- Update from version 4.4.0 to 4.5.0
- Update o0f rootfile
- sobump requires shipping of core programs poppler (covered by update patch) and perl
together with addons cups-filters and spandsp (covered by PAK_VER updates in patch
series.
- Changelog is t6oo long to include here. For details see the ChangeLog file in the
source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- This package was used by the asterisk addon which was dropped some time ago so
spandsp is no longer needed
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- In six places <td class'base'> has been used instead of <td class='base'>
- This patch fixes that error - tested on my vm testbed. Selecting Inspect Element now
shows the corrrect result rather than class 'base' being set to null.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
- Update from version 5.18.0 to 6.1.0
- Update of rootfile
- Changelog
There is no changelog in the source tarball or in the kernel site where the source
tarballs are available from. xfs.org, which normally provides access to the git
repository, fails to connect. xfs.wiki.kernel.org has no changelog info in it.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 22.11.0 to 23.01.0
- Update of rootfile
- sobump checked with find-dependencies but not other programs other than from poppler
are flagged up.
- Changelog
Release 23.01.0:
core:
* PDFDoc::sign: Fix crash if font can't be found
* PDFDoc::sign: Try Arial to sign if Helvetica isn't found
* FoFiType1::parse: Be more flexible parsing the encoding content. Issue #1324
* Gfx::opBeginMarkedContent: Support Span with Name. Issue #1327
* Splash: Avoid color issues due to implicit rounding
* Splash: Fix crash on malformed file.
* CairoOutputDev: Ignore text rendering mode for type3 fonts
* Remove unused FoFiType1::load function
build system:
* Increase minimum required versions of several dependencies
* Improve include path handling
qt6:
- Use less deprecated functions
Release 22.12.0:
core:
* Form::addFontToDefaultResources: Be stubborn in finding a font we can use.
Issue #1272
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 4.1.1 to 4.2.0
- Update of rootfile
- Changelog
Changes from versions 4.1.1 to version 4.2.0
Binary compatible with MPFR 4.0.* and 4.1.*, though some minor changes in
the behavior of the formatted output functions may be visible, regarded as
underspecified behavior or bug fixes (see below).
New functions mpfr_cosu, mpfr_sinu, mpfr_tanu, mpfr_acosu, mpfr_asinu,
mpfr_atanu and mpfr_atan2u.
New functions mpfr_cospi, mpfr_sinpi, mpfr_tanpi, mpfr_acospi, mpfr_asinpi,
mpfr_atanpi and mpfr_atan2pi.
New functions mpfr_log2p1, mpfr_log10p1, mpfr_exp2m1, mpfr_exp10m1 and
mpfr_compound_si.
New functions mpfr_fmod_ui, mpfr_powr, mpfr_pown, mpfr_pow_uj, mpfr_pow_sj
and mpfr_rootn_si (mpfr_pown is actually a macro defined as an alias for
mpfr_pow_sj).
Bug fixes.
In particular, for the formatted output functions (mpfr_printf, etc.),
the case where the precision consists only of a period has been fixed
to be like .0 as specified in the ISO C standard, and the manual has
been corrected and clarified.
The macros of the custom interface have also been fixed: they now behave
like functions (except a minor limitation for mpfr_custom_init_set).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 5.40 to 5.44
- Update of rootfile not required
- Changelog
* release 5.44
* Handle nan's so that we don't get internal floating point exceptions
when they are enabled (Vincent Mihalkovic)
* PR/397: Restore the ability to process files from stdin immediately.
* fixed various clustefuzz issues
* Fix error detection for decompression code (Vincent Mihalkovic)
* Add MAGIC_NO_COMPRESS_FORK and use it to produce a more
meaningful error message if we are sandboxing.
* Add built-in lzip decompression support (Michal Gorny)
* Add built-in zstd decompression support (Martin Rodriguez Reboredo)
* release 5.43
* Add octal indirect magic (Michal Gorny)
* PR/374: avoid infinite loop in non-wide code (piru)
* PR/373: Obey MAGIC_CONTINUE with multiple magic files (vismarli)
* Fix bug with large flist (Florian Weimer)
* PR/364: Detect non-nul-terminated core filenames from QEMU
(mam-ableton)
* PR/359: Add support for http://ndjson.org/ (darose)
* PR/362: Fix wide printing (ro-ee)
* PR/358: Fix width for -f - (jpalus)
* PR/356: Fix JSON constant parsing (davewhite)
* release 5.42
* PR/348: add missing cases to prevent file from aborting on
random magic files.
