forked from pool/sssd

Compact overly long changelog, wrap to 66 cols as demanded

OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=207
This commit is contained in:
Jan Engelhardt 2018-08-31 11:20:00 +00:00 committed by Git OBS Bridge
parent 77a4f94e77
commit c5d8619327


@ -2,67 +2,37 @@
Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
- Update to upstream release 1.16.3 - Update to upstream release 1.16.3
* New Features:
New Features * kdcinfo files for informing krb5 about discovered KDCs are
now also generated for trusted domains in setups that use
- The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were id_provider=ad and IPA masters in a trust relationship with
discovered for a Kerberos realm used to be only generated for the joined an AD domain.
domain, not the trusted domains. Starting with this release, the kdcinfo files * The Kerberlos locator plugin can now process multiple
are generated automatically also for trusted domains in setups that use address if SSSD generates more than one. A
id_provider=ad and IPA masters in a trust relationship with an AD domain. * Bug fixes:
* Fixed information leak due to incorrect permissions on
- The SSSD Kerberos locator plugin which processes the kdcinfo files and /var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377]
actually tells libkrb5 about the available KDCs can now process multiple * Cached password are now stored with a salt. Old ones will be
address if SSSD generates more than one. At the moment, this feature is only regenerated on next authentication, and the auth server needs
used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8) to be reachable for that.
manual page for more information about the Kerberos locator plugin. * The sss_ssh proces leaked file descriptors when converting
more than one X.509 certificate to an SSH public key.
- On IPA clients, the AD DCs or the AD site which should be used to * The PAC responder is now able to process Domain Local in case
authenticate users can now be listed in a subdomain section. Please see the the PAC uses SID compression (Windows Server 2012+).
feature design page or the section “trusted domains configuration” for more * Address the issue that some versions of OpenSSH would close
details. the pipe towards sss_ssh_authorizedkeys when the matching key
is found before the rest of the output is read.
Notable bug fixes * User lookups no longer fail if user's e-mail address
conflicts with another user's fully qualified name.
- The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read * The override_shell and override_homedir options are no longer
anyone elses sudo rules. This was considered an information leak and applied to entries from the files domain.
assigned CVE-2018-10852 (bsc#1098377) * The grace logins with an expired password when authenticating
- The 1.16.2 release was storing the cached passwords without a salt prefix against certain newer versions of the 389DS/RHDS LDAP server
string. This bug was fixed in this release, but any password hashes generated did not work.
by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is - Removed patches that are included upstream now:
that upgrade from 1.16.2 to 1.16.3 should be done when the authentication 0001-SUDO-Create-the-socket-with-stricter-permissions.patch,
server is reachable so that the first authentication after the upgrade fix the 0002-intg-Do-not-hardcode-nsslibdir.patch,
cached password. 0003-Fix-build-for-1-16-2-version.patch
- The sss_ssh proces leaked file descriptors when converting more than one x509
certificate to SSH public key
- SSSD, when configured with id_provider=ad was using too expensive LDAP search
to find out whether the required POSIX attributes were replicated to the
Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which
is much more effective
- The PAC responder is now able to process Domain Local in case the PAC uses
SID compression. Typicaly this is the case with Windows Server 2012 and newer
- Some versions of OpenSSH would close the pipe towards sss_ssh_authorizedkeys
when the matching key is found before the rest of the output is read. The
sss_ssh_authorizedkeys helper was not handling this behaviour well and would
exit with SIGPIPE, which also meant the public key authentication failed
- User lookups no longer fail if users e-mail address conflicts with another
users fully qualified name
- The override_shell and override_homedir options are no longer applied to
entries from the files domain.
- Several bugs related to the FleetCommander integration were fixed
- The grace logins with an expired password when authenticating against certain
newer versions of the 389DS/RHDS LDAP server did not work
- Whitespace around netgroup triple separator is now stripped
- The sss_ssh_knownhostproxy utility can now print the host key without
proxying the connection.
- Due to an overly restrictive check, the fast in-memory cache was sometimes
skipped, which caused a high load on the sssd_nss process
Removed patches that are included upstream now:
- 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
- 0002-intg-Do-not-hardcode-nsslibdir.patch
- 0003-Fix-build-for-1-16-2-version.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com
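Review bot: the compacted right-hand text carries several typos that should be fixed before this lands: "Kerberlos locator plugin" should read "Kerberos locator plugin", "multiple address" should be "multiple addresses", "Cached password are now stored with a salt" should be "Cached passwords are now stored with a salt", and "sss_ssh proces" should be "sss_ssh process". The locator-plugin bullet also ends in a stray "A" after "more than one.", where the original sentence ("At the moment, this feature is only used on IPA clients") was cut; either finish the sentence or drop the dangling word. The salted-cache bullet lost the detail operators need: the left-hand text says only hashes written by 1.16.2 lack the salt, so something like "Cached passwords are now stored with a salt; hashes written by 1.16.2 are regenerated on the next authentication, which needs the auth server reachable" keeps the upgrade advice actionable. Finally, the compaction drops several upstream items outright (the IPA subdomain AD DC/site option, the cheaper Global Catalog Partial Attribute Set lookup, the FleetCommander fixes, netgroup whitespace stripping, sss_ssh_knownhostproxy printing host keys, and the overly restrictive in-memory cache check that caused high sssd_nss load); shortening is what the commit message asks for, but the sssd_nss load fix and the Global Catalog change are exactly what admins grep the changelog for, so consider keeping one-line entries for those two.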