| 2013-01-30 08:46:11 |
Timo Aaltonen |
description |
SSSD 1.8.5 was released on Oct 7th, and it is the latest release from the current LTM (Long Term Maintenance) branch. 12.04 was released with 1.8.2, so the following summarizes the changes since:
1.8.3:
Highlights
Numerous manpage and translation updates
LDAP: Handle situations where the RootDSE isn't available anonymously
LDAP: Fix regression for users using non-standard LDAP attributes for user information
Tickets Fixed
#1183 sssd.conf man page does not list autofs in the list of known services
#1219 Warn on 'make update-po' if there are manpages not listed in po4a.cfg
#1249 Unable to lookup user aliases with proxy provider.
#1258 SSSD should attempt to get the RootDSE after binding
#1265 document the possible performance gains of disabling referral chasing
#1278 Inadequate info in man page for "ldap_disable_paging" feature
#1290 No info in sssd manpages for "ldap_sasl_minssf"
#1295 Fix erronous reference to the 'allow' access_provider
#1300 autofs: maximum key name must be PATH_MAX
#1307 sdap_check_aliases must not error when detects the same user
#1312 group members are now lowercased in case insensitive domains
#1315 New SSSD does not fetch renewable tickets
#1320 Auth fails for user with non-default attribute names
1.8.4:
Highlights
Fix a bug causing AD servers not to fail over properly when the KDC on the primary server is down
Fix an endianness bug on big-endian systems when looking up services
Fix a segfault dealing with nested groups
Make the nowait cache updates work for netgroups
Fix a regression that broke domains with use_fully_qualified_names = True
Tickets Fixed
#1206 RHEL5 detection in sssd.spec.in does not work
#1321 Warning in debug log about nscd
#1322 Special-case LDAP_SIZELIMIT_EXCEEDED when handling ldap return codes
#1324 LDAP provider needs to use all available servers for GSSAPI if the child times out
#1325 heimdal: configure: Kerberos locator plugin cannot be build
#1329 Group enumeration fails in proxy provider
#1333 Potential NULL dereference in proxy provider
#1335 sss_groupadd no longer detects duplicate GID numbers
#1338 sssd does not provide maps for automounter when custom schema is being used
#1340 SSSD netgroups do not honor entry_cache_nowait_percentage
#1343 sssd_be crashed with SIGSEGV in _tevent_schedule_immediate()
#1344 Loading of selinux user maps broken
#1348 Service lookups by port number doesn't work on s390x/ppc64 arches
1.8.5:
Highlights
Fixed a potential segfault when SRV records are used to discover services
The client libraries now use robust mutexes to avoid a potential deadlock if a thread was cancelled while holding a mutex
Do not return an error when the SELinux support is not configured
Fixed returning an error to the PAM stack when the SSSD was performing authentication but the kpasswd server was unreachable
The SSSD used to skip a whole nesting level instead of a single already processed group when loading nested group membership structure
Added support for terminating idle connections and make the idle timeout configurable
The sss_ssh_knownostsproxy command no longer aborts when processing a host without DNS records
The shadowLastChange attribute is noe correctly updated with days since the Epoch, not seconds
Tickets Fixed
#1356 SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing
#1271 Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION
#1360 Provide "service filter" for SELinux context
#1354 Add support for terminating idle connections
#1452 KRB5: Only return PAM error for unreachable kpasswd when performing chpass
#1419 Fixed wrong number in shadowLastChange
#1460 Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client