* PR/351: octalify filenames when not raw before printing.
* fix regex cacheing bug (Dirk Mueller)
* merge file_regcomp and file_regerror() to simplify the code
and reduce memory requirements for storing regexes (Dirk Mueller)
* cache regex (Dirk Mueller)
* detect filesystem full by flushing output (Dirk Mueller)
* implement running decompressor programs using
posix_spawnp(2) instead of vfork(2)
* Add support for msdos dates and times
* use the system byte swapping functions if available (Werner Fink)
* release 5.41
* Avinash Sonawane: Fix tzname detection
* Fix relationship tests with "search" magic, don't short circuit
logic
* Fix memory leak in compile mode
* PR/272: kiefermat: Only set returnval = 1 when we printed something
(in all cases print or !print). This simplifies the logic and fixes
the issue in the PR with -k and --mime-type there was no continuation
printed before the default case.
* PR/270: Don't translate unprintable characters in %s magic formats
when -r
* PR/269: Avoid undefined behavior with clang (adding offset to NULL)
* Add a new flag (f) that requires that the match is a full word,
not a partial word match.
* Add varint types (unused)
* PR/256: mutableVoid: If the file is less than 3 bytes, use the file
length to determine type
* PR/259: aleksandr.v.novichkov: mime printing through indirect magic
is not taken into account, use match directly so that it does.
* count the total bytes found not the total byte positions
in order to determine encoding (Anatol Belski)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 3400000 to 3400100
- Update of rootfile not required
- Changelog
3.40.1
-Fix the --safe command-line option to the CLI such that it correctly disallows
the use of SQL functions like writefile() that can cause harmful side-effects.
-Fix a potential infinite loop in the memsys5 alternative memory allocator. This
bug was introduced by a performance optimization in version 3.39.0.
-Various other obscure fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 3.1.7 to 3.2.4
- Update of rootfile
- find-dependencies run and only thing showing as depending on the libs are knot itself.
- Changelog
Knot DNS 3.2.4 (2022-12-12)
Improvements:
- knotd: significant speed-up of catalog zone update processing
- knotd: new runtime check if RRSIG lifetime is lower than RRSIG refresh
- knotd: reworked zone re-bootstrap scheduling to be less progressive
- mod-synthrecord: module can work with CIDR-style reverse zones #826
- python: new libknot wrappers for some dname transformation functions
- doc: a few fixes and improvements
Bugfixes:
- knotd: incomplete zone is received when IXFR falls back to AXFR due to
connection timeout if primary puts initial SOA only to the first message
- knotd: first zone re-bootstrap is planned after 24 hours
- knotd: EDNS EXPIRE option is present in outgoing transfer of a catalog zone
- knotd: catalog zone can expire upon EDNS EXPIRE processing
- knotd: DNSSEC signing doesn't fail if no offline KSK records available
Knot DNS 3.2.3 (2022-11-20)
Improvements:
- knotd: new per-zone DS push configuration option (see 'zone.ds-push')
- libs: upgraded embedded libngtcp2 to 0.11.0
Bugfixes:
- knsupdate: program crashes when sending an update
- knotd: server drops more responses over UDP under higher load
- knotd: missing EDNS padding in responses over QUIC
- knotd: some memory issues when handling unusual QUIC traffic
- kxdpgun: broken IPv4 source subnet processing
- kdig: incorrect handling of unsent data over QUIC
Knot DNS 3.2.2 (2022-11-01)
Features:
- knotd,kxdpgun: support for VLAN (802.1Q) traffic in the XDP mode
- knotd: added configurable delay upon D-Bus initialization (see 'server.dbus-init-delay')
- kdig: support for JSON (RFC 8427) output format (see '+json')
- kdig: support for PROXYv2 (see '+proxy') (Gift for Peter van Dijk)
Improvements:
- mod-geoip: module respects the server configuration of answer rotation
- libs: upgraded embedded libngtcp2 to 0.10.0
- tests: improved robustness of some unit tests
- doc: added description of zone bootstrap re-planning
Bugfixes:
- knotd: catalog confusion when a member is added and immediately deleted #818
- knotd: defective handling of short messages with PROXYv2 header #816
- knotd: inconsistent processing of malformed messages with PROXYv2 header #817
- kxdpgun: incorrect XDP mode is logged
- packaging: outdated dependency check in RPM packages
Knot DNS 3.2.1 (2022-09-09)
Improvements:
- libknot: added compatibility with libbpf 1.0 and libxdp
- libknot: removed some trailing white space characters from textual RR format
