but at time
            of integration into Debian no GPLed applications in the archive called
            APIs that would cause that plugin to be loaded.
          - Add support for hierarchical incremental propagation.
          - Add support to the LDAP KDB module for binding to the LDAP server
            using SASL.
          - Add client support for the Kerberos Cache Manager protocol, allowing
            caches served by a Heimdal kcm daemon to be accessed using the KCM:
            cache type.
          - Add support for performing unlocked database dumps to the DB2 KDC
            back end, allowing the KDC and kadmind to continue accessing the
            database during lengthy database dumps.
          - The default location of the socket used by the OTP plugin has moved
            from /etc/krb5kdc to /run/krb5kdc/.
        * Break old versions of libraries that consume libkrb5support0, which
          had its export symbol list change in 1.12 without the dependencies
          changing to reflect that.  Closes: #758288, Closes: #760149
        * Fix the documentation build by explicitly mapping krb5.hin as a C file.
          Closes: #759954
      krb5 (1.12.1+dfsg-9) unstable; urgency=high
        [ Jelmer Vernooij ]
        * Reintroduce changes to move krb5-config into krb5-multidev:
         + Provide -L and -I flags from krb5-config. Closes: #730837
         + Ship krb5-config.mit binary in krb5-multidev., Closes: #745322
         + Provide -L and -I flags from pkg-config files. Closes: #750041
        * Use -isystem for include paths, to prevent the compiler from warning
          about problems in them. Closes: #751760
        [ Sam Hartman ]
        * Reintroduce patches and accept proposed patches
        * Update lintian source overrides because some of the BCP 78 hits are
          false positives. We need to investigate cmac.c.
      krb5 (1.12.1+dfsg-7) unstable; urgency=high
        * Apply upstream's patch for CVE-2014-4345 (MITKRB5-SA-2014-001), buffer
          overrun in kadmind with LDAP backend, Closes: #757416
      krb5 (1.12.1+dfsg-6) unstable; urgency=medium
        [ Benjamin Kaduk ]
        * Apply upstream's patch to switch to TAILQ macros instead of CIRCLEQ macros,
          to work around an issue with certain gcc versions.  This is expected to
          resolve Ubuntu bug (LP: #1347147).
        [ Sam Hartman ]
        * Include a quick and dirty patch so we build cleanly with -O3 fixing
          incorrect may be uninitialized warnings.
      krb5 (1.12.1+dfsg-5) unstable; urgency=high
        * Apply upstream patches for CVE-2014-4343, CVE-2014-4344, Closes: #755520,
          Closes: #755521
      krb5 (1.12.1+dfsg-4) unstable; urgency=high
        * Apply upstream patch for CVE-2014-4341, CVE-2014-4342, Closes: #753624,
          Closes: #753625
      krb5 (1.12.1+dfsg-3) unstable; urgency=high
        * High urgency to revert some changes in the previous version that got
          into testing.  Unfortunately moving krb5-config into krb5-multidev
          breaks some -Werror builds, so we'll revert until we can work out what
          to do, Closes: #751760
        * Revert krb5-config to krb5-multidev, reintroduces: #745322
        * Remove -I and -L from krb5-config, Reintroduces: #730837
        * Remove pkgconfig paths that include mit-kerberos, Reintroduces: #750041
      krb5 (1.12.1+dfsg-2) unstable; urgency=low
        [ Jelmer Vernooij ]
        * Provide -L and -I flags from krb5-config. Closes: #730837
        * Ship krb5-config.mit binary in krb5-multidev., Closes: #745322
        * Provide -L and -I flags from pkg-config files. Closes: #750041
        [ Sam Hartman ]
        * Include upstream patch to load gss mechanisms from /etc/gss/mech.d,
          Closes: #673680
        * Sysconfdir explicitly set to /etc
        * Include ubuntu change to permit libverto-libevent1 (not currently
          built in Debian) as an alternative for the KDC.  For now just
          reduces diff with Ubuntu.  Next libverto upload will probably start
          building that for Debian too.
        * Do not cause endless loop when a mechanism fails to include
          gss_add_cred_from or other new methods (upstream #7926)
        * Include /etc/gss/mech.d/README
        * Low urgency to give extra time in unstable
        * Update symbols for gss_indicate_mechs
      krb5 (1.12.1+dfsg-1) unstable; urgency=low
        [ Sam Hartman ]
        * New upstream version
        * Move gbp.conf to debian
        [ Benjamin Kaduk ]
        * Pull in upstream patch to put OTP sockets in /run by default
        * Pull in upstream patch to avoid duplicate "/etc/krb5.conf" in profile
          path, so we can safely set sysconfdir to /etc
      krb5 (1.12+dfsg-2) unstable; urgency=low
        * Split out libkrad-dev into its own package, Closes: #735323
      krb5 (1.12+dfsg-1) experimental; urgency=low
        [ Benjamin Kaduk ]
        * New upstream release (closes: #730085, #728845, #637662, #729291).
        * Update HURD compatibility patch (closes: #729191).
        * Move pkgconfig files to krb5-multidev and avoid conflicts with
          heimdal (closes: #730267).
      krb5 (1.12~alpha1+dfsg-1) experimental; urgency=low
        [ Benjamin Kaduk ]
        * New upstream release, Closes: #694988, #697954
        * Build-depend on python-lxml, Closes: #725596
        * Remove Debian versions from symbols
        * Add myself to uploaders
        [ Sam Hartman ]
        * Build-depend on libverto-dev 0.2.4 to get verto_set_flags
      krb5 (1.11.3+dfsg-3+nmu1) unstable; urgency=high
        * Non-maintainer upload by the Security Team.
        * Add python-lxml build dependency (closes: #725596).
        * Fix cve-2013-1417: KDC daemon crash condition (closes: #730085).
        * Fix cve-2013-1418: null pointer dereference issue (closes: #728845).
      krb5 (1.11.3+dfsg-3) unstable; urgency=low
        [ Benjamin Kaduk ]
        * Update config.sub and config.guess, patch from upstream, Closes: #717840
        * Update Brazilian Portuguese Translation, thanks Fernando Ike,
          Closes: #719726
        * Bump the version of the gssrpc_clnt_create symbol.  The routine itself
          was changed in a backwards-compatible way, but callers from the kadm5
          libraries were changed to rely on the new behavior, Closes: #718275
        * Add symbols files for the kadm5 libraries.  The KADM5 API version number
          was increased for the 1.11 release but the corresponding library sonames
          were not, so we must indicate the behavior change ourself, Closes: #716772
        [ Sam Hartman ]
        * krb5-kdc depends on libverto-libev1, work around for #652699
        * Remove krb5-kdc conflict since it's more than one release cycle old
        * Add Benjamin Kaduk to uploaders
      krb5 (1.11.3+dfsg-2) experimental; urgency=low
        * Run autoreconf to update configure based on aclocal patch
      krb5 (1.11.3+dfsg-1) experimental; urgency=low
        * New upstream version
          - Turns out 1.11.2+dfsg didn't include the pingpong fix, but this
            does, Closes: #
      krb5 (1.11.2+dfsg-2) experimental; urgency=low
        * Import upstream's patch to not warn or error on variadic macros,
          Closes: #709824
      krb5 (1.11.2+dfsg-1) experimental; urgency=low
        * New upstream version, Closes: #697662
          - By not depending on texinfo, we avoid FTBFSing from its changes,
            Closes: #708711
        * Fix "usage of keytabs gives "Generic preauthentication failure while
          getting initial credentials"" via upstream change to prefer keys in
          the keytab
          (Closes: #698534)
        * Fixed upstream "kerberos password policy attributes missing from
          kerberos.schema"  (Closes:
        * Remove arch-dep and arch-indep dependency in rules  (Closes: #708973)
      krb5 (1.10.1+dfsg-5) unstable; urgency=low
        * Import workaround for getaddrinfo bug from upstream.  Described in
          upstream's RT 7124, addresses the main concern of #697662
        * Correct CVE number for CVE-2012-1016 in changelog and patches, Closes:
      krb5 (1.10.1+dfsg-4+nmu1) unstable; urgency=high
        * Non-maintainer upload by the Security Team.
        * Fix cve-2012-1016: null pointer dereference when handling a draft9 request
          (closes: #702633).
      krb5 (1.10.1+dfsg-4) unstable; urgency=high
        * KDC null pointer dereference with PKINIT, CVE-2013-1415
      krb5 (1.10.1+dfsg-3) unstable; urgency=low
        * Kadmind crash only triggered by admin users, cve-2012-1013, Closes:
        * Don't unload GSS-API plugins to avoid crashing applications that use
          GSS-API on systems with plugins installed, Closes: #693741
      krb5 (1.10.1+dfsg-2) unstable; urgency=high
        * MITKRB5-SA-2012-001 [CVE-2012-1014 CVE-2012-1015] KDC frees
          uninitialized pointers
        * Break libgssglue1 << 0.2-2 for multiarch, Closes: #680612
        * Don't free caller's principal in verify_init_creds, Closes: #512410
      krb5 (1.10.1+dfsg-1) unstable; urgency=low
        * New Upstream Version
          - Set display_name in gss_get_name_attribute, Closes: #658514
        * Fix use counts on preauthentication, Closes: #670457
        * Fix kadmin access controls, Closes: #670918
        * Accept NMU with longer hostname, Closes: #657027
        * Fix history from old databases, Closes: #660869
        * Fix gcc 4.6.2 may be used uninitialized warnings/errors, Closes: #672075
        * Check all keys in keytab for verifying credentials, Possibly fixes:
        * Avoid multi-arch libpath in krb5-config, Closes: #642229
        * Debconf translations:
          - Turkish debconf Translation, Thanks Atila KOC, Closes: #659072
          - Polish, thanks Michal/ Kul/ach, Closes: #658437
      krb5 (1.10+dfsg~beta1-2.1) unstable; urgency=low
        * Non-maintainer upload.
