From 242b37bf2686eb2a4e2e5ebc11e3ab45b6b31cddda10d7e2c6d0a6bc35ae1daf Mon Sep 17 00:00:00 2001 From: Howard Guo Date: Wed, 30 Sep 2015 13:29:05 +0000 Subject: [PATCH 1/2] Accepting request 334998 from home:stroeder:branches:network:ldap update to 1.13.1, successfully tested on openSUSE 13.2 with sssd-ldap OBS-URL: https://build.opensuse.org/request/show/334998 OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=160 --- sssd-1.13.0.tar.gz | 3 - sssd-1.13.0.tar.gz.asc | 7 -- sssd-1.13.1.tar.gz | 3 + sssd-1.13.1.tar.gz.asc | 7 ++ sssd.changes | 196 +++++++++++++++++++++++++++++++++++++++++ sssd.spec | 4 +- 6 files changed, 208 insertions(+), 12 deletions(-) delete mode 100644 sssd-1.13.0.tar.gz delete mode 100644 sssd-1.13.0.tar.gz.asc create mode 100644 sssd-1.13.1.tar.gz create mode 100644 sssd-1.13.1.tar.gz.asc diff --git a/sssd-1.13.0.tar.gz b/sssd-1.13.0.tar.gz deleted file mode 100644 index b1b9e61..0000000 --- a/sssd-1.13.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:bd1dd95165bca02a08fbd0ea8ac6aa296bc339798d6c6566aee823c536718a5a -size 4417697 diff --git a/sssd-1.13.0.tar.gz.asc b/sssd-1.13.0.tar.gz.asc deleted file mode 100644 index 141d253..0000000 --- a/sssd-1.13.0.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlWa1YEACgkQHsardTLnvCXJQACgtx+37IBGO6/nBGqBCx5Y/Eye -Su4AoIqcfMtZZnEPC/0D0TMwAGDBhv4i -=N/oh ------END PGP SIGNATURE----- diff --git a/sssd-1.13.1.tar.gz b/sssd-1.13.1.tar.gz new file mode 100644 index 0000000..74803ec --- /dev/null +++ b/sssd-1.13.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ff6425d455a5cae2359e32c8627832e67b5cc0bbec4081a16d926b6e1b431ae7 +size 4517171 diff --git a/sssd-1.13.1.tar.gz.asc b/sssd-1.13.1.tar.gz.asc new file mode 100644 index 0000000..8be2d3d --- /dev/null +++ b/sssd-1.13.1.tar.gz.asc 
@@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlYLta0ACgkQHsardTLnvCX0lwCgzMl3DT9BbTgcXGcM0Q2AGLUf ++8QAoK5LZJdWZ+HcXC7ZIOTJ0vv9a9FB +=z5ez +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index a49b998..bedd0c3 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,199 @@ +------------------------------------------------------------------- +Wed Sep 30 11:44:21 UTC 2015 - michael@stroeder.com + +- Update to new upstream release 1.13.1 +- libsss_ad_common.so not installed anymore + +== Highlights == + * Initial support for Smart Card authentication was added. The feature + can be activated with the new pam_cert_auth option + * The PAM prompting was enhanced so that when Two-Factor Authentication + is used, both factors (password and token) can be entered separately + on separate prompts. At the same time, only the long-term password is + cached, so offline access would still work using the long term password + * A new command line tool sss_override is present in this release. The + tools allows to override attributes on the SSSD side. It's helpful in + environment where e.g. some hosts need to have a different view of POSIX + attributes than others. Please note that the overrides are stored in + the cache as well, so removing the cache will also remove the overrides + * New methods were added to the SSSD D-Bus interface. Notably support + for looking up a user by certificate and looking up multiple users + using a wildcard was added. Please see the interface introspection or + the design pages for full details + * Several enhancements to the dynamic DNS update code. Notably, clients + that update multiple interfaces work better with this release + * This release supports authenticating againt a KDC proxy + * The fail over code was enhanced so that if a trusted domain is not + reachable, only that domain will be marked as inactive but the backed + would stay in online mode + * Several fixes to the GPO access control code are present + +== Packaging Changes == + * The Smart Card authentication feature requires a helper process + p11_child that needs to be marked as setgid if SSSD needs to be able + to. 
Please note the p11_child requires the NSS crypto library at the moment + * The sss_override tool was added along with its own manpage + * The upstream RPM can now build on RHEL/CentOS 6.7 + +== Documentation Changes == + * The config_file_version configuration option now defaults to 2. As + an effect, this option doesn't have to be set anymore unless the config + file format is changed again by SSSD upstream + * It is now possible to specify a comma-separated list of interfaces in + the dyndns_iface option + * The InfoPipe responder and the LDAP provider gained a new option + wildcard_lookup that specifies an upper limit on the number of entries + that can be returned with a wildcard lookup + * A new option dyndns_server was added. This option allows to attempt + a fallback DNS update against a specific DNS server. Please note this + option only works as a fallback, the first attempt will always be + performed against autodiscovered servers. + * The PAM responder gained a new option ca_db that allows the storage + of trusted CA certificates to be specified + * The time the p11_child is allowed to operate can be specified using + a new option p11_child_timeout + +== Tickets Fixed == + +https://fedorahosted.org/sssd/ticket/546 + [RFE] Support for smart cards +https://fedorahosted.org/sssd/ticket/1697 + sssd: incorrect checks on length values during packet decoding +https://fedorahosted.org/sssd/ticket/1926 + [RFE] Start the dynamic DNS update after the SSSD has been setup for + the first time +https://fedorahosted.org/sssd/ticket/1994 + Complain loudly if backend doesn't start due to missing or invalid keytab +https://fedorahosted.org/sssd/ticket/2275 + nested netgroups do not work in IPA provider +https://fedorahosted.org/sssd/ticket/2283 + test dyndns failed. 
+https://fedorahosted.org/sssd/ticket/2335 + Investigate using the krb5 responder for driving the PAM conversation + with OTPs +https://fedorahosted.org/sssd/ticket/2463 + Pass error messages via the extdom plugin +https://fedorahosted.org/sssd/ticket/2495 + [RFE]Allow sssd to add a new option that would specify which server + to update DNS with +https://fedorahosted.org/sssd/ticket/2549 + RFE: Support multiple interfaces with the dyndns_iface option +https://fedorahosted.org/sssd/ticket/2553 + RFE: Add support for wildcard-based cache updates +https://fedorahosted.org/sssd/ticket/2558 + Add dualstack and multihomed support +https://fedorahosted.org/sssd/ticket/2561 + Too much logging +https://fedorahosted.org/sssd/ticket/2579 + TRACKER: Support one-way trusts for IPA +https://fedorahosted.org/sssd/ticket/2581 + Re-check memcache after acquiring the lock in the client code +https://fedorahosted.org/sssd/ticket/2584 + RFE: Support client-side overrides +https://fedorahosted.org/sssd/ticket/2597 + Add index for 'objectSIDString' and maybe to other cache attributes +https://fedorahosted.org/sssd/ticket/2637 + RFE: Don't mark the main domain as offline if SSSD can't connect to + a subdomain +https://fedorahosted.org/sssd/ticket/2639 + RFE: Detect re-established trusts in the IPA subdomain code +https://fedorahosted.org/sssd/ticket/2652 + KDC proxy not working with SSSD krb5_use_kdcinfo enabled +https://fedorahosted.org/sssd/ticket/2676 + Group members are not turned into ghost entries when the user is purged + from the SSSD cache +https://fedorahosted.org/sssd/ticket/2682 + sudoOrder not honored as expected +https://fedorahosted.org/sssd/ticket/2688 + Default to config_file_version=2 +https://fedorahosted.org/sssd/ticket/2691 + GPO: PAM system error returned for PAM_ACCT_MGMT and offline mode +https://fedorahosted.org/sssd/ticket/2692 + GPO: Access denied due to using wrong sam_account_name +https://fedorahosted.org/sssd/ticket/2694 + CI: Fix ramshackle 
test_ipa_subdomains_server (FAIL: + test_ipa_subdom_server) +https://fedorahosted.org/sssd/ticket/2699 + SSSDConfig: wrong return type returned on python3 +https://fedorahosted.org/sssd/ticket/2700 + krb5_child should always consider online state to allow use of + MS-KKDC proxy +https://fedorahosted.org/sssd/ticket/2708 + Logging messages from user point of view +https://fedorahosted.org/sssd/ticket/2711 + [RFE] Provide interface for SSH to fetch user certificate +https://fedorahosted.org/sssd/ticket/2712 + Initgroups memory cache does not work with fq names +https://fedorahosted.org/sssd/ticket/2716 + Initgroups mmap cache needs update after db changes +https://fedorahosted.org/sssd/ticket/2717 + well-known SID check is broken for NetBIOS prefixes +https://fedorahosted.org/sssd/ticket/2718 + SSSD keytab validation check expects root ownership +https://fedorahosted.org/sssd/ticket/2719 + IPA: returned unknown dp error code with disabled migration mode +https://fedorahosted.org/sssd/ticket/2722 + Missing config options in gentoo init script +https://fedorahosted.org/sssd/ticket/2723 + Could not resolve AD user from root domain +https://fedorahosted.org/sssd/ticket/2724 + getgrgid for user's UID on a trust client prevents getpw* +https://fedorahosted.org/sssd/ticket/2725 + If AD site detection fails, not even ad_site override skipped +https://fedorahosted.org/sssd/ticket/2729 + Do not send SSS_OTP if both factors were entered separately +https://fedorahosted.org/sssd/ticket/2731 + searching SID by ID always checks all domains +https://fedorahosted.org/sssd/ticket/2733 + Don't use deprecated libraries (libsystemd-*) +https://fedorahosted.org/sssd/ticket/2737 + sss_override: add import and export commands +https://fedorahosted.org/sssd/ticket/2738 + Cannot build rpms from upstream spec file on rawhide +https://fedorahosted.org/sssd/ticket/2742 + When certificate is added via user-add-cert, it cannot be looked up + via 
org.freedesktop.sssd.infopipe.Users.FindByCertificate +https://fedorahosted.org/sssd/ticket/2743 + memory cache can work intermittently +https://fedorahosted.org/sssd/ticket/2744 + cleanup_groups should sanitize dn of groups +https://fedorahosted.org/sssd/ticket/2746 + the PAM srv test often fails on RHEL-7 +https://fedorahosted.org/sssd/ticket/2748 + test_memory_cache failed in invalidation cache before stop +https://fedorahosted.org/sssd/ticket/2749 + Fix crash in nss responder +https://fedorahosted.org/sssd/ticket/2754 + Clear environment and set restrictive umask in p11_child +https://fedorahosted.org/sssd/ticket/2757 + sss_override does not work correctly when 'use_fully_qualified_names + = True' +https://fedorahosted.org/sssd/ticket/2758 + sss_override contains an extra parameter --debug but is not listed in + the man page or in the arguments help +https://fedorahosted.org/sssd/ticket/2762 + [RFE] sssd: better feedback form constraint password change +https://fedorahosted.org/sssd/ticket/2768 + Test 'test_id_cleanup_exp_group' failed +https://fedorahosted.org/sssd/ticket/2772 + sssd cannot resolve user names containing backslash with ldap provider +https://fedorahosted.org/sssd/ticket/2773 + Make p11_child timeout configurable +https://fedorahosted.org/sssd/ticket/2777 + Fix memory leak in GPO +https://fedorahosted.org/sssd/ticket/2782 + sss_override : The local override user is not found +https://fedorahosted.org/sssd/ticket/2783 + REGRESSION: Dyndns soes not update reverse DNS records +https://fedorahosted.org/sssd/ticket/2790 + sss_override --name doesn't work with RFC2307 and ghost users +https://fedorahosted.org/sssd/ticket/2799 + unit tests do not link correctly on Debian +https://fedorahosted.org/sssd/ticket/2803 + Memory leak / possible DoS with krb auth. 
+https://fedorahosted.org/sssd/ticket/2805 + AD: Conditional jump or move depends on uninitialised value + ------------------------------------------------------------------- Thu Aug 20 08:34:44 UTC 2015 - jengelh@inai.de diff --git a/sssd.spec b/sssd.spec index 4b3b5af..98dfc99 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 1.13.0 +Version: 1.13.1 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ @@ -531,7 +531,6 @@ rm -f /var/lib/sss/db/*.ldb %defattr(-,root,root) %dir %_libdir/%name/ %_libdir/%name/libsss_ad.so -%_libdir/%name/libsss_ad_common.so %dir %_libexecdir/%name/ %_libexecdir/%name/gpo_child %dir %_datadir/%name/ @@ -620,6 +619,7 @@ rm -f /var/lib/sss/db/*.ldb %_sbindir/sss_useradd %_sbindir/sss_userdel %_sbindir/sss_usermod +%_sbindir/sss_override %dir %_mandir/??/man8/ %_mandir/??/man8/sss_*.8* %_mandir/man8/sss_*.8* From d60438c424796be9b2754039a5313a24a935643e98647a3bd9e9e522a48dd1c9 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 30 Sep 2015 17:16:14 +0000 Subject: [PATCH 2/2] Trim changelog. The attention span of users is an exponentially decreasing curve. OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=161 --- sssd.changes | 211 +++++---------------------------------------------- 1 file changed, 20 insertions(+), 191 deletions(-) diff --git a/sssd.changes b/sssd.changes index bedd0c3..64369e0 100644 --- a/sssd.changes +++ b/sssd.changes 
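Review bot: in the sssd-1.13.1.tar.gz and sssd-1.13.1.tar.gz.asc hunks of PATCH 1/2 a new git-lfs pointer (new sha256 oid, size 4517171) arrives together with a new detached "GnuPG v1" signature, but none of the 6 files listed in the diffstat is a keyring, so this diff alone does not show which key the .asc is meant to verify against. Confirm that the signature verifies against the new tarball with the same key that signed sssd-1.13.0.tar.gz.asc and that the key is available to the source validator; an .asc that cannot be checked adds no assurance beyond the sha256 in the pointer.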
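Review bot: the sssd.changes hunk of PATCH 1/2 carries security-relevant fixes (ticket 1697 "incorrect checks on length values during packet decoding", ticket 2754 "Clear environment and set restrictive umask in p11_child", ticket 2803 "Memory leak / possible DoS with krb auth") without any bsc#/boo# or CVE reference, so anyone auditing the changelog for security updates will not find them by reference. Add the bug references where they exist and, rather than pasting the full upstream "Tickets Fixed" URL list, keep the items that matter for this package; the pasted text also carries upstream typos ("againt", "backed", "soes") that a rewrite would fix.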
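Review bot: the sssd.spec hunks of PATCH 1/2 only bump Version to 1.13.1, drop %_libdir/%name/libsss_ad_common.so and add %_sbindir/sss_override, while the changelog's "Packaging Changes" state that the new Smart Card feature ships a p11_child helper that "needs to be marked as setgid" and requires the NSS crypto library; no %_libexecdir/%name/p11_child entry, %attr or BuildRequires change appears next to the existing %_libexecdir/%name/gpo_child line. Either the helper is not built in this configuration (then the changelog should say so) or the build will stop on unpackaged files, so confirm which before accepting. The new sss_override manpage is already covered by the existing %_mandir/man8/sss_*.8* glob, so no change is needed there.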
@@ -2,197 +2,26 @@ Wed Sep 30 11:44:21 UTC 2015 - michael@stroeder.com - Update to new upstream release 1.13.1 -- libsss_ad_common.so not installed anymore - -== Highlights == - * Initial support for Smart Card authentication was added. The feature - can be activated with the new pam_cert_auth option - * The PAM prompting was enhanced so that when Two-Factor Authentication - is used, both factors (password and token) can be entered separately - on separate prompts. At the same time, only the long-term password is - cached, so offline access would still work using the long term password - * A new command line tool sss_override is present in this release. The - tools allows to override attributes on the SSSD side. It's helpful in - environment where e.g. some hosts need to have a different view of POSIX - attributes than others. Please note that the overrides are stored in - the cache as well, so removing the cache will also remove the overrides - * New methods were added to the SSSD D-Bus interface. Notably support - for looking up a user by certificate and looking up multiple users - using a wildcard was added. Please see the interface introspection or - the design pages for full details - * Several enhancements to the dynamic DNS update code. Notably, clients - that update multiple interfaces work better with this release - * This release supports authenticating againt a KDC proxy - * The fail over code was enhanced so that if a trusted domain is not - reachable, only that domain will be marked as inactive but the backed - would stay in online mode - * Several fixes to the GPO access control code are present - -== Packaging Changes == - * The Smart Card authentication feature requires a helper process - p11_child that needs to be marked as setgid if SSSD needs to be able - to. 
Please note the p11_child requires the NSS crypto library at the moment - * The sss_override tool was added along with its own manpage - * The upstream RPM can now build on RHEL/CentOS 6.7 - -== Documentation Changes == - * The config_file_version configuration option now defaults to 2. As - an effect, this option doesn't have to be set anymore unless the config - file format is changed again by SSSD upstream - * It is now possible to specify a comma-separated list of interfaces in - the dyndns_iface option - * The InfoPipe responder and the LDAP provider gained a new option - wildcard_lookup that specifies an upper limit on the number of entries - that can be returned with a wildcard lookup - * A new option dyndns_server was added. This option allows to attempt - a fallback DNS update against a specific DNS server. Please note this - option only works as a fallback, the first attempt will always be - performed against autodiscovered servers. - * The PAM responder gained a new option ca_db that allows the storage - of trusted CA certificates to be specified - * The time the p11_child is allowed to operate can be specified using - a new option p11_child_timeout - -== Tickets Fixed == - -https://fedorahosted.org/sssd/ticket/546 - [RFE] Support for smart cards -https://fedorahosted.org/sssd/ticket/1697 - sssd: incorrect checks on length values during packet decoding -https://fedorahosted.org/sssd/ticket/1926 - [RFE] Start the dynamic DNS update after the SSSD has been setup for - the first time -https://fedorahosted.org/sssd/ticket/1994 - Complain loudly if backend doesn't start due to missing or invalid keytab -https://fedorahosted.org/sssd/ticket/2275 - nested netgroups do not work in IPA provider -https://fedorahosted.org/sssd/ticket/2283 - test dyndns failed. 
-https://fedorahosted.org/sssd/ticket/2335 - Investigate using the krb5 responder for driving the PAM conversation - with OTPs -https://fedorahosted.org/sssd/ticket/2463 - Pass error messages via the extdom plugin -https://fedorahosted.org/sssd/ticket/2495 - [RFE]Allow sssd to add a new option that would specify which server - to update DNS with -https://fedorahosted.org/sssd/ticket/2549 - RFE: Support multiple interfaces with the dyndns_iface option -https://fedorahosted.org/sssd/ticket/2553 - RFE: Add support for wildcard-based cache updates -https://fedorahosted.org/sssd/ticket/2558 - Add dualstack and multihomed support -https://fedorahosted.org/sssd/ticket/2561 - Too much logging -https://fedorahosted.org/sssd/ticket/2579 - TRACKER: Support one-way trusts for IPA -https://fedorahosted.org/sssd/ticket/2581 - Re-check memcache after acquiring the lock in the client code -https://fedorahosted.org/sssd/ticket/2584 - RFE: Support client-side overrides -https://fedorahosted.org/sssd/ticket/2597 - Add index for 'objectSIDString' and maybe to other cache attributes -https://fedorahosted.org/sssd/ticket/2637 - RFE: Don't mark the main domain as offline if SSSD can't connect to - a subdomain -https://fedorahosted.org/sssd/ticket/2639 - RFE: Detect re-established trusts in the IPA subdomain code -https://fedorahosted.org/sssd/ticket/2652 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled -https://fedorahosted.org/sssd/ticket/2676 - Group members are not turned into ghost entries when the user is purged - from the SSSD cache -https://fedorahosted.org/sssd/ticket/2682 - sudoOrder not honored as expected -https://fedorahosted.org/sssd/ticket/2688 - Default to config_file_version=2 -https://fedorahosted.org/sssd/ticket/2691 - GPO: PAM system error returned for PAM_ACCT_MGMT and offline mode -https://fedorahosted.org/sssd/ticket/2692 - GPO: Access denied due to using wrong sam_account_name -https://fedorahosted.org/sssd/ticket/2694 - CI: Fix ramshackle 
test_ipa_subdomains_server (FAIL: - test_ipa_subdom_server) -https://fedorahosted.org/sssd/ticket/2699 - SSSDConfig: wrong return type returned on python3 -https://fedorahosted.org/sssd/ticket/2700 - krb5_child should always consider online state to allow use of - MS-KKDC proxy -https://fedorahosted.org/sssd/ticket/2708 - Logging messages from user point of view -https://fedorahosted.org/sssd/ticket/2711 - [RFE] Provide interface for SSH to fetch user certificate -https://fedorahosted.org/sssd/ticket/2712 - Initgroups memory cache does not work with fq names -https://fedorahosted.org/sssd/ticket/2716 - Initgroups mmap cache needs update after db changes -https://fedorahosted.org/sssd/ticket/2717 - well-known SID check is broken for NetBIOS prefixes -https://fedorahosted.org/sssd/ticket/2718 - SSSD keytab validation check expects root ownership -https://fedorahosted.org/sssd/ticket/2719 - IPA: returned unknown dp error code with disabled migration mode -https://fedorahosted.org/sssd/ticket/2722 - Missing config options in gentoo init script -https://fedorahosted.org/sssd/ticket/2723 - Could not resolve AD user from root domain -https://fedorahosted.org/sssd/ticket/2724 - getgrgid for user's UID on a trust client prevents getpw* -https://fedorahosted.org/sssd/ticket/2725 - If AD site detection fails, not even ad_site override skipped -https://fedorahosted.org/sssd/ticket/2729 - Do not send SSS_OTP if both factors were entered separately -https://fedorahosted.org/sssd/ticket/2731 - searching SID by ID always checks all domains -https://fedorahosted.org/sssd/ticket/2733 - Don't use deprecated libraries (libsystemd-*) -https://fedorahosted.org/sssd/ticket/2737 - sss_override: add import and export commands -https://fedorahosted.org/sssd/ticket/2738 - Cannot build rpms from upstream spec file on rawhide -https://fedorahosted.org/sssd/ticket/2742 - When certificate is added via user-add-cert, it cannot be looked up - via 
org.freedesktop.sssd.infopipe.Users.FindByCertificate -https://fedorahosted.org/sssd/ticket/2743 - memory cache can work intermittently -https://fedorahosted.org/sssd/ticket/2744 - cleanup_groups should sanitize dn of groups -https://fedorahosted.org/sssd/ticket/2746 - the PAM srv test often fails on RHEL-7 -https://fedorahosted.org/sssd/ticket/2748 - test_memory_cache failed in invalidation cache before stop -https://fedorahosted.org/sssd/ticket/2749 - Fix crash in nss responder -https://fedorahosted.org/sssd/ticket/2754 - Clear environment and set restrictive umask in p11_child -https://fedorahosted.org/sssd/ticket/2757 - sss_override does not work correctly when 'use_fully_qualified_names - = True' -https://fedorahosted.org/sssd/ticket/2758 - sss_override contains an extra parameter --debug but is not listed in - the man page or in the arguments help -https://fedorahosted.org/sssd/ticket/2762 - [RFE] sssd: better feedback form constraint password change -https://fedorahosted.org/sssd/ticket/2768 - Test 'test_id_cleanup_exp_group' failed -https://fedorahosted.org/sssd/ticket/2772 - sssd cannot resolve user names containing backslash with ldap provider -https://fedorahosted.org/sssd/ticket/2773 - Make p11_child timeout configurable -https://fedorahosted.org/sssd/ticket/2777 - Fix memory leak in GPO -https://fedorahosted.org/sssd/ticket/2782 - sss_override : The local override user is not found -https://fedorahosted.org/sssd/ticket/2783 - REGRESSION: Dyndns soes not update reverse DNS records -https://fedorahosted.org/sssd/ticket/2790 - sss_override --name doesn't work with RFC2307 and ghost users -https://fedorahosted.org/sssd/ticket/2799 - unit tests do not link correctly on Debian -https://fedorahosted.org/sssd/ticket/2803 - Memory leak / possible DoS with krb auth. -https://fedorahosted.org/sssd/ticket/2805 - AD: Conditional jump or move depends on uninitialised value +* Initial support for Smart Card authentication was added. 
The + feature can be activated with the new pam_cert_auth option. +* The PAM prompting was enhanced so that when Two-Factor + Authentication is used, both factors (password and token) can + be entered separately on separate prompts. At the same time, + only the long-term password is cached, so offline access would + still work using the long term password. +* A new command line tool sss_override is present in this + release. The tools allows to override attributes on the SSSD + side. It's helpful in environment where e.g. some hosts need to + have a different view of POSIX attributes than others. Please + note that the overrides are stored in the cache as well, so + removing the cache will also remove the overrides. +* Several enhancements to the dynamic DNS update code. Notably, + clients that update multiple interfaces work better with this + release. +* This release supports authenticating againt a KDC proxy +* The fail over code was enhanced so that if a trusted domain is + not reachable, only that domain will be marked as inactive but + the backed would stay in online mode. ------------------------------------------------------------------- Thu Aug 20 08:34:44 UTC 2015 - jengelh@inai.de
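Review bot: the sssd.changes hunk of PATCH 2/2 trims more than the upstream noise: it removes "- libsss_ad_common.so not installed anymore", which was the only changelog mention of the %files removal made in sssd.spec, the packaging note that p11_child must be setgid and needs NSS, and every security-relevant ticket (1697 packet-decoding length checks, 2754 p11_child environment and umask hardening, 2803 memory leak / possible DoS with krb auth). Dropping the "Tickets Fixed" URL list is fine, but keep one line for the spec-visible change and one for the security fixes so they remain findable in the changelog; the retained bullets also keep the upstream typos "againt" and "backed" ("against", "backend"), which could be fixed while the text is being reworded anyway.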