#1515 KRB5: Return PAM_AUTH_ERR on incorrect password
#1364 FO: Check server validity before setting status
diffstat:
Makefile.am | 12
configure.ac | 15
contrib/sssd.spec.in | 12
po/LINGUAS | 1
po/de.po | 32
po/es.po | 70 -
po/fr.po | 79 -
po/hu.po | 46
po/id.po | 50
po/it.po | 65 -
po/ja.po | 93 -
po/nb.po | 1476 +++++++++++++++++++++++
po/nl.po | 70 -
po/pl.po | 158 +-
po/pt.po | 69 -
po/ru.po | 62
po/sssd.pot | 26
po/sv.po | 52
po/tg.po | 32
po/uk.po | 200 ++-
po/zh_TW.po | 54
src/confdb/confdb.h | 5
src/config/SSSDConfig.py | 2
src/config/SSSDConfigTest.py | 3
src/config/etc/sssd.api.conf | 1
src/config/etc/sssd.api.d/sssd-proxy.conf | 1
src/db/sysdb.c | 16
src/db/sysdb.h | 2
src/db/sysdb_ops.c | 46
src/doxy.config.in | 7
src/external/krb5.m4 | 15
src/krb5_plugin/sssd_krb5_locator_plugin.c | 3
src/man/include/local.xml | 20
src/man/po/cs.po | 1064 +++++++++-------
src/man/po/es.po | 1076 +++++++++--------
src/man/po/fr.po | 1099 +++++++++--------
src/man/po/ja.po | 1217 +++++++++++--------
src/man/po/nl.po | 1072 +++++++++--------
src/man/po/po4a.cfg | 1
src/man/po/pt.po | 1072 +++++++++--------
src/man/po/ru.po | 1070 +++++++++--------
src/man/po/sssd-docs.pot | 1044 +++++++++-------
src/man/po/tg.po | 1070 +++++++++--------
src/man/po/uk.po | 1691 +++++++++++++++++++--------
src/man/sss_groupadd.8.xml | 2
src/man/sss_groupdel.8.xml | 2
src/man/sss_groupmod.8.xml | 2
src/man/sss_groupshow.8.xml | 2
src/man/sss_ssh_knownhostsproxy.1.xml | 2
src/man/sss_useradd.8.xml | 2
src/man/sss_userdel.8.xml | 2
src/man/sss_usermod.8.xml | 2
src/man/sssd-ldap.5.xml | 33
src/man/sssd.conf.5.xml | 121 +
src/providers/data_provider_fo.c | 27
src/providers/dp_backend.h | 1
src/providers/fail_over.c | 13
src/providers/fail_over.h | 2
src/providers/ipa/ipa_hbac.doxy.in | 7
src/providers/ipa/ipa_session.c | 2
src/providers/krb5/krb5_auth.c | 20
src/providers/krb5/krb5_child.c | 102 +
src/providers/ldap/ldap_auth.c | 4
src/providers/ldap/ldap_child.c | 18
src/providers/ldap/sdap_async.c | 66 -
src/providers/ldap/sdap_async_autofs.c | 2
src/providers/ldap/sdap_async_connection.c | 180 ++
src/providers/ldap/sdap_async_groups.c | 24
src/providers/ldap/sdap_async_initgroups.c | 18
src/providers/proxy/proxy.h | 1
src/providers/proxy/proxy_id.c | 731 ++++++-----
src/providers/proxy/proxy_init.c | 4
src/responder/common/responder.h | 3
src/responder/common/responder_common.c | 95 +
src/responder/nss/nsssrv_cmd.c | 16
src/responder/nss/nsssrv_netgroup.c | 10
src/sss_client/autofs/sss_autofs.c | 6
src/sss_client/common.c | 127 +-
src/sss_client/nss_services.c | 16
src/sss_client/pam_sss.c | 118 +
src/sss_client/ssh/sss_ssh_client.c | 8
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 94 -
src/sss_client/sudo/sss_sudo.c | 6
src/sss_client/sudo/sss_sudo.doxy.in | 7
src/tests/sysdb-tests.c | 143 ++
src/util/murmurhash3.c | 4
src/util/sss_krb5.c | 145 ++
src/util/sss_krb5.h | 8
version.m4 | 2
89 files changed, 10508 insertions(+), 5963 deletions(-)
The large diff in proxy_id.c was due to https://fedorahosted.org/sssd/ticket/1249. |
SSSD 1.8.6 was released on Jan 29th, and it is the latest release from the current LTM (Long Term Maintenance) branch. 12.04 was released with 1.8.2, so the following summarizes the changes since:
1.8.3:
Highlights
Numerous manpage and translation updates
LDAP: Handle situations where the RootDSE isn't available anonymously
LDAP: Fix regression for users using non-standard LDAP attributes for user information
Tickets Fixed
#1183 sssd.conf man page does not list autofs in the list of known services
#1219 Warn on 'make update-po' if there are manpages not listed in po4a.cfg
#1249 Unable to lookup user aliases with proxy provider.
