18:47 Cy Schubert (cy) 

security/krb5*: Flavorize with default and ldap flavors

This provides a binary package to users who require MIT KRB5 with LDAP
support. This patch does not change the current, now default, package
name.

PR:		277015

    9926898

18:35 Cy Schubert (cy) 

security/krb5: krb5-121 is now default

krb5-121 is the default krb5 package. While at it remove krb5-119
from the "supported" list.

    7228a09

13:45 Cy Schubert (cy) 

security/krb5-120: Welcome new krb5 1.20

Welcome the new krb5-120 (1.20) from MIT.

krb5-118 is now deprecated and scheduled for removal a year from
now.

    d33c01d

13:45 Cy Schubert (cy) 

security/krb5: Remove expirred krb5 version

This makefile was not updated when krb5-117 was removed.

Fixes:		e2dd87ef868d82a7b51410eedd638c76340c88fa

    94d5d2c

17:06 Fernando Apesteguía (fernape) 

security/sssd: Fix package with SMB=on

While here, add comment in security/krb5 to remember the obscure dependency in
security/sssd so it does not break again.

PR:	244778
Reported by:	tommyhp2@gmail.com
Tested by:	tommyhp2@gmail.com
MFH:		2021Q2 (build fix)

    11964e7

08:09 Mathieu Arnold (mat) 

One more small cleanup, forgotten yesterday.
Reported by:	lwhsu

    cf118cc

14:31 Mathieu Arnold (mat) 

Remove # $FreeBSD$ from Makefiles.

    305f148

11:00 rene 

security/krb5: Remove option for non-existant krb5-116

 

05:01 cy 

Welcome the new KRB5 1.19 (krb5-119)

In addition, deprecate krb5-117 to retire one year after the release
of krb5-119: Feb 1, 2022.

krb5-119 becomes the default krb5 port.

 

02:42 cy 

Welcome the new KRB5 1.18 (krb5-118)

In addition, deprecate krb5-116 to retire one year after the release
of krb5-118: Feb 12, 2021.

Major changes in 1.18 (2020-02-12)
==================================

Administrator experience:

* Remove support for single-DES encryption types.

* Change the replay cache format to be more efficient and robust.
  Replay cache filenames using the new format end with ".rcache2" by
  default.

* setuid programs will automatically ignore environment variables that
  normally affect krb5 API functions, even if the caller does not use
  krb5_init_secure_context().

* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
  credential forwarding during GSSAPI authentication unless the KDC
  sets the ok-as-delegate bit in the service ticket.

* Use the permitted_enctypes krb5.conf setting as the default value
  for default_tkt_enctypes and default_tgs_enctypes.

Developer experience:

* Implement krb5_cc_remove_cred() for all credential cache types.

* Add the krb5_pac_get_client_info() API to get the client account
  name from a PAC.

Protocol evolution:

* Add KDC support for S4U2Self requests where the user is identified
  by X.509 certificate.  (Requires support for certificate lookup from
  a third-party KDB module.)

* Remove support for an old ("draft 9") variant of PKINIT.

* Add support for Microsoft NegoEx.  (Requires one or more third-party
  GSS modules implementing NegoEx mechanisms.)

* Honor the transited-policy-checked ticket flag on application
  servers, eliminating the requirement to configure capaths on
  servers in some scenarios.

User experience:

* Add support for "dns_canonicalize_hostname=fallback""`, causing
  host-based principal names to be tried first without DNS
  canonicalization, and again with DNS canonicalization if the
  un-canonicalized server is not found.

* Expand single-component hostnames in host-based principal names when
  DNS canonicalization is not used, adding the system's first DNS
  search path as a suffix.  Add a "qualify_shortname" krb5.conf
  relation to override this suffix or disable expansion.

Code quality:

* The libkrb5 serialization code (used to export and import krb5 GSS
  security contexts) has been simplified and made type-safe.

* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
  messages has been revised to conform to current coding practices.

* The test suite has been modified to work with macOS System Integrity
  Protection enabled.

* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
  support can always be tested.

 

14:11 cy 

krb5-115 is now history.

 

20:29 cy 

Welcome the new KRB5 1.17 (krb5-117).

Major changes in 1.17 (2019-01-08)
==================================

Administrator experience:

* A new Kerberos database module using the Lightning Memory-Mapped
  Database library (LMDB) has been added.  The LMDB KDB module should
  be more performant and more robust than the DB2 module, and may
  become the default module for new databases in a future release.

* "kdb5_util dump" will no longer dump policy entries when specific
  principal names are requested.

Developer experience:

* The new krb5_get_etype_info() API can be used to retrieve enctype,
  salt, and string-to-key parameters from the KDC for a client
  principal.

* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
  principal names to be used with GSS-API functions.

* KDC and kadmind modules which call com_err() will now write to the
  log file in a format more consistent with other log messages.

* Programs which use large numbers of memory credential caches should
  perform better.

Protocol evolution:

* The SPAKE pre-authentication mechanism is now supported.  This
  mechanism protects against password dictionary attacks without
  requiring any additional infrastructure such as certificates.  SPAKE
  is enabled by default on clients, but must be manually enabled on
  the KDC for this release.

* PKINIT freshness tokens are now supported.  Freshness tokens can
  protect against scenarios where an attacker uses temporary access to
  a smart card to generate authentication requests for the future.

* Password change operations now prefer TCP over UDP, to avoid
  spurious error messages about replays when a response packet is
  dropped.

* The KDC now supports cross-realm S4U2Self requests when used with a
  third-party KDB module such as Samba's.  The client code for
  cross-realm S4U2Self requests is also now more robust.

User experience:

* The new ktutil addent -f flag can be used to fetch salt information
  from the KDC for password-based keys.

* The new kdestroy -p option can be used to destroy a credential cache
  within a collection by client principal name.

* The Kerberos man page has been restored, and documents the
  environment variables that affect programs using the Kerberos
  library.

Changes to the FreeBSD krb5* ports include:

* CONFLICTS updated in krb5-115 and krb5-116 taking krb5-117 in
  consideration.

* The default krb5 port is now krb5-117.

* MIT's practice is to EOL KRB5 n-2. krb5-115 is deprecated and set
  to expire Jan 31, 2020.

 

20:26 cy 

Now that krb5-114 is gone, remove the option too.

 

20:16 cy 

Make krb5-116 default.

 

04:18 cy 

Welcome the new security/krb5-116 port. This port follows MIT's
KRB5 1.16 releases.

Major changes in 1.16 (2017-12-05)
==================================

Administrator experience:

* The KDC can match PKINIT client certificates against the
  "pkinit_cert_match" string attribute on the client principal entry,
  using the same syntax as the existing "pkinit_cert_match" profile
  option.

* The ktutil addent command supports the "-k 0" option to ignore the
  key version, and the "-s" option to use a non-default salt string.

* kpropd supports a --pid-file option to write a pid file at startup,
  when it is run in standalone mode.

* The "encrypted_challenge_indicator" realm option can be used to
  attach an authentication indicator to tickets obtained using FAST
  encrypted challenge pre-authentication.

* Localization support can be disabled at build time with the
  --disable-nls configure option.

Developer experience:

* The kdcpolicy pluggable interface allows modules control whether
  tickets are issued by the KDC.

* The kadm5_auth pluggable interface allows modules to control whether
  kadmind grants access to a kadmin request.

* The certauth pluggable interface allows modules to control which
  PKINIT client certificates can authenticate to which client
  principals.

* KDB modules can use the client and KDC interface IP addresses to
  determine whether to allow an AS request.

* GSS applications can query the bit strength of a krb5 GSS context
  using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
  gss_inquire_sec_context_by_oid().

* GSS applications can query the impersonator name of a krb5 GSS
  credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
  gss_inquire_cred_by_oid().

* kdcpreauth modules can query the KDC for the canonicalized requested
  client principal name, or match a principal name against the
  requested client principal name with canonicalization.

Protocol evolution:

* The client library will continue to try pre-authentication
  mechanisms after most failure conditions.

* The KDC will issue trivially renewable tickets (where the renewable
  lifetime is equal to or less than the ticket lifetime) if requested
  by the client, to be friendlier to scripts.

* The client library will use a random nonce for TGS requests instead
  of the current system time.

* For the RC4 string-to-key or PAC operations, UTF-16 is supported
  (previously only UCS-2 was supported).

* When matching PKINIT client certificates, UPN SANs will be matched
  correctly as UPNs, with canonicalization.

User experience:

* Dates after the year 2038 are accepted (provided that the platform
  time facilities support them), through the year 2106.

* Automatic credential cache selection based on the client realm will
  take into account the fallback realm and the service hostname.

* Referral and alternate cross-realm TGTs will not be cached, avoiding
  some scenarios where they can be added to the credential cache
  multiple times.

* A German translation has been added.

 

08:01 cy 

Follow up on r455423.

Pointy hat to:	rene

 

00:14 cy 

Now that krb5 1.15.1 is GA, make krb5-115 default.

 

05:26 cy 

Remove expired krb5-112. It was mistakenly "re-added" by r427588.

 

00:54 cy 

Welcome the new security/krb5-115 port. This port follows MIT's
KRB5 1.15 releases.

To support this new ports:

- The security/krb5 port includes an option to use this port instead
  of krb5-114 as its base. krb5-114 will remain the default until the
  next release of KRB5 1.15 (if it's stable of course).

- MIT by default deprecates KRB5 two versions back from the current
  release. krb5-113 has been deprecated and will expire one year from
  now.

 

05:02 cy 

This is the second part of two commits, the first being r403749.

Adopt the same port structure as used by the cfengine family of ports:

security/krb5 is renamed to security/krb5-114.

A brand new security/krb5 now becomes a master port for the family of
security/krb5-* ports. The default installs krb5-1.14. There is no
functional change to the port build nor does the name of the latest krb5
port and package change. Users can continue to install security/krb5
to track the latest major version of security/krb5.

Users wishing to install a specific version branch of krb5 can continue
to install any of the security/krb5-* ports or by setting KRB5_VERSION
in make.conf make.conf or including the branch on the make command line
during build:

	make KRB5_VERSIN=NNN

make -V VERSIONS lists available versions.

security/krb5-appl has been updated to support this change (also fixing
a typo in the krb5-appl/Makefile).

Inspired by:            sysutils/cfengine

 

08:47 cy 

Introduce the new krb5 1.14:

- move (copy) krb5 (krb5 1.13.2) to krb5-113 (new, added)
- update krb5 1.13.2 --> 1.14
- update CONFLICTS in krb5, krb5-112 and krb5-113.
- update krb5-appl to allow optional dependency on krb5-113.
- update security/Makefile with copied krb5-113.
- deprecate and expire krb5-112 (krb5-1.12) on November 20, 2016, as it
  will EOL twelve months after the release of krb5-1.14.

 

06:59 cy 

Add sonames and minor versioned library names.

PR:             203882

 

07:29 cy 

Bump PORTREVISION.

 

07:13 cy 

Fix READLINE option.
Add support for libedit (LIBEDIT option).
Both command line editing options now supported by RADIO button.

 

13:01 cy 

Remove configuration argument used during testing.

 

07:18 cy 

Fix build under 11-CURRENT. r378417 introduced a libreadline link
workaround due to libtool not working with 11-CURRENT at the time.
The workaround now causes grief under 11-CURRENT and needs to be
removed.

PR:		202782

 

20:27 cy 

MIT KRB5 ports build unusable binaries due to incorrect linking
when build under poudriere. This commit fixes that.

 

15:16 cy 

Fix armv5 build.

PR:		200100
Submitted by:	mikael.urankar@gmail.com

 

13:12 cy 

Update 1.13.1 --> 1.13.2

 

19:06 tijl 

- Display a stage-qa warning when ports use PREFIX/var instead of /var
- Add --localstatedir=/var to _LATE_CONFIGURE_ARGS (like --mandir) but not
  when CONFIGURE_ARGS already sets it.  (GNU configure scripts set it to
  PREFIX/var when PREFIX != /usr.)
- Add --localstatedir="${PREFIX}/var" to CONFIGURE_ARGS in some ports so
  they aren't affected by this change (for now at least).  This commit is
  meant to ensure that new ports don't make the same mistake.

- games/acm: the configure script in this port is very old; instead of
  patching it more, just replace GNU_CONFIGURE with HAS_CONFIGURE.
- irc/charybdis: it already used /var but adding --localstatedir=/var
  changed the behaviour of the configure script; adjust the port to this.

PR:		199506
Exp-run by:	antoine
Approved by:	portmgr (antoine)

 

18:49 cy 

dvertise CPE data for Kerberos.

PR:		197465

 

20:59 cy 

Fix broken rpath.

Submitted by:	hrs

 

01:27 cy 

Update 1.13 --> 1.13.1, incorporates MITKRB5-SA-2015-001 (committed in
r378417).

 

21:15 cy 

Fix gcc5 build for DragonFly BSD.