        * Apply patch from Svante Signell to fix FTBFS on hurd-i386, Closes: #657027.
      krb5 (1.10+dfsg~beta1-2) unstable; urgency=low
        * Oops, actually fix build flags, Closes: #655248
      krb5 (1.10+dfsg~beta1-1) unstable; urgency=low
        * New Upstream version
        * Fix hardening flags and pre-dpkg-buildflags support, Closes: #655248
        * Update some symbols files for enhanced functions in 1.10
      krb5 (1.10+dfsg~alpha2-1) unstable; urgency=low
        * New upstream Version
      krb5 (1.10+dfsg~alpha1-7) unstable; urgency=high
        * Merge in github/krb5-1-10 branch up through 12/16/2010: many new
          upstream changes
        * Includes fix for MITKRB5-SA-2011-007 KDC null pointer
          dereference in TGS handling [CVE-2011-1530], Closes: #651226
      krb5 (1.10+dfsg~alpha1-6) unstable; urgency=low
        * Fix segfault with unknown hostnames in krb5_sname_to_principal,
          Closes: #650671
        * Indicate that this library breaks libsmbclient versions that depend on
          krb5_locate_kdc, Closes: #650603, #650611
      krb5 (1.10+dfsg~alpha1-5) unstable; urgency=low
        * Add texinfo back to build depends: policy has been subverted by the
          evil forces of wishful thinking and forward progress
        * Conflict: with libkrb53 again. The transition is over and we no longer
          need that package.
      krb5 (1.10+dfsg~alpha1-4) unstable; urgency=low
        * Add kadmind and krb5kdc pidfiles, Closes: #550781
        * Respect locale in time display, Closes: #138430
        * Status action for init scripts, Thanks Yukio Shiiya, Closes: #645363,
        * Fix dependencies for krb5-kdc
        * Add dpkg-buildflags support
        * Initial build-arch and build-indep support: currently build-indep
          depends on build-arch but that's OK as a starting point
      krb5 (1.10+dfsg~alpha1-3) unstable; urgency=low
        * Build depend on pkg-config
      krb5 (1.10+dfsg~alpha1-2) unstable; urgency=low
        * LDAP plugin depends on ldap library for parallel builds
      krb5 (1.10+dfsg~alpha1-1) unstable; urgency=low
        * New upstream release
          - mit-krb5-sa-2011-006, Closes: #646367
          - Install k5login.5 not just .k5login.5, Closes: #623068
          - Fixes LDAP file descriptor leak, Closes: #561176
        * Updated translations:
          - French, Thanks Christian Perrier, Closes: #630827
          - Catalan, Thanks Innocent De Marchi, Closes: #632208
        * Update to krb5-1-10 branch of 2011-11-28
      krb5 (1.9.1+dfsg-3) unstable; urgency=low
        * New function gss_localname from trunk
      krb5 (1.9.1+dfsg-2) unstable; urgency=low
        * Revert incorrect Danish translations
        * Multiarch support, Thanks Steve Langasek, Closes: #634121
        * Use linux-any in debian/control instead of explicit exclusions,
          Closes: #634311
        * Apply upstream r24977 in order to fix problems where a name exists
          for v6 but not v4, Closes: #532536
        * Apply upstream tickets 6916 and 6917 to fix referrals behavior with
          old KDCs, Closes: #631106
      krb5 (1.9.1+dfsg-1) unstable; urgency=low
        * New upstream version
        * Fix g_make_token_header when no token type is passed
        * Support absolute paths for GSS-API mechanisms
        * Add gss_authorize_localname, gss_userok, gss_pname_to_uid
        * Fix gss_acquire_cred handling with empty mech set; fix
          accept_sec_context handling in this case too
        * Permit importing anonymous name with empty buffer
        * New Translations:
          - Dutch: Thanks Vincent Zweije, Closes: #624173
          - Danish, Thanks Joe Dalton, Closes: #626530
        * Fix kadmin free of null pointer on change password, Closes: #622681
      krb5 (1.9+dfsg-2) unstable; urgency=low
        * In the interest of testing other GSS-API mechanisms it is desirable to
          install the gss-server and gss-client application. These are useful to
          people developing new GSS-API mechanisms within Debian.
      krb5 (1.9+dfsg-1) unstable; urgency=low
        * New upstream version
        * Pull in krb5 1.9 branch as of 03/16/2011
          - Include updates in 1.8.3+dfsg-4, 1.8.3+dfsg-5, 1.8.3+dfsg-6
          - Include fixes for trace logging
        * Since Debian does not and will not ever build with edirectory
          support, remove documentation of edirectory commands from the man
          page. Closes: #580502
        * Includes IPv6 support for kadmind, Closes: #595796
        * Upstream 1.9 supports hooks for password change and synchronization,
          Closes: #588968
        * LDAP now supports stash creation after db creation, Closes: #484808
        * Krb5 1.9 supports including files from krb5.conf, Closes: #429692
      krb5 (1.9+dfsg~beta2-1) experimental; urgency=low
        * New upstream release
        * Fix default location of kpropd.acl in kpropd.M (LP: #688464)
        * Ignore PACs without a server signature generated by OS X Open
          Directory rather than failing authentication, Closes: #604925
        * New exported API: krb5_tkt_creds_get
      krb5 (1.9+dfsg~beta1-1) experimental; urgency=low
        * New upstream release
        * No longer use symbols files for libkadm5 and libkdb5: these libraries
          change very rapidly and tend to change soname each major release.
          Symbols files will be introduced if they make sense again.
        * Update symbols for libkrb5-3: note that several internal functions
          have disappeared. These functions were not part of the public ABI
          which remains stable
        * Update library package names based on soname changes
      krb5 (1.8.3+dfsg-6) unstable; urgency=low
        * Fix double free with pkinit on KDC, CVE-2011-0284, Closes: #618517
        * Updated Danish debconf translations, thanks Joe Dalton, Closes:
      krb5 (1.8.3+dfsg-5) unstable; urgency=low
        * KDC/LDAP DOS (CVE-2010-4022, CVE-2011-0281, and CVE-2011-0282),
          Closes: #613487
        * Fix delegation of credentials against Windows servers; significant
          interoperability issue, Closes: #611906
        * Set nt-srv-inst on TGS names to work against W2K8R2 KDCs, Closes:
        * Don't fail authentication when PAC verification fails; support hmac-
          md5 checksums even for non-RC4 keys, Closes: #616728
      krb5 (1.8.3+dfsg-4) unstable; urgency=medium
        * Ignore PACs without a server signature generated by OS X Open
          Directory rather than failing authentication, Closes: #604925
      krb5 (1.8.3+dfsg-3) unstable; urgency=emergency
        * MITKRB5-SA-2010-007
            * CVE-2010-1324: An unauthenticated attacker can inject arbitrary
              content into an existing GSS connection that appears to be integrity
              protected from the legitimate peer under some circumstances
            * GSS applications may accept a PAC produced by an attacker as if it
              were signed by a KDC
            * CVE-2010-1323: attackers have a 1/256 chance of being able to
              produce krb_safe messages that appear to be from legitimate remote
              sources. Other than use in KDC database copies this may not be a
              huge issue only because no one actually uses krb_safe
              messages. Similarly, an attacker can force clients to display
              challenge/response values of the attacker's choice.
            * CVE-2010-4020: An attacker may be able to generate what is
              accepted as a ad-signedpath or ad-kdc-issued checksum with 1/256
        * New Vietnamese debconf translations, Thanks Clytie Siddall,
          Closes: #601533
        * Update standards version to 3.9.1 (no changes required)
      krb5 (1.8.3+dfsg-2) unstable; urgency=high
        * MITKRB5-SA-2010-006 [CVE-2010-1322]: null pointer dereference in
          kdc_authdata.c leading to KDC crash, Closes: #599237
        * Fix two memory leaks in krb5_get_init_creds path; one of these memory
          leaks is quite common for any application such as PAM or kinit that
          gets initial credentials, thanks Bastian Blank, Closes: #598032
        * Install doc/CHANGES only in krb5-doc, not in all packages, saves
          several megabytes on most Debian systems, Closes: #599562
      krb5 (1.8.3+dfsg-1) unstable; urgency=low
        * New Upstream release; only change is version bump from beta1 to final
        * Bring back a libkrb53 oldlibs package. Note that this is technically a
          policy violation because it doesn't provide libdes425.so.3 or
          libkrb4.so.2 and thus provides a different ABI. However, some
          packages, such as postgres8.4 require the lenny version to be present
          for the squeeze transition, so we cannot force the removal of
          libkrb53's reverse dependencies. We can conflict or break with lenny
          packages that will not work with this libkrb53, but we may break
          out-of-archive packages without notice. Absent someone coming up with
          a patch to the modern libk5crypto-3 that allows it to work with the
          lenny libkrb53 (a weekend's worth of work proved this would be quite
          difficult), this is the best solution we've come up with, Closes: #596678
      krb5 (1.8.3+dfsg~beta1-2) unstable; urgency=low
        * Remove documentation that has moved to the krb5-appl package and is
          not shipped upstream from Debian diff
      krb5 (1.8.3+dfsg~beta1-1) unstable; urgency=low
        * New Upstream version
        * Add breaks with libkrb53 because libdes425 cannot work with new
          libk5crypto3 (Closes: #557929)
        * You want this version: it fixes an incompatibility with how PACs are
          verified with Windows 2008
        * As a result of libkrb53 breaks, we no longer get into problems with
          krb5int_hmac, Closes: #566988
        * Note that libkdb5-4 breaks rather than conflicts libkadm5srv6, Closes:
        * Start kdc before x display managers, Closes: #588536
      krb5 (1.8.1+dfsg-5) unstable; urgency=low
        * Ignore duplicate token sent in mechListMIC from Windows 2000 SPNEGO
          (LP: #551901)
        * krb5-admin-server starts after krb5-kdc, Closes: #583494
      krb5 (1.8.1+dfsg-4) unstable; urgency=low
        * fix prerm script (Closes: #577389), thanks Harald Dunkel
      krb5 (1.8.1+dfsg-3) unstable; urgency=high
        * CVE-2010-1321 GSS-API accept sec context null pointer deref, Closes:
        * Force use of bash for build, Closes: #581473
        * Start slapd before krb5 when krb5-kdc-ldap installed, Closes:
      krb5 (1.8.1+dfsg-2) unstable; urgency=high
        * Fix crash in renewal and validation, Thanks Joel Johnson for such a
          prompt bug report, Closes: #577490
      krb5 (1.8.1+dfsg-1) unstable; urgency=high
        * New upstream release
        * Fixes significant ABI incompatibility between Heimdal and MIT in the
          init_creds_step API; backward incompatible change in the meaning of
          the flags API.  Since this was introduced in 1.8 and since no better
          solution was found, it's felt that getting 1.8.1 out everywhere that
          had 1.8 very promptly is the right approach.  Otherwise software built
          against 1.8 will be broken in the future.
