-----BEGIN PGP SIGNED MESSAGE----- Yesterday's announcement of buffer overruns in Kerberos caused some folks to upgrade to krb5-1.1.1 as part of the process of fixing the problem. It turns out that if you compile krb5-1.1 or krb5-1.1.1 with the --without-krb4 option, a dangling "else" clause is activated in login.c that has disastrous results. The patch below deals with this. -Jeff Schiller and Tom Yu for the Kerberos Development Team Index: login.c =================================================================== RCS file: /cvs/krbdev/krb5/src/appl/bsd/login.c,v retrieving revision 5.77 retrieving revision 5.78 diff -c -r5.77 -r5.78 *** login.c 1999/12/15 02:14:55 5.77 - --- login.c 2000/02/06 21:57:32 5.78 *************** *** 1455,1465 **** #ifdef KRB5_GET_TICKETS if (login_krb5_get_tickets) dofork(); - - else #endif #ifdef KRB4_GET_TICKETS ! if (login_krb4_get_tickets) ! dofork(); #endif /* If the user's shell does not do job control we should put it in a - --- 1455,1464 ---- #ifdef KRB5_GET_TICKETS if (login_krb5_get_tickets) dofork(); #endif #ifdef KRB4_GET_TICKETS ! else if (login_krb4_get_tickets) ! dofork(); #endif /* If the user's shell does not do job control we should put it in a *************** *** 1587,1597 **** #ifdef KRB5_GET_TICKETS if (forwarded_v5_tickets) destroy_tickets(); - - else #endif #ifdef KRB4_GET_TICKETS ! if (got_v4_tickets) ! destroy_tickets(); #endif #ifdef OQUOTA - --- 1586,1595 ---- #ifdef KRB5_GET_TICKETS if (forwarded_v5_tickets) destroy_tickets(); #endif #ifdef KRB4_GET_TICKETS ! else if (got_v4_tickets) ! destroy_tickets(); #endif #ifdef OQUOTA -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Comment: Processed by Mailcrypt 3.5b6, an Emacs/PGP interface Charset: noconv iQCVAwUBOSLw4MUtR20Nv5BtAQFa/wP8CUO0o1S73YIVTEdVekJzJ+M4/H6Xeoce 0onrh4ZYt1LePEtXtoEqksqvr0DdvCxpfPdaCtkjPOu9uTTFPSjG5OyBBhlKw/Ho m87ypQ/ZPckf8MT76UZv7FNmrDdoHCgO0YgM21IksCd7YUtOhFoUd9J53Etn3CTa MxpTT6EpgHc= =/605 -----END PGP SIGNATURE-----