- libs: upgraded embedded libngtcp2 to 0.8.1
Bugfixes:
- knotd: some non-DNS packets not passed to OS if XDP mode enabled
- knotd: inappropriate log about QUIC port change if QUIC not enabled
- knotd/kxdpgun: various memory leaks related to QUIC and TCP
- kxdpgun: can crash at high rates in emulated XDP mode
- tests: broken XDP-TCP test on 32-bit platforms
- kdig: failed to build with enabled QUIC on OpenBSD
- systemd: failed to start server due to TemporaryFileSystem setting
- packaging: missing knot-dnssecutils package on CentOS 7
Knot DNS 3.2.0 (2022-08-22)
Features:
- knotd: finalized TCP over XDP implementation
- knotd: initial implementation of DNS over QUIC in the XDP mode (see 'xdp.quic')
- knotd: new incremental DNSKEY management for multi-signer deployment (see 'policy.dnskey-management')
- knotd: support for remote grouping in configuration (see 'groups' section)
- knotd: implemented EDNS Expire option (RFC 7314)
- knotd: NSEC3 salt is changed with every ZSK rollover if lifetime is set to -1
- knotd: support for PROXY v2 protocol over UDP (Thanks to Robert Edmonds) #762
- knotd: support for key labels with PKCS #11 keystore (see 'keystore.key-label')
- knotd: SVCB/HTTPS treatment according to draft-ietf-dnsop-svcb-https
- keymgr: new JSON output format (see '-j' parameter) for listing keys or zones (Thanks to JP Mens)
- kxdpgun: support for DNS over QUIC with some testing modes (see '-U' parameter)
- kdig: new DNS over QUIC support (see '+quic')
Improvements:
- knotd: reduced memory consumption when processing IXFR, DNSSEC, catalog, or DDNS
- knotd: RRSIG refresh values don't have to match in the mode Offline KSK
- knotd: better decision whether AXFR fallback is needed upon a refresh error
- knotd: NSEC3 resalt event was merged with the DNSSEC event
- knotd: server logs when the connection to remote was taken from the pool
- knotd: server logs zone expiration time when the zone is loaded
- knotd: DS check verifies removal of old DS during algorithm rollover
- knotd: DNSSEC-related records can be updated via DDNS
- knotd: new 'xdp.udp' configuration option for disabling UDP over XDP
- knotd: outgoing NOTIFY is replanned if failed
- knotd: configuration checks if zone MIN interval values are lower or equal to MAX ones
- knotd: DNSSEC-related zone semantic checks use DNSSEC validation
- knotd: new configuration value 'query' for setting ACL action
- knotd: new check on near end of imported Offline KSK records
- knotd/knotc: implemented zone catalog purge, including orphaned member zones
- knotc: interactive mode supports catalog zone completion, value completion, and more
- knotc: new default brief and colorized output from zone status
- knotc: unified empty values in zone status output
- keymgr: DNSKEY TTL is taken from KSR in the Offline KSK mode
- kjournalprint: path to journal DB is automatically taken from the configuration,
which can be specified using '-c', '-C' (or '-D')
- kcatalogprint: path to catalog DB is automatically taken from the configuration,
which can be specified using '-c', '-C' (or '-D')
- kzonesign: added automatic configuration file detection and '-C' parameter
for configuration DB specificaion
- kzonesign: all CPU threads are used for DNSSEC validation
- libknot: dname pointer cannot point to another dname pointer when encoding RRsets #765
- libknot: QNAME case is preserved in knot_pkt_t 'wire' field (Thanks to Robert Edmonds) #780
- libknot: reduced memory consumption of the XDP mode
- libknot: XDP filter supports up to 256 NIC queues
- kxdpgun: new options for specifying source and remote MAC addresses
- utils: extended logging of LMDB-related errors
- utils: improved error outputs
- kdig: query has AD bit set by default
- doc: various improvements
Bugfixes:
- knotd: zone changeset is stored to journal even if disabled
- knotd: journal not applied to zone file if zone file changed during reload
- knotd: possible out-of-order processing or postponed zone events to far future
- knotd: incorrect TTL is used if updated RRSet is empty over control interface
- knotd/libs: serial arithmetics not used for RRSIG expiration processing
- knsupdate: incorrect RRTYPE in the question section
Compatibility:
- knotd: default value for 'zone.journal-max-depth' was lowered to 20
- knotd: default value for 'policy.nsec3-iterations' was lowered to 0
- knotd: default value for 'policy.rrsig-refresh' is propagation delay + zone maximum TTL
- knotd: server fails to load configuration if 'policy.rrsig-refresh' is too low
- knotd: configuration option 'server.listen-xdp' has no effect
