------------------------------------------------------------------- Thu Jan 31 16:34:47 UTC 2013 - rhafer@suse.com - update to 1.9.4 (bnc#801036): - A security bug assigned CVE-2013-0219 was fixed - TOCTOU race conditions when creating or removing home directories for users in local domain - A security bug assigned CVE-2013-0220 was fixed - out-of-bounds reads in autofs and ssh responder - The sssd_pam responder processes pending requests after reconnect - A serious memory leak in the NSS responder was fixed - Requests that were processing group entries with DNs pointing out of any configured search bases were not terminated correctly, causing long timeouts - Kerberos tickets are correctly renewed even after SSSD daemon restart - Multiple fixes related to SUDO integration, in particular fixing functionality when the sssd back end process was changing its online/offline status - The pwd_exp_warning option was fixed to function as documented in the manual page - refreshed sssd-ldflags.diff to apply cleanly ------------------------------------------------------------------- Mon Dec 10 09:55:35 UTC 2012 - rhafer@suse.com - Removed left-over "Requires" for no longer existing sssd-client subpackage. - New patch: sssd-ldflags.diff to fix link failures due to erroneous LDFLAGS usage ------------------------------------------------------------------- Thu Dec 6 10:38:59 UTC 2012 - rhafer@suse.com - Switch back to using libcrypto instead of mozilla-nss as it seems to be supported upstream again, cf. https://lists.fedorahosted.org/pipermail/sssd-devel/2012-June/010202.html - Cleanup PAM configuration after uninstalling sssd (bnc#788328) ------------------------------------------------------------------- Thu Dec 6 09:05:29 UTC 2012 - jengelh@inai.de - Update to new upstream release 1.9.3 * Many fixes related to deployments where the SSSD is running as a client of IPA server with trust relation established with an Active Directory server * Multiple fixes related to correct reporting of group memberships, especially in setups that use nested groups * Fixed a bug that prevented upgrade from the 1.8 series if the cache contained nested groups before the upgrade * Restarting the responders is more robust for cases where the machine is under heavy load during back end restart * The default_shell option can now be also set per-domain in addition to global setting. ------------------------------------------------------------------- Sat Nov 10 00:27:06 UTC 2012 - jengelh@inai.de - Update to new upstream release 1.9.2 * Users or groups from trusted domains can be retrieved by UID or GID as well * Several fixes that mitigate file descriptor leak during logins * SSH host keys are also removed from the cache after being removed from the server * Fix intermittent crash in responders if the responder was shutting down while requests were still pending * Catch an error condition that might have caused a tight loop in the sssd_nss process while refreshing expired enumeration request * Fixed memory hierarchy of subdomains discovery requests that caused use-after-free access bugs * The krb5_child and ldap_child processes can print libkrb5 tracing information in the debug logs ------------------------------------------------------------------- Wed Jun 27 12:32:05 UTC 2012 - jengelh@inai.de - Update to new upstream release 1.8.93 (1.9.0~beta3) * Add native support for autofs to the IPA provider * Support for id mapping when connecting to Active Directory * Support for handling very large (> 1500 users) groups in Active Directory * Add a new fast in-memory cache to speed up lookups of cached data on repeated requests * Add support for the Kerberos DIR cache for storing multiple TGTs automatically * Add a new PAC responder for dealing with cross-realm Kerberos trusts * Terminate idle connections to the NSS and PAM responders ------------------------------------------------------------------- Thu May 10 04:22:47 UTC 2012 - jengelh@inai.de - Update to new upstream release 1.8.3 * LDAP: Handle situations where the RootDSE is not available anonymously * LDAP: Fix regression for users using non-standard LDAP attributes for user information - Switch from openssl to mozilla-nss, as this is the officially supported crypto integration ------------------------------------------------------------------- Fri Apr 13 13:03:44 PDT 2012 - ben.kevan@gmail.com - Fix build error on SLES 11 builds ------------------------------------------------------------------- Mon Apr 9 21:45:45 PDT 2012 - ben.kevan@gmail.com - Add suse_version condition for glib over libunistring for SLES 11 SP2. - Update to new upstream release 1.8.2 * Fix for GSSAPI binds when the keytab contains unrelated principals * Workarounds added for LDAP servers with unreadable RootDSE ------------------------------------------------------------------- Wed Apr 4 16:13:33 PDT 2012 - ben.kevan@gmail.com - Update to new upstream release 1.8.1 * Resolve issue where we could enter an infinite loop trying to connect to an auth server ------------------------------------------------------------------- Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de - Update to new upstream release 1.8.0 * Support for the service map in NSS * Support for setting default SELinux user context from FreeIPA * Support for retrieving SSH user and host keys from LDAP * Support for caching autofs LDAP requests * Support for caching SUDO rules * Include the IPA AutoFS provider * Fixed several memory-corruption bugs * Fixed a regression in the proxy provider ------------------------------------------------------------------- Wed Oct 19 13:56:57 UTC 2011 - rhafer@suse.de - Fixed systemd related packaging issues (bnc#724157) - fixed build on older openSUSE releases ------------------------------------------------------------------- Mon Sep 19 17:07:24 UTC 2011 - jengelh@medozas.de - Resolve "have choice for libnl-devel: libnl-1_1-devel libnl3-devel" ------------------------------------------------------------------- Tue Aug 2 08:46:53 UTC 2011 - rhafer@suse.de - Fixed typos in configure args - Cherry-picked password policy fixes from 1.5 branch (bnc#705768) - switched to fd-leak fix cherry-picked from 1.5 branch - Add /usr/sbin to the search path to make configure find nscd (bnc#709747) ------------------------------------------------------------------- Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de - Add patches to fix an fd leak in sssd_pam ------------------------------------------------------------------- Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de - Update to new upstream release 1.5.11 * Support for overriding home directory, shell and primary GID locally * Properly honor TTL values from SRV record lookups * Support non-POSIX groups in nested group chains (for RFC2307bis LDAP servers) * Properly escape IPv6 addresses in the failover code * Do not crash if inotify fails (e.g. resource exhaustion) - Remove redundant %clean section; delete .la files more efficiently ------------------------------------------------------------------- Tue Jun 7 08:59:04 UTC 2011 - rhafer@suse.de - Update to 1.5.8: * Support for the LDAP paging control * Support for multiple DNS servers for name resolution * Fixes for several group membership bugs * Fixes for rare crash bugs ------------------------------------------------------------------- Wed May 4 09:22:20 UTC 2011 - rhafer@suse.de - Update to 1.5.7 * A flaw was found in the handling of cached passwords when kerberos renewal tickets is enabled. Due to a bug, the cached password was overwritten with a (moderately) predictable filename, which could allow a user to authenticate as someone else if they knew the name of the cache file (bnc#691135, CVE-2011-1758) - Changes in 1.5.6: * Fixed a serious memory leak in the memberOf plugin * Fixed a regression with the negative cache that caused it to be essentially nonfunctional * Fixed an issue where the user's full name would sometimes be removed from the cache * Fixed an issue with password changes in the kerberos provider not working with kpasswd ------------------------------------------------------------------- Thu Apr 14 11:31:38 UTC 2011 - rhafer@suse.de - Update to 1.5.5 * Fixes for several crash bugs * LDAP group lookups will no longer abort if there is a zero-length member attribute * Add automatic fallback to 'cn' if the 'gecos' attribute does not exist ------------------------------------------------------------------- Wed Mar 30 09:47:23 UTC 2011 - rhafer@suse.de - Should build in SLE-11-SP1 now ------------------------------------------------------------------- Tue Mar 29 13:23:57 UTC 2011 - rhafer@suse.de - Updated to 1.5.4 * Fixes for Active Directory when not all users and groups have POSIX attributes * Fixes for handling users and groups that have name aliases (aliases are ignored) * Fix group memberships after initgroups in the IPA provider ------------------------------------------------------------------- Thu Mar 24 15:42:02 UTC 2011 - rhafer@suse.de - Updated to 1.5.3 * Support for libldb >= 1.0.0 * Proper detection of manpage translations * Changes between 1.5.1 and 1.5.2 * Fixes for support of