        * Testing of Kerberos 1.8 showed an incompatibility between Heimdal/MIT
          Kerberos and Microsoft Kerberos; resolve this incompatibility.  As a
          result, mixing KDCs between 1.8 and 1.8.1 in the same realm may
          produce undesirable results for constrained delegation.  Again,
          another reason to replace 1.8 with 1.8.1 as soon as possible.
        * Acknowledge security team upload, thanks for picking up the slack and
          sorry it was necessary
      krb5 (1.8+dfsg-1.1) unstable; urgency=high
        * Non-maintainer upload by the Security Team.
        * Fixed CVE-2010-0628: denial of service (assertion failure and daemon crash)
          via an invalid packet that triggers incorrect preparation of an error
          token. (Closes: 575740)
        * Makes src/slave/kpropd.c ISO C90 compliant (Closes: #574703)
      krb5 (1.8+dfsg-1) unstable; urgency=low
        * New upstream version
        * Include new upstream notice file in docs
        * Update symbols files
        * Include upstream ticket 6676: fix handling of cross-realm tickets
          issued by W2K8R2
        * Add ipv6 support to kprop, Michael Stapelberg, Closes: #549476
        * New Brazilian Portuguese translations, Thanks Eder L. Marques,
          Closes: #574149
      krb5 (1.8+dfsg~alpha1-7) unstable; urgency=high
        * MITKRB5-SA-2010-001: Avoid an assertion failure leading to a denial of
          service in the KDC by doing better input validation.  (CVE-2010-0283)
        * Update standards version to 3.8.4 (no changes required).
      krb5 (1.8+dfsg~alpha1-6) unstable; urgency=medium
        * Import upstream fixes including:
          - A non-conformance with RFC 4120 that causes enc_padata to be
          included when the client may not support it
          - Weak crypto acts as a filter and does not reject if DES is
          included in krb5.conf, fixes Samba net ads join, Closes: #566977
        * Medium urgency because of the samba bug fix.  If the samba maintainers
          request the release team to bump to high I'd support that.
        * Update libkdb5 symbols for new upstream internal interface
      krb5 (1.8+dfsg~alpha1-5) unstable; urgency=high
        [ Sam Hartman ]
        * New API to allow an application to enable weak crypto
        * Rename libkadm5clnt and libkadm5srv to libkadm5clnt_mit and
          libkadm5srv_mit in order to avoid conflicts with Heimdal packages.
          Sorry for the second trip through new, but we needed to coordinate
          with upstream on the ABI issues involved with this change.
        * Medium urgency in order to get a fix for openafs-krb5 weak crypto into
          testing sooner
        * Include fix for pam-krb5 segfault with wrong password; bump urgency to
        [ Russ Allbery ]
        * Change libkrb5-dbg to only depend on libkrb5-3, libk5crypto3, or
          libkrb5support0.  All of the other packages for which it provides
          debugging symbols also depend on one of those packages and always
          will, so listing the disjunction of every library package is
          overkill.  Remove from the Depends several obsolete library packages
          no longer included.
        * Drop obsolete Replaces for libkadm5srv-mit7 and libkadm5clnt-mit7.
        * Wrap krb5-multidev dependencies and description and shorten the short
        * Reformat NEWS.Debian to avoid using a bulleted list per devref.
        [ Sam Hartman ]
        * Link libkadm5{clnt,srv}.so specially so that the links work without
          libkrb5-dev installed
      krb5 (1.8+dfsg~alpha1-4) unstable; urgency=high
        * Add replaces to deal with moving files from krb5-multidev to
          libkrb5-dev, Closes: #565217
        * This is definitely the getting all the conflicts combinations right is
          tricky series of releases.  Sorry about the wasted cycles.
      krb5 (1.8+dfsg~alpha1-3) unstable; urgency=high
        * Move files to avoid overlap between heimdal-dev and krb5-multidev,
          Closes: #565132
      krb5 (1.8+dfsg~alpha1-2) unstable; urgency=high
        * While Kerberos 1.8 is not vulnerable to CVE-2009-4212 (the vulnerable
          code was removed during the 1.8 release process for code
          simplification and code size reasons), this is urgency high to get a
          version of Kerberos that fixes that integer underflow in the AES and
          RC4 code into testing.
        * For now, heimdal and MIT shared libraries for kadm5 will conflict;
          discussions of how to fix this are ongoing upstream, Closes: #564666
        * New translations; sorry about missing them in the last upload
          - Vietnamese, Thanks Clytie Siddall, Closes: #548204
          - Basque, Thanks Piarres Beobide, Closes: #534284
        * Update standards version (no changes required)
        * Pull upstream changes made since alpha1 into the package.  In
          particular this includes a fix to a bug where unkeyed checksums are
          accepted by the FAST KDC backend.  That bug was introduced between 1.7
          and 1.8 alpha1 so is only present in prior Debian packages of 1.8. See
          upstream tickets 6632 and 6633.
      krb5 (1.8+dfsg~alpha1-1) unstable; urgency=low
        * Include symlinks in libkrb5-dev too
        * New upstream release
        * Fix .so symlinks in krb5-multidev
      krb5 (1.8+dfsg~aa+r23527-1) experimental; urgency=low
        * MIT krb5 trunk prior to 1.8 branch
        * Remove krb5-telnet, krb5-ftpd, krb5-clients, krb5-rsh-server, no
          longer provided upstream.  These are provided now in a separate source
        * Bring back functions needed by Samba, Closes: #531635
        * I know that the symbols revisions are generating lintian warnings;
          that will be cleaned up when upstream actually makes an alpha release
        * Implement krb5-multidev similar to heimdal-multidev so that packages
          can be built against both MIT Kerberos and Heimdal
      krb5 (1.7+dfsg-4) unstable; urgency=high
        * cve-2009-3295, MIT-KRB5-SA-2009-003: KDC crash when failing to find
          the realm of a host., Thanks 2Jakob Haufe for the report to Debian
      krb5 (1.7+dfsg-3) unstable; urgency=low
        * Fix typo in control file
        * Exclude usr/lib/krb5/plugins from dh_makeshlibs call to deal with
          behavior change in dh_makeshlibs, Closes: #558719
      krb5 (1.7+dfsg-2) unstable; urgency=low
        * Only picked up part of the upstream fix to #557979; upstream fully
          reverted to 1.6.
      krb5 (1.7+dfsg-1) unstable; urgency=low
        * New upstream version, Closes: #554225
        * Several fixes applied after the 1.7 release:
          - 6506: correctly handle keytab vs stash file
          - 6508: kadmind ACL parsing could reference uninitialized memory
          - 6509: kadmind can reference null pointer on ACL error
          - 6511: uninitialized memory passed to krb5_free_error in change
          password client path
          - 6514: none replay cache memory leak
          - 6515: profile library mutex performance improvements
          - 6541: memory leak in PAC verify code
          - 6542: Check for null characters in pkinit certs
          - 6543: login vs user order in ftpd sometimes wrong
          - 6551: Memory leak in spnego accept_sec_context error path
        * libkrb5-dev depends on libkadm5clnt6 (LP: #472080)
        * Avoid locking out accounts on PREAUTH_FAILED, Closes: #557979, (LP:
      krb5 (1.7dfsg~beta3-2) UNRELEASED; urgency=low
        * Update to policy 3.8.2 (no changes)
      krb5 (1.7dfsg~beta3-1) unstable; urgency=low
        * New upstream release
        * Revert relaxation of Debian symbol versions introduced in
        * Fix kproplog's manpage (LP: #374819)
      krb5 (1.7dfsg~beta2-4) unstable; urgency=low
        * Upstream fixes to RT #6490, Closes: #528729
          - Use MS usage 9 not 8 for tgs-rep encrypted in subkey
          - Do not use keyed checksum with RC4; WS2003 expects it to be
          encrypted in the subsession key, everyone else expects the session
          key.  Note that a keyed checksum for RC4 would work against WS2008.
        * Patch from Marc Dequènes (Duck) for HURD portability, Closes:
      krb5 (1.7dfsg~beta2-3) unstable; urgency=low
        * Use correct enctype identifier in lucid security context export,
          Closes: #528514
      krb5 (1.7dfsg~beta2-2) unstable; urgency=low
        * Apply upstream patch from ticket 6488 intended to fix
          gss_krb5_export_lucid_sec_context and thus NFS; hopefully fixes
        * Apply patch from ticket 6489 to fix UCS2 handling in RC4 string to
          key and PAC routines
      krb5 (1.7dfsg~beta2-1) unstable; urgency=low
        * New Upstream release including FAST support for DES and 3DES.
        * Remove non-free content accidentally reintroduced in beta1, Closes: #528555
        * Add strict dependency from libgssapi-krb5-2 to libkrb5-3 as discussed
          in #528514
      krb5 (1.7dfsg~beta1-4) unstable; urgency=low
        * When decrypting the TGS response fails with the subkey, try with the
          session key to work around Heimdal bug, Closes: #527353
      krb5 (1.7dfsg~beta1-3) unstable; urgency=low
        * Relax symbol versions of symbols that exist in krb5 1.6.dfsg.2 to
          1.6.dfsg.2.  No software currently in Debian uses the new
          functionality, and this will ease the transition because it allows
          krb5 to move independently of packages that are being rebuilt.  This
          change will be reverted before the end of May, 2009.
      krb5 (1.7dfsg~beta1-2) unstable; urgency=low
        * Upload to unstable with permission of release team; note that this
          upload will make anything that depends on libkrb53 uninstallable in
          unstable.  The release team will make binary only NMUs to rebuild any
          such packages and they will depend on the new libraries.  Packages
          built since 1.6.dfsg.4~beta1-9 entered unstable should not be affected.