- knotd: new configuration check on deprecated DNSSEC algorithm
- knotc: new '-e' parameter for full zone status output
- keymgr: new '-e' parameter for full key list output
- keymgr: brief key listing mode is enabled by default
- keymgr: renamed parameter '-d' to '-D'
- knsupdate: default TTL is set to 3600
- knsupdate: default zone is empty
- kjournalprint: renamed parameter '-c' to '-H'
- python/libknot: removed compatibility with Python 2
Packaging:
- systemd: removed knot.tmpfile
- systemd: added some hardening options
- distro: Debian 9 and Ubuntu 16.04 no longer supported
- distro: packages for CentOS 7 are built in a separate COPR repository
- kzonecheck/kzonesign/knsec3hash: moved to new package knot-dnssecutils
Knot DNS 3.1.9 (2022-08-10)
Improvements:
- knotd: new configuration checks on unsupported catalog settings
- knotd: semantic check issues have notice log level in the soft mode
- keymgr: command generate-ksr automatically sets 'from' parameter to last
offline KSK records' timestamp if it's not specified
- keymgr: command show-offline starts from the first offline KSK record set
if 'from' parameter isn't specified
- kcatalogprint: new parameters for filtering catalog or member zone
- mod-probe: default rate limit was increased to 100000
- libknot: default control timeout was increased to 30 seconds
- python/libknot: various exceptions are raised from class KnotCtl
- doc: some improvements
Bugfixes:
- knotd: incomplete outgoing IXFR is responded if journal history is inconsistent
- knotd: manually triggered zone flush is suppressed if disabled zone synchronization
- knotd: failed to configure XDP listen interface without port specification
- knotd: de-cataloged member zone's file isn't deleted #805
- knotd: member zone leaks memory when reloading catalog during dynamic configuration change
- knotd: server can crash when reloading modules with DNSSEC signing (Thanks to iqinlongfei)
- knotd: server crashes during shutdown if PKCS #11 keystore is used
- keymgr: command del-all-old isn't applied to all keys in the removed state
- kxdpgun: user specified network interface isn't used
- libs: fixed compilation on illumos derivatives (Thanks to Nick Ewins)
Knot DNS 3.1.8 (2022-04-28)
Features:
- knotd: optional automatic ACL for XFR and NOTIFY (see 'remote.automatic-acl')
- knotd: new soft zone semantic check mode for allowing defective zone loading
- knotc: added zone transfer freeze state to the zone status output
Improvements:
- knotd: added configuration check for serial policy of generated catalogs
Bugfixes:
- knotd/libknot: the server can crash when validating a malformed TSIG record
- knotd: outgoing zone transfer freeze not preserved during server reload
- knotd: catalog UPDATE not processed if previous UPDATE processing not finished #790
- knotd: zone refresh not started if planned during server reload
- knotd: generated catalogs can be queried over UDP
- knotd/utils: failed to open LMDB database if too many stale slots occupy the lock table
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 2.13.1 to 2.14
- Update of rootfile
- Changelog
2.14 Featured release
lcms2 now implements ICC specification 4.4
New multi-threaded plug-in
several fixes to keep fuzzers happy
Remove check on DLL when CMS_NO_REGISTER_KEYWORD is used
Added more validation against broken profiles
Add more help to several tools
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 590 to 608
- Update of rootfile not required
- Changelog
Major changes between "less" versions 590 and 608
* Add the --header option (github #43).
* Add the --no-number-headers option (github #178).
* Add the --status-line option.
* Add the --redraw-on-quit option (github #36).
* Add the --search-options option (github #213).
* Add the --exit-follow-on-close option (github #244).
* Add 'H' color type to set color of header lines.
* Add #version conditional to lesskey.
* Add += syntax to variable section in lesskey files.
* Allow option name in -- command to end with '=' in addition to '\n'.
* Add $HOME/.config to possible locations of lesskey file (github #153).
* Add $XDG_STATE_HOME and $HOME/.local/state to possible locations
of history file (github #223).
* Don't read or write history file in secure mode (github #201).
* Fix display of multibyte and double-width chars in prompt.
* Fix ESC-BACKSPACE command when BACKSPACE key does not send 0x08
(github #188).
* Add more \k codes to lesskey format.
* Fix bug when empty file is modified while viewing it.
* Fix bug when parsing a malformed lesskey file (githb #234).
* Fix bug scrolling history when --incsearch is set (github #214).
