author Sam James <sam@gentoo.org> 2021-12-29 08:46:34 +0000
committer Sam James <sam@gentoo.org> 2021-12-29 08:46:43 +0000
commit e0ba60b7305896a86a5f2021e743e1aae9cd834d (patch)
tree a76076f1e0f9a72ae91b6688807e9796f48f955a /www-apache
parent www-apache/mod_auth_kerb: add use-after-free patch (diff)
www-apache/mod_auth_kerb: add Debian patch metadata
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'www-apache')
-rw-r--r-- www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch | 22
1 files changed, 22 insertions, 0 deletions
diff --git a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch
index d0421a0eb6ea..fb402de44a8d 100644
--- a/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch
+++ b/www-apache/mod_auth_kerb/files/mod_auth_kerb-5.4-api-change-krb5.patch
@@ -1,5 +1,27 @@
https://sources.debian.org/data/main/liba/libapache-mod-auth-kerb/5.4-2.5/debian/patches/0011-Always-use-NONE-replay-cache-type.patch
https://bugs.gentoo.org/830208
+
+From: Sam Hartman <hartmans@debian.org>
+Date: Mon, 23 Nov 2020 09:30:22 -0500
+Subject: Always use NONE replay cache type
+
+It's 2020. Any MIT Kerberos in the wild supports the none replay
+cache type. The previous code used an internal function to detect
+that replay cache type; that function is no longer available.
+Instead, assume it is present.
+
+An alternative would be to enable the default replay cache. It was
+originally disabled because of problems between Microsoft
+authenticators and 2004-era MIT Kerberos 1.3. That's probably a good
+idea. It probably closes off security attacks, although analyzing the
+impact of replays in cases where neither channel binding nor
+per-message services are used is difficult. I believe that a replay
+cache is not strictly necessary in the common configuration where
+mod-auth-kerb is used over a TLS-protected connection where the client
+properly verifies the TLS certificate presented by the server prior to
+sending a GSS token.
+
+I have elected not to enable replay cache to affect a minimal change.
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -2061,28 +2061,6 @@
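Review bot: the security assumption written into the added header deserves to be surfaced outside the patch file. The new description states that the NONE replay cache is kept only because, in the common configuration, mod-auth-kerb runs over a TLS-protected connection where the client verifies the server certificate before sending a GSS token, and that enabling the default replay cache "probably closes off security attacks" but was left out "to affect a minimal change" (the Debian author's wording, kept verbatim). Since the @@ -1,5 +1,27 @@ range confirms this commit only prepends description lines to the existing patch, nothing in the build changes, but administrators reading the ebuild will not see this header; consider a one-line note in the ebuild or package documentation that replay protection is disabled and depends on TLS being in place, and keep the Debian source URL in the first line so the provenance of the From/Date/Subject block stays traceable.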