diff --git a/sssd-1.15.2.tar.gz b/sssd-1.15.2.tar.gz
deleted file mode 100644
index a63a517..0000000
--- a/sssd-1.15.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4cd5fcb314d77a58029a216b7e6001c6cb41c5b784cf570c5761c97d1c12d264
-size 5248134
diff --git a/sssd-1.15.2.tar.gz.asc b/sssd-1.15.2.tar.gz.asc
deleted file mode 100644
index e5f29b8..0000000
--- a/sssd-1.15.2.tar.gz.asc
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iEYEABECAAYFAljJcscACgkQHsardTLnvCVCdwCgj0g3CSbz/gIS37W553d0QI7i
-waoAnRN8+lQjwHQS+76q5nz2eSdRLnIG
-=4tQo
------END PGP SIGNATURE-----
diff --git a/sssd-1.16.0.tar.gz b/sssd-1.16.0.tar.gz
new file mode 100644
index 0000000..c469694
--- /dev/null
+++ b/sssd-1.16.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c581a6e5365cef87fca419c0c9563cf15eadbb682863d648d85ffcded7a3940f
+size 5899127
diff --git a/sssd-1.16.0.tar.gz.asc b/sssd-1.16.0.tar.gz.asc
new file mode 100644
index 0000000..d789a3d
--- /dev/null
+++ b/sssd-1.16.0.tar.gz.asc
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iEYEABECAAYFAlnqDFQACgkQHsardTLnvCU79wCg3b6eA8KEVLV8WECtUpTuFOb4
+WtAAoIQpjJYhg/z0wNqa2wh5v7CLpZdP
+=MMlI
+-----END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
index bb9a6ee..a664be3 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,73 @@
+-------------------------------------------------------------------
+Mon Oct 23 16:31:54 UTC 2017 - michael@stroeder.com
+
+- Update to new upstream release 1.16.0
+
+Security fixes
+ * This release fixes CVE-2017-12173: Unsanitized input when searching in
+ local cache database. SSSD stores its cached data in an LDAP like local
+ database file using libldb. To lookup cached data LDAP search filters
+ like (objectClass=user)(name=user_name) are used. However, in
+ sysdb_search_user_by_upn_res(), the input was not sanitized and
+ allowed to manipulate the search filter for cache lookups. This would
+ allow a logged in user to discover the password hash of a different user.
+
+New Features
+ * SSSD now supports session recording configuration through tlog. This
+ feature enables recording of everything specific users see or type
+ during their sessions on a text terminal. For more information, see
+ the sssd-session-recording(5) manual page.
+ * SSSD can act as a client agent to deliver
+ Fleet Commander
+ policies defined on an IPA server. Fleet Commander provides a
+ configuration management interface that is controlled centrally and
+ that covers desktop, applications and network configuration.
+ * Several new systemtap probes
+ were added into various locations in SSSD code to assist in
+ troubleshooting and analyzing performance related issues. Please see the
+ sssd-systemtap(5) manual page for more information.
+ * A new LDAP provide access control mechanism that allows to restrict
+ access based on PAM's rhost data field was added. For more details,
+ please consult the sssd-ldap(5) manual page, in particular the
+ options ldap_user_authorized_rhost and the rhost value of
+ ldap_access_filter.
+
+-------------------------------------------------------------------
+Tue Jul 25 15:46:23 UTC 2017 - michael@stroeder.com
+
+- Update to new upstream release 1.15.3 (KCM disabled)
+
+New Features
+ * In a setup where an IPA domain trusts an Active Directory domain,
+ it is now possible to define the domain resolution order
+ (see http://www.freeipa.org/page/Releases/4.5.0#AD_User_Short_Names).
+ * Design page - Shortnames in trusted domains
+ * SSSD ships with a new service called KCM. This service acts as a
+ storage for Kerberos tickets when "libkrb5" is configured to use
+ "KCM:" in "krb5.conf".
+ * Design page - KCM server for SSSD
+ * NOTE: There are several known issues in the "KCM" responder that
+ will be handled in the next release.
+ * Support for user and group resolution through the D-Bus interface and
+ authentication and/or authorization through the PAM interface even
+ for setups without UIDs or Windows SIDs present on the LDAP directory
+ side. This enhancement allows SSSD to be used together with apache
+ modules to provide
+ identities for applications
+ * Design page - Support for non-POSIX users and groups
+ * SSSD ships a new public library called "libsss_certmap" that allows
+ a flexible and configurable way of mapping a certificate to a user
+ identity.
+ * Design page - Matching and Mapping Certificates
+ * The Kerberos locator plugin can be disabled using an environment variable
+ "SSSD_KRB5_LOCATOR_DISABLE". Please refer to the
+ "sssd_krb5_locator_plugin" manual page for mode details.
+ * The "sssctl" command line tool supports a new command "user-checks"
+ that enables the administrator to check whether a certain user should be
+ allowed or denied access to a certain PAM service.
+ * The "secrets" responder now forwards requests to a proxy Custodia
+ back end over a secure channel.
+
 -------------------------------------------------------------------
 Thu Mar 16 13:32:12 UTC 2017 - hguo@suse.com
diff --git a/sssd.spec b/sssd.spec
index 0131435..ffc9710 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -17,7 +17,7 @@ Name: sssd
-Version: 1.15.2
+Version: 1.16.0
 Release: 0
 Summary: System Security Services Daemon
 License: GPL-3.0+ and LGPL-3.0+
@@ -30,7 +30,7 @@ Source2: http://releases.pagure.org/SSSD/sssd/%name-%version.tar.gz.asc
 Source3: baselibs.conf
 Source4: sssd.service
 Source5: %name.keyring
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
+BuildRoot: %_tmppath/%name-%version-build
 %define servicename sssd
 %define sssdstatedir %_localstatedir/lib/sss
@@ -214,6 +214,23 @@ Group: System/Libraries
 The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs and SIDs.
+%package -n libsss_certmap0
+Summary: FreeIPA ID mapping library
+License: LGPL-3.0+
+Group: System/Libraries
+
+%description -n libsss_certmap0
+A utility library for FreeIPA to map certs.
+
+%package -n libsss_certmap-devel
+Summary: Development files for the FreeIPA certmap library
+License: LGPL-3.0+
+Group: Development/Libraries/C and C++
+Requires: libsss_certmap0 = %version
+
+%description -n libsss_certmap-devel
+A utility library for FreeIPA to map certs.
+
 %package -n libipa_hbac0
 Summary: FreeIPA HBAC Evaluator library
 License: LGPL-3.0+
@@ -409,6 +426,7 @@ export LDFLAGS="-pie"
 --with-os=suse \
 --with-semanage=no \
 --disable-ldb-version-check \
+ --without-kcm \
 --without-secrets
 make %{?_smp_mflags} all
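Review bot: The Summary of the new libsss_certmap0 subpackage reads `FreeIPA ID mapping library`, which describes an ID-mapping library rather than this one; the sssd.changes entry in the same commit introduces libsss_certmap as a library for mapping a certificate to a user identity, and the -devel Summary already says "certmap". Suggest `Summary: Library for mapping certificates to user identities` for libsss_certmap0. The %description text `A utility library for FreeIPA to map certs.` is repeated verbatim for the -devel package, so the -devel description says nothing about headers or pkgconfig files; a one-line description naming the development files would be more useful than the copy. Given the changelog presents this as a public SSSD library, "FreeIPA" in both summaries may also be narrower than intended, though that is inferred from the changelog rather than the spec.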
@@ -487,14 +505,25 @@ rm -f /var/lib/sss/db/*.ldb
 %_mandir/??/man1/sss_ssh_*
 %_mandir/??/man5/sssd-simple.5*
 %_mandir/??/man5/sssd-sudo.5*
-%_mandir/??/man5/sssd.conf.5*
+#%_mandir/??/man5/sssd.conf.5*
 %_mandir/??/man8/sssd.8*
+%_mandir/??/man5/sss-certmap.5.gz
+%_mandir/??/man5/sssd-ad.5.gz
+%_mandir/??/man5/sssd-files.5.gz
+%_mandir/??/man5/sssd-secrets.5.gz
+%_mandir/??/man5/sssd.conf.5.gz
+%_mandir/??/man8/idmap_sss.8.gz
+%_mandir/??/man8/sssctl.8.gz
+%_mandir/??/man8/sssd-kcm.8.gz
+%_mandir/??/man5/sssd-simple.5*
 %_mandir/man1/sss_ssh_*
 %_mandir/man8/sssctl.8*
 %_mandir/man5/sssd-files.5*
 %_mandir/man5/sssd-simple.5*
 %_mandir/man5/sssd-sudo.5*
 %_mandir/man5/sssd.conf.5*
+%_mandir/man5/sss-certmap.5.gz
+%_mandir/man5/sssd-session-recording.5.gz
 %_mandir/man8/sssd.8*
 %dir %_libdir/%name/
 %_libdir/%name/conf/
@@ -643,7 +672,6 @@ rm -f /var/lib/sss/db/*.ldb
 %_sbindir/sss_useradd
 %_sbindir/sss_userdel
 %_sbindir/sss_usermod
-%_sbindir/sss_override
 %dir %_mandir/??/man8/
 %_mandir/??/man8/sss_*.8*
 %_mandir/man8/sss_*.8*
@@ -678,6 +706,17 @@ rm -f /var/lib/sss/db/*.ldb
 %_libdir/libipa_hbac.so
 %_libdir/pkgconfig/ipa_hbac.pc
+%files -n libsss_certmap0
+%defattr(-,root,root)
+%_libdir/libsss_certmap.so
+%_libdir/libsss_certmap.so.0*
+
+%files -n libsss_certmap-devel
+%defattr(-,root,root)
+%_includedir/sss_certmap.h
+%_libdir/libsss_certmap.so
+%_libdir/pkgconfig/sss_certmap.pc
+
 %files -n libnfsidmap-sss
 %defattr(-,root,root)
 %_libdir/libnfsidmap/
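Review bot: `+%_mandir/??/man5/sssd-simple.5*` duplicates the `%_mandir/??/man5/sssd-simple.5*` context entry a few lines above in the same %files list, which rpmbuild reports as a file listed twice; drop the added line. The new `+%_mandir/??/man5/sssd.conf.5.gz` entry also makes the commented-out `+#%_mandir/??/man5/sssd.conf.5*` line dead text that should be deleted rather than kept, especially since rpm expands `%` macros even inside spec comments. The build is now configured with `--without-kcm` in the earlier sssd.spec hunk, so whether `%_mandir/??/man8/sssd-kcm.8.gz` is still installed by the 1.16.0 tarball is worth confirming against the build log; if it is not, this %files entry fails the build.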
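Review bot: `-%_sbindir/sss_override` is removed from this %files list and no other hunk in the diff adds it back to another package, so if the 1.16.0 tarball still installs `%_sbindir/sss_override` the build will stop on an unpackaged file. If the tool is intentionally no longer shipped, a short note in the sssd.changes entry (for example `- no longer package sss_override`) would record why; if it moved, the receiving %files list should appear in this commit.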
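Review bot: `%_libdir/libsss_certmap.so` is listed in both `%files -n libsss_certmap0` and `%files -n libsss_certmap-devel`, so the same path is owned by two packages and they conflict when both are installed. The unversioned `.so` symlink is the development linkage and belongs only in the -devel list, alongside `%_includedir/sss_certmap.h` and the pkgconfig file, which appears to be how `%_libdir/libipa_hbac.so` and `%_libdir/pkgconfig/ipa_hbac.pc` are grouped in the context lines just above. Remove the `+%_libdir/libsss_certmap.so` line from the libsss_certmap0 list and keep only `%_libdir/libsss_certmap.so.0*` there.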