Fixes a bug introduced in 2.20.0 with unintended Authorization header
stripping for redirects using default ports (http/80, https/443).
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 745132abc0)
[Peter: mention fix from 2.20.0]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-18074: The Requests package before 2.20.0 for Python sends an
HTTP Authorization header to an http URI upon receiving a same-hostname
https-to-http redirect, which makes it easier for remote attackers to
discover credentials by sniffing the network.
LICENSE update: replaced http address with https.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 42bebd1e7c)
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
setup.py explicitly listed a maximum allowed version of python-requests,
causing runtime failures with the python-requests version we have:
Loaded image: docker-enp.bin.cloud.barco.com/eis/baseos-docker-snmp:0.1.0
Traceback (most recent call last):
File "/usr/bin/docker-compose", line 6, in <module>
from pkg_resources import load_entry_point
File "usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3123, in <module>
File "usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3107, in _call_aside
File "usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3136, in _initialize_master_working_set
File "usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 580, in _build_master
File "usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 593, in _build_from_requirements
File "usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 781, in resolve
pkg_resources.DistributionNotFound: The 'requests!=2.11.0,!=2.12.2,!=2.18.0,<2.19,>=2.6.1' distribution was not found and is required by docker-compose
FAIL
Upstream regularly updates setup.py as new python-requests releases are
made, but it is unknown why new python-requests releases (which are supposed
to be backwards compatible) should not be allowed right away.
Add a path submitted upstream to only disallow new major versions, similar
to how the other dependencies are handled.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 53261d8082)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There are various versions shipped in linux-firmware. In the past we
decided that it was up to the developer to filter out the ones they want
for their specific kernel version, so install them all.
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6a6f9306d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
luvi fails to run when it was build with CMake 3.12+:
```
[string "return require('init')(...)"]:1: module 'init' not found:
no field package.preload['init']
no file './init.lua'
no file '/usr/share/luajit-2.0.5/init.lua'
no file '/usr/local/share/lua/5.1/init.lua'
no file '/usr/local/share/lua/5.1/init/init.lua'
no file '/usr/share/lua/5.1/init.lua'
no file '/usr/share/lua/5.1/init/init.lua'
no file './init.so'
no file '/usr/local/lib/lua/5.1/init.so'
no file '/usr/lib/lua/5.1/init.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
```
Looking at link.txt for the luvi executable shows that `-rdynamic` is
not set anymore in CMake 3.12. This has the effect, that symbols are
missing in the `.dynsym` section in the binary.
The patch, sets `ENABLE_EXPORTS` to true in CMakeLists.txt to force setting
`-rdynamic` explicitly.
Upstream status: b8781653dcb8815a3019a77baf4f3b7f7a255ebe
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 56d2ac54dd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains security fixes for CVE identifiers: CVE-2018-4437,
CVE-2018-4438, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, and
CVE-2018-4464. Additionally, it fixes a couple of build failures in
unusual build configurations.
Release notes can be found in the announcement:
https://webkitgtk.org/2018/12/13/webkitgtk2.22.5-released.html
More details on the issues covered by security fixes can be found
in the corresponding security advisory:
https://webkitgtk.org/security/WSA-2018-0009.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6bbfaf1d40)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update to version 2018.11 to resolve the following build failure:
corelib/channel_curl.c: In function ‘channel_map_curl_error’:
corelib/channel_curl.c:298:2: error: duplicate case value
case CURLE_SSL_CACERT:
^
corelib/channel_curl.c:297:2: error: previously used here
case CURLE_PEER_FAILED_VERIFICATION:
^
when building with CONFIG_DOWNLOAD=y. This issue is happening since
the libcurl bump to 7.62.0.
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1040b18634)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
1.15.7 contains a number of bugfixes. From the changes file:
*) Bugfix: memory leak on errors during reconfiguration.
*) Bugfix: in the $upstream_response_time, $upstream_connect_time, and
$upstream_header_time variables.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_mp4_module was used on 32-bit platforms.
https://nginx.org/en/CHANGES
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bc60c57f69)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libgpgme installs a gpgme-config script, it should be tweaked using
the <pkg>_CONFIG_SCRIPTS mechanism. This is generally useful and is
going to be particularly important with per-package directories.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3df53aa11d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Definitions of POLLWRNORM, POLLWRBAND and POLLREMOVE in xtensa linux
kernel are non-standard. Provide bits/poll.h with correct values for
these constants for uclibc-ng.
This fixes the following strace build errors:
In file included from xlat/pollflags.h:4:0,
from poll.c:34:
./static_assert.h:40:24: error: static assertion failed: "POLLWRBAND != 0x0100"
# define static_assert _Static_assert
^
xlat/pollflags.h:75:1: note: in expansion of macro ‘static_assert’
static_assert((POLLWRBAND) == (0x0100), "POLLWRBAND != 0x0100");
^~~~~~~~~~~~~
./static_assert.h:40:24: error: static assertion failed: "POLLREMOVE != 0x0800"
# define static_assert _Static_assert
^
xlat/pollflags.h:117:1: note: in expansion of macro ‘static_assert’
static_assert((POLLREMOVE) == (0x0800), "POLLREMOVE != 0x0800");
^~~~~~~~~~~~~
Fixes:
http://autobuild.buildroot.net/results/5a0112b7a2c81fa5253c9adc93efe415256cd811
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 95f11fb25d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When one of BR2_PACKAGE_FFTW_PRECISION_* is enabled, liquid-dsp links
against fftw3f, fftw3 or fftw3l, but forgets to add the fftw package
in its dependencies. It works fine in practice because "fftw" is
before "liquid-dsp" in the alphabetic ordering, but building with
"make liquid-dsp" or with per-package directory causes a build
failure.
Fix that by adding the missing dependencies.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Reviewed-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2517fa73ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The sdl2_net configure script uses pkg-config to finx sdl2. If it
doesn't find pkg-config, it tries to locate sdl2-config, and defaults
to /usr/bin/sdl2-config, which causes the build to fail with:
arm-linux-gcc: ERROR: unsafe header/library path used in cross-compilation: '-I/usr/include/SDL2'
Fix this by adding host-pkgconf to the dependencies of sdl2_net. We
could have added the right autoconf cache variable to tell the
configure script where sdl2-config is located, but since pkg-config is
tried first, let's use that.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c2a1bcb1b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Just like the build of the target wine, the build of host wine also
needs bison and flex, otherwise the build fails with:
checking for flex... no
configure: error: no suitable flex found. Please install the 'flex' package.
(and similarly for bison once host-flex is provided)
This was detected using per-package directories. It used to "work"
because host-wine comes alphabetically after host-flex and host-bison,
which are dependencies of target wine.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e4d153b16a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
- Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
- Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
- Node.js: HTTP request splitting (CVE-2018-12116)
- OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
- OpenSSL: Microarchitecture timing vulnerability in ECC scalar
multiplication (CVE-2018-5407)
For more details, see the announcement:
https://nodejs.org/en/blog/release/v8.14.0/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0de2c9c76c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-19518: University of Washington IMAP Toolkit 2007f on UNIX,
as used in imap_open() in PHP and other products, launches an rsh command
(by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen
function in osdep/unix/tcp_unix.c) without preventing argument injection,
which might allow remote attackers to execute arbitrary OS commands if the
IMAP server name is untrusted input (e.g., entered by a user of a web
application) and if rsh has been replaced by a program with different
argument semantics. For example, if rsh is a link to ssh (as seen on Debian
and Ubuntu systems), then the attack can use an IMAP server name containing
a "-oProxyCommand" argument.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1af5232138)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
liboping.c: In function 'ping_host_add':
liboping.c:207:9: error: '%s' directive output may be truncated writing
up to 255 bytes into a region of size 243 [-Werror=format-truncation=]
"%s: %s", function, message);
^~
liboping.c:1644:40:
ping_set_error (obj, "getaddrinfo", errmsg);
~~~~~~
liboping.c:206:2: note: 'snprintf' output between 14 and 269 bytes into
a destination of size 256
snprintf (obj->errmsg, sizeof (obj->errmsg),
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"%s: %s", function, message);
Fixes:
- http://autobuild.buildroot.org/results/b12d86388b495a96194e0bcbb5c19a4e35cbc53d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8361c53eac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The logic to ensure at least one compression backend is selected was not
updated when lz4, xz and zstd were introduced - Fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
[Peter: add comment as suggested by Peter Seiderer]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 84aeb4419f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
prosody is not available for Lua 5.3, but only 5.1 & 5.2.
prosody needs the module BitOp which is included in LuaJIT
note: the actual config is working only LuaJIT
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 768a9b9dd7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As reported in bug #11426, the ppsfind shell script uses /bin/bash,
but the Buildroot pps-tools package doesn't depend on bash. In fact,
upstream has fixed the problem, and the script can now be used with a
POSIX shell, and the shebang is /bin/sh.
This commit therefore bumps pps-tools to the latest upstream commit,
which is precisely this fix.
Fixes bug #11426.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5c89726d9f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Lynx configure script uses pkg-config when available:
checking for nios2-buildroot-linux-gnu-pkg-config... /home/thomas/projets/buildroot/output/host/bin/pkg-config
checking pkg-config for openssl... yes
[...]
checking pkg-config for ncurses... yes
Using pkg-config avoids build failures such as:
checking for _nc_freeall... no
configure: error: Configuration does not support color-styles
make: *** [/home/test/autobuild/run/instance-1/output/build/lynx-2.8.9rel.1/.stamp_configured] Error 1
When building with "make lynx", so that pkg-config is not built
before. The issue is that in this case, lynx configure script picks up
the ncurses6-config script for the host ncurses instead of the one in
staging. Using pkg-config solves that nicely.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 67ee7f9eb1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libcurl doesn't find any trust path for CA certs when it cross-compiles.
When using OpenSSL, it is explicitly configured to use the SSL cert
directory with OpenSSL style hash files in it. But with GnuTLS, it gets
nothing.
Rather than configure libcurl to use the OpenSSL directory or a bundle
file, configure it to use the GnuTLS default. This way the CA certs
path can be configured in one place (gnutls) and then libcurl and anyone
else who uses gnutls can default to that.
Also, when libcurl with gnutls is configured to use a directory, it ends
up loading each cert three times.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 43b4d3ae45)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gnutls is building with no default location to look for CA certs. Since
there are buildroot packages to provide these, configure it to use them
by default.
Configure gnutls to find them using the bundle file which contains all
certs, rather than looking in the cert directory. When gnutls is told
to use the directory, it loads *every* file in it. This means it loads
the bundle with all certs, then loads each cert a second time using the
individual pem files, and then loads them all the third time via the
hash symlinks to the pem files.
When p11-kit is enabled, use its trust module instead of the bundle
file. p11-kit can be configured to use the bundle (the default), but it
can do other things too, such as integrate with the "trust" command for
adding and removing trust anchors.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 379306e8f2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
fstatfs/statfs on aarch64 seems broken, add a patch from uClibc-ng
upstream git to fix it.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2179ca4a61)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By default, the go compiler will spawn as many jobs as there are CPUs
available, thus possibily over-shooting the limits set by the user.
Make it abide by the user's wish, and specify the number of jobs allowed
to run.
We can do so without fear of a package failing to build in parallel,
because they were already all building in parallel, as that is the
default for the go compiler.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5af65f6557)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pass -Werror=shadow in args of cc.compiles in meson.build otherwise test
will always succeed, causing -Werror=shadow to be passed, even on older gcc versions.
GCC 4.8 changed the behaviour of -Werror=shadow to no longer complain about
local variable declariations shadowing functions, which systemd has. From
the changelog:
The option -Wshadow no longer warns if a declaration shadows a function
declaration, unless the former declares a function or pointer to function,
because this is a common and valid case in real-world code.
https://www.gnu.org/software/gcc/gcc-4.8/changes.html
Fixes:
- http://autobuild.buildroot.org/results/ffd71c473d3b29618c18cd2e04705370266696f2
[Peter: extend commit message, add gcc 4.8 link]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 76cf905c7b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- CVE-2018-17961: Artifex Ghostscript 9.25 and earlier allows attackers to
bypass a sandbox protection mechanism via vectors involving errorhandler
setup. NOTE: this issue exists because of an incomplete fix for
CVE-2018-17183.