        * Upstream change: return PREAUTH_REQUIRED not PREAUTH_FAILED on unknown
          preauth type in the KDC.
        * Remove a bunch of patches applied upstream from debian/patches
      krb5 (1.7dfsg~beta1-1) experimental; urgency=low
        * New upstream release
          - kadmin and related commands moved to /usr/bin, Closes: #477296
          - Kadmin headers are Public: Closes: #191616
          - KDC supports loopback address, Closes: #478425
      krb5 (1.7dfsg~alpha1-1) experimental; urgency=low
        * New upstream version
      krb5 (1.6.dfsg.4~beta1-13) unstable; urgency=high
        * MITKRB5-SA-2009-001: Fix read-beyond-end-of-buffer DOS in SPNEGO, an
          SPNEGO null pointer dereference, and incorrect length validation in
          an ASN.1 decoder.  (CVE-2009-0844, CVE-2009-0845, CVE-2009-0847)
        * MITKRB5-SA-2009-002: ASN.1 general time decoder can free uninitialized
          pointer.  (CVE-2009-0846)
        * Add dependency on libkrb53 from libkrb5-dev.  This should make it
          significantly more difficult for buildds to get out of sync.  I don't
          think we can do better within the constraints of this transition,
          Closes: #522469
      krb5 (1.6.dfsg.4~beta1-12) unstable; urgency=low
        * Translation updates:
          - Romanian, thanks Eddy Petrișor.  (Closes: #519660)
          - Finnish, thanks Esko Arajärvi.  (Closes: #519741)
          - Russian, thanks Sergey Alyoshin.  (Closes: #519744)
          - Spanish, thanks Francisco Javier Cuadrado.  (Closes: #519808)
      krb5 (1.6.dfsg.4~beta1-11) unstable; urgency=low
        * Upload from the partial-krb4 branch not the master branch so we don't
          break unstable.
          - Restore libkrb53 and libkadm55
        * Resync the aes test files from upstream to fix a line ending problem
          and significantly shrink the debian diff
      krb5 (1.6.dfsg.4~beta1-10) unstable; urgency=low
        * Add Homepage control field.
        * Add ${misc:Depends} to dependencies for all packages.
        * Expand the packages that satisfy the libkrb5-dbg dependency.
        * Include a few more details about the differences between the various
          library packages in their long descriptions and fix some whitespace
          inconsistencies.  Thanks, Gerfried Fuchs.  (Closes: #519403)
        * Remove empty usr/include/kerberosIV directory in libkrb5-dev.
        * Use set -e instead of #!/bin/sh -e for all maintainer scripts.
        * Use which without a path to check for update-inetd.
        * Improve the leading comment in /etc/default/krb5-kdc.
        * Remove unnecessary section override for krb5-pkinit.
        * Update to debhelper compatibility level V7.
          - Use dh_lintian to install Lintian overrides.
          - Use dh_prep instead of dh_clean -k.
        * Update standards version to 3.8.1 (no changes required).
        * Fix superfluous space in the krb5-kdc debconf templates and unfuzzy
          translations.  Thanks, Helge Kreutzmann.  (Closes: #518403)
        * Translation updates:
          - French, thanks Christian Perrier.  (Closes: #518221)
          - Japanese, thanks TANAKA Atushi.  (Closes: #518345)
          - Swedish, thanks Martin Bagge.  (Closes: #518347)
          - German, thanks Helge Kreutzmann.  (Closes: #518402)
          - Czech, thanks Miroslav Kure.  (Closes: #518993)
          - Portuguese, thanks Miguel Figueiredo.  (Closes: #519000)
          - Italian, thanks Luca Monducci.  (Closes: #519178)
          - Galician, thanks Marce Villarino.  (Closes: #519481)
      krb5 (1.6.dfsg.4~beta1-9) unstable; urgency=medium
        * Fix typo in downgrade instructions in NEWS file.
        * Fix override for libkadm55
        * Upload to unstable.
      krb5 (1.6.dfsg.4~beta1-8) experimental; urgency=low
        * Re-introduce libkrb53 and libkadm55 based on discussion on
          debian-devel; in this version, libkrb53 contains only libkrb4.  Both
          libkrb53 and libkadm55 depend on the split library packages.  These
          dependencies are unversioned; that means that before any symbols are
          added the shlibs files need to be repointed away from libkrb53 and
          libkadm55.  Any version of the split library packages can satisfy the
          symbols needed by the libraries previously shipped in libkrb53.
        * Perform two builds; one without krb4 and one with krb4 for the only
          warnings; they will go away when the shlibs files are repointed.
        * Remove krb4 support from debconf and init scripts.
        * Remove the krb4 migration guide from doc-base
        * Fix up replaces in control file so that libraries that used to be in
          libkadm55 claim to replace libkadm55
        * Only use parallel builds on the krb5 build; it breaks krb4 enabled
        * Used versioned replaces; this seems to make it harder to get a system
          into a broken state if you remove the new packages, Closes: #517483
      krb5 (1.6.dfsg.4~beta1-7) experimental; urgency=low
        * Do not build krb4 support; this is being removed upstream with 1.7 and
          it is strongly desirable to examine the debian implications.
        * As a result, the libraries which were previously all in libkrb53 need
          to change package names as we are dropping some libraries.  So, split
          out the libraries into lib<libraryname>-<soname> per policy.  The old
          format was consistent with policy when it was written 8 years ago, and
          has lasted well.  As a result, a significant number of new library
          packages are introduced.
        * Use dpkg-gensymbols support for .symbols files for better version tracking
        * Update to policy 3.8.0
          - Support parallel=
      krb5 (1.6.dfsg.4~beta1-6) unstable; urgency=low
        * In the krb5-install info pages, document the need to create an empty
          database on new slaves before the first database propagation to work
          around a bug in kdb5_util.  This is a workaround for Bug#512670, which
          won't be fixed in time for the lenny release.
      krb5 (1.6.dfsg.4~beta1-5) unstable; urgency=low
        * Correct the actions of krb5_newrealm in its man page.  It doesn't
          create a keytab for kadmind since kadmind no longer needs one.
          Mention that it does create a stash file and that it starts the KDC
          and kadmind daemons.  Thanks, David Medberry.  (Closes: #504126)
        * Translation updates:
          - Spanish, thanks Ignacio Mondino.  (Closes: #504766)
      krb5 (1.6.dfsg.4~beta1-4) unstable; urgency=low
        [ Russ Allbery ]
        * Translation updates:
          - Swedish, thanks Martin Bagge.  (Closes: #487669, #491774)
          - Italian, thanks Luca Monducci.  (Closes: #493962)
        [ Sam Hartman ]
        * Translation Updates:
          - Dutch, Thanks Vincent Zweije, Closes: #495733
      krb5 (1.6.dfsg.4~beta1-3) unstable; urgency=low
        * Set length to 0 on no-salt ldap keys so they do not crash; upstream
          ticket 5545, Closes: #480523
        * Swedish translations, thanks Martin Bagge, Closes: #487563
      krb5 (1.6.dfsg.4~beta1-2) unstable; urgency=low
        [ Russ Allbery ]
        * Translation updates:
          - Japanese, thanks TANAKA, Atushi.
          - Russian, thanks Sergey Alyoshin.  (Closes: #485473)
          - Brazilian Portuguese, thanks Eder L. Marques.  (Closes: #485613)
          - Romanian, thanks Eddy Petrișor.  (Closes: #484996)
        [ Sam Hartman ]
        * Upload 1.6.4 beta 1 to unstable.  As best I can tell evaluating the
          changes this is a strict improvement over 1.6.3 even though it is
          still a beta version.  There is not an ABI change; backing out would
          be relatively easy.
        * Patch from Bryan Kadzban to look inside spnego union_creds when
          looking for a specific mechanism cred.  This allows spnego creds to be
          used when copying out to a ccache after delegation, Closes: #480434
        * Ksu now calls krb5_verify_init_creds rather than using its own custom
          logic because that is correct and so it can take advantage of the
          following change.
        * krb5_verify_init_creds uses the default realm if it gets a referral
          realm as input for server, Closes: #435427
        * Add -D_FORTIFY_SOURCE=2 and -fstack-protector on ia32 and x86_64 at
          the request of Moritz Muehlenhoff; he was unsure that adding these
          flags on other platforms would be a good idea.  I'd be happy to expand
          the list at the request of port maintainers, Closes: #484371
        * Fix KDC purge code introduced in previous revision.
      krb5 (1.6.dfsg.4~beta1-1) experimental; urgency=low
        [ Russ Allbery ]
        * Do not translate the Kerberos v4 modes.  They are literal strings
          passed to the Kerberos KDC as arguments to the -4 option.  Comment
          mentions of those strings in the debconf template so that
          translators know this.
        * Rather than prompting at installation time for whether the KDC
          database should be deleted on purge, prompt in prerm when the package
          is being removed for whether the database should be deleted.
        * Translation updates:
          - Galician, thanks Jacobo Tarrio.  (Closes: #482324)
          - French, thanks Christian Perrier.  (Closes: #482326)
          - Vietnamese, thanks Clytie Siddall.  (Closes: #482362)
          - Basque, thanks Piarres Beobide.  (Closes: #482376)
          - Czech, thanks Miroslav Kure.  (Closes: #482428)
          - German, thanks Helge Kreutzmann.  (Closes: #482366)
          - Spanish, thanks Diego D'Onofrio.
          - Finnish, thanks Esko Arajärvi.  (Closes: #482682)
          - Portuguese, thanks Miguel Figueiredo.  (Closes: #483049)
        [ Sam Hartman ]
        * Remove extra space in debian/rules so upstream configure scripts can
        * Upgrade to 1.6.4 beta 1.
