Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/debian-local/0001-Debian-HURD-compatibility.patch135
-rw-r--r--debian/patches/debian-local/0002-debian-Handle-multi-arch-paths-in-krb5-config.patch66
-rw-r--r--debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch36
-rw-r--r--debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch41
-rw-r--r--debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch34
-rw-r--r--debian/patches/debian-local/0006-Add-substpdf-target.patch40
-rw-r--r--debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch102
-rw-r--r--debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch109
-rw-r--r--debian/patches/series11
-rw-r--r--debian/patches/upstream/0009-Remove-erroneous-text-from-kinit-man-page.patch63
-rw-r--r--debian/patches/upstream/0010-Fix-memory-leak-in-none-replay-cache-type.patch33
-rw-r--r--debian/patches/upstream/0011-Document-the-double-colon-behavior-of-DIR-ccaches.patch33
12 files changed, 703 insertions, 0 deletions
diff --git a/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch b/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch
new file mode 100644
index 000000000..9f7778fcd
--- /dev/null
+++ b/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch
@@ -0,0 +1,135 @@
+From 85fcf9fc43e0b10fd0f90e056200ed028e50d297 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Mon, 26 Dec 2011 18:05:13 -0500
+Subject: Debian: HURD compatibility
+
+HURD has no MAXPATHLEN or MAXHOSTLEN.
+
+Patch-Category: debian-local
+---
+ src/clients/ksu/ksu.h | 4 ++++
+ src/include/k5-int.h | 3 +++
+ src/kadmin/ktutil/ktutil_funcs.c | 4 ++++
+ src/kprop/kprop_util.c | 4 ++++
+ src/lib/gssapi/spnego/spnego_mech.c | 3 +++
+ src/lib/krb5/os/sn2princ.c | 4 ++++
+ src/plugins/kdb/db2/libdb2/include/db-int.h | 4 ++++
+ src/tests/resolve/resolve.c | 4 ++++
+ 8 files changed, 30 insertions(+)
+
+diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
+index 3bf0bd4384..f680b332c3 100644
+--- a/src/clients/ksu/ksu.h
++++ b/src/clients/ksu/ksu.h
+@@ -56,6 +56,10 @@
+ #define MAX_CMD 2048 /* this is temp, should use realloc instead,
+ as done in most of the code */
+
++#ifndef MAXPATHLEN
++# define MAXPATHLEN 4096
++#endif
++
+
+ extern int optind;
+ extern char * optarg;
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index 652242207a..e4f1678be6 100644
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -589,6 +589,9 @@ extern char *strdup (const char *);
+ #ifdef HAVE_SYS_PARAM_H
+ #include <sys/param.h> /* MAXPATHLEN */
+ #endif
++#ifndef MAXPATHLEN
++# define MAXPATHLEN 4096
++#endif
+
+ #ifdef HAVE_SYS_FILE_H
+ #include <sys/file.h> /* prototypes for file-related
+diff --git a/src/kadmin/ktutil/ktutil_funcs.c b/src/kadmin/ktutil/ktutil_funcs.c
+index 6d119a2b64..fb7fa22f54 100644
+--- a/src/kadmin/ktutil/ktutil_funcs.c
++++ b/src/kadmin/ktutil/ktutil_funcs.c
+@@ -34,6 +34,10 @@
+ #include <string.h>
+ #include <ctype.h>
+
++#ifndef MAXPATHLEN
++# define MAXPATHLEN 4096
++#endif
++
+ /*
+ * Free a kt_list
+ */
+diff --git a/src/kprop/kprop_util.c b/src/kprop/kprop_util.c
+index c32d174b95..d72ab18967 100644
+--- a/src/kprop/kprop_util.c
++++ b/src/kprop/kprop_util.c
+@@ -32,6 +32,10 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+
++#ifndef MAXHOSTNAMELEN
++#define MAXHOSTNAMELEN 256
++#endif
++
+ /*
+ * Convert an IPv4 or IPv6 socket address to a newly allocated krb5_address.
+ * There is similar code elsewhere in the tree, so this should possibly become
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index 9d6027ce80..585d8a6581 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -65,6 +65,9 @@
+ #include "gssapiP_spnego.h"
+ #include <gssapi_err_generic.h>
+
++#ifndef MAXHOSTNAMELEN
++#define MAXHOSTNAMELEN 256
++#endif
+
+ #undef g_token_size
+ #undef g_verify_token_header
+diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
+index 5932fd9b3f..187daa84d6 100644
+--- a/src/lib/krb5/os/sn2princ.c
++++ b/src/lib/krb5/os/sn2princ.c
+@@ -126,6 +126,10 @@ find_trailer(const char *hostname)
+ return p;
+ }
+
++#ifndef MAXHOSTNAMELEN
++# define MAXHOSTNAMELEN 256
++#endif
++
+ krb5_error_code KRB5_CALLCONV
+ krb5_sname_to_principal(krb5_context context, const char *hostname,
+ const char *sname, krb5_int32 type,
+diff --git a/src/plugins/kdb/db2/libdb2/include/db-int.h b/src/plugins/kdb/db2/libdb2/include/db-int.h
+index 7e981d4a5f..d83b3b6a6f 100644
+--- a/src/plugins/kdb/db2/libdb2/include/db-int.h
++++ b/src/plugins/kdb/db2/libdb2/include/db-int.h
+@@ -280,4 +280,8 @@ void __dbpanic __P((DB *dbp));
+ #ifndef O_BINARY
+ #define O_BINARY 0 /* Needed for Win32 compiles */
+ #endif
++
++#ifndef MAXPATHLEN
++# define MAXPATHLEN 4096
++#endif
+ #endif /* _DB_INT_H_ */
+diff --git a/src/tests/resolve/resolve.c b/src/tests/resolve/resolve.c
+index 7339d21bd9..38f725322b 100644
+--- a/src/tests/resolve/resolve.c
++++ b/src/tests/resolve/resolve.c
+@@ -73,6 +73,10 @@ char *strchr();
+ #include <netinet/in.h>
+ #include <netdb.h>
+
++#ifndef MAXHOSTNAMELEN
++# define MAXHOSTNAMELEN 256
++#endif
++
+ int
+ main(argc, argv)
+ int argc;
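Review bot: The `MAXPATHLEN 4096` and `MAXHOSTNAMELEN 256` fallbacks added across the eight files give a platform with no such limit an assumed one, and nothing visible in these hunks shows that the buffers sized by them are filled with bounded copies. Each use should be checked for truncation or overflow rather than trusting the constant; a comment above each definition such as `/* Hurd defines no limit; this only sizes buffers, callers must bound their copies */` would record that. The fallback is also repeated with two spellings (`# define` and `#define`), and files that include k5-int.h may already receive `MAXPATHLEN` from the definition added there, so a single shared definition would be easier to audit. The patch description names MAXHOSTLEN while the code defines `MAXHOSTNAMELEN`. The last inner hunk cuts through `main` in resolve.c, so the uses of the macro are not visible here.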
diff --git a/debian/patches/debian-local/0002-debian-Handle-multi-arch-paths-in-krb5-config.patch b/debian/patches/debian-local/0002-debian-Handle-multi-arch-paths-in-krb5-config.patch
new file mode 100644
index 000000000..3f6a4bd0a
--- /dev/null
+++ b/debian/patches/debian-local/0002-debian-Handle-multi-arch-paths-in-krb5-config.patch
@@ -0,0 +1,66 @@
+From 8cbb465da2e4ae37b8afd884910506422eadd0f8 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Mon, 26 Dec 2011 18:19:53 -0500
+Subject: debian: Handle multi-arch paths in krb5-config
+
+We cannot use @libdir@ because that will include the
+multi-arch prefix in the built krb5-config, but we want krb5-config to
+be identical on all arches so that krb5-multidev can be multi-arch:
+same. So, instead, figure out our multi-arch tripple by calling CC
+directly.
+
+Based on an approach suggested by Hugh McMaster.
+
+Also include --deps in the usage output, since it is a valid argument.
+
+Patch-Category: debian-local
+---
+ src/build-tools/krb5-config.in | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
+index f6184da3fb..ac2f5827d3 100755
+--- a/src/build-tools/krb5-config.in
++++ b/src/build-tools/krb5-config.in
+@@ -26,11 +26,18 @@
+
+ # Configurable parameters set by autoconf
+ version_string="Kerberos 5 release @KRB5_VERSION@"
++CC=${CC-cc}
++tripple=`$CC -print-multiarch 2>/dev/null|| ( $CC -dumpmachine | sed 's/-pc//' )`
++if [ x$tripple = x ]; then
++ echo >&2 Failed to find installation architecture
++ exit 2
++fi
++
+
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-includedir=@includedir@
+-libdir=@libdir@
++includedir=@prefix@/include/mit-krb5
++libdir=@prefix@/lib/${tripple}/mit-krb5
+ CC_LINK='@CC_LINK@'
+ KDB5_DB_LIB=@KDB5_DB_LIB@
+ LDFLAGS='@LDFLAGS@'
+@@ -138,6 +145,7 @@ if test -n "$do_help"; then
+ echo " [--defktname] Show built-in default keytab name"
+ echo " [--defcktname] Show built-in default client keytab name"
+ echo " [--cflags] Compile time CFLAGS"
++ echo " [--deps] Include dependent libraries"
+ echo " [--libs] List libraries required to link [LIBRARIES]"
+ echo "Libraries:"
+ echo " krb5 Kerberos 5 application"
+@@ -208,12 +216,7 @@ fi
+
+
+ if test -n "$do_libs"; then
+- # Assumes /usr/lib is the standard library directory everywhere...
+- if test "$libdir" = /usr/lib; then
+- libdirarg=
+- else
+ libdirarg="-L$libdir"
+- fi
+ # Ugly gross hack for our build tree
+ lib_flags=`echo $CC_LINK | sed -e 's/\$(CC)//' \
+ -e 's/\$(PURE)//' \
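Review bot: In the new `tripple=` assignment the `||` fallback runs only when `$CC -print-multiarch` exits non-zero, so a compiler that accepts the option but prints an empty line (as a GCC built without multiarch support appears to do) leaves `tripple` empty and krb5-config exits 2 without ever trying `-dumpmachine`. Capture the `-print-multiarch` output first and run the `-dumpmachine | sed 's/-pc//'` fallback when that output is empty, not when the exit status is non-zero. The check `[ x$tripple = x ]` is unquoted, so output containing whitespace makes `[` fail with a syntax error instead of reaching the error message; `[ -z "$tripple" ]` avoids that. Because `CC` comes from the caller's environment, is executed on every invocation and has its output spliced into `libdir`, the script now trusts whatever `CC` names, which deserves a comment next to `CC=${CC-cc}`.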
diff --git a/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch b/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch
new file mode 100644
index 000000000..bb5aac91b
--- /dev/null
+++ b/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch
@@ -0,0 +1,36 @@
+From d0706297a8a7a9fb45deb0973e15506dc31b1c83 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Mon, 26 Dec 2011 18:20:11 -0500
+Subject: debian: osconf.hin path changes
+
+Patch-Category: debian-local
+---
+ src/include/osconf.hin | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/include/osconf.hin b/src/include/osconf.hin
+index c24717be67..c103424955 100644
+--- a/src/include/osconf.hin
++++ b/src/include/osconf.hin
+@@ -70,8 +70,8 @@
+ #endif
+
+ #define KDC_DIR "@LOCALSTATEDIR/krb5kdc"
+-#define KDC_RUN_DIR "@RUNSTATEDIR/krb5kdc"
+-#define DEFAULT_KDB_FILE KDC_DIR "/principal"
++#define KDC_RUN_DIR "/run/krb5kdc"
++#define DEFAULT_KDB_FILE "/var/lib/krb5kdc/principal"
+ #define DEFAULT_KEYFILE_STUB KDC_DIR "/.k5."
+ #define KRB5_DEFAULT_ADMIN_ACL KDC_DIR "/krb5_adm.acl"
+ /* Used by old admin server */
+@@ -125,8 +125,8 @@
+ * krb5 replica support follows
+ */
+
+-#define KPROP_DEFAULT_FILE KDC_DIR "/replica_datatrans"
+-#define KPROPD_DEFAULT_FILE KDC_DIR "/from_master"
++#define KPROP_DEFAULT_FILE "/var/lib/krb5kdc/replica_datatrans"
++#define KPROPD_DEFAULT_FILE "/var/lib/krb5kdc/from_master"
+ #define KPROPD_DEFAULT_KDB5_UTIL "@SBINDIR/kdb5_util"
+ #define KPROPD_DEFAULT_KPROP "@SBINDIR/kprop"
+ #define KPROPD_DEFAULT_KRB_DB DEFAULT_KDB_FILE
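Review bot: `DEFAULT_KDB_FILE`, `KPROP_DEFAULT_FILE` and `KPROPD_DEFAULT_FILE` are now hard-coded under `/var/lib/krb5kdc`, while `KDC_DIR`, `DEFAULT_KEYFILE_STUB` and `KRB5_DEFAULT_ADMIN_ACL` in the same hunk still expand from `@LOCALSTATEDIR`. If the package were configured with a localstatedir other than `/var/lib`, the database would sit in one directory and the master-key stash and admin ACL in another, each with its own ownership and permissions to get right. Either keep deriving all of them from `KDC_DIR` or add a comment above the changed defines such as `/* Debian: fixed paths; must agree with the localstatedir passed to configure */`. The patch carries no description, so the reason for bypassing `KDC_DIR` is not recorded anywhere visible.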
diff --git a/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch b/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch
new file mode 100644
index 000000000..e28dd7065
--- /dev/null
+++ b/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch
@@ -0,0 +1,41 @@
+From de937376c58397109ef2bf087ce4073caa37fb29 Mon Sep 17 00:00:00 2001
+From: Sam Hartman <hartmans@debian.org>
+Date: Mon, 26 Dec 2011 18:12:39 -0500
+Subject: debian: install ldap library in subdirectory
+
+Debian received a request to install the internal ldap library not in
+the main lib directory.
+
+We are changing SHLIB_DIRS from the default that upstream sets in the
+makefile includes; assign unconditionally the full value.
+
+Patch-Category: debian-local
+---
+ src/plugins/kdb/ldap/Makefile.in | 1 +
+ src/plugins/kdb/ldap/ldap_util/Makefile.in | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/plugins/kdb/ldap/Makefile.in b/src/plugins/kdb/ldap/Makefile.in
+index 94df816eb5..2ed562b110 100644
+--- a/src/plugins/kdb/ldap/Makefile.in
++++ b/src/plugins/kdb/ldap/Makefile.in
+@@ -20,6 +20,7 @@ SHLIB_EXPDEPS = \
+ $(TOPLIBD)/libkrb5$(SHLIBEXT) \
+ $(TOPLIBD)/lib$(SUPPORT_LIBNAME)$(SHLIBEXT)
+ SHLIB_EXPLIBS= -lkdb_ldap $(GSSRPC_LIBS) -lkrb5 -lcom_err -lk5crypto -lkrb5support $(LIBS)
++SHLIB_DIRS=-L$(TOPLIBD) -Wl,-rpath,$(KRB5_LIBDIR)/krb5
+
+ SRCS= $(srcdir)/ldap_exp.c
+
+diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+index 8669c2436c..2d92a26be5 100644
+--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
++++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+@@ -2,6 +2,7 @@ mydir=plugins$(S)kdb$(S)ldap$(S)ldap_util
+ BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
+ DEFINES = -DKDB4_DISABLE
+ LOCALINCLUDES = -I. -I$(srcdir)/../libkdb_ldap -I$(top_srcdir)/lib/kdb
++PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH) -Wl,-rpath,$(KRB5_LIBDIR)/krb5
+ #KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS)
+ KDB_DEP_LIB=$(DL_LIB) -lkdb_ldap $(THREAD_LINKOPTS)
+
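Review bot: `SHLIB_DIRS` and `PROG_LIBPATH` are assigned full copies of the upstream defaults with `-Wl,-rpath,$(KRB5_LIBDIR)/krb5` appended, so any flag upstream later adds to those defaults is silently lost in these two Makefiles. A comment beside each assignment, e.g. `# Debian: overrides the default from the makefile includes to add an rpath for the private libkdb_ldap directory`, would make that visible when the patch is refreshed. The embedded rpath also turns `$(KRB5_LIBDIR)/krb5` into a library search path for the LDAP plugin and the programs built in ldap_util, so that directory has to remain writable by root only; that is a packaging property that cannot be checked from this hunk.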
diff --git a/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch b/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch
new file mode 100644
index 000000000..501ae30a5
--- /dev/null
+++ b/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch
@@ -0,0 +1,34 @@
+From dd3d9bb7d1c07fd5e12b5a0595a8aa351cdaff82 Mon Sep 17 00:00:00 2001
+From: Benjamin Kaduk <kaduk@mit.edu>
+Date: Fri, 29 Mar 2013 17:18:40 -0400
+Subject: gssapi: never unload mechanisms
+
+It turns out that many GSSAPI mechanisms link to the main gss-api
+library creating a circular reference. Depending on how the linker
+breaks the cycle at process exit time, the linker may unload the GSS
+library after unloading the mechanisms. The explicit dlclose from the
+GSS library tends to cause a libdl assertion failure at that
+point. So, never unload plugins. They are refcounted, so dlopen
+handles will not leak, although obviously the memory from the plugin
+is never reclaimed.
+
+ticket: 7135
+
+Patch-Category: debian-local
+---
+ src/lib/gssapi/mechglue/g_initialize.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c
+index 0ad11c0b02..a3926e166e 100644
+--- a/src/lib/gssapi/mechglue/g_initialize.c
++++ b/src/lib/gssapi/mechglue/g_initialize.c
+@@ -559,8 +559,6 @@ releaseMechInfo(gss_mech_info *pCf)
+ generic_gss_release_oid(&minor_status, &cf->mech_type);
+ if (cf->freeMech)
+ zapfree(cf->mech, sizeof(*cf->mech));
+- if (cf->dl_handle != NULL)
+- krb5int_close_plugin(cf->dl_handle);
+ if (cf->int_mech_type != GSS_C_NO_OID)
+ generic_gss_release_oid(&minor_status, &cf->int_mech_type);
+
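Review bot: After this change `releaseMechInfo` frees the rest of the entry but leaves `cf->dl_handle` open, and nothing in the code says that this is deliberate; the reasoning exists only in the patch description. Add a comment where the two lines were removed, e.g. `/* Do not close cf->dl_handle: unloading mechanisms at exit can trip a libdl assertion (ticket 7135). */`, so that the call is not later restored as a leak fix. If this path also runs when the mechanism configuration is reloaded in a long-lived process, each reload would leave another reference on the loaded module; that is inferred, since the callers are outside the hunk. The function body starts and ends outside the hunk.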
diff --git a/debian/patches/debian-local/0006-Add-substpdf-target.patch b/debian/patches/debian-local/0006-Add-substpdf-target.patch
new file mode 100644
index 000000000..7a287f162
--- /dev/null
+++ b/debian/patches/debian-local/0006-Add-substpdf-target.patch
@@ -0,0 +1,40 @@
+From cbb7f2bbb739cc8766cacc64141a1a5a87642692 Mon Sep 17 00:00:00 2001
+From: Ben Kaduk <kaduk@mit.edu>
+Date: Fri, 29 Mar 2013 20:53:37 -0400
+Subject: Add substpdf target
+
+Akin to substhtml, so that we can build PDF documents without
+overwriting the upstream-provided versions and causing debian/rules clean
+to not return to the original state.
+
+Patch-Category: debian-local
+---
+ src/doc/Makefile.in | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in
+index 1fb5fea927..043de76fa5 100644
+--- a/src/doc/Makefile.in
++++ b/src/doc/Makefile.in
+@@ -87,6 +87,21 @@ pdf: $(PDFDIR)
+ rm -f *.dvi *.log *.ind *.aux *.toc *.syn *.idx *.out *.ilg *.pla \
+ )
+
++substpdf: rst_composite
++ $(SPHINX_BUILD) -t pathsubs -b latex -q rst_composite pdf_subst
++ mv pdf_subst/Makefile pdf_subst/GMakefile
++ (cd pdf_subst && \
++ for i in $(PDFDOCS); do \
++ texfile=`echo $${i}.tex` && \
++ idxfile=`echo $${i}.idx` && \
++ pdflatex $(LATEXOPTS) $$texfile && \
++ pdflatex $(LATEXOPTS) $$texfile && \
++ makeindex -s python.ist $$idxfile || true; \
++ pdflatex $(LATEXOPTS) $$texfile && \
++ pdflatex $(LATEXOPTS) $$texfile; done && \
++ rm -f *.dvi *.log *.ind *.aux *.toc *.syn *.idx *.out *.ilg *.pla \
++ )
++
+ # Use doxygen to generate API documentation, translate it into RST
+ # format, and then create a composite of $(docsrc)'s RST and the
+ # generated files in rst_composite. Used by the html and substhtml targets.
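Review bot: In the `substpdf` recipe the `|| true` after `makeindex` applies to the whole preceding `&&` chain, so a failure of either of the first two `pdflatex` runs is swallowed as well, and only the last document's final `pdflatex` decides the loop's exit status. A broken document can therefore leave the target reporting success with a stale or missing PDF. Scope the tolerance to the index step with `(makeindex -s python.ist $$idxfile || true) && \` and add `|| exit 1` after the final `pdflatex` inside the loop. The recipe appears to mirror the existing `pdf` target, whose body is only partly visible here.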
diff --git a/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch b/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch
new file mode 100644
index 000000000..1c67b9a42
--- /dev/null
+++ b/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch
@@ -0,0 +1,102 @@
+From baeaf3b108107146437608f3fc14249e3cdaed99 Mon Sep 17 00:00:00 2001
+From: Jelmer Vernooij <jelmer@debian.org>
+Date: Wed, 27 Aug 2014 16:40:29 -0400
+Subject: Fix pkg-config library/include paths
+
+Include library and include flags in pkg-config files, so they work when the
+symlinks provided by libkrb5-dev are not installed.
+
+Patch-Category: debian-local
+---
+ src/build-tools/gssrpc.pc.in | 4 ++--
+ src/build-tools/kadm-client.pc.in | 4 ++--
+ src/build-tools/kadm-server.pc.in | 4 ++--
+ src/build-tools/kdb.pc.in | 4 ++--
+ src/build-tools/mit-krb5-gssapi.pc.in | 4 ++--
+ src/build-tools/mit-krb5.pc.in | 4 ++--
+ 6 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/src/build-tools/gssrpc.pc.in b/src/build-tools/gssrpc.pc.in
+index ca909217eb..e08c2e840a 100644
+--- a/src/build-tools/gssrpc.pc.in
++++ b/src/build-tools/gssrpc.pc.in
+@@ -1,7 +1,7 @@
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-libdir=@libdir@
+-includedir=@includedir@
++libdir=@libdir@/mit-krb5
++includedir=@includedir@/mit-krb5
+ vendor=MIT
+
+ Name: gssrpc
+diff --git a/src/build-tools/kadm-client.pc.in b/src/build-tools/kadm-client.pc.in
+index c8d1cd1262..de56a75213 100644
+--- a/src/build-tools/kadm-client.pc.in
++++ b/src/build-tools/kadm-client.pc.in
+@@ -1,7 +1,7 @@
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-libdir=@libdir@
+-includedir=@includedir@
++libdir=@libdir@/mit-krb5
++includedir=@includedir@/mit-krb5
+
+ Name: kadm-client
+ Description: Kerberos administration client library
+diff --git a/src/build-tools/kadm-server.pc.in b/src/build-tools/kadm-server.pc.in
+index cd2f86c649..a73ff86cfe 100644
+--- a/src/build-tools/kadm-server.pc.in
++++ b/src/build-tools/kadm-server.pc.in
+@@ -1,7 +1,7 @@
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-libdir=@libdir@
+-includedir=@includedir@
++libdir=@libdir@/mit-krb5
++includedir=@includedir@/mit-krb5
+
+ Name: kadm-server
+ Description: Kerberos administration server library
+diff --git a/src/build-tools/kdb.pc.in b/src/build-tools/kdb.pc.in
+index 461a8d01d0..356501d38c 100644
+--- a/src/build-tools/kdb.pc.in
++++ b/src/build-tools/kdb.pc.in
+@@ -1,7 +1,7 @@
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-libdir=@libdir@
+-includedir=@includedir@
++libdir=@libdir@/mit-krb5
++includedir=@includedir@/mit-krb5
+
+ KDB5_DB_LIB=@KDB5_DB_LIB@
+
+diff --git a/src/build-tools/mit-krb5-gssapi.pc.in b/src/build-tools/mit-krb5-gssapi.pc.in
+index 7b91b19f19..b2b243630c 100644
+--- a/src/build-tools/mit-krb5-gssapi.pc.in
++++ b/src/build-tools/mit-krb5-gssapi.pc.in
+@@ -1,7 +1,7 @@
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-libdir=@libdir@
+-includedir=@includedir@
++libdir=@libdir@/mit-krb5
++includedir=@includedir@/mit-krb5
+
+ Name: mit-krb5-gssapi
+ Description: Kerberos implementation of the GSSAPI
+diff --git a/src/build-tools/mit-krb5.pc.in b/src/build-tools/mit-krb5.pc.in
+index 030881512f..058e75f24d 100644
+--- a/src/build-tools/mit-krb5.pc.in
++++ b/src/build-tools/mit-krb5.pc.in
+@@ -1,7 +1,7 @@
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-libdir=@libdir@
+-includedir=@includedir@
++libdir=@libdir@/mit-krb5
++includedir=@includedir@/mit-krb5
+
+ defccname=@DEFCCNAME@
+ defktname=@DEFKTNAME@
diff --git a/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch b/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch
new file mode 100644
index 000000000..6465bb039
--- /dev/null
+++ b/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch
@@ -0,0 +1,109 @@
+From d2a401455564fa2a51c78a0856492dfe3329a68f Mon Sep 17 00:00:00 2001
+From: Jelmer Vernooij <jelmer@debian.org>
+Date: Wed, 3 Sep 2014 22:41:55 -0400
+Subject: Use -isystem for include paths
+
+ This is necessary so Kerberos headers files are classified as "system headers"
+ by the compiler, and thus not subject to the same strict warnings as
+ other headers (which breaks compilation if -Werror is specified).
+ .
+ This fixes the build of folks using -Werror and including Kerberos headers
+ when the latter are installed in a non-standard location (e.g.
+ /usr/include/tuple/mit-krb5, as Debian is doing).
+(cherry picked from commit d8520c1d1c218e3c766009abc728b207c0421232)
+
+Author: Jelmer Vernooij <jelmer@debian.org>
+Bug-Debian: http://bugs.debian.org/751760
+Patch-Category: debian-local
+---
+ src/build-tools/gssrpc.pc.in | 2 +-
+ src/build-tools/kadm-client.pc.in | 2 +-
+ src/build-tools/kadm-server.pc.in | 2 +-
+ src/build-tools/kdb.pc.in | 2 +-
+ src/build-tools/krb5-config.in | 2 +-
+ src/build-tools/mit-krb5-gssapi.pc.in | 2 +-
+ src/build-tools/mit-krb5.pc.in | 2 +-
+ 7 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/build-tools/gssrpc.pc.in b/src/build-tools/gssrpc.pc.in
+index e08c2e840a..fb4f489f87 100644
+--- a/src/build-tools/gssrpc.pc.in
++++ b/src/build-tools/gssrpc.pc.in
+@@ -7,6 +7,6 @@ vendor=MIT
+ Name: gssrpc
+ Description: GSSAPI RPC implementation
+ Version: @KRB5_VERSION@
+-Cflags: -I${includedir}
++Cflags: -isystem ${includedir}
+ Libs: -L${libdir} -lgssrpc
+ Requires.private: mit-krb5-gssapi
+diff --git a/src/build-tools/kadm-client.pc.in b/src/build-tools/kadm-client.pc.in
+index de56a75213..47541ac2af 100644
+--- a/src/build-tools/kadm-client.pc.in
++++ b/src/build-tools/kadm-client.pc.in
+@@ -7,5 +7,5 @@ Name: kadm-client
+ Description: Kerberos administration client library
+ Version: @KRB5_VERSION@
+ Requires.private: mit-krb5-gssapi gssrpc
+-Cflags: -I${includedir}
++Cflags: -isystem ${includedir}
+ Libs: -L${libdir} -lkadm5clnt_mit
+diff --git a/src/build-tools/kadm-server.pc.in b/src/build-tools/kadm-server.pc.in
+index a73ff86cfe..5ce4b733c4 100644
+--- a/src/build-tools/kadm-server.pc.in
++++ b/src/build-tools/kadm-server.pc.in
+@@ -7,5 +7,5 @@ Name: kadm-server
+ Description: Kerberos administration server library
+ Version: @KRB5_VERSION@
+ Requires.private: kdb mit-krb5-gssapi
+-Cflags: -I${includedir}
++Cflags: -isystem ${includedir}
+ Libs: -L${libdir} -lkadm5srv_mit
+diff --git a/src/build-tools/kdb.pc.in b/src/build-tools/kdb.pc.in
+index 356501d38c..d39eeef889 100644
+--- a/src/build-tools/kdb.pc.in
++++ b/src/build-tools/kdb.pc.in
+@@ -9,6 +9,6 @@ Name: kdb
+ Description: Kerberos database access libraries
+ Version: @KRB5_VERSION@
+ Requires.private: mit-krb5-gssapi mit-krb5 gssrpc
+-Cflags: -I${includedir}
++Cflags: -isystem ${includedir}
+ Libs: -L${libdir} -lkdb5
+ Libs.private: ${KDB5_DB_LIB}
+diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
+index ac2f5827d3..010457e153 100755
+--- a/src/build-tools/krb5-config.in
++++ b/src/build-tools/krb5-config.in
+@@ -208,7 +208,7 @@ fi
+
+ if test -n "$do_cflags"; then
+ if test x"$includedir" != x"/usr/include" ; then
+- echo "-I${includedir}"
++ echo "-isystem ${includedir}"
+ else
+ echo ''
+ fi
+diff --git a/src/build-tools/mit-krb5-gssapi.pc.in b/src/build-tools/mit-krb5-gssapi.pc.in
+index b2b243630c..f919222699 100644
+--- a/src/build-tools/mit-krb5-gssapi.pc.in
++++ b/src/build-tools/mit-krb5-gssapi.pc.in
+@@ -7,5 +7,5 @@ Name: mit-krb5-gssapi
+ Description: Kerberos implementation of the GSSAPI
+ Version: @KRB5_VERSION@
+ Requires.private: mit-krb5
+-Cflags: -I${includedir}
++Cflags: -isystem ${includedir}
+ Libs: -L${libdir} -lgssapi_krb5
+diff --git a/src/build-tools/mit-krb5.pc.in b/src/build-tools/mit-krb5.pc.in
+index 058e75f24d..455427a42e 100644
+--- a/src/build-tools/mit-krb5.pc.in
++++ b/src/build-tools/mit-krb5.pc.in
+@@ -10,6 +10,6 @@ defcktname=@DEFCKTNAME@
+ Name: mit-krb5
+ Description: An implementation of Kerberos network authentication
+ Version: @KRB5_VERSION@
+-Cflags: -I${includedir}
++Cflags: -isystem ${includedir}
+ Libs: -L${libdir} -lkrb5 -lk5crypto -lcom_err
+ Libs.private: -lkrb5support
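Review bot: Switching `Cflags` from `-I${includedir}` to `-isystem ${includedir}` changes more than warning levels: with GCC and Clang, `-isystem` directories are searched after every `-I` directory, so a same-named header in any `-I` path of a consuming project now takes precedence over the Kerberos one. It also hides all diagnostics from the Kerberos headers in consumers' builds, and compilers without the option will not understand it. A comment line in each .pc.in such as `# -isystem: keeps -Werror consumers building (Debian #751760); note it is searched after -I paths` would document the trade-off. In the krb5-config.in hunk the comparison with `/usr/include` looks unreachable once `includedir` always ends in `/mit-krb5`, which is inferred from the earlier krb5-config patch on this page.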
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000000000..af6dbebb6
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,11 @@
+debian-local/0001-Debian-HURD-compatibility.patch
+debian-local/0002-debian-Handle-multi-arch-paths-in-krb5-config.patch
+debian-local/0003-debian-osconf.hin-path-changes.patch
+debian-local/0004-debian-install-ldap-library-in-subdirectory.patch
+debian-local/0005-gssapi-never-unload-mechanisms.patch
+debian-local/0006-Add-substpdf-target.patch
+debian-local/0007-Fix-pkg-config-library-include-paths.patch
+debian-local/0008-Use-isystem-for-include-paths.patch
+upstream/0009-Remove-erroneous-text-from-kinit-man-page.patch
+upstream/0010-Fix-memory-leak-in-none-replay-cache-type.patch
+upstream/0011-Document-the-double-colon-behavior-of-DIR-ccaches.patch
diff --git a/debian/patches/upstream/0009-Remove-erroneous-text-from-kinit-man-page.patch b/debian/patches/upstream/0009-Remove-erroneous-text-from-kinit-man-page.patch
new file mode 100644
index 000000000..9f2b9a013
--- /dev/null
+++ b/debian/patches/upstream/0009-Remove-erroneous-text-from-kinit-man-page.patch
@@ -0,0 +1,63 @@
+From d7c778325a6f690dc16213e797dbdc3a84458ae8 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Mon, 7 Jan 2019 21:09:34 +0200
+Subject: Remove erroneous text from kinit man page
+
+Commit 4c4859fa83295db5c26f47b96c719060cfd9e2b1 changed the kinit man
+page to state that kinit -E (enterprise) implies -C (canonicalize).
+The client does not automatically set the canonicalize option when
+getting tickets for an enterprise principal, and Windows KDCs can
+issue tickets for enterprise principals without canonicalizing the
+principal (contrary to the implication of RFC 6806 section 5). Remove
+the misleading text.
+
+[ghudson@mit.edu: updated RST man page and regenerated nroff file;
+rewrote commit message]
+
+(cherry picked from commit 8e31335a7722a2f7f1722506befe4fd26d3e3f3f)
+
+ticket: 8779
+version_fixed: 1.17.1
+
+Patch-Category: upstream
+---
+ doc/user/user_commands/kinit.rst | 3 +--
+ src/man/kinit.man | 5 ++---
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/doc/user/user_commands/kinit.rst b/doc/user/user_commands/kinit.rst
+index d692e2791a..e12e88a372 100644
+--- a/doc/user/user_commands/kinit.rst
++++ b/doc/user/user_commands/kinit.rst
+@@ -92,8 +92,7 @@ OPTIONS
+ requested.
+
+ **-E**
+- treats the principal name as an enterprise name (implies the
+- **-C** option).
++ treats the principal name as an enterprise name.
+
+ **-v**
+ requests that the ticket-granting ticket in the cache (with the
+diff --git a/src/man/kinit.man b/src/man/kinit.man
+index d121cff749..a3dcfe26cc 100644
+--- a/src/man/kinit.man
++++ b/src/man/kinit.man
+@@ -1,6 +1,6 @@
+ .\" Man page generated from reStructuredText.
+ .
+-.TH "KINIT" "1" " " "1.17" "MIT Kerberos"
++.TH "KINIT" "1" " " "1.18" "MIT Kerberos"
+ .SH NAME
+ kinit \- obtain and cache Kerberos ticket-granting ticket
+ .
+@@ -113,8 +113,7 @@ KDC to reply with a different client principal from the one
+ requested.
+ .TP
+ \fB\-E\fP
+-treats the principal name as an enterprise name (implies the
+-\fB\-C\fP option).
++treats the principal name as an enterprise name.
+ .TP
+ \fB\-v\fP
+ requests that the ticket\-granting ticket in the cache (with the
diff --git a/debian/patches/upstream/0010-Fix-memory-leak-in-none-replay-cache-type.patch b/debian/patches/upstream/0010-Fix-memory-leak-in-none-replay-cache-type.patch
new file mode 100644
index 000000000..0dde59dc9
--- /dev/null
+++ b/debian/patches/upstream/0010-Fix-memory-leak-in-none-replay-cache-type.patch
@@ -0,0 +1,33 @@
+From c736896c4a0e6402e4876163647e320b1fc62d21 Mon Sep 17 00:00:00 2001
+From: Corene Casper <C.Casper@Dell.com>
+Date: Sat, 16 Feb 2019 00:49:26 -0500
+Subject: Fix memory leak in 'none' replay cache type
+
+Commit 0f06098e2ab419d02e89a1ca6bc9f2828f6bdb1e fixed part of a memory
+leak in the 'none' replay cache type by freeing the outer container,
+but we also need to free the mutex.
+
+[ghudson@mit.edu: wrote commit message]
+
+(cherry picked from commit af2a3115cb8feb5174151b4b40223ae45aa9db17)
+
+ticket: 8783
+version_fixed: 1.17.1
+
+Patch-Category: upstream
+---
+ src/lib/krb5/rcache/rc_none.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/lib/krb5/rcache/rc_none.c b/src/lib/krb5/rcache/rc_none.c
+index e30aed09f1..0b2274df7f 100644
+--- a/src/lib/krb5/rcache/rc_none.c
++++ b/src/lib/krb5/rcache/rc_none.c
+@@ -50,6 +50,7 @@ krb5_rc_none_noargs(krb5_context ctx, krb5_rcache rc)
+ static krb5_error_code KRB5_CALLCONV
+ krb5_rc_none_close(krb5_context ctx, krb5_rcache rc)
+ {
++ k5_mutex_destroy(&rc->lock);
+ free (rc);
+ return 0;
+ }
diff --git a/debian/patches/upstream/0011-Document-the-double-colon-behavior-of-DIR-ccaches.patch b/debian/patches/upstream/0011-Document-the-double-colon-behavior-of-DIR-ccaches.patch
new file mode 100644
index 000000000..5f2411c98
--- /dev/null
+++ b/debian/patches/upstream/0011-Document-the-double-colon-behavior-of-DIR-ccaches.patch
@@ -0,0 +1,33 @@
+From a243df875ff905d1c676bd726b19bafea07b628c Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 6 Mar 2019 18:01:50 -0500
+Subject: Document the double-colon behavior of DIR ccaches
+
+(cherry picked from commit 5ba6e02a7b96ddd15dde01db0f9aff3d65773a8e)
+
+ticket: 8789
+version_fixed: 1.17.1
+
+Patch-Category: upstream
+---
+ doc/basic/ccache_def.rst | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/doc/basic/ccache_def.rst b/doc/basic/ccache_def.rst
+index d147f0d7aa..53542adde9 100644
+--- a/doc/basic/ccache_def.rst
++++ b/doc/basic/ccache_def.rst
+@@ -51,6 +51,13 @@ library.
+ requirement is for parent directory to exist and the current
+ process must have permissions to create the directory if it does
+ not exist. See :ref:`col_ccache` for details. New in release 1.10.
++ The following residual forms are supported:
++
++ * DIR:dirname
++ * DIR::dirpath/filename - a single cache within the directory
++
++ Switching to a ccache of the latter type causes it to become the
++ primary for the directory.
+
+ #. **FILE** caches are the simplest and most portable. A simple flat
+ file format is used to store one credential after another. This is