#1258 SSSD should attempt to get the RootDSE after binding
#1265 document the possible performance gains of disabling referral chasing
#1278 Inadequate info in man page for "ldap_disable_paging" feature
#1290 No info in sssd manpages for "ldap_sasl_minssf"
#1295 Fix erronous reference to the 'allow' access_provider
#1300 autofs: maximum key name must be PATH_MAX
#1307 sdap_check_aliases must not error when detects the same user
#1312 group members are now lowercased in case insensitive domains
#1315 New SSSD does not fetch renewable tickets
#1320 Auth fails for user with non-default attribute names
1.8.4:
Highlights
Fix a bug causing AD servers not to fail over properly when the KDC on the primary server is down
Fix an endianness bug on big-endian systems when looking up services
Fix a segfault dealing with nested groups
Make the nowait cache updates work for netgroups
Fix a regression that broke domains with use_fully_qualified_names = True
Tickets Fixed
#1206 RHEL5 detection in sssd.spec.in does not work
#1321 Warning in debug log about nscd
#1322 Special-case LDAP_SIZELIMIT_EXCEEDED when handling ldap return codes
#1324 LDAP provider needs to use all available servers for GSSAPI if the child times out
#1325 heimdal: configure: Kerberos locator plugin cannot be build
#1329 Group enumeration fails in proxy provider
#1333 Potential NULL dereference in proxy provider
#1335 sss_groupadd no longer detects duplicate GID numbers
#1338 sssd does not provide maps for automounter when custom schema is being used
#1340 SSSD netgroups do not honor entry_cache_nowait_percentage
#1343 sssd_be crashed with SIGSEGV in _tevent_schedule_immediate()
#1344 Loading of selinux user maps broken
#1348 Service lookups by port number doesn't work on s390x/ppc64 arches
1.8.5:
Highlights
Fixed a potential segfault when SRV records are used to discover services
The client libraries now use robust mutexes to avoid a potential deadlock if a thread was cancelled while holding a mutex
Do not return an error when the SELinux support is not configured
Fixed returning an error to the PAM stack when the SSSD was performing authentication but the kpasswd server was unreachable
The SSSD used to skip a whole nesting level instead of a single already processed group when loading nested group membership structure
Added support for terminating idle connections and make the idle timeout configurable
The sss_ssh_knownostsproxy command no longer aborts when processing a host without DNS records
The shadowLastChange attribute is noe correctly updated with days since the Epoch, not seconds
Tickets Fixed
#1356 SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing
#1271 Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION
#1360 Provide "service filter" for SELinux context
#1354 Add support for terminating idle connections
#1452 KRB5: Only return PAM error for unreachable kpasswd when performing chpass
#1419 Fixed wrong number in shadowLastChange
#1460 Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client
#1515 KRB5: Return PAM_AUTH_ERR on incorrect password
#1364 FO: Check server validity before setting status
1.8.6:
Highlights
* A security bug assigned CVE-2013-0219 was fixed - TOCTOU race conditions
when creating or removing home directories for users in local domain
* A security bug assigned CVE-2013-0220 was fixed - out-of-bounds reads
in autofs and ssh responder
* Handle servers that return an empty string as the value of namingContext,
in particular Novell eDirectory
* The netgroup midpoint cache refresh works as documented in the manual page
* The sssd_pam responder processes pending requests after reconnect
Tickets fixed:
#1542 User authentication using LDAP doesn't work
#1581 sssd_be crashes while looking up users
#1717 Limit requests coalescing in time
#1683 arithmetic bug in the SSSD causes netgroup midpoint refresh to be always