PR:		197561
Submitted by:	marino

 

03:39 cy 

Correct various packaging issues:

 - Libraries are not installed stripped;
 - pkgconfig files should be installed to libdata;
 - Use of deprecated @dirrm[try]

PR:		PR/197338
Submitted by:	delphij

 

20:47 cy 

Address: krb5 -- Vulnerabilities in kadmind, libgssrpc,
gss_process_context_token VU#540092

CVE-2014-5352: gss_process_context_token() incorrectly frees context

CVE-2014-9421: kadmind doubly frees partial deserialization results

CVE-2014-9422: kadmind incorrectly validates server principal name

CVE-2014-9423: libgssrpc server applications leak uninitialized bytes

Security:	VUXML: 24ce5597-acab-11e4-a847-206a8a720317
Security:	MIT KRB5: VU#540092
Security:	CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423

 

11:44 antoine 

- Remove support for EXTRACT_PRESERVE_OWNERSHIP
- Update a few comments related to extract

Differential Revision:	https://reviews.freebsd.org/D1189
With hat:	portmgr

 

17:05 cy 

Fix LATEST_LINK.

 

19:44 cy 

MIT Kerberos released 1.13; 1.12 becomes a maintenance release,
1.11 remains a maintenance release.

- Update security/krb5 1.12.2 --> 1.13
- Copy the old security/krb5 1.12.2 to security/krb5-112
  (now a maintenance release supported by MIT)
- Move the old krb5-maint (1.11.5: old maintenance release) to
  security/krb5-111 (the old maintenance release still supported by MIT)

 

18:32 cy 

Update 1.12.1 --> 1.12.2.

Add readline non-default option.

 

18:34 tijl 

net/openldap24-*:
- Convert to USES=libtool and bump dependent ports
- Avoid USE_AUTOTOOLS
- Don't use PTHREAD_LIBS
- Use MAKE_CMD

databases/glom:
- Drop :keepla
- Add INSTALL_TARGET=install-strip

databases/libgda4* databases/libgda5*:
- Convert to USES=libtool and bump dependent ports
- USES=tar:xz
- Use INSTALL_TARGET=install-strip
- Use @sample

databases/libgdamm:
- Drop :keepla
- USES=tar:bzip2
- Use INSTALL_TARGET=install-strip

databases/libgdamm5:
- Add INSTALL_TARGET=install-strip
- Drop --enable-static (inherited from old repocopy)

devel/anjuta x11-toolkits/py-gnome-extras:
- Drop :keepla

dns/powerdns dns/powerdns-devel:
- Convert to USES=libtool
- Add INSTALL_TARGET=install-strip
- Disable static modules
- Stop creating library symlinks with .0 suffix, not needed for dynamically
  opened modules

mail/dovecot2:
- Add USES=libtool

mail/dovecot2-pigeonhole:
- Drop CONFIGURE_TARGET (incorrect for Dragonfly)
- Add USES=libtool and INSTALL_TARGET=install-strip

math/gnumeric:
- USES=libtool tar:xz

Approved by:	portmgr (implicit, bump unstaged ports)

 

19:59 cy 

Fix build when KRB5_HOME != LOCALBASE.

Submitted by:	hrs

 

03:53 cy 

Finely tune KRB5_HOME test when using LIB_DEPENDS. in the case when
KRB5_HOME is set to LOCALBASE.

 

02:55 cy 

Remove extraneious MAN assignments.

 

15:55 brd 

- Add a startup script for kpropd

PR:		183502
Submitted by:	brd@
Approved by:	bdrewery@

 

03:45 cy 

Fix new patch.

Point hat to:	self

 

02:21 cy 

KRB5_HOME no longer works with LIB_DEPENDS. Mark broken when set.

 

20:06 cy 

1. Fix build when using clang 3.4.
2. RTM_OLDADD and RTM_OLDDEL were removed from -stable. Thanks alfred@ for
   this patch.
3. Stagify.

Submitted by:	alfred (#2)

 

13:49 cy 

Update 1.12 --> 1.12.1

 

05:19 cy 

Update krb5 to 1.12. Security/krb5 tracks MIT KRB5 current release.

Adjust the newly created krb5-maint with a new portname and conflicts.
Krb5-maint is a maintenance release for those who wish to use the previous
release of krb5. krb5-maint remains at 1.11.3.

Adjust CONFLICTS in security/heimdal and security/srp to account for the
newly repocopied krb5-maint.

Adjust security/Makefile to include krb5-maint.

 

20:50 cy 

pkg-plist fixup.

 

03:45 cy 

Add LDAP support.

