new upstream bugfix release from the LTM branch

Bug #1086304 reported by Timo Aaltonen on 2012-12-04
This bug affects 2 people
Affects: sssd (Ubuntu); Importance: Undecided; Assigned to: Unassigned
Affects: Precise; Importance: High; Assigned to: Timo Aaltonen

Bug Description

SSSD 1.8.6 was released on Jan 29th, and it is the latest release from the current LTM (Long Term Maintenance) branch. 12.04 was released with 1.8.2, so the following summarizes the changes since:

1.8.3:
Highlights
    Numerous manpage and translation updates
    LDAP: Handle situations where the RootDSE isn't available anonymously
    LDAP: Fix regression for users using non-standard LDAP attributes for user information
Tickets Fixed
#1183 sssd.conf man page does not list autofs in the list of known services
#1219 Warn on 'make update-po' if there are manpages not listed in po4a.cfg
#1249 Unable to lookup user aliases with proxy provider.
#1258 SSSD should attempt to get the RootDSE after binding
#1265 document the possible performance gains of disabling referral chasing
#1278 Inadequate info in man page for "ldap_disable_paging" feature
#1290 No info in sssd manpages for "ldap_sasl_minssf"
#1295 Fix erroneous reference to the 'allow' access_provider
#1300 autofs: maximum key name must be PATH_MAX
#1307 sdap_check_aliases must not error when detects the same user
#1312 group members are now lowercased in case insensitive domains
#1315 New SSSD does not fetch renewable tickets
#1320 Auth fails for user with non-default attribute names

1.8.4:
Highlights
    Fix a bug causing AD servers not to fail over properly when the KDC on the primary server is down
    Fix an endianness bug on big-endian systems when looking up services
    Fix a segfault dealing with nested groups
    Make the nowait cache updates work for netgroups
    Fix a regression that broke domains with use_fully_qualified_names = True
Tickets Fixed
#1206 RHEL5 detection in sssd.spec.in does not work
#1321 Warning in debug log about nscd
#1322 Special-case LDAP_SIZELIMIT_EXCEEDED when handling ldap return codes
#1324 LDAP provider needs to use all available servers for GSSAPI if the child times out
#1325 heimdal: configure: Kerberos locator plugin cannot be build
#1329 Group enumeration fails in proxy provider
#1333 Potential NULL dereference in proxy provider
#1335 sss_groupadd no longer detects duplicate GID numbers
#1338 sssd does not provide maps for automounter when custom schema is being used
#1340 SSSD netgroups do not honor entry_cache_nowait_percentage
#1343 sssd_be crashed with SIGSEGV in _tevent_schedule_immediate()
#1344 Loading of selinux user maps broken
#1348 Service lookups by port number doesn't work on s390x/ppc64 arches

1.8.5:
Highlights
    Fixed a potential segfault when SRV records are used to discover services
    The client libraries now use robust mutexes to avoid a potential deadlock if a thread was cancelled while holding a mutex
    Do not return an error when the SELinux support is not configured
    Fixed returning an error to the PAM stack when the SSSD was performing authentication but the kpasswd server was unreachable
    The SSSD used to skip a whole nesting level instead of a single already processed group when loading nested group membership structure
    Added support for terminating idle connections and make the idle timeout configurable
    The sss_ssh_knownhostsproxy command no longer aborts when processing a host without DNS records
    The shadowLastChange attribute is now correctly updated with days since the Epoch, not seconds
Tickets Fixed
#1356 SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing
#1271 Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION
#1360 Provide "service filter" for SELinux context
#1354 Add support for terminating idle connections
#1452 KRB5: Only return PAM error for unreachable kpasswd when performing chpass
#1419 Fixed wrong number in shadowLastChange
#1460 Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client
#1515 KRB5: Return PAM_AUTH_ERR on incorrect password
#1364 FO: Check server validity before setting status

1.8.6:
Highlights
* A security bug assigned CVE-2013-0219 was fixed - TOCTOU race conditions
  when creating or removing home directories for users in local domain
* A security bug assigned CVE-2013-0220 was fixed - out-of-bounds reads
  in autofs and ssh responder
* Handle servers that return an empty string as the value of namingContext,
  in particular Novell eDirectory
* The netgroup midpoint cache refresh works as documented in the manual page
* The sssd_pam responder processes pending requests after reconnect
Tickets fixed:
#1542 User authentication using LDAP doesn't work
#1581 sssd_be crashes while looking up users
#1717 Limit requests coalescing in time
#1683 arithmetic bug in the SSSD causes netgroup midpoint refresh to be always set to 10 seconds
#1655 Login fails - sssd_be module polling fd indefinitely and gets killed
#1781 sssd: Out-of-bounds read flaws in autofs and ssh services responders
#1528 SSSD_NSS failure to gracefully restart after sbus failure
#1783 Group lookup fails and takes ~60s to return to shell if member dn is incorrect
#1782 TOCTOU race conditions by copying and removing directory trees

diffstat:
 Makefile.am | 19
 configure.ac | 19
 contrib/sssd.spec.in | 12
 po/LINGUAS | 1
 po/de.po | 32
 po/es.po | 70 -
 po/fr.po | 79 -
 po/hu.po | 46
 po/id.po | 50
 po/it.po | 65 -
 po/ja.po | 93 -
 po/nb.po | 1476 +++++++++++++++++++++++
 po/nl.po | 70 -
 po/pl.po | 158 +-
 po/pt.po | 69 -
 po/ru.po | 62
 po/sssd.pot | 26
 po/sv.po | 52
 po/tg.po | 32
 po/uk.po | 200 ++-
 po/zh_TW.po | 54
 src/confdb/confdb.h | 5
 src/config/SSSDConfig.py | 2
 src/config/SSSDConfigTest.py | 3
 src/config/etc/sssd.api.conf | 1
 src/config/etc/sssd.api.d/sssd-proxy.conf | 1
 src/db/sysdb.c | 16
 src/db/sysdb.h | 2
 src/db/sysdb_ops.c | 46
 src/doxy.config.in | 7
 src/external/krb5.m4 | 15
 src/krb5_plugin/sssd_krb5_locator_plugin.c | 3
 src/man/include/local.xml | 20
 src/man/po/cs.po | 1064 +++++++++-------
 src/man/po/es.po | 1076 +++++++++--------
 src/man/po/fr.po | 1099 +++++++++--------
 src/man/po/ja.po | 1217 +++++++++++--------
 src/man/po/nl.po | 1072 +++++++++--------
 src/man/po/po4a.cfg | 1
 src/man/po/pt.po | 1072 +++++++++--------
 src/man/po/ru.po | 1070 +++++++++--------
 src/man/po/sssd-docs.pot | 1044 +++++++++-------
 src/man/po/tg.po | 1070 +++++++++--------
 src/man/po/uk.po | 1691 +++++++++++++++++++--------
 src/man/sss_groupadd.8.xml | 2
 src/man/sss_groupdel.8.xml | 2
 src/man/sss_groupmod.8.xml | 2
 src/man/sss_groupshow.8.xml | 2
 src/man/sss_ssh_knownhostsproxy.1.xml | 2
 src/man/sss_useradd.8.xml | 2
 src/man/sss_userdel.8.xml | 2
 src/man/sss_usermod.8.xml | 2
 src/man/sssd-ldap.5.xml | 33
 src/man/sssd.conf.5.xml | 121 +
 src/monitor/monitor.c | 73 -
 src/providers/data_provider_fo.c | 27
 src/providers/dp_backend.h | 1
 src/providers/fail_over.c | 13
 src/providers/fail_over.h | 2
 src/providers/ipa/ipa_hbac.doxy.in | 7
 src/providers/ipa/ipa_init.c | 13
 src/providers/ipa/ipa_session.c | 2
 src/providers/krb5/krb5_auth.c | 23
 src/providers/krb5/krb5_child.c | 102 +
 src/providers/ldap/ldap_auth.c | 4
 src/providers/ldap/ldap_child.c | 18
 src/providers/ldap/sdap.c | 8
 src/providers/ldap/sdap_async.c | 66 -
 src/providers/ldap/sdap_async_autofs.c | 2
 src/providers/ldap/sdap_async_connection.c | 180 ++
 src/providers/ldap/sdap_async_groups.c | 48
 src/providers/ldap/sdap_async_initgroups.c | 18
 src/providers/proxy/proxy.h | 1
 src/providers/proxy/proxy_id.c | 731 ++++++-----
 src/providers/proxy/proxy_init.c | 4
 src/responder/autofs/autofssrv_cmd.c | 6
 src/responder/common/responder.h | 3
 src/responder/common/responder_cmd.c | 2
 src/responder/common/responder_common.c | 95 +
 src/responder/common/responder_dp.c | 34
 src/responder/nss/nsssrv_cmd.c | 16
 src/responder/nss/nsssrv_netgroup.c | 10
 src/responder/nss/nsssrv_services.c | 2
 src/responder/pam/pamsrv.c | 5
 src/responder/pam/pamsrv_cmd.c | 29
 src/responder/ssh/sshsrv_cmd.c | 8
 src/sss_client/autofs/sss_autofs.c | 6
 src/sss_client/common.c | 127 +-
 src/sss_client/nss_services.c | 16
 src/sss_client/pam_sss.c | 118 +
 src/sss_client/ssh/sss_ssh_client.c | 8
 src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 94 -
 src/sss_client/sudo/sss_sudo.c | 6
 src/sss_client/sudo/sss_sudo.doxy.in | 7
 src/tests/files-tests.c | 6
 src/tests/sysdb-tests.c | 143 ++
 src/tools/files.c | 913 ++++++++------
 src/tools/tools_util.c | 28
 src/tools/tools_util.h | 5
 src/util/auth_utils.h | 42
 src/util/murmurhash3.c | 4
 src/util/sss_krb5.c | 145 ++
 src/util/sss_krb5.h | 8
 version.m4 | 2
 104 files changed, 11250 insertions(+), 6433 deletions(-)

The large diff in proxy_id.c was due to https://fedorahosted.org/sssd/ticket/1249.
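
The 1.8.6 highlights above list CVE-2013-0219, a TOCTOU race when removing home directories. As an added illustration (not SSSD's code and not the upstream patch; `remove_tree_safe` and `remove_children` are hypothetical names), this C sketch shows the general descriptor-relative pattern for removing a tree so that a symlink placed or swapped in during the walk is unlinked, never followed:

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Empty the directory open at dfd. Entries are addressed relative to the
 * descriptor, so a path component swapped mid-walk cannot redirect us. */
static int remove_children(int dfd)
{
    DIR *d = fdopendir(dfd);            /* d now owns dfd */
    struct dirent *e;
    struct stat st;
    int ret = 0;
    if (d == NULL) { close(dfd); return -1; }
    while (ret == 0 && (e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        ret = fstatat(dfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW);
        if (ret == 0 && S_ISDIR(st.st_mode)) {
            /* O_NOFOLLOW: a directory replaced by a symlink after the
             * fstatat() above makes openat() fail rather than follow it. */
            int sub = openat(dfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
            ret = (sub < 0) ? -1 : remove_children(sub);
            if (ret == 0) ret = unlinkat(dfd, e->d_name, AT_REMOVEDIR);
        } else if (ret == 0) {
            ret = unlinkat(dfd, e->d_name, 0);   /* unlinks a symlink itself */
        }
    }
    closedir(d);
    return ret;
}

/* Hypothetical helper name. The final rmdir() is by path, so the parent
 * directory must not be writable by the user whose tree is removed. */
int remove_tree_safe(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0 || remove_children(fd) != 0) return -1;
    return rmdir(path);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s DIR\n", argv[0]); return EXIT_FAILURE; }
    return remove_tree_safe(argv[1]) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

The walk refuses to start if the given path is itself a symlink, and it does not guard against crossing mount points.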

Timo Aaltonen (tjaalton) on 2012-12-04
Changed in sssd (Ubuntu):
status: New → Invalid
Changed in sssd (Ubuntu Precise):
assignee: nobody → Timo Aaltonen (tjaalton)
importance: Undecided → Medium
status: New → In Progress
importance: Medium → High
Timo Aaltonen (tjaalton) on 2013-01-30
description: updated

Hello Timo, or anyone else affected,

Accepted sssd into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sssd/1.8.6-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sssd (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Timo Aaltonen (tjaalton) on 2013-02-05
tags: added: verification-done
removed: verification-needed
Timo Aaltonen (tjaalton) wrote :

This bug was fixed in the package sssd - 1.8.6-0ubuntu0.2

---------------
sssd (1.8.6-0ubuntu0.2) precise-proposed; urgency=low

  * rules: Really install the new pam-auth-update file for password
    changes. (LP: #1086272)
  * rules: Pass --datadir, so the path in autogenerated python files is
    correctly substituted. (LP: #1079938)

Changed in sssd (Ubuntu Precise):
status: Fix Committed → Fix Released