set to 10 seconds
#1655 Login fails - sssd_be module polling fd indefinitely and gets killed
#1781 sssd: Out-of-bounds read flaws in autofs and ssh services responders
#1528 SSSD_NSS failure to gracefully restart after sbus failure
#1783 Group lookup fails and takes ~60s to return to shell if member dn is
incorrect
#1782 TOCTOU race conditions by copying and removing directory trees
diffstat:
Makefile.am | 19
configure.ac | 19
contrib/sssd.spec.in | 12
po/LINGUAS | 1
po/de.po | 32
po/es.po | 70 -
po/fr.po | 79 -
po/hu.po | 46
po/id.po | 50
po/it.po | 65 -
po/ja.po | 93 -
po/nb.po | 1476 +++++++++++++++++++++++
po/nl.po | 70 -
po/pl.po | 158 +-
po/pt.po | 69 -
po/ru.po | 62
po/sssd.pot | 26
po/sv.po | 52
po/tg.po | 32
po/uk.po | 200 ++-
po/zh_TW.po | 54
src/confdb/confdb.h | 5
src/config/SSSDConfig.py | 2
src/config/SSSDConfigTest.py | 3
src/config/etc/sssd.api.conf | 1
src/config/etc/sssd.api.d/sssd-proxy.conf | 1
src/db/sysdb.c | 16
src/db/sysdb.h | 2
src/db/sysdb_ops.c | 46
src/doxy.config.in | 7
src/external/krb5.m4 | 15
src/krb5_plugin/sssd_krb5_locator_plugin.c | 3
src/man/include/local.xml | 20
src/man/po/cs.po | 1064 +++++++++-------
src/man/po/es.po | 1076 +++++++++--------
src/man/po/fr.po | 1099 +++++++++--------
src/man/po/ja.po | 1217 +++++++++++--------
src/man/po/nl.po | 1072 +++++++++--------
src/man/po/po4a.cfg | 1
src/man/po/pt.po | 1072 +++++++++--------
src/man/po/ru.po | 1070 +++++++++--------
src/man/po/sssd-docs.pot | 1044 +++++++++-------
src/man/po/tg.po | 1070 +++++++++--------
src/man/po/uk.po | 1691 +++++++++++++++++++--------
src/man/sss_groupadd.8.xml | 2
src/man/sss_groupdel.8.xml | 2
src/man/sss_groupmod.8.xml | 2
src/man/sss_groupshow.8.xml | 2
src/man/sss_ssh_knownhostsproxy.1.xml | 2
src/man/sss_useradd.8.xml | 2
src/man/sss_userdel.8.xml | 2
src/man/sss_usermod.8.xml | 2
src/man/sssd-ldap.5.xml | 33
src/man/sssd.conf.5.xml | 121 +
src/monitor/monitor.c | 73 -
src/providers/data_provider_fo.c | 27
src/providers/dp_backend.h | 1
src/providers/fail_over.c | 13
src/providers/fail_over.h | 2
src/providers/ipa/ipa_hbac.doxy.in | 7
src/providers/ipa/ipa_init.c | 13
src/providers/ipa/ipa_session.c | 2
src/providers/krb5/krb5_auth.c | 23
src/providers/krb5/krb5_child.c | 102 +
src/providers/ldap/ldap_auth.c | 4
src/providers/ldap/ldap_child.c | 18
src/providers/ldap/sdap.c | 8
src/providers/ldap/sdap_async.c | 66 -
src/providers/ldap/sdap_async_autofs.c | 2
src/providers/ldap/sdap_async_connection.c | 180 ++
src/providers/ldap/sdap_async_groups.c | 48
src/providers/ldap/sdap_async_initgroups.c | 18
src/providers/proxy/proxy.h | 1
src/providers/proxy/proxy_id.c | 731 ++++++-----
src/providers/proxy/proxy_init.c | 4
src/responder/autofs/autofssrv_cmd.c | 6
src/responder/common/responder.h | 3
src/responder/common/responder_cmd.c | 2
src/responder/common/responder_common.c | 95 +
src/responder/common/responder_dp.c | 34
src/responder/nss/nsssrv_cmd.c | 16
src/responder/nss/nsssrv_netgroup.c | 10
src/responder/nss/nsssrv_services.c | 2
src/responder/pam/pamsrv.c | 5
src/responder/pam/pamsrv_cmd.c | 29
src/responder/ssh/sshsrv_cmd.c | 8
src/sss_client/autofs/sss_autofs.c | 6
src/sss_client/common.c | 127 +-
src/sss_client/nss_services.c | 16
src/sss_client/pam_sss.c | 118 +
src/sss_client/ssh/sss_ssh_client.c | 8
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 94 -
src/sss_client/sudo/sss_sudo.c | 6
src/sss_client/sudo/sss_sudo.doxy.in | 7
src/tests/files-tests.c | 6
src/tests/sysdb-tests.c | 143 ++
src/tools/files.c | 913 ++++++++------
src/tools/tools_util.c | 28
src/tools/tools_util.h | 5
src/util/auth_utils.h | 42
src/util/murmurhash3.c | 4
src/util/sss_krb5.c | 145 ++
src/util/sss_krb5.h | 8
version.m4 | 2
104 files changed, 11250 insertions(+), 6433 deletions(-)
The large diff in proxy_id.c was due to https://fedorahosted.org/sssd/ticket/1249. |
|
