From 98844f48925d5d41712ca6ef7c15782d774626e54d552e13e6543d6dbfa1b2dc Mon Sep 17 00:00:00 2001 From: Peter Varkoly Date: Wed, 20 Jun 2018 08:38:46 +0000 Subject: [PATCH 01/10] OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=196 --- sssd-1.16.1.tar.gz | 3 --- sssd-1.16.1.tar.gz.asc | 6 ------ sssd-1.16.2.tar.gz | 3 +++ sssd-1.16.2.tar.gz.asc | 6 ++++++ sssd.spec | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) delete mode 100644 sssd-1.16.1.tar.gz delete mode 100644 sssd-1.16.1.tar.gz.asc create mode 100644 sssd-1.16.2.tar.gz create mode 100644 sssd-1.16.2.tar.gz.asc diff --git a/sssd-1.16.1.tar.gz b/sssd-1.16.1.tar.gz deleted file mode 100644 index 38f49be..0000000 --- a/sssd-1.16.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2dbf677851afdefcdf57eccaf25d59eb682a2994ad2a2dbf419003930a0b506e -size 5992778 diff --git a/sssd-1.16.1.tar.gz.asc b/sssd-1.16.1.tar.gz.asc deleted file mode 100644 index c85ee70..0000000 --- a/sssd-1.16.1.tar.gz.asc +++ /dev/null @@ -1,6 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iEYEABECAAYFAlqidCAACgkQHsardTLnvCUWWQCg5lP0BwQTXT9KWCE/JWZJdXoZ -zJoAn2ekRH33J6/IH+6OpD/UozWH+50y -=Lfb4 ------END PGP SIGNATURE----- diff --git a/sssd-1.16.2.tar.gz b/sssd-1.16.2.tar.gz new file mode 100644 index 0000000..b93018f --- /dev/null +++ b/sssd-1.16.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fe5b1fcc5b4359631f7edf25f8940f3155de68e2f4ac7bfeb634687ccabc570c +size 6174144 diff --git a/sssd-1.16.2.tar.gz.asc b/sssd-1.16.2.tar.gz.asc new file mode 100644 index 0000000..7440ddd --- /dev/null +++ b/sssd-1.16.2.tar.gz.asc @@ -0,0 +1,6 @@ +-----BEGIN PGP SIGNATURE----- + +iEYEABECAAYFAlsa2S0ACgkQHsardTLnvCVhKwCgpCRZBHkAyqnRDaPwegBLv4Sh +fYQAoK05cAcmiKBdZWtsLRRZgUOS8X/8 +=U4k5 +-----END PGP SIGNATURE----- diff --git a/sssd.spec b/sssd.spec index 0dfac7a..f989bb8 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -17,7 +17,7 @@ Name: sssd -Version: 1.16.1 +Version: 1.16.2 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ From 12009674a95e1dce1dc0c3e3f1fbf4d0a98edfa65da6a9b319aa33780024d547 Mon Sep 17 00:00:00 2001 
From: Peter Varkoly Date: Wed, 20 Jun 2018 08:48:06 +0000 Subject: [PATCH 02/10] =?UTF-8?q?-=20Update=20to=20new=20minor=20upstream?= =?UTF-8?q?=20release=201.16.2=20New=20Features:=20=20=20*=20The=20smart?= =?UTF-8?q?=20card=20authentication,=20or=20in=20more=20general=20certific?= =?UTF-8?q?ate=20=20=20=20=20authentication=20code=20now=20supports=20Open?= =?UTF-8?q?SSL=20in=20addition=20to=20previously=20=20=20=20=20supported?= =?UTF-8?q?=20NSS=20(#3489).=20In=20addition,=20the=20SSH=20responder=20ca?= =?UTF-8?q?n=20now=20=20=20=20=20return=20public=20SSH=20keys=20derived=20?= =?UTF-8?q?from=20the=20public=20keys=20stored=20in=20a=20=20=20=20=20X.50?= =?UTF-8?q?9=20certificate.=20Please=20refer=20to=20the=20ssh=5Fuse=5Fcert?= =?UTF-8?q?ificate=5Fkeys=20=20=20=20=20option=20in=20the=20man=20pages.?= =?UTF-8?q?=20=20=20*=20The=20files=20provider=20now=20supports=20mirrorin?= =?UTF-8?q?g=20multiple=20passwd=20or=20=20=20=20=20group=20files.=20This?= =?UTF-8?q?=20enhancement=20can=20be=20used=20to=20use=20the=20SSSD=20file?= =?UTF-8?q?s=20=20=20=20=20provider=20instead=20of=20the=20nss=5Faltfiles?= =?UTF-8?q?=20module=20Bugfixes:=20=20=20*=20A=20memory=20handling=20issue?= =?UTF-8?q?=20in=20the=20nss=5Fex=20interface=20was=20fixed.=20This=20=20?= =?UTF-8?q?=20=20=20bug=20would=20manifest=20in=20IPA=20environments=20wit?= =?UTF-8?q?h=20a=20trusted=20AD=20domain=20=20=20=20=20as=20a=20crash=20of?= =?UTF-8?q?=20the=20ns-slapd=20process,=20because=20a=20ns-slapd=20plugin?= =?UTF-8?q?=20=20=20=20=20loads=20the=20nss=5Fex=20interface=20(#3715)=20?= =?UTF-8?q?=20=20*=20Several=20fixes=20for=20the=20KCM=20deamon=20were=20m?= =?UTF-8?q?erged=20(see=20#3687,=20#3671,=20#3633)=20=20=20*=20The=20ad=5F?= =?UTF-8?q?site=20override=20is=20now=20honored=20in=20GPO=20code=20as=20w?= =?UTF-8?q?ell=20(#3646)=20=20=20*=20Several=20potential=20crashes=20in=20?= =?UTF-8?q?the=20NSS=20responder=E2=80=99s=20netgroup=20code=20=20=20=20?= 
=?UTF-8?q?=20were=20fixed=20(#3679,=20#3731)=20=20=20*=20A=20potential=20?= =?UTF-8?q?crash=20in=20the=20autofs=20responder=E2=80=99s=20code=20was=20?= =?UTF-8?q?fixed=20(#3752)=20=20=20*=20The=20LDAP=20provider=20now=20suppo?= =?UTF-8?q?rts=20group=20renaming=20(#2653)=20=20=20*=20The=20GPO=20access?= =?UTF-8?q?=20control=20code=20no=20longer=20returns=20an=20error=20if=20o?= =?UTF-8?q?ne=20=20=20=20=20of=20the=20relevant=20GPO=20rules=20contained?= =?UTF-8?q?=20no=20SIDs=20at=20all=20(#3680)=20=20=20*=20A=20memory=20leak?= =?UTF-8?q?=20in=20the=20IPA=20provider=20related=20to=20resolving=20exter?= =?UTF-8?q?nal=20=20=20=20=20AD=20groups=20was=20fixed=20(#3719)=20=20=20*?= =?UTF-8?q?=20Setups=20that=20used=20multiple=20domains=20where=20one=20of?= =?UTF-8?q?=20the=20domains=20had=20=20=20=20=20its=20ID=20space=20limited?= =?UTF-8?q?=20using=20the=20min=5Fid/max=5Fid=20options=20did=20not=20=20?= =?UTF-8?q?=20=20=20resolve=20requests=20by=20ID=20properly=20(#3728)=20?= =?UTF-8?q?=20=20*=20Overriding=20IDs=20or=20names=20did=20not=20work=20co?= =?UTF-8?q?rrectly=20when=20the=20domain?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=197 --- sssd.changes | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/sssd.changes b/sssd.changes index 35bf822..5432c56 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,52 @@ +------------------------------------------------------------------- +Wed Jun 20 08:38:53 UTC 2018 - varkoly@suse.com + +- Update to new minor upstream release 1.16.2 +New Features: + * The smart card authentication, or in more general certificate + authentication code now supports OpenSSL in addition to previously + supported NSS (#3489). In addition, the SSH responder can now + return public SSH keys derived from the public keys stored in a + X.509 certificate. Please refer to the ssh_use_certificate_keys + option in the man pages. + * The files provider now supports mirroring multiple passwd or + group files. This enhancement can be used to use the SSSD files + provider instead of the nss_altfiles module +Bugfixes: + * A memory handling issue in the nss_ex interface was fixed. This + bug would manifest in IPA environments with a trusted AD domain + as a crash of the ns-slapd process, because a ns-slapd plugin + loads the nss_ex interface (#3715) + * Several fixes for the KCM deamon were merged (see #3687, #3671, #3633) + * The ad_site override is now honored in GPO code as well (#3646) + * Several potential crashes in the NSS responder’s netgroup code + were fixed (#3679, #3731) + * A potential crash in the autofs responder’s code was fixed (#3752) + * The LDAP provider now supports group renaming (#2653) + * The GPO access control code no longer returns an error if one + of the relevant GPO rules contained no SIDs at all (#3680) + * A memory leak in the IPA provider related to resolving external + AD groups was fixed (#3719) + * Setups that used multiple domains where one of the domains had + its ID space limited using the min_id/max_id options did not + resolve requests by ID properly (#3728) + * Overriding IDs or names did not work correctly when the domain + resolution order was set as well (#3595) + * A version mismatch between certain newer Samba versions (e.g. 
+ those shipped in RHEL-7.5) and the Winbind interface provided + by SSSD was fixed. To further prevent issues like this in the + future, the correct interface is now detected at build time (#3741) + * The files provider no longer returns a qualified name in case + domain resolution order is used (#3743) + * A race condition between evaluating IPA group memberships and + AD group memberships in setups with IPA-AD trusts that would + have manifested as randomly losing IPA group memberships assigned + to an AD user was fixed (#3744) + * Setting an SELinux login label was broken in setups where the + domain resolution order was used (#3740) + * SSSD start up issue on systems that use the libldb library + with version 1.4.0 or newer was fixed. + ------------------------------------------------------------------- Fri Apr 27 14:43:58 UTC 2018 - ckowalczyk@suse.com From 0ee77493e9b6f46bbab9e3439f32f7788f19bc6b253fb7b53613814d244ec2b3 Mon Sep 17 00:00:00 2001 From: Peter Varkoly Date: Wed, 20 Jun 2018 09:36:04 +0000 Subject: [PATCH 03/10] Add missed requirement OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=198 --- sssd.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/sssd.spec b/sssd.spec index f989bb8..98130cd 100644 --- a/sssd.spec +++ b/sssd.spec @@ -80,6 +80,7 @@ BuildRequires: pkgconfig(talloc) BuildRequires: pkgconfig(tdb) >= 1.1.3 BuildRequires: pkgconfig(tevent) BuildRequires: pkgconfig(ndr_krb5pac) +BuildRequires: p11-kit %{?systemd_requires} Requires: sssd-ldap = %version-%release Requires(postun): pam-config From cd01c383bfd92327b6a254cad998c769838eee1f981a0b7f928cdb4c0e32e2e7 Mon Sep 17 00:00:00 2001 From: Peter Varkoly Date: Wed, 20 Jun 2018 09:44:16 +0000 Subject: [PATCH 04/10] Fix requirement OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=199 --- sssd.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sssd.spec b/sssd.spec index 98130cd..fc264b1 100644 
--- a/sssd.spec +++ b/sssd.spec @@ -80,7 +80,7 @@ BuildRequires: pkgconfig(talloc) BuildRequires: pkgconfig(tdb) >= 1.1.3 BuildRequires: pkgconfig(tevent) BuildRequires: pkgconfig(ndr_krb5pac) -BuildRequires: p11-kit +BuildRequires: p11-kit-devel %{?systemd_requires} Requires: sssd-ldap = %version-%release Requires(postun): pam-config From c906f55d9e7fcae9d9c58f57f4694618676353ad5dd902b52c9350d8e71264f7 Mon Sep 17 00:00:00 2001 From: Peter Varkoly Date: Wed, 20 Jun 2018 12:19:07 +0000 Subject: [PATCH 05/10] Remove unnecessary comment. OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=200 --- sssd.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/sssd.spec b/sssd.spec index fc264b1..f0f514c 100644 --- a/sssd.spec +++ b/sssd.spec @@ -477,7 +477,6 @@ rm -f /var/lib/sss/db/*.ldb %_mandir/??/man1/sss_ssh_* %_mandir/??/man5/sssd-simple.5* %_mandir/??/man5/sssd-sudo.5* -#%_mandir/??/man5/sssd.conf.5* %_mandir/??/man8/sssd.8* %_mandir/??/man5/sss-certmap.5.gz %_mandir/??/man5/sssd-ad.5.gz From 4c8b88f4d23bc104462263b83511f78b8235765f7f0d9a5ff5506698da9bdd37 Mon Sep 17 00:00:00 2001 From: Peter Varkoly Date: Wed, 20 Jun 2018 12:49:57 +0000 Subject: [PATCH 06/10] Add patch to fix build OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=201 --- fix-build.patch | 13 +++++++++++++ sssd.spec | 2 ++ 2 files changed, 15 insertions(+) create mode 100644 fix-build.patch diff --git a/fix-build.patch b/fix-build.patch new file mode 100644 index 0000000..9903e33 --- /dev/null +++ b/fix-build.patch @@ -0,0 +1,13 @@ +diff --git a/Makefile.am b/Makefile.am +index 9539b3c..8e76a03 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -975,6 +975,7 @@ libsss_cert_la_LIBADD = \ + $(TALLOC_LIBS) \ + $(TEVENT_LIBS) \ + libsss_crypt.la \ ++ libsss_child.la \ + libsss_debug.la \ + libsss_certmap.la \ + $(NULL) + diff --git a/sssd.spec b/sssd.spec index f0f514c..7188389 100644 --- a/sssd.spec +++ b/sssd.spec 
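Review bot: The new `BuildRequires: p11-kit-devel` names a package, while the context lines just above it in this hunk all use the `pkgconfig(...)` form. If the build only needs p11-kit's headers and .pc file, a capability-style requirement such as `BuildRequires: pkgconfig(p11-kit-1)` would match its neighbours and survive a package rename or split. The exact .pc name should be confirmed against what p11-kit-devel provides. The BuildRequires list starts and ends outside the hunk.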
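Review bot: fix-build.patch is added without any header, so nothing in the file says which build failure the extra `libsss_child.la` entry in `libsss_cert_la_LIBADD` resolves, or whether it was reported upstream. A short description at the top of the patch file, naming the link error seen without it and an upstream reference if one exists, would let the next version bump decide whether the patch can be dropped. Because the patch edits Makefile.am and not a generated file, it only takes effect if %build regenerates the build system (autoreconf or equivalent). That part of the spec is outside the visible hunks and should be confirmed.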
@@ -30,6 +30,7 @@ Source2: http://releases.pagure.org/SSSD/sssd/%name-%version.tar.gz.asc Source3: baselibs.conf Source4: sssd.service Source5: %name.keyring +Patch1: fix-build.patch BuildRoot: %_tmppath/%name-%version-build %define servicename sssd @@ -364,6 +365,7 @@ Security Services Daemon (sssd). %prep %setup -q +%patch1 -p1 %build %if 0%{?suse_version} < 1210 From ef4bdebab82355b051f094c6002de3fb513cab42d87bd58f4adf1040fab05bc5 Mon Sep 17 00:00:00 2001 From: Peter Varkoly Date: Wed, 20 Jun 2018 13:14:56 +0000 Subject: [PATCH 07/10] Fix spec for new package. OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=202 --- sssd.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/sssd.spec b/sssd.spec index 7188389..dca0ea9 100644 --- a/sssd.spec +++ b/sssd.spec @@ -427,6 +427,8 @@ EOF find "$b" -type f -name "*.la" -delete rm -Rf "$b/%_sysconfdir/dbus-1" "$b/%_datadir/dbus-1" +rm -rf "$b/usr/lib/debug/usr/lib/sssd/p11_child-1.16.2-0.x86_64.debug" + %find_lang %name --all-name @@ -482,13 +484,14 @@ rm -f /var/lib/sss/db/*.ldb %_mandir/??/man8/sssd.8* %_mandir/??/man5/sss-certmap.5.gz %_mandir/??/man5/sssd-ad.5.gz -%_mandir/??/man5/sssd-files.5.gz %_mandir/??/man5/sssd-secrets.5.gz %_mandir/??/man5/sssd.conf.5.gz %_mandir/??/man8/idmap_sss.8.gz %_mandir/??/man8/sssctl.8.gz %_mandir/??/man8/sssd-kcm.8.gz %_mandir/??/man5/sssd-simple.5* +%_mandir/??/man5/sssd-session-recording.5.gz +%_mandir/??/man5/sssd-systemtap.5.gz %_mandir/man1/sss_ssh_* %_mandir/man8/sssctl.8* %_mandir/man5/sssd-files.5* @@ -514,6 +517,7 @@ rm -f /var/lib/sss/db/*.ldb %dir %_libdir/ldb/ %_libdir/ldb/memberof.so %dir %_libexecdir/%name/ +%_libexecdir/%name/p11_child %_libexecdir/%name/sssd_autofs %_libexecdir/%name/sssd_be %_libexecdir/%name/sssd_nss 
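Review bot: The added `rm -rf "$b/usr/lib/debug/usr/lib/sssd/p11_child-1.16.2-0.x86_64.debug"` in the `@@ -427,6 +427,8 @@` hunk hard-codes the version, release, architecture and helper directory, so it matches nothing on other architectures or after the next version or release change. If the removal is needed at all, the path should be built from macros, for example `rm -rf "$b/usr/lib/debug%_libexecdir/%name/p11_child-%version-%release.%_arch.debug"`. It is also worth checking that the file exists at this point: debuginfo extraction normally runs after the %install script body, in which case the line is a no-op and the underlying problem (presumably an unpackaged or conflicting debug file) remains. The %install section starts and ends outside the hunk.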
@@ -540,6 +544,7 @@ rm -f /var/lib/sss/db/*.ldb %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-local.conf %_datadir/%name/sssd.api.d/sssd-simple.conf +%_datadir/%name/sssd.api.d/sssd-files.conf # # sssd-client # From 969bc75c7f65f4e747bfb2f8ef84fcb190b8699eca9359c92cc84e926e3604ba Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 27 Jun 2018 23:04:40 +0000 Subject: [PATCH 08/10] Accepting request 619100 from home:ckowalczyk:branches:network:ldap:bsc1098163-cve201810852 - Introduce patches: * Create sockets with right permissions: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch (bsc#1098377, CVE-2018-10852) * Fix for sssd upstream integration tests 0002-intg-Do-not-hardcode-nsslibdir.patch (bsc#1098163) OBS-URL: https://build.opensuse.org/request/show/619100 OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=203 --- ...the-socket-with-stricter-permissions.patch | 45 +++++++++++++++++++ 0002-intg-Do-not-hardcode-nsslibdir.patch | 44 ++++++++++++++++++ sssd.changes | 14 ++++++ sssd.spec | 6 ++- 4 files changed, 108 insertions(+), 1 deletion(-) create mode 100644 0001-SUDO-Create-the-socket-with-stricter-permissions.patch create mode 100644 0002-intg-Do-not-hardcode-nsslibdir.patch diff --git a/0001-SUDO-Create-the-socket-with-stricter-permissions.patch b/0001-SUDO-Create-the-socket-with-stricter-permissions.patch new file mode 100644 index 0000000..17aa40f --- /dev/null +++ b/0001-SUDO-Create-the-socket-with-stricter-permissions.patch 
@@ -0,0 +1,45 @@
+From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Fri, 15 Jun 2018 22:29:34 +0200
+Subject: [PATCH] SUDO: Create the socket with stricter permissions
+
+This patch switches the sudo responder from being created as a public
+responder where the permissions are open and not checked by the sssd
+deaamon to a private socket. In this case, sssd creates the pipes with
+strict permissions (see the umask in the call to create_pipe_fd() in
+set_unix_socket()) and additionaly checks the permissions with every read
+via the tevent integrations (see accept_fd_handler()).
+---
+ src/responder/sudo/sudosrv.c | 3 ++-
+ src/sysv/systemd/sssd-sudo.socket.in | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
+index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644
+--- a/src/responder/sudo/sudosrv.c
++++ b/src/responder/sudo/sudosrv.c
+@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
+ sudo_cmds = get_sudo_cmds();
+ ret = sss_process_init(mem_ctx, ev, cdb,
+ sudo_cmds,
+- SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
++ NULL, -1, /* No public socket */
++ SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */
+ CONFDB_SUDO_CONF_ENTRY,
+ SSS_SUDO_SBUS_SERVICE_NAME,
+ SSS_SUDO_SBUS_SERVICE_VERSION,
+diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
+index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644
+--- a/src/sysv/systemd/sssd-sudo.socket.in
++++ b/src/sysv/systemd/sssd-sudo.socket.in
+@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
+ ListenStream=@pipepath@/sudo
+ SocketUser=@SSSD_USER@
+ SocketGroup=@SSSD_USER@
++SocketMode=0600
+
+ [Install]
+ WantedBy=sssd.service
+--
+2.14.3
+
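Review bot: `SocketMode=0600` in sssd-sudo.socket.in only applies when systemd creates the listening socket, so on an upgraded system where sssd-sudo.socket is already active the previous, wider mode is likely to stay in place until the unit is reloaded and restarted. The scriptlets around this patch (%post/%postun, not visible here) should be checked for a daemon-reload and a restart of the socket unit or of sssd on update; otherwise the CVE-2018-10852 fix may not be effective until the next reboot. A post-update check that the socket at `@pipepath@/sudo` is mode 0600 and owned by the SSSD user would confirm it. The sudosrv.c half depends on the parameter order of `sss_process_init()`, whose prototype is outside the hunk.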
diff --git a/0002-intg-Do-not-hardcode-nsslibdir.patch b/0002-intg-Do-not-hardcode-nsslibdir.patch
new file mode 100644
index 0000000..08f8543
--- /dev/null
+++ b/0002-intg-Do-not-hardcode-nsslibdir.patch
@@ -0,0 +1,44 @@
+From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
+Date: Tue, 12 Jun 2018 19:07:52 +0200
+Subject: [PATCH] intg: Do not hardcode nsslibdir
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This change is needed in order to have make intgcheck-run properly
+running on opensuse systems.
+
+Signed-off-by: Fabiano Fidêncio
+Reviewed-by: Chris Kowalczyk
+Reviewed-by: Michal Židek
+---
+ src/tests/intg/Makefile.am | 1 +
+ src/tests/intg/config.py.m4 | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
+index 9c5338261..4bd427669 100644
+--- a/src/tests/intg/Makefile.am
++++ b/src/tests/intg/Makefile.am
+@@ -73,6 +73,7 @@ cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
+ config.py: config.py.m4
+ m4 -D "prefix=\`$(prefix)'" \
+ -D "sysconfdir=\`$(sysconfdir)'" \
++ -D "nsslibdir=\`$(nsslibdir)'" \
+ -D "dbpath=\`$(dbpath)'" \
+ -D "pidpath=\`$(pidpath)'" \
+ -D "logpath=\`$(logpath)'" \
+diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
+index 6e011b692..04f78d869 100644
+--- a/src/tests/intg/config.py.m4
++++ b/src/tests/intg/config.py.m4
+@@ -4,7 +4,7 @@ Build configuration variables.
+
+ PREFIX = "prefix"
+ SYSCONFDIR = "sysconfdir"
+-NSS_MODULE_DIR = PREFIX + "/lib"
++NSS_MODULE_DIR = "nsslibdir"
+ SSSDCONFDIR = SYSCONFDIR + "/sssd"
+ CONF_PATH = SSSDCONFDIR + "/sssd.conf"
+ DB_PATH = "dbpath"
diff --git a/sssd.changes b/sssd.changes
index 5432c56..286822f 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,4 +1,17 @@ ------------------------------------------------------------------- + +Wed Jun 20 10:46:34 UTC 2018 - ckowalczyk@suse.com + +- Introduce patches: + * Create sockets with right permissions: + 0001-SUDO-Create-the-socket-with-stricter-permissions.patch + (bsc#1098377, CVE-2018-10852) + * Fix for sssd upstream integration tests + 0002-intg-Do-not-hardcode-nsslibdir.patch + (bsc#1098163) + +------------------------------------------------------------------- + Wed Jun 20 08:38:53 UTC 2018 - varkoly@suse.com - Update to new minor upstream release 1.16.2 @@ -48,6 +61,7 @@ Bugfixes: with version 1.4.0 or newer was fixed. ------------------------------------------------------------------- + Fri Apr 27 14:43:58 UTC 2018 - ckowalczyk@suse.com - Update to new minor upstream release 1.16.1 (fate#323340): diff --git a/sssd.spec b/sssd.spec index dca0ea9..f56e2a7 100644 --- a/sssd.spec +++ b/sssd.spec @@ -30,8 +30,10 @@ Source2: http://releases.pagure.org/SSSD/sssd/%name-%version.tar.gz.asc Source3: baselibs.conf Source4: sssd.service Source5: %name.keyring -Patch1: fix-build.patch BuildRoot: %_tmppath/%name-%version-build +Patch1: fix-build.patch +Patch2: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch +Patch3: 0002-intg-Do-not-hardcode-nsslibdir.patch %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss @@ -366,6 +368,8 @@ Security Services Daemon (sssd). %prep %setup -q %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build %if 0%{?suse_version} < 1210 From 4fffd4a106452699fb1e2a7d0396a09f9660b6d3f0c7871001d7fc5d9206ec50 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 27 Jun 2018 23:05:06 +0000 Subject: [PATCH 09/10] Restore the default changelog format OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=204 --- sssd.changes | 3 --- 1 file changed, 3 deletions(-) diff --git a/sssd.changes b/sssd.changes index 286822f..ca544be 100644 --- a/sssd.changes +++ b/sssd.changes 
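Review bot: The `Patch1`/`Patch2`/`Patch3` tags in the `@@ -30,8 +30,10 @@` hunk carry no comments, so the spec itself does not show that Patch2 is the CVE-2018-10852 fix or which bug each patch belongs to. A one-line comment above each tag, e.g. `# PATCH-FIX-UPSTREAM 0001-SUDO-Create-the-socket-with-stricter-permissions.patch bsc#1098377 CVE-2018-10852`, keeps the security fix identifiable when the upstream tarball is next bumped and the patch list is pruned. The matching `%patch2 -p1` and `%patch3 -p1` lines in the %prep hunk need no change.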
@@ -1,5 +1,4 @@ ------------------------------------------------------------------- - Wed Jun 20 10:46:34 UTC 2018 - ckowalczyk@suse.com - Introduce patches: @@ -11,7 +10,6 @@ Wed Jun 20 10:46:34 UTC 2018 - ckowalczyk@suse.com (bsc#1098163) ------------------------------------------------------------------- - Wed Jun 20 08:38:53 UTC 2018 - varkoly@suse.com - Update to new minor upstream release 1.16.2 @@ -61,7 +59,6 @@ Bugfixes: with version 1.4.0 or newer was fixed. ------------------------------------------------------------------- - Fri Apr 27 14:43:58 UTC 2018 - ckowalczyk@suse.com - Update to new minor upstream release 1.16.1 (fate#323340): From a03258dbe5795008e1872fd055b153e324f4d8e54240b2f1734fb1b7a9b568d3 Mon Sep 17 00:00:00 2001 From: Chris Kowalczyk Date: Sun, 1 Jul 2018 13:19:46 +0000 Subject: [PATCH 10/10] Accepting request 620030 from home:ckowalczyk:branches:network:ldap:fixchangelog Fixed patch name. OBS-URL: https://build.opensuse.org/request/show/620030 OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=205 --- ...uild.patch => 0003-Fix-build-for-1-16-2-version.patch | 0 sssd.changes | 9 +++++++++ sssd.spec | 6 +++--- 3 files changed, 12 insertions(+), 3 deletions(-) rename fix-build.patch => 0003-Fix-build-for-1-16-2-version.patch (100%) diff --git a/fix-build.patch b/0003-Fix-build-for-1-16-2-version.patch similarity index 100% rename from fix-build.patch rename to 0003-Fix-build-for-1-16-2-version.patch diff --git a/sssd.changes b/sssd.changes index ca544be..94e109f 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com + +- Fixed patch name. + ------------------------------------------------------------------- Wed Jun 20 10:46:34 UTC 2018 - ckowalczyk@suse.com 
@@ -57,6 +62,10 @@ Bugfixes: domain resolution order was used (#3740) * SSSD start up issue on systems that use the libldb library with version 1.4.0 or newer was fixed. +Introduce a patch: + * Fix build of sssd of 1.16.2 version: + 0003-Fix-build-for-1-16-2-version.patch + (back then called fix-build.patch) ------------------------------------------------------------------- Fri Apr 27 14:43:58 UTC 2018 - ckowalczyk@suse.com diff --git a/sssd.spec b/sssd.spec index f56e2a7..7adfc7e 100644 --- a/sssd.spec +++ b/sssd.spec @@ -31,9 +31,9 @@ Source3: baselibs.conf Source4: sssd.service Source5: %name.keyring BuildRoot: %_tmppath/%name-%version-build -Patch1: fix-build.patch -Patch2: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch -Patch3: 0002-intg-Do-not-hardcode-nsslibdir.patch +Patch1: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch +Patch2: 0002-intg-Do-not-hardcode-nsslibdir.patch +Patch3: 0003-Fix-build-for-1-16-2-version.patch %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss