diff --git a/sssd.changes b/sssd.changes index 2ddc347..102ddc1 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -2,67 +2,37 @@ Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com - Update to upstream release 1.16.3 - -New Features - -- The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were - discovered for a Kerberos realm used to be only generated for the joined - domain, not the trusted domains. Starting with this release, the kdcinfo files - are generated automatically also for trusted domains in setups that use - id_provider=ad and IPA masters in a trust relationship with an AD domain. - -- The SSSD Kerberos locator plugin which processes the kdcinfo files and - actually tells libkrb5 about the available KDCs can now process multiple - address if SSSD generates more than one. At the moment, this feature is only - used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8) - manual page for more information about the Kerberos locator plugin. - -- On IPA clients, the AD DCs or the AD site which should be used to - authenticate users can now be listed in a subdomain section. Please see the - feature design page or the section “trusted domains configuration” for more - details. - -Notable bug fixes - -- The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read - anyone else’s sudo rules. This was considered an information leak and - assigned CVE-2018-10852 (bsc#1098377) -- The 1.16.2 release was storing the cached passwords without a salt prefix - string. This bug was fixed in this release, but any password hashes generated - by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is - that upgrade from 1.16.2 to 1.16.3 should be done when the authentication - server is reachable so that the first authentication after the upgrade fix the - cached password. 
-- The sss_ssh proces leaked file descriptors when converting more than one x509 - certificate to SSH public key -- SSSD, when configured with id_provider=ad was using too expensive LDAP search - to find out whether the required POSIX attributes were replicated to the - Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which - is much more effective -- The PAC responder is now able to process Domain Local in case the PAC uses - SID compression. Typicaly this is the case with Windows Server 2012 and newer -- Some versions of OpenSSH would close the pipe towards sss_ssh_authorizedkeys - when the matching key is found before the rest of the output is read. The - sss_ssh_authorizedkeys helper was not handling this behaviour well and would - exit with SIGPIPE, which also meant the public key authentication failed -- User lookups no longer fail if user’s e-mail address conflicts with another - user’s fully qualified name -- The override_shell and override_homedir options are no longer applied to - entries from the files domain. -- Several bugs related to the FleetCommander integration were fixed -- The grace logins with an expired password when authenticating against certain - newer versions of the 389DS/RHDS LDAP server did not work -- Whitespace around netgroup triple separator is now stripped -- The sss_ssh_knownhostproxy utility can now print the host key without - proxying the connection. -- Due to an overly restrictive check, the fast in-memory cache was sometimes - skipped, which caused a high load on the sssd_nss process - -Removed patches that are included upstream now: - -- 0001-SUDO-Create-the-socket-with-stricter-permissions.patch -- 0002-intg-Do-not-hardcode-nsslibdir.patch -- 0003-Fix-build-for-1-16-2-version.patch + * New Features: + * kdcinfo files for informing krb5 about discovered KDCs are + now also generated for trusted domains in setups that use + id_provider=ad and IPA masters in a trust relationship with + an AD domain. 
+ * The Kerberlos locator plugin can now process multiple + address if SSSD generates more than one. A + * Bug fixes: + * Fixed information leak due to incorrect permissions on + /var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377] + * Cached password are now stored with a salt. Old ones will be + regenerated on next authentication, and the auth server needs + to be reachable for that. + * The sss_ssh proces leaked file descriptors when converting + more than one X.509 certificate to an SSH public key. + * The PAC responder is now able to process Domain Local in case + the PAC uses SID compression (Windows Server 2012+). + * Address the issue that some versions of OpenSSH would close + the pipe towards sss_ssh_authorizedkeys when the matching key + is found before the rest of the output is read. + * User lookups no longer fail if user's e-mail address + conflicts with another user's fully qualified name. + * The override_shell and override_homedir options are no longer + applied to entries from the files domain. + * The grace logins with an expired password when authenticating + against certain newer versions of the 389DS/RHDS LDAP server + did not work. +- Removed patches that are included upstream now: + 0001-SUDO-Create-the-socket-with-stricter-permissions.patch, + 0002-intg-Do-not-hardcode-nsslibdir.patch, + 0003-Fix-build-for-1-16-2-version.patch ------------------------------------------------------------------- Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com
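Review bot: the new "Kerberlos locator plugin" bullet in this hunk is left unfinished, with a stray "A" after "if SSSD generates more than one." and a misspelled product name; it should read "* The Kerberos locator plugin can now process multiple addresses if SSSD generates more than one." Two more typos in the added lines: "Cached password are now stored with a salt" should be "Cached passwords are now stored with a salt", and "The sss_ssh proces leaked file descriptors" should be "process" (this one is copied over from the removed upstream text rather than fixed). Separately, the condensed entry silently drops several upstream items that were in the removed block: the IPA subdomain section for listing AD DCs or an AD site, the Global Catalog lookup now using the Partial Attribute Set, the FleetCommander fixes, whitespace stripping around the netgroup triple separator, sss_ssh_knownhostproxy printing the host key without proxying, and the fast in-memory cache being skipped on sssd_nss. Dropping them is fine for a distro changelog, but since the 1.16.2-to-1.16.3 password-hash incompatibility is the one operators must act on, consider keeping the original wording that the hashes generated by 1.16.2 are incompatible with 1.16.3 and that the first authentication after the upgrade refreshes the cached password, rather than the weaker "Old ones will be regenerated on next authentication"; a one-line pointer to the upstream release notes would cover the rest.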