
ELSA-2010-0258

Published: 05 Apr 2010
Source: oracle-oval
Platform: Oracle Linux 5

Description

ELSA-2010-0258: pam_krb5 security and bug fix update (LOW)

[2.2.14-15]

  • update backport for selecting which key to use for validation so that it prefers services with the local host name as the instance, from HEAD (more of #450776)

[2.2.14-14]

  • backport the 'multiple_ccaches' option from HEAD, requiring that it be enabled to not immediately remove an old ccache when asked to create a new one (#463417)

[2.2.14-13]

  • add patch to add the 'chpw_prompt' option, to allow the older behavior of attempting a password-change during authentication if libkrb5 detects an expired password, based on patch from Olivier Fourdan (#509092)

[2.2.14-12]

  • don't vary the password prompt depending on whether or not the user exists or is known to the KDC (CVE-2009-1384, #505265)
  • prefer using the 'host' service when verifying that a TGT isn't forged, from HEAD (#450776)

[2.2.14-11]

  • don't enforce minimum_uid when no_user_check is also used, from HEAD (#490404)
  • don't try to get password-changing creds with all of the flags set that we would request for a TGT (#489015)

Updated packages

Oracle Linux 5

Oracle Linux ia64

pam_krb5

2.2.14-15

Oracle Linux x86_64

pam_krb5

2.2.14-15

Oracle Linux i386

pam_krb5

2.2.14-15

Related CVEs

Related vulnerabilities

ubuntu
about 16 years ago

pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.

redhat
about 16 years ago

pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.

nvd
about 16 years ago

pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.

debian
about 16 years ago

pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RH ...

github
about 3 years ago

pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.