        * Upstream includes several fixes to bugs that were assigned CVE
          numbers; upstream does not actually consider these security issues and
          no advisory was issued, but they are included here for the benefit of
          the security team in case anyone asks.  Closes: #454974
          - fix CVE-2007-5972: double fclose() in krb5_def_store_mkey()
          - fix CVE-2007-5971: double-free in gss_krb5int_make_seal_token_v3()
          - fix CVE-2007-5902: integer overflow in svcauth_gss_get_principal()
          - fix CVE-2007-5971: free of non-heap pointer in gss_indicate_mechs()
          - fix CVE-2007-5894: apparent uninit length in ftpd.c:reply()
      krb5 (1.6.dfsg.3-2) unstable; urgency=low
        * kdc.conf was previously in krb5-doc, not uninstalled.  Properly
          handle moving it to the krb5-kdc package.  (Closes: #480452)
        * Include libkdb-ldap1 in krb5-kdc-pkinit, install it into a private
          directory (/usr/lib/krb5) rather than directly in /usr/lib, and use an
          RPATH in kdb5_ldap_util and the plugin to find the library.  Drop the
          libkdb-ldap1 library package.  This library isn't intended to be used
          by any software outside of the KDC plugin and utility.  Thanks,
          Bastian Blank.  (Closes: #479384)
        * Load defaults for debconf configuration of krb5-admin-server and
          krb5-kdc from the /etc/default files if they exist.  Thanks, Bastian
          Blank.  (Closes: #479404)
        * Preserve DAEMON_ARGS settings in /etc/default/krb5-admin-server and
          /etc/default/krb5-kdc even if debconf configuration is enabled.
        * Don't require that a stash file be created in /etc/init.d/krb5-kdc.
          Stash files are optional.  (Closes: #479457)
        * Error out instead of silently exiting if debconf's confmodule cannot
          be loaded.  Given that we depend on debconf, if this fails, something
          serious went wrong and we shouldn't ignore it.
        * Use /bin/which instead of command -v to check for update-inetd.
        * Unconditionally remove kpropd's inetd.conf entry in the postrm of
          krb5-kdc rather than special-casing remove and deconfigure.
        * Add 256-bit AES and RC4 keys to the default kdc.conf, the first
          because it's the strongest enctype currently supported and the second
          for Windows compatibility.  Improve the README.KDC enctype
        * Install kerberos.ldif and kerberos.schema in krb5-kdc-ldap as
          documentation.  Thanks, Bastian Blank.  (Closes: #479239)
      krb5 (1.6.dfsg.3-1) unstable; urgency=low
        * Final upstream 1.6.3 release.
        * Package the LDAP plugin for the KDC, which allows one to use an LDAP
          server to store the KDC database.  Install the krb5-kdc-ldap package
          for the plugin.  (Closes: #453113)
        * If krb5-config/default_realm isn't set, use EXAMPLE.COM as the realm
          so that the kdc.conf will at least be syntactically valid (but will
          still require editing).  (Closes: #474741)
        * krb5-kdc explicitly depends on krb5-config since it relies on debconf
          variables set by that package.
        * Always stop krb524d on /etc/init.d/krb5-kdc stop even if the
          configuration has been changed to no longer run it.  Thanks, Bastian
          Blank.  (Closes: #477294)
        * Install the kdc.conf man page.  (Closes: #477307)
        * krb5-kdc no longer depends on update-inetd and inet-superserver and
          instead just suggests openbsd-inetd | inet-superserver and
          conditionally adds the commented-out kpropd example if update-inetd is
          available.  krb5-admin-server doesn't need inet-superserver at all.
          Thanks, Bastian Blank.  (Closes: #477301)
        * Change the doc-base sections to System/Security.
        * Correctly mangle the version in the watch file.
        * Remove conflicts with packages already not present in oldstable.
        * Remove versioned build-dependencies satisfied by oldstable.
        * Remove versioned Replaces for versions older than oldstable.
      krb5 (1.6.dfsg.3~beta1-4) unstable; urgency=emergency
        * MITKRB5-SA-2008-001: When Kerberos v4 support is enabled in the KDC,
          malformed messages may result in NULL pointer use, double-frees, or
          exposure of information.  (CVE-2008-0062, CVE-2008-0063)
        * MITKRB5-SA-2008-002: If the file descriptor limit is larger than
          FD_SETSIZE and kadmind has more open connections than FD_SETSIZE, an
          array overrun and memory corruption may result.  (CVE-2008-0947)
      krb5 (1.6.dfsg.3~beta1-3) unstable; urgency=low
        * Apply cross-build patch from Neil Williams.  (Closes: #465294)
        * Document in comments that configuration management via debconf should
          be disabled before making manual changes to /etc/default/krb5-kdc and
          /etc/default/krb5-admin-server.  (Closes: #443326)
        * Support DAEMON_ARGS in /etc/default/krb5-admin-server for kadmind.
          Thanks, Dwayne Litzenberger.  (Closes: #443331)
        * Don't stop the servers in runlevel S.  This isn't a real runlevel and
          cannot be switched to, so the links are extraneous.
        * Use binary:Version instead of Source-Version in debian/control.
        * Depend on openbsd-inetd | inet-superserver instead of on update-inetd,
          since inetd implementations may provide their own update-inetd.
        * Improve quoting and formatting in the postinsts for krb5-kdc and
          krb5-admin-server.  Error on failure to load debconf, since we do
          depend on it.  Support reconfigure.
        * Fix file locations in the krb524 doc-base control file.
        * Add the info documentation to all doc-base control files.
        * Fix a variety of man page errors uncovered by man --warnings.
        * Wrap Depends and Conflicts fields in debian/control.
        * dpkg-dev now compresses duplicate relations, so no need for lintian
        * Add an override for the empty plugin directory in libkrb53.
        * Update standards version to 3.7.3 (no changes required).
        * Translation updates:
          - Finnish, thanks Esko Arajärvi.  (Closes: #451146)
          - Dutch, thanks Vincent Zweije.  (Closes: #460589)
      krb5 (1.6.dfsg.3~beta1-2) unstable; urgency=low
        * Move pkinit into a new package krb5-pkinit.  We don't want pkinit to
          always be installed because this pulls in an openssl dependency and
          most people don't need it.  However we want the plugin available when
          needed, Closes: #444938
        * I had hoped to wait for the upstream release, but that is being a bit slow.
      krb5 (1.6.dfsg.3~beta1-1) unstable; urgency=low
        * New Upstream release
          - Fix krb5_set_default_tgs_enctypes, Closes: #413838
      krb5 (1.6.dfsg.1-7) unstable; urgency=emergency
        * mit-sa-2007-6:
            - CVE 2007-3999 rpc library buffer overflow
            - CVE 2007-uninitialized kadmin pointer
      krb5 (1.6.dfsg.1-6) unstable; urgency=low
        * Don't depend on libkeyutils-dev on non-Linux architectures.  Thanks,
          Petr Salinger.  (Closes: #430215)
        * Restore support for the RUN_KADMIND setting as written by debconf.
          Thanks, Christoph Neerfeld.  (Closes: #429535)
        * Wrap the build-depends line now that dpkg in oldstable supports this.
        * Update debconf templates and debian/control long package descriptions
          as suggested by the debian-l10n-english team as part of the Smith
          review project.  Thanks to Christian Perrier for the coordination
          work.  (Closes: #428195)
        * Debconf translation updates:
          - Galician, thanks Jacobo Tarrio.  (Closes: #429511)
          - Portuguese, thanks Miguel Figueiredo.  (Closes: #429592)
          - Basque, thanks Piarres Beobide.  (Closes: #429637)
          - Japanese, thanks TANAKA, Atushi.  (Closes: #429844)
          - Vietnamese, thanks Clytie Siddall.  (Closes: #429907)
          - German, thanks Helge Kreutzmann.  (Closes: #430561)
          - Czech, thanks Miroslav Kure.  (Closes: #431203)
          - Russian, thanks Yuri Kozlov.  (Closes: #431247)
          - French, thanks Christian Perrier.
      krb5 (1.6.dfsg.1-5) unstable; urgency=emergency
        * MIT-SA-2007-4: The kadmin RPC library can free an uninitialized
          pointer or write past the end of a stack buffer.  This may lead to
          execution of arbitrary code.  (CVE-2007-2442, CVE-2007-2443)
        * MIT-SA-2007-5: kadmind is vulnerable to a stack buffer overflow that
          may lead to execution of arbitrary code.  (CVE-2007-2798)
      krb5 (1.6.dfsg.1-4) unstable; urgency=low
        * Make --deps switch to krb5-config include dependent libraries; otherwise do not, Closes: #422985
        * Include copyright statement for remaining IETF draft, Closes: #393380
      krb5 (1.6.dfsg.1-3) unstable; urgency=low
        * Upstream bug #5552: krb5_get_init_creds needs to not dereference
          gic_opts if it is null.  Instead, assume that it is default options,
          Closes: #422687
      krb5 (1.6.dfsg.1-2) unstable; urgency=low
        * Fix shlibdeps to reflect 1.6.dfsg.1 instead of 1.6.1
        * Upload 1.6 to unstable
      krb5 (1.6.dfsg.1-1) experimental; urgency=low
        * Oops, I failed to understand how the version numbers work.  Since 1.6.1 is less than 1.6.dfsg, the version numbering is going to be a bit screwy for the 1.6 series.  We will use 1.6.dfsg.1 for 1.6.1.
        * Update to update-inetd dependency, Closes: #420748
      krb5 (1.6.1.dfsg-1) experimental; urgency=low
        * Depend on keyutils-lib-dev so we consistently get keyring cache support
        * New Portuguese translation, thanks Miguel Figueiredo, Closes: #409318
        * New Upstream release
            - Update shlibs for new API
        * Fix handling of null realm in krb5_rd_req_decoded; now we treat a null realm as a default realm there.
      krb5 (1.6.dfsg-1) experimental; urgency=low
        * New 1.6 release from upstream.