PR:		184557
Submitted by:	Erick Turnquist <jhujhiti@adjectivism.org>

 

22:55 bapt 

Add NO_STAGE all over the place in preparation for the staging support (cat:
security)

 

16:58 bapt 

Convert to new perl framework
Convert USE_GMAKE to USES=gmake

 

16:40 antoine 

Add an empty directory created by the port to pkg-plist

Approved by:	portmgr (miwi)

 

04:45 cy 

Update krb5 1.11.2 --> 1.11.3.

This is a bugfix release.

* Fix a UDP ping-pong vulnerability in the kpasswd (password changing)
  service.  [CVE-2002-2443]

* Improve interoperability with some Windows native PKINIT clients.

Security:	CVE-2002-2443

 

18:10 ak 

- Convert USE_GETTEXT to USES (part 3)

Approved by:	portmgr (bapt)

 

00:41 cy 

Update 1.11.1 --> 1.11.2

Major changes in 1.11.2 (2013-04-12)
====================================

This is a bugfix release.

* Incremental propagation could erroneously act as if a slave's
  database were current after the slave received a full dump that
  failed to load.

* gss_import_sec_context incorrectly set internal state that
  identifies whether an imported context is from an interposer
  mechanism or from the underlying mechanism.

Feature safe:	yes

 

19:33 cs 

- Remove A/An in COMMENT
- Trim Header where applicable

 

16:10 cy 

Reset ulog if database load failed.
Avoids a slave reporting it is current when a full resync fails.

Obtained
from:	https://github.com/rbasch/krb5/commit/2ef5ae0607d1c317a936e439b4be7a6f5184dc

 

20:03 cy 

Update 1.11 --> 1.11.1.

Security:	Fix a null pointer dereference in the KDC PKINIT code [CVE-2013-1415].

 

14:15 cy 

Fix verto.h missing build error on some systems.

The following contributed by mandree@:
	- Header standardization.

	- Make use of OptionsNG.

	- Make portlint happy.

 

04:03 cy 

Update 1.10.3 --> 1.11

 

02:10 cy 

Fix plist.

Feature safe:	yes

 

18:59 cy 

Update krb5 1.9.2 --> 1.10.3

Feature safe:	yes

 

19:20 cy 

Fix build of security/krb5 with clang.

PR:             169740
Submitted by:           Niclas Zeising <zeising@daemonic.se>

05:26 dinoex 

- update png to 1.5.10

07:41 pav 

- pointyhat kludge - tetex drags in port-OpenSSL on 7.X, but only as a build
  dependency. Yet this triggers autodetection code in bsd.openssl.mk and
  OpenSSL dependency is registered with the resulting package, creating a
  discord between INDEX and actual package. Work around by explicitly recording
  the dependency in a way that INDEX build will see.

OK'ed by:       cy (maintainer)
Feature safe:   yes

04:33 cy 

PORTREVISION bump.

PR:             163272
Feature safe:   yes

04:31 cy 

Apply patch for MITKRB5-SA-2011-007, KDC null pointer dereference in TGS
handling.

PR:             163272
Submitted by:   zi
Security:       6c7d9a35-2608-11e1-89b4-001ec9578670
Feature safe:   yes

20:38 cy 

Update 1.9.1 --> 1.9.2. This is a bugfix release.

Feature safe:   yes

15:55 cy 

Apply patch from MIT KRB5 GIT tree commit: 043533c2f13d2bc69316.

libgssrpc was ignorant of the remote address of the kadmin socket,
even when it's IPv4.  This made old-style GSSAPI authentication fail
because it uses the wrong channel bindings.  Fix this problem by making
clnttcp_create() get the remote address from the socket using getpeername()
if the caller doesn't provide it and it's an IPv4 address.

PR:             160500
Submitted by:   Ben Kaduk <kaduk@mit.edu>

04:03 cy 

Update 1.9 --> 1.9.1.

PR:             158520
Submitted by:   Ryan Steinmetz <rpsfa@rit.edu>

00:39 cy 

Apply patch for MITKRB5-SA-2011-004, kadmind invalid pointer free()
[CVE-2011-0285]

Security:       MITKRB5-SA-2011-004, CVE-2011-0285
Feature safe:   yes

21:03 cy 

Bump PORTREVISION.

21:02 cy 

Adjust krb5-config when $KRB5_HOME is specified. This will allow applications
linking aganst the MIT krb5 libraries to link using the correct ones.

