freeipa/doc
Julien Rische f77c0a573c
kdb: fix vulnerability in GCD rules handling
The initial implementation of MS-SFU by MIT Kerberos was missing a
condition for granting the "forwardable" flag on S4U2Self tickets.
Fixing this mistake required adding a special case for the
check_allowed_to_delegate() function: if the target service argument is
NULL, then it means the KDC is probing for general constrained
delegation rules, not actually checking a specific S4U2Proxy request.

In commit e86807b5, the behavior of ipadb_match_acl() was modified to
match the changes from upstream MIT Kerberos a441fbe3. However, a
mistake resulted in this mechanism applying in cases where the target
service argument is set AND unset. This results in S4U2Proxy requests
being accepted regardless of whether there is a matching service
delegation rule or not.

This vulnerability does not affect services having RBCD (resource-based
constrained delegation) rules.

This fixes CVE-2024-2698

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-06-10 12:46:05 +02:00
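The check the commit message describes, as an added illustrative model written for this page; it is not FreeIPA's ipadb_match_acl(), not MIT Kerberos's check_allowed_to_delegate(), and not the actual diff. A NULL target means the KDC is probing whether any general constrained delegation (GCD) rule exists for the proxy service; a concrete target must match a rule. The rule table, the service names, and the function names match_acl_buggy()/match_acl_fixed() are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: a general constrained delegation (GCD) rule
 * allows one proxy service to obtain S4U2Proxy tickets for a listed target.
 * Names and layout are hypothetical, not FreeIPA's data model. */
struct gcd_rule {
    const char *proxy;
    const char *target;
};

static const struct gcd_rule rules[] = {
    { "HTTP/web.example.test", "cifs/files.example.test" },
    { "HTTP/web.example.test", "ldap/dir.example.test"   },
};
#define NRULES (sizeof rules / sizeof rules[0])

/* True if at least one GCD rule names this proxy service. This is what the
 * KDC wants to know when it probes with a NULL target (deciding whether an
 * S4U2Self ticket may carry the "forwardable" flag). */
static bool has_any_rule(const char *proxy)
{
    for (size_t i = 0; i < NRULES; i++)
        if (strcmp(rules[i].proxy, proxy) == 0)
            return true;
    return false;
}

/* True if a rule explicitly allows proxy -> target. */
static bool rule_allows(const char *proxy, const char *target)
{
    for (size_t i = 0; i < NRULES; i++)
        if (strcmp(rules[i].proxy, proxy) == 0 &&
            strcmp(rules[i].target, target) == 0)
            return true;
    return false;
}

/* Model of the broken behaviour: the "probe" shortcut is taken whether or
 * not a target was supplied, so any proxy that has at least one rule is
 * allowed to delegate to *any* target. */
bool match_acl_buggy(const char *proxy, const char *target)
{
    if (has_any_rule(proxy))        /* missing: && target == NULL */
        return true;
    return target != NULL && rule_allows(proxy, target);
}

/* Model of the fixed behaviour: a NULL target is a probe for the existence
 * of rules; a concrete target must match a rule for this proxy. */
bool match_acl_fixed(const char *proxy, const char *target)
{
    if (target == NULL)
        return has_any_rule(proxy);
    return rule_allows(proxy, target);
}

int main(void)
{
    const char *proxy = "HTTP/web.example.test";
    const char *unlisted = "host/other.example.test";

    printf("probe (NULL target), fixed: %d\n", match_acl_fixed(proxy, NULL));
    printf("S4U2Proxy to unlisted target, buggy: %d\n",
           match_acl_buggy(proxy, unlisted));
    printf("S4U2Proxy to unlisted target, fixed: %d\n",
           match_acl_fixed(proxy, unlisted));
    return 0;
}
```

The model covers only GCD rules; the commit message states that services with RBCD (resource-based constrained delegation) rules are not affected, and they are not represented here.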
_static/css docs: tune RTD to display lists with disc and left margin 2022-05-10 15:52:41 +03:00
api batch: add keeponly option 2024-05-22 10:03:38 +02:00
designs kdb: fix vulnerability in GCD rules handling 2024-06-10 12:46:05 +02:00
examples Have all the scripts run in python 3 by default 2018-02-15 18:43:12 +01:00
guide logging: do not reference loggers in arguments and attributes 2017-07-14 15:55:59 +02:00
workshop docs: Mention that Keycloak requires openid scope 2023-11-17 11:56:19 -05:00
conf.py Change doc theme to 'book' 2023-05-03 18:21:12 +02:00
constraints.txt ap: Constrain supported docutils 2022-07-26 12:36:41 -04:00
index.rst doc: generate API Reference 2022-11-16 14:46:17 -05:00
Makefile doc/Makefile: run sphinx in serial mode 2024-01-23 13:19:37 +01:00
requirements.txt Replace netifaces with ifaddr 2024-05-03 16:35:19 -04:00
workshop.rst workshop: add chapter 12: External IdP support 2022-05-10 15:52:41 +03:00