        * Update copyright
      krb5 (1.6.dfsg~alpha1-1) experimental; urgency=low
        * New upstream release
        * Remove IETF RFCs, Closes: #393380
        * Update copyright file based on new copyrights upstream
      krb5 (1.4.4-8) unstable; urgency=emergency
        * MIT-SA-2007-1: telnet allows login as an arbitrary user when
          presented with a specially crafted username; CVE-2007-0956
        * krb5_klog_syslog has a trivial buffer overflow that can be exploited
          by network data; CVE-2007-0957.  The upstream patch is very intrusive
          because it fixes each call to syslog to have proper length checking as
          well as the actual krb5_klog_syslog internals to use vsnprintf rather
          than vsprintf.  I have chosen to only include the change to
          krb5_klog_syslog for sarge.  This is sufficient to fix the problem but
          is much smaller and less intrusive.  (MIT-SA-2007-2)
        * MIT-SA-2007-3: The GSS-API library can cause a double free if
          applications treat certain errors decoding a message as errors that
          require freeing the output buffer.  At least the gssapi rpc library
          does this, so kadmind is vulnerable.  Fix the gssapi library because
          the spec allows applications to treat errors this way.  CVE-2007-1216
        * New Japanese translation, thanks TANAKA Atushi, Closes: #414382
      krb5 (1.4.4-7) unstable; urgency=low
        * Translation updates:
          - New Portuguese translation, thanks Rui Branco.  (Closes: #409318)
      krb5 (1.4.4-6) unstable; urgency=emergency
        * MIT-SA-2006-2: kadmind and rpc library call through function pointer
          to freed memory (CVE-2006-6143).  Null out xp_auth unless it is
          associated with an rpcsec_gss connection.
      krb5 (1.4.4-5) unstable; urgency=low
        * Translation updates:
          - New Spanish translation, thanks Fernando Cerezal.  (Closes: #402986)
      krb5 (1.4.4-4) unstable; urgency=low
        * Remove the check for pthread_mutexattr_setrobust_np in the thread
          initialization code.  This was only needed on Solaris 9 and has been
          removed upstream, and was causing FTBFS with glibc 2.5.  Thanks,
          Martin Pitt.  (Closes: #396166)
        * Translation updates:
          - New Romanian translation, thanks stan ioan-eugen.  (Closes: #395347)
      krb5 (1.4.4-3) unstable; urgency=low
        * Don't require the presence of debconf during the postrm.  Thanks to
          Bill Allombert for the report.  (Closes: #388784)
        * Fix uses of hyphens instead of minus signs in the man pages.
      krb5 (1.4.4-2) unstable; urgency=low
        * Patch from Alejandro R. Sedeno to allow 32-bit and 64-bit krb4 ticket
          files to be used on the same system.  Similar to a patch included in
          MIT Kerberos 1.5 but backported because of missing byte order macros.
      krb5 (1.4.4-1) unstable; urgency=low
        * New upstream release.
        * Stop using --exec to start and stop services since then services will
          not be stopped properly during an upgrade.  (Closes: #385039)
        * Rewrite the init scripts to include LSB information and to use the LSB
          logging functions.  krb5-kdc and krb5-admin-server now depend on
          lsb-base (>= 3.0-6) for the LSB functions.
      krb5 (1.4.4~beta1-1) unstable; urgency=low
        * New upstream version including several memory leak fixes
        * Install upstream changelog
      krb5 (1.4.3-9) unstable; urgency=high
        * Add error checking to setuid, setreuid to avoid local privilege
          escalation; fixes krb5-sa-2006-1, CVE-2006-3084, CVE-2006-3083
        * Update standards version to 3.7.2 (no changes required).
        * Translation updates.
          - Russian, thanks Yuri Kozlov.  (Closes: #380303)
      krb5 (1.4.3-8) unstable; urgency=low
        * Defer seeding of the random number generator in kadmind until after
          forking and backgrounding, since otherwise blocking on /dev/random may
          block system startup.  (Closes: #364308)
        * Update config.{guess,sub}.  (Closes: #373727)
        * Better fix for error handling of a zero-length keytab.  Thanks,
          Rainer Weikusat.
      krb5 (1.4.3-7) unstable; urgency=low
        * Fix double free caused by a zero-length keytab.  Thanks, Steve
          Langasek.  (Closes: #344295)
        * Fix segfault in krb5_kuserok if the local name doesn't correspond to a
          local account.  (Discovered in bug #354133.)
        * Build a separate libkrb5-dbg package containing the detached debugging
          information for libkrb53 and libkadm55.
        * Update debhelper compatibility level to V5 since the dh_strip behavior
          around debug packages changes in V5 and we should use the current
          interface from the beginning.
        * Translation updates.
          - Dutch, thanks Vincent Zweije.  (Closes: #360444)
          - Galician, thanks Jacobo Tarrio.  (Closes: #361809)
      krb5 (1.4.3-6) unstable; urgency=low
        * Assume krb5 in krb5_gss_canonicalize_name if the null mechanism is
          passed in.  Fixes a segfault in racoon from ipsec-tools.  Thanks,
          Daniel Kahn Gillmor.  (Closes: #351877)
        * v5passwdd is gone, so remove the debconf template, the prompts, and
          the code to start and stop it from the init script.  Thanks, Greg
        * Fix incorrect option names in krb5.conf(5).  Thanks, Martin v.
          Loewis.  (Closes: #347643)
        * Translation updates.
          - Danish, thanks Claus Hindsgaul.  (Closes: #350041)
      krb5 (1.4.3-5) unstable; urgency=medium
        * Configure with --enable-shared --enable-static so that libkrb5-dev
          gets static libraries.
        * Fix double free in getting credentials, Closes: #344543
      krb5 (1.4.3-4) unstable; urgency=high
        * Fix problem when libpthreads is dynamically loaded into a program
          causing mutexes to sometimes be used and sometimes not be used.  If
          the library starts out without threads support it will never start
          using threads support; doing anything else causes hangs.
      krb5 (1.4.3-3) unstable; urgency=low
        * Additional internal pthread symbols have to be declared weak on Hurd.
          Thanks, Michael Banck.  (Closes: #341608)
        * Build on GNU/kFreeBSD.  Thanks, Petr Salinger.  (Closes: #261712)
        * Change the default KDC enctype to 3DES to match upstream (the
          difference was probably a mismerge).
        * Remove /etc/default/krb5-admin-server on purge.  (Closes: #333161)
        * Document the behavior of klogind and kshd if the user has no .k5login
          file.  Remove vestigial .rhosts references.  (Closes: #250966)
        * Document krb5-rsh-server authorization defaults in README.Debian.
        * Enable kinit -a to match the man page.  (Closes: #232431)
        * Remove the patch to tightly bind libkrb4 to libdes425.  This should no
          longer be necessary with symbol versioning.
        * Upstream has removed the file with questionable licensing, so the
          upstream tarball is no longer repacked.  Remove the get-orig-source
          target in debian/rules and the notes in copyright and README.Debian.
        * Add a watch file.
        * Translation updates.
          - German, thanks jens.  (Closes: #330925)
      krb5 (1.4.3-2) unstable; urgency=low
        * Conflict with libauthen-krb5-perl (<< 1.4-5) because of krb5_init_ets.
        * Update uploader address.
        * Conflict with libapache-mod-auth-kerb because it accesses library
          internals in a way that breaks.
      krb5 (1.4.3-1) experimental; urgency=low
        * New upstream release.
        * Install ac_check_krb5 for use by aclocal.
      krb5 (1.4.2-1) UNRELEASED; urgency=low
        * New upstream version.  (Closes: #293077)
          - kadmind4, v5passwdd, and v5passwd are no longer included.
          - Increase the libkrb53 shlibs version dependency.  Programs linked
            against this version will not work with an older libkrb53.
          - Rebuild should fix link problems on powerpc.  (Closes: #329709)
        * Re-enable optimization on m68k to stop hiding the toolchain problem.
        * Don't build crypto code -O3.  It uncovers too many gcc bugs.
        * Fix compilation on Hurd.  Thanks, Michael Banck.  (Closes: #324305)
        * Always initialize the output token in gss_init_sec_context, even with
          an unknown mechanism.  (Closes: #311977)
        * rcp should fall back to /usr/bin/netkit-rcp, not /usr/bin/rpc.
        * Add the missing shared library depends for libkadm55.
        * Use dh_install rather than dh_movefiles and enable --fail-missing to
          be sure to pick up any new upstream files.
        * Avoid test -a in maintainer scripts.
        * Expand and reformat the documentation and sample kdc.conf file.
        * Add a doc-base file for the krb425 migration guide.
        * Ignore lintian warnings about the library package names.  We'll fix
          them the next time upstream changes SONAMEs.
        * Conflict with packages that used internal symbols not part of the
          public ABI
        * Use "MIT Kerberos" rather than krb5 in the krb5-doc short description.
        * Remove the saved patches that have been applied upstream or are no
          longer applied to the package, update the remaining patches, and move
          them into debian/patches.
        * Break out the other patches of interest for ease submitting them
        * Translation updates.
          - Vietnamese, thanks Clytie Siddall.  (Closes: #319704)
      krb5 (1.3.6-5) unstable; urgency=high
        * Disable optimization on m68k to attempt to work around a gcc 4.0 bug.
      krb5 (1.3.6-4) unstable; urgency=high
        [ Russ Allbery ]
        * Fix a mistake in variable names that caused the package to be built
          without optimization.
        * Allow whitespace before comments in krb5.conf.  Thanks, Jeremie
          Koenig.  (Closes: #314609)
        * GCC 4.0 compile fixes, thanks Daniel Schepler.  (Closes: #315618)
        * Avoid "say yes" in debconf templates.  (Closes: #306883)
        * Update Czech translation, thanks Miroslav Kure.
        * Update French translation, thanks Christian Perrier.  (Closes: #307748)
        * Update Portuguese (Brazil) translation, thanks André Luís Lopes.
        * New Vietnamese translation, thanks Clytie Siddall.  (Closes: #312172)
        * Update standards version to 3.6.2 (no changes required).
        * DAK can now handle not repeating maintainers in uploaders.
        [ Sam Hartman ]
        * Fix double free in krb5_recvauth; critical because it is in the code
          path for kpropd and may allow arbitrary code execution.