00:19 cy 

Apply patch for MITKRB5-SA-2011-003, KDC vulnerable to double-free when
PKINIT enabled.

Obtained from:  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt
Security:       MITKRB5-SA-2011-003, CVE-2011-0284
Feature safe:   yes

01:04 cy 

Apply fixes for kpropd denial of service (MITKRB5-SA-2011-001) and KDC
denial of service (MITKRB5-SA-2011-002).

Security:       MITKRB5-SA-2011-001 (CVE-2010-4022),
                MITKRB5-SA-2011-002 (CVE-2011-0281)

15:06 cy 

Remove the OpenSSL port requirement. The base OpenSSL will work too.

Feature safe:   yes

01:04 cy 

Update from 1.8.3_2 to 1.9.

07:34 ade 

Sync to new bsd.autotools.mk

02:09 cy 

Fix security vulnerabilities CVE-2010-1324, CVE-2010-1323, CVE-2010-4020,
CVE-2010-4021, and CVE-2010-1322.

PR:             152755
Submitted by:   wollman
Security:       CVE-2010-1324, CVE-2010-1323, CVE-2010-4020, CVE-2010-4021,
                and CVE-2010-1322.
Feature safe:   Yes

04:37 cy 

Enable ksu DEBUG (-D) flag.

22:37 cy 

Update to 1.8.3.

PR:             149299
Submitted by:   gwollman

05:14 cy 

Apply patch for MIT KRB5 security vulnerability MITKRB5-SA-2010-005.

PR:             146939
Submitted by:   wollman
Security:       MIT krb5 Security Advisory 2010-005

00:01 pgollucci 

- No longer broken on -current b/c of utmpx changes

PR:             ports/146384
Submitted by:   pgollucci@ (myself), others
Approved by:    maintainer timeout (cy@, 16 days)

03:48 cy 

Welcome the new krb5-1.8.1. Significant changes include the removal of
the MIT KRB5 applications (now in a separate tarball and port).

03:23 cy 

MFkrb5-17.

20:21 pav 

- Mark BROKEN: does not compile

Reported by:    pointyhat

06:47 dinoex 

- update to 1.4.1
Reviewed by:    exp8 run on pointyhat
Supported by:   miwi

06:48 miwi 

- Mark BROKEN: fails to build with new utmpx

Reported by:    pointyhat

11:46 dinoex 

- update to jpeg-8

21:37 cy 

Remove commented out option from a bygone era.

20:02 cy 

Remove redundant length check.

19:36 mezz 

-Repocopy devel/libtool15 -> libtool22 and libltdl15 -> libltdl22.
-Update libtool and libltdl to 2.2.6a.
-Remove devel/libtool15 and devel/libltdl15.
-Fix ports build with libtool22/libltdl22.
-Bump ports that depend on libltdl22 due to shared library version change.
-Explain what to do update in the UPDATING.

It has been tested with GNOME2, XFCE4, KDE3, KDE4 and other many wm/desktop
and applications in the runtime.

With help:      marcus and kwm
Pointyhat-exp:  a few times by pav
Tested by:      pgollucci, "Romain Tartière" <romain@blogreen.org>, and
                a few MarcusCom CVS users. Also, I might have missed a few.
Repocopy by:    marcus
Approved by:    portmgr

13:57 dinoex 

- bump all port that indirectly depends on libjpeg and have not yet been bumped
or updated
Requested by:   edwin

21:01 cy 

Convert missing WANT_KRB5_DOC pieces.

Add HTML documentation OPTION knob.

23:06 cy 

Implement OPTIONS menu.

Implement options that will allow the user to:

        - rename ftp and ftpd to kftp and kftpd
        - rename telnet and telnetd to ktelnet and ktelnetd
        - rename rlogin to krlogin
        - rename rsh to krsh
        - rename rcp to krcp

This avoids shadowing by or being shadowed by, depending on one's PATH,
system utilities of the same name.

19:26 cy 

Fixes for multiple vulnerabilities.

Security:       US-CERT Technical Cyber Security Alert TA08-079B --
                        MIT Kerberos Updates for Multiple Vulnerabilities
                US-CERT Vulnerability Note VU#895609,
                US-CERT Vulnerability Note VU#374121
                MIT krb5 Security Advisory 2008-001
                MIT krb5 Security Advisory 2008-002

14:53 cy 

Fix pkinit install brokenness under 5.5 and 6.2.

Approved by:    portmgr (linimon)