* Fix buffer overflow when invoking lessecho with more than 63 -m/-n
options (github #198).
* Fix buffer overflow in bin_file (github #271).
* Fix bug restoring color at end of highlighted text.
* Fix bug in parsing lesskey file.
* Defer moving cursor to lower left in some more cases.
* Suppress TAB filename expansion in some cases where it doesn't make sense.
* Fix termlib detection when compiler doesn't accept
calls to undeclared functions.
* Fix bug in input of non-ASCII characters on Windows (github #247)
* Escape filenames when invoking LESSCLOSE.
* Fix bug using multibyte UTF-8 char in search string
with --incsearch (github #273).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
This patch will gracefully terminate the daemon when it loses its
connection to the OpenVPN daemon.
Fixes: #12963
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 4.17.3 to 4.17.4
- Update of rootfile (Only the x86_64 rootfile updated with this patch)
- Changelog
Release Notes for Samba 4.17.4
This is the latest stable release of the Samba 4.17 release series.
It also contains security changes in order to address the following defects:
o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
RC4-HMAC Elevation of Privilege Vulnerability
disclosed by Microsoft on Nov 8 2022.
A Samba Active Directory DC will issue weak rc4-hmac
session keys for use between modern clients and servers
despite all modern Kerberos implementations supporting
the aes256-cts-hmac-sha1-96 cipher.
On Samba Active Directory DCs and members
'kerberos encryption types = legacy' would force
rc4-hmac as a client even if the server supports
aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
https://www.samba.org/samba/security/CVE-2022-37966.html
o CVE-2022-37967: This is the Samba CVE for the Windows
Kerberos Elevation of Privilege Vulnerability
disclosed by Microsoft on Nov 8 2022.
A service account with the special constrained
delegation permission could forge a more powerful
ticket than the one it was presented with.
https://www.samba.org/samba/security/CVE-2022-37967.html
o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
same algorithms as rc4-hmac cryptography in Kerberos,
and so must also be assumed to be weak.
https://www.samba.org/samba/security/CVE-2022-38023.html
Note that there are several important behavior changes
included in this release, which may cause compatibility problems
interacting with system still expecting the former behavior.
Please read the advisories of CVE-2022-37966,
CVE-2022-37967 and CVE-2022-38023 carefully!
samba-tool got a new 'domain trust modify' subcommand
This allows "msDS-SupportedEncryptionTypes" to be changed
on trustedDomain objects. Even against remote DCs (including Windows)
using the --local-dc-ipaddress= (and other --local-dc-* options).
See 'samba-tool domain trust modify --help' for further details.
smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
allow nt4 crypto Deprecated no
allow nt4 crypto:COMPUTERACCOUNT New
kdc default domain supported enctypes New (see manpage)
kdc supported enctypes New (see manpage)
kdc force enable rc4 weak session keys New No
reject md5 clients New Default, Deprecated Yes
reject md5 servers New Default, Deprecated Yes
server schannel Deprecated Yes
server schannel require seal New, Deprecated Yes
server schannel require seal:COMPUTERACCOUNT New
winbind sealed pipes Deprecated Yes
Changes since 4.17.3
o Jeremy Allison <jra@samba.org>
* BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
same size.
o Andrew Bartlett <abartlet@samba.org>
* BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
user-controlled pointer in FAST.
* BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
* BUG 15237: CVE-2022-37966.
* BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
o Ralph Boehme <slow@samba.org>
* BUG 15240: CVE-2022-38023.
* BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
o Stefan Metzmacher <metze@samba.org>
* BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
Windows.
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
* BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
vulnerability.
* BUG 15206: libnet: change_password() doesn't work with
dcerpc_samr_ChangePasswordUser4().
* BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
* BUG 15230: Memory leak in snprintf replacement functions.
* BUG 15237: CVE-2022-37966.
* BUG 15240: CVE-2022-38023.
* BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
(CVE-2021-20251 regression).
o Noel Power <noel.power@suse.com>
* BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
same size.
o Anoop C S <anoopcs@samba.org>
* BUG 15198: Prevent EBADF errors with vfs_glusterfs.
o Andreas Schneider <asn@samba.org>
* BUG 15237: CVE-2022-37966.
* BUG 15243: %U for include directive doesn't work for share listing
(netshareenum).
* BUG 15257: Stack smashing in net offlinejoin requestodj.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
* BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
* BUG 15231: CVE-2022-37967.
* BUG 15237: CVE-2022-37966.
o Nicolas Williams <nico@twosigma.com>
* BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
user-controlled pointer in FAST.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