        * krb5_unparse_name overflows allocated storage by one byte on 0 element
          principal name.  (CAN-2005-1175, VU#885830)
        * Do not free unallocated storage in the KDC's TCP request handling
          path.  (CAN-2005-1174, VU#259798)
      krb5 (1.3.6-3) unstable; urgency=low
        * krb5-kdc: Install a commented-out line for kpropd with update-inetd.
          Add dependency on netbase for update-inetd.  (Closes: #293182)
        * krb5-kdc: Ask with debconf whether the user wishes to delete the KDC
          database on purge, modelled after how postgresql handles the same
          situation.  (Closes: #289358)
        * Close leak in the arcfour crypto support.  Thanks, fumihiko kakuma.
          (Closes: #244595)
        * krb5-config should never return -I/usr/include.  (Closes: #165521)
        * Write manual pages for fakeka, krb524init, kadmind4, and v5passwdd.
          Backport from upstream the manual pages for krb5-config and krb524d.
          (Closes: #78953, #96437)
        * Fix paths in manual pages to match the Debian defaults.  Fix service
          in the inetd.conf example in the kpropd man page to work with Debian
          /etc/services.  (Closes: #157736)
        * Fix references to kerberos(1) in the rlogin and kinit man pages and
          include kerberos.1 in krb5-doc.  (Closes: #154381, #154384)
        * Add more detailed information about each package to the extended
          descriptions.  (Closes: #135517)
        * krb5-doc: Include info pages.  (Closes: #292512)
        * krb5-doc: Fix two minor variable name problems in the texinfo docs.
        * Let dh_installdebconf set the debconf dependency.
        * Update standards version to 3.6.1.
          - Support noopt in DEB_BUILD_OPTIONS.
          - Let debhelper take care of calling ldconfig appropriately.
          - Remove calls to dh_undocumented.
          - Remove lintian overrides for links to the undocumented man page.
          - Install kdc.conf template in /usr/share/krb5-kdc rather than
            /usr/share/krb5 (policy 10.7.3 states the directory should be named
            after the package).
          - Symlink the kdc.conf template to /usr/share/doc/krb5-kdc/examples
            per policy 10.7.3 since it's also a useful example.
        * Update debhelper compatibility level to V4.
          - Remove all *.conffiles control files.  They're no longer needed.
        * rules generally cleaned up.  Commented out and unused debhelper programs
          removed as the set being run wasn't comprehensive anyway.  Invocation
          order now matches the debhelper examples.
        * Removed (s) from copyright to make lintian happier.
        * Removed unnecessary lintian override for libkrb53.
        * Add lintian overrides for the duplicate dependencies on krb5 libraries.
      krb5 (1.3.6-2) unstable; urgency=high
        * Package priority to standard
        * Fix buffer overflow in slc_add_reply in telnet.c (CAN-2005-0469)
        * Fix telnet.c env_opt_add buffer overflow (CAN-2005-0468)
        * Note that both of these vulnerabilities are client-side
          vulnerabilities that can be exploited only by a server.
      krb5 (1.3.6-1) unstable; urgency=medium
        * New upstream version
        * Changing a password after the size of password history has been
          reduced may double free or write past end of an array; fix
          (CAN-2004-1189 / CERT VU#948033)
        * Conflict between krb5-kdc and kerberos4kth-kdc; also deals with
          krb5-admin-server conflict indirectly, Closes: #274763
      krb5 (1.3.5-1) unstable; urgency=low
        * New pt_br debconf translation, Closes: #278734
        * New upstream version
        * Part of the fix to #261712: allow ftpd to build on gnu/bsd
      krb5 (1.3.4-4) unstable; urgency=high
        * Fix what is hopefully the last remnant of the patch to gettextize the
          debconf without making the code consistent, thanks Thimo Neubauer,
          Closes: #271456
        * Fix krb5_newrealm man page to better describe dependencies, thanks
          Rachel Elizabeth Dillon, Closes: #269685
      krb5 (1.3.4-3) unstable; urgency=high
        * Initial Czech translations thanks to Miroslav Kure, Closes: #264366
        * Updated French debconf translation, thanks Martin Quinson, Closes: #264941
        * KDC and clients double-free on error conditions (CAN-2004-0642, VU#795632)
        * krb5_rd_cred() double-frees on error conditions (CAN-2004-0643, CERT
          VU#866472)
        * ASN.1 decoder in MIT Kerberos 5 releases krb5-1.3.4 and
          earlier allows unauthenticated remote attackers to induce
          infinite loop, causing denial of service, including in KDC
          code (CAN-2004-0644, CERT VU#550464)
        * Fix double free in krb524d handling of encrypted ticket contents
      krb5 (1.3.4-2) unstable; urgency=low
        * Fix doc-base files, Closes: #262916
      krb5 (1.3.4-1) unstable; urgency=low
        * New upstream version
        * Update krb5-doc to include pointers to the right html documents,
          Closes: #203321
        * Patches to find res_search on amd64 and to include new Debian ports in
          shared library building, Closes: #261712
        * Install default file for krb5-admin-server, Closes: #262428
        * Patch from Russ Allbery to only prompt for a password once in krb4
          when null is passed in to krb_get_in_pw_tkt, Closes: #262192
        * New pt_br translation, thanks Andre Luis Lopes, Closes: #254115
        * New French translation, thanks Christian Perrier, closes: #253685
      krb5 (1.3.3-2) unstable; urgency=high
        * Fix buffer overflow in krb5_aname_to_localname; potential remote root
          exploit in some fairly limited circumstances.  You are not vulnerable
          unless you have enabled aname_to_lname rules in krb5.conf (CAN-2004-0523)
        * Fix kadmind template formatting, thanks Christian Perrier
      krb5 (1.3.3-1) unstable; urgency=low
        * New upstream version
        * Gettextize my debconf templates, thanks Martin Quinson, Closes:
        * Don't remove /etc/krb5.conf on libkrb53 purge
      krb5 (1.3.2-2) unstable; urgency=low
        * Don't check for /etc/krb5kdc/kadm5.keytab, Closes: #235966
        * Fix dangling symlink, Closes: #203622
      krb5 (1.3.2-1) unstable; urgency=low
        * New Upstream Release, Closes: #223485
        * Includes upstream patch to ignore unknown address families, Closes: #206851
        * Include note that encrypted services are not enabled, Closes: #232115
        * Up shlib deps because of new features in auth context
      krb5 (1.3-3) unstable; urgency=low
        * Don't clear the key schedule so krb4 callers can use it, Closes: #203566
        * Use alternatives system for rcp, Closes: #218392
      krb5 (1.3-2) unstable; urgency=low
        * Include patch to MIT Bug #1681, an incompatible change to etype_info2.
          This change will break clients between 1.3 beta1 and 1.3-1 talking to
          1.3-2 KDCs, but is necessary because of a protocol bug.
      krb5 (1.3-1) unstable; urgency=medium
        * New upstream version--finally 1.3 is released, Closes: #199573
        * Don't depend on com_err in libcrypto, Closes: #201005
        * Urgency is medium because the only code change is removing a single
          call to com_err and this package not being in testing is blocking
          other packages.  The beta has been in unstable more than 10 days.
        * Update shlibs again to avoid long-term references to a beta in the archive
      krb5 (1.2.99-1.3.beta5-1) unstable; urgency=low
        * New upstream version
      krb5 (1.2.99-1.3.beta4-1) unstable; urgency=low
        * Fix rpath on generated binaries and in krb5-config, Closes: #198124
        * Fix build-depends to require comerr-dev with correct shlibs,
          Closes: #197650
        * New upstream version
        * Don't generate /etc/krb5kdc/kadm5.keytab as 1.3 does not require it
          except for kadmind4
      krb5 (1.2.99-1.3.beta3-4) unstable; urgency=low
        * Add replaces for libkadm55 on libkrb53
      krb5 (1.2.99-1.3.beta3-3) unstable; urgency=low
        * One more try at avoiding autoconf dependency
      krb5 (1.2.99-1.3.beta3-2) unstable; urgency=low
        * Touch some more files to defeat autoheader
      krb5 (1.2.99-1.3.beta3-1) unstable; urgency=low
        * Fix dh_makeshlibs call so dependencies are correct
        * New upstream version
        * Patch from Steve Langasek for versioned symbols; adapted to
          better fit the build system and to work for all libraries
        * This version builds with GCC 3.3, Closes: #195571
        * Move the rest of the administration libraries into libkadm55 to reduce
          space required by libkrb53.
        * libkrb53 conflicts with current openafs-krb5 because of ABI changes in
      krb5 (1.2.99-1.3.beta2-1) experimental; urgency=low
        * New upstream version
        * Include a patch from upstream CVS (post beta2) to fix renewable tickets.
      krb5 (1.2.99-1.3.beta1-1) experimental; urgency=low
        * New upstream pre-release
        * Update copyright
        * Add db_stop calls to krb5-kdc.postinst and krb5-admin-server.postinst
        * Install a fakeka binary
        * Install libkrb524.a even though upstream does not
        * kdc defaults to no v4 support per upstream change.
      krb5 (1.2.99-1.3.alpha3-1) experimental; urgency=low
        * New upstream pre-release
          - ftp no longer segfaults on wildcards, Closes: #175495
          - Clock skew is returned on clock skew with preauth, Closes: #98855
          - Preauthentication has been reworked to improve interoperability with
          older implementations and to comply with Kerberos Clarifications,
          Closes: #169014
          - Typo in man page fixed, Closes: #127302
        * Remove dangling symlink, Closes: #133244
        * Depend on sufficiently new com_err and libss
        * Build the crypto library -O9 as it seems to help performance a lot.
        * Bump up shared library versions; all the public libraries have new
      krb5 (1.2.7-3) unstable; urgency=high
        * Patch for CERT VU#623217 and VU#442569: Cryptographic weaknesses in
          Kerberos 4
          - Add -X option to krb5kdc and krb524d.  By default cross-realm is
            no longer supported for krb4 as it is a security hole.
          - Add protection to isolate krb5 keys from krb4 especially for the
            TGS key
          - Remove support for the MIT extension to krb4 to use 3DES keys as it
            is insecure.
