Comment 5 for bug 489418

Sam Hartman (hartmans) wrote : Re: [Bug 489418] Re: Strange behavior of libkrb5 since karmic ...

I released 1.7+dfsg-3 to Debian unstable. That includes a fix to this
bug. I'd recommend that Ubuntu sync that version into a karmic update
once it hits squeeze in order to address this issue. The code changes
between what's in karmic now and 1.7+dfsg-3 are all reasonably
important bug fixes including a number of user-visible memory leak
fixes, fixes to the lockout problem and fixes to some rare crashes.
There were no code changes between 1.7 beta3 and 1.7; I have
hand-picked patches that resolve important problems people were having for
any code changes since the version in karmic.

I understand you try to be conservative about what you accept in an
update, although I think it will probably be easier to evaluate the
Debian diff than to subset the changes I've made. I've tried to show
what all is involved below so you can estimate whether my proposal is
a viable option. Specific patches are all in the Debian krb5 git repo
if you do want to subset.

The diffs to the code are reasonably small and
address specific bug fixes:

2 3 src/appl/gssftp/ftpd/ftpd.c
7 0 src/lib/gssapi/spnego/spnego_mech.c
17 13 src/lib/kadm5/srv/server_acl.c
16 25 src/lib/kdb/kdb_default.c
1 1 src/lib/krb5/krb/chpw.c
1 2 src/lib/krb5/krb/get_in_tkt.c
1 1 src/lib/krb5/krb/kerrs.c
3 1 src/lib/krb5/krb/pac.c
2 0 src/lib/krb5/krb/t_pac.c
8 2 src/lib/krb5/rcache/rc_none.c
3 3 src/patchlevel.h
7 0 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
14 14 src/util/profile/prof_file.c
3 0 src/util/profile/prof_int.h
2 7 src/util/profile/prof_tree.c

Here are the fixes that involve code changes:
  * Several fixes applied after the 1.7 release:
    - 6506: correctly handle keytab vs stash file
    - 6508: kadmind ACL parsing could reference uninitialized memory
    - 6509: kadmind can reference null pointer on ACL error
    - 6511: uninitialized memory passed to krb5_free_error in change
      password client path
    - 6514: none replay cache memory leak
    - 6515: profile library mutex performance improvements
    - 6541: memory leak in PAC verify code
    - 6542: Check for null characters in pkinit certs
    - 6543: login vs user order in ftpd sometimes wrong
    - 6551: Memory leak in spnego accept_sec_context error path
  * Avoid locking out accounts on PREAUTH_FAILED, Closes: #557979, (LP:
    #489418)

If you do not choose to accept the full Debian version, I strongly
recommend you take at least the fix to the lockout bug, 6543 (can
cause people to be unable to log into ftpd), 6542 (security concern
about accepting bogus certificates for authentication), and all the
memory leaks.

In addition to the code changes, this version includes:

* autoconf was rerun as part of transition from 1.7beta3 to 1.7
9 9 src/appl/libpty/configure
9 9 src/appl/telnet/configure
10 10 src/configure
9 9 src/appl/bsd/configure
9 9 src/appl/gssftp/configure

The following documentation updates were pulled in moving from
1.7.dfsg~beta3 to 1.7. You probably don't strictly need these, but it
should be fairly easy to see they are harmless.
77 25 README
22 3 doc/CHANGES
1021 939 doc/admin-guide.ps
83 2 doc/copyright.texinfo
873 792 doc/install-guide.ps
65 2 doc/krb5-admin.html
165 105 doc/krb5-admin.info
65 2 doc/krb5-install.html
152 92 doc/krb5-install.info
65 2 doc/krb5-user.html
98 38 doc/krb5-user.info
882 801 doc/user-guide.ps

In addition, the following packaging changes were made:

42 0 debian/changelog
2 2 debian/control # fix LP #472080
3 4 debian/prepsource # my script not called by build process
1 1 debian/rules # work around change in dh_makeshlibs
1 1 debian/watch # new URI for upstream sources