- CVE-2018-18284: Artifex Ghostscript 9.25 and earlier allows attackers to
bypass a sandbox protection mechanism via vectors involving the 1Policy
operator.
- CVE-2018-19409: An issue was discovered in Artifex Ghostscript before
9.26. LockSafetyParams is not checked correctly if another device is
used.
- CVE-2018-19475: psi/zdevice2.c in Artifex Ghostscript before 9.26 allows
remote attackers to bypass intended access restrictions because available
stack space is not checked when the device remains the same.
- CVE-2018-19476: psi/zicc.c in Artifex Ghostscript before 9.26 allows
remote attackers to bypass intended access restrictions because of a
setcolorspace type confusion.
- CVE-2018-19477: psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows
remote attackers to bypass intended access restrictions because of a
JBIG2Decode type confusion.
For more details, see the release notes:
https://www.ghostscript.com/doc/9.26/History9.htm#Version9.26
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e52b02677a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
domoticz will fail to build with python and older cmake
Indeed, find_package(PythonLibs 3.4) will not recognize python 3.7 until
cmake 3.7 and the following commit:
c31573b964
To fix this, add a call to find_package(PythonInterp). Indeed, if
FindPythonInterp has already found the major and minor version, that
version will be inserted between the user supplied versions and the
stock version list since cmake in version 3.1 and
3816cd2dc7
Fixes:
- http://autobuild.buildroot.org/results/8e82501a7b49da628ec026132ffca44c0c813040
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7367a8cd59)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
*) Microarchitecture timing vulnerability in ECC scalar multiplication
OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
shown to be vulnerable to a microarchitecture timing side channel attack.
An attacker with sufficient access to mount local timing attacks during
ECDSA signature generation could recover the private key.
This issue was reported to OpenSSL on 26th October 2018 by Alejandro
Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
Nicola Tuveri.
(CVE-2018-5407)
[Billy Brumley]
*) Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
(CVE-2018-0734)
[Paul Dale]
For more information, see the changelog:
https://www.openssl.org/news/cl102.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3301b6e1b2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
PLATFORM is an environment variable used by xfsprogs' configure script
to determine the platform for which the applications are being built. If
we set some incorrect/unsupported value through e.g: export, this will
be picked up by xfsprogs' configure script and used as-is and assigned
to PKG_PLATFORM, which will lead to build failures.
If PLATFORM was empty/unset, then uname on the host building xfsprogs
gets used to determine the build platform, which again could be
incorrect if we e.g: built xfsprogs on a Darwin system.
Since we are obviously building for Linux, let's just make sure we
define it that way which solves both issues.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 257a2118be)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- CVE-2018-14629:
All versions of Samba from 4.0.0 onwards are vulnerable to infinite
query recursion caused by CNAME loops. Any dns record can be added via
ldap by an unprivileged user using the ldbadd tool, so this is a
security issue.
- CVE-2018-16841:
When configured to accept smart-card authentication, Samba's KDC will call
talloc_free() twice on the same memory if the principal in a validly signed
certificate does not match the principal in the AS-REQ.
This is only possible after authentication with a trusted certificate.
talloc is robust against further corruption from a double-free with
talloc_free() and directly calls abort(), terminating the KDC process.
There is no further vulnerability associated with this issue, merely a
denial of service.
- CVE-2018-16851:
During the processing of an LDAP search before Samba's AD DC returns
the LDAP entries to the client, the entries are cached in a single
memory object with a maximum size of 256MB. When this size is
reached, the Samba process providing the LDAP service will follow the
NULL pointer, terminating the process.
There is no further vulnerability associated with this issue, merely a
denial of service.
- CVE-2018-16853:
A user in a Samba AD domain can crash the KDC when Samba is built in the
non-default MIT Kerberos configuration.
With this advisory we clarify that the MIT Kerberos build of the Samba
AD DC is considered experimental. Therefore the Samba Team will not
issue security patches for this configuration.
For more details, see the release notes:
https://www.samba.org/samba/history/samba-4.8.7.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
