Bug 1308984 - Add strict requires on crypto-policies
Summary: Add strict requires on crypto-policies
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: 23
Hardware: All
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Robbie Harwood
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-02-16 16:28 UTC by Lukas Slebodnik
Modified: 2016-02-21 16:24 UTC (History)
5 users (show)

Fixed In Version: krb5-1.14-8.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-02-21 12:57:41 UTC


Attachments (Terms of Use)

Description Lukas Slebodnik 2016-02-16 16:28:34 UTC
Description of problem:
There is a know issue with krb5 and inclusion of nonexistent files
BZ1274424. There is a workaround in fedora 23+ for issue with crypto-policies.
However the solution is not sufficient. Because old version of crypto-policies does not contain such file and therefore link can be broken.

And it's hard to explain someone that it's not enough to upgrade krb5-* to the latest version for fixing issues caused by broken symbolic link.

Therefore there shoudl be stricter requires on crypto-policies.

Version-Release number of selected component (if applicable):
sh$ rpm -qf /etc/krb5.conf.d/crypto-policies 
krb5-libs-1.14-7.fc23.x86_64

How reproducible:
Deterministic

Actual results:
The latest krb5-libs can be installed with old version of crypto-policies

sh$ rpm -q krb5-libs crypto-policies
krb5-libs-1.14-4.fc23.x86_64
crypto-policies-20150518-3.gitffe885e.fc23.noarch

sh$ file /etc/krb5.conf.d/crypto-policies 
/etc/krb5.conf.d/crypto-policies: broken symbolic link to /etc/crypto-policies/back-ends/krb5.config


Expected results:
krb5-libs has strict requires for crypto-policies which contains file /etc/crypto-policies/back-ends/krb5.config
and therefore update of krb5-libs will require update of crypto-policies as well
and will prevent issues with broken symbolic link.

Additional info:
You might use 
Requires: crypto-policies >= 20151104-1

or
Requires: /etc/crypto-policies/back-ends/krb5.config

sh$ rpm -q --whatprovides /etc/crypto-policies/back-ends/krb5.config
crypto-policies-20151104-1.gitf1cba5f.fc23.noarch

Comment 1 Fedora Update System 2016-02-16 17:57:28 UTC
krb5-1.14-8.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b8be51f14b

Comment 2 Robbie Harwood 2016-02-16 17:59:51 UTC
Fixed in rawhide as well.

Comment 3 Fedora Update System 2016-02-17 06:26:21 UTC
krb5-1.14-8.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b8be51f14b

Comment 4 Fedora Update System 2016-02-21 12:57:36 UTC
krb5-1.14-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-02-21 16:18:15 UTC
krb5-1.14-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-02-21 16:24:23 UTC
krb5-1.14-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.