        * Patch to various DOS issues where the KDC assumes principal names have
          certain components.  Fixes CAN-2003-0072
        *  VU#516825: Additional errors in XDR that may lead to denial of
        * Fix template bug in v5passwd template, Closes: #172565
      krb5 (1.2.7-2) unstable; urgency=low
        * Remove declaration of errno from krb.h
      krb5 (1.2.7-1) unstable; urgency=high
        * New upstream version
        * Still urgency high until the kadmin4 fix gets into testing
        * Don't declare errno so glibc will be happy; applying upstream as well,
          Closes: #168528
        * Remove pidfile argument from start-stop-daemon call for restarting
          krb5kdc so it actually works, Closes: #174881
      krb5 (1.2.6-2) unstable; urgency=high
        * Security fix for buffer overflow in kadmind4 (mitsa-2002-2)
        * If bison is too good for yacc compatibility then we're too good for
          bison, Closes: #165655
        * Include readme.debian if we're going to reference it, Closes: #166399
        * Fix readme.debian comments to be correct
      krb5 (1.2.6-1) unstable; urgency=low
        * New upstream version
        * Important: upstream has introduced a new way of handling AFS tickets
          within krb524d; long-term this may allow the use of ticket keys other
          than DES with AFS, but short-term this will break AFS because OpenAFS
          has not yet released servers that support the new mechanism.  If you
          run AFS servers and don't want them to break, please look at README.debian
        * This includes a fix for 162794 as that is now in the upstream
        * For now, libkrb5-dev is going to be priority extra.  If anyone
          complains I'll attempt to fight the comerr-dev dependency battle;
          honestly I think comerr-dev is common enough and on enough systems
          that it rates optional but the maintainer does not, Closes: #145165
        * Fix restart to restart krb524d, Closes: #162477
      krb5 (1.2.5-3) unstable; urgency=high
        * Try to fix diversion handling for real this time, Closes: #155514
      krb5 (1.2.5-2) unstable; urgency=high
        * We are still installing a krb5.conf.template; don't as that is
          kerberos-configs's job.
        * The MIT KDC was not sending etype info padata; this could create a
          problem if you require preauth and have unusual salts; patch from
          upstream CVS
        * Add readme to krb5-user, Closes: #152670
        * Fix typo in alternatives handling so man page symlinks are handled
          correctly, Closes: #152707
        * Include XDR encoding patch for krb5-sa-2002-01; same patch as the
          woody security update
      krb5 (1.2.5-1) unstable; urgency=low
        * New upstream version; not really any patches that will actually
          affect Debian at all, as we pulled them into 1.2.4 packages from
          upstream CVS
        * Stop shipping patches that upstream has accepted and released
        * Update included upstream PGP signature
        * Fix diversion handling; it was fairly broken in 1.2.4.  All we divert
          now is rcp
        * Ftp should not be diverted, closes: #146171
        * Fix overly small fixed length buffer in kuserok, closes: #145106
      krb5 (1.2.4-5) unstable; urgency=low
        * Pull up bugfix from 1.2.5 beta1 to src/lib/krb5/asn.1/asn1_get.c
        * This should be the last thing we need from 1.2.5; Debian has all the
          1.2.5 changes besides the API reorg.  I'm not checking an API reorg
          this close to woody release.
      krb5 (1.2.4-4) unstable; urgency=low
        * Suggest rather than recommend krb5-user from libkrb53, closes: #140116
        * Fix null pointer dereference in krb5 library; pull patch from 1.2.5 beta1
      krb5 (1.2.4-3) unstable; urgency=medium
        * Move from non-us to main
      krb5 (1.2.4-2) unstable; urgency=low
        * Don't respect umask when writing out srvtabs; you always want them
          0600 and if you don't you can chmod later, closes: #135988
        * To work with Heimdal, accept encrypted creds in
          gss_accept_sec_context, closes: #135962
        * Fix kadmin ACL bug.  Targets (a cool but undocumented ACL feature)
          didn't work quite right.  They do now.
      krb5 (1.2.4-1) unstable; urgency=low
        * Don't check address in krb5_rd_cred; upstream patch also applied to
          their CVS, closes: #132226
        * Patch from Ken Raeburn to improve over-the-wire errors from KDC,
          included because I happened to be testing it and it seemed to work
        * New upstream release
      krb5 (1.2.3-2) unstable; urgency=low
        * We want to be able to use krb4 and libssl's libcrypto in the same
          program.  To do this, we make libkrb4 bind libdes425 -Bsymbolic and we
          allow krb_mk_priv and krb_rd_priv to take null schedule arguments.
      krb5 (1.2.3-1) unstable; urgency=low
        * New upstream version, closes: #110932
        * Use alternatives for rsh, closes: #122710
        * Major version of libkadm5 bumped; we no longer conflict with heimdal there
      krb5 (1.2.2-8) unstable; urgency=low
        * Oops, call htons around port numbers in kprop patch
        * Register with doc-base, closes: #100463
        * Move krb5.conf and kdc.conf manpages into krb5-doc; krb5-doc now
          conflicts with heimdal-docs, closes: #121141
      krb5 (1.2.2-7) unstable; urgency=low
        * Forward only tickets we believe the remote side knows the enctype
          of, closes: #99320
        * Start krb5-kdc and krb5-admin-server before RPC services, thanks Hein
          Roehrig, closes: #88604
        * Install krb5.conf and kdc.conf man pages in krb5-user.  This is not
          ideal but installing them in krb5-config won't work as they are
          implementation dependent, closes: #109522
        * Install kprop manpage, thanks Steve Langasek, closes: #120040
        * Fix FHS paths with kprop; store files in /var/lib/krb5kdc, thanks
          again Steve, closes: #120050
        * Telnet help should open a connection to the host help not give you a
          usage message, thanks Graeme Mathieson <graeme@mathie.cx> for a patch
          which will be sent upstream, closes: #118730
        * Fix kprop handling of service name.  If we can't find what we are
          looking for in /etc/services default to the obvious correct answer;
          thanks Steve, will commit upstream, closes: #120010
      krb5 (1.2.2-6) unstable; urgency=high
        * Include telnetd security patch for ring buffer issue from upstream
        * Conflict with the right Heimdal libs, closes: #103872
      krb5 (1.2.2-5) unstable; urgency=low
        * Use krb5-config; remove our own krb5.conf handling.  Note this is the
          krb5-config package for /etc/krb5.conf, not the krb5-config library
          helper command.
        * Conflict with kerberos4kth-services, closes: #93303
        * Update config.guess and config.sub, closes: #97585
        * Have telnetd depend on krb5-rsh-server.  I suspect this will make
          people grumpy and we need a better fix.  Really, Kerberized rlogin is
          better than telnetd from a security standpoint, so I'm OK with it for
          now.  Closes: #96695
      krb5 (1.2.2-4) unstable; urgency=low
        * Fix shared libraries to build with gcc not ld to properly include
          -lgcc symbols, closes: #94407
      krb5 (1.2.2-3) unstable; urgency=high
        * Fix vulnerability with glob call.  CERT claims that Linux is not
          vulnerable, but I believe the krb5 implementation is.  The result of
          glob was copied into a fixed-sized buffer.  This fixes that
          closes: #93689
        * Provide ftp-server not ftpd, closes: #93531
        * Do not link kadm5clnt against kdb5.
      krb5 (1.2.2-2) unstable; urgency=low
        * Work to provide an alternative for telnet and to be a telnet-client,
          closes: 87914
        * libkrb5-dev depends on comerr-dev, closes: #87489
        * Make clean target remove configure-stamp
      krb5 (1.2.2-1) unstable; urgency=low
        * New Upstream version, Closes: #82546
        * Depend on debconf, closes: #87490
        * Fix debconf formatting issue, closes: #84447
        * Create sample ACL file, closes: #84448
        * Fix lintian warnings and override as appropriate
        * Upgrade to policy 3.5 moving stuff out of examples.
      krb5 (1.2.1-9) unstable; urgency=low
        * Do not use TIOCGLTC anywhere
        * Build without TCL, closes: #81977
        * Fix krb5-admin-server restart, closes: #81070
        * With the new dpkg-source, files get diffed in the wrong order for us
          to prevent autoconf from getting run just by mangling things and
          making sure we change every configure script.  So, touch every
          configure script in debian/rules.
      krb5 (1.2.1-8) unstable; urgency=low
        * Use separate build directory because the source tree supports it and
          it works around failures in the upstream clean target, closes: #78954
        * Make sure we modify all the configure scripts since we modify
          aclocal.m4 so that time stamps don't cause autoconf to be run.
        * Add bison and debhelper as build-depends, closes: #79643
        * New maintainer address
      krb5 (1.2.1-7) unstable; urgency=low
        * Do not conflict with libss.a
        * Upload to Debian (Closes: BUG#78499)
      krb5 (1.2.1-6) unstable; urgency=low
        * Fix kpasswd manpage.
        * Split out libkadm5 to avoid Heimdal conflict
        * Conflict with kerberos4kth.
        * Remove runpaths from libs and executables.
      krb5 (1.2.1-5) unstable; urgency=low
        * If libkrb53 was preconfigured, then krb5.conf could override explicit
          user input.
      krb5 (1.2.1-4) unstable; urgency=low
        * Write init.d scripts for kdc and admin server.
        * Ask what admin programs to run and what krb4 mode to use.
        * Populate initial kdc.conf if needed.
        * New script (krb5_newrealm) to set up a Kerberos realm
        * Document KDC issues.
        * Make libkrb53.config work again so libkrb53 installs
      krb5 (1.2.1-3) unstable; urgency=low
        * Add KDC packages
        * Install login.krb5.  Sadly, it is needed to make forwarded credentials
          work.  This is unfortunate; it is not a good login program.
      krb5 (1.2.1-2) unstable; urgency=low
        * Add copyright and README.debian
        * Ship kadmin in krb5-user.
        * Add services to inetd.conf
        * Add support for generating krb5.conf
      krb5 (1.2.1-1) unstable; urgency=low
        * Initial Release.