FreeIPA v2 * Fixes for failover if DNS entries change * Improved sss_obfuscate tool with better interactive mode * Fix several crash bugs * Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this * Delete users from the local cache if initgroups calls return 'no such user' (previously only worked for getpwnam/getpwuid) * Use new Transifex.net translations * Better support for automatic TGT renewal (now survives restart) * Netgroup fixes ------------------------------------------------------------------- Tue Mar 8 13:22:58 UTC 2011 - rhafer@suse.de - Updated to 1.5.1 * Vast performance improvements when enumerate = true * All PAM actions will now perform a forced initgroups lookup instead of just a user information lookup This guarantees that all group information is available to other providers, such as the simple provider. * For backwards-compatibility, DNS lookups will also fall back to trying the SSSD domain name as a DNS discovery domain. * Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory * Support for ldap_tls_{cert,key,cipher_suite} config options * Assorted bugfixes ------------------------------------------------------------------- Wed Jan 19 09:32:35 UTC 2011 - rhafer@suse.de - /var/lib/sss/pubconf was missing (bnc#665442) ------------------------------------------------------------------- Tue Jan 18 09:08:35 UTC 2011 - rhafer@suse.de - It was possible to make sssd hang forever inside a loop in the PAM responder by sending a carefully crafted packet to sssd. This could be exploited by a local attacker to crash sssd and prevent other legitimate users from logging into the system. (bnc#660481, CVE-2010-4341) ------------------------------------------------------------------- Sun Dec 19 13:37:32 UTC 2010 - aj@suse.de - Own /etc/systemd directories to fix build. ------------------------------------------------------------------- Thu Nov 25 16:30:40 UTC 2010 - rhafer@novell.com - install systemd service file ------------------------------------------------------------------- Tue Nov 16 11:06:02 UTC 2010 - rhafer@novell.com - Updated to 1.4.1 * Add support for netgroups to the LDAP and proxy providers * Fixes a minor bug with UIDs/GIDs >= 2^31 * Fixes a segfault in the kerberos provider * Fixes a segfault in the NSS responder if a data provider crashes * Correctly use sdap_netgroup_search_base * the utility libraries libpath_utils1, libpath_utils-devel, libref_array1 and libref_array-devel moved to their own separate upstream project (ding-libs) * Performance improvements made to group processing of RFC2307 LDAP servers * Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin * Manpage reviewed and updated ------------------------------------------------------------------- Mon Sep 13 12:23:47 UTC 2010 - coolo@novell.com - remove hard coded python version ------------------------------------------------------------------- Fri Sep 3 13:17:48 UTC 2010 - rhafer@novell.com - No dependencies on %{release} ------------------------------------------------------------------- Mon Aug 30 12:57:47 UTC 2010 - rhafer@novell.com - Updated to 1.3.1 * Fixes to the HBAC backend for obsolete or removed HBAC entries * Improvements to log messages around TLS and GSSAPI for LDAP * Support for building in environments using --as-needed LDFLAGS * Vast performance improvement for initgroups on RFC2307 LDAP servers * Long-running SSSD clients (e.g. GDM) will now reconnect properly to the daemon if SSSD is restarted * Rewrote the internal LDB cache API. As a synchronous API it is now faster to access and easier to work with * Eugene Indenbom contributed a sizeable amount of code to the LDAP provider - We now handle failover situations much more reliably than we did previously - We also will now monitor the GSSAPI kerberos ticket and automatically renew it when appropriate, instead of waiting for a connection to fail * Support for netlink now allows us to more quickly detect situations where we may have come online * New option "dns_discovery_domain" allows better configuration for using SRV records for failover - New subpackages: libpath_utils1, libpath_utils-devel, libref_array1 and libref_array-devel ------------------------------------------------------------------- Wed Mar 31 14:02:43 UTC 2010 - rhafer@novell.com - Package pam- and nss-Modules as baselibs - cleaned up file list and dependencies - fixed init script dependencies ------------------------------------------------------------------- Wed Mar 31 07:57:25 UTC 2010 - rhafer@novell.com - Updated to 1.1.0 * Support for IPv6 * Support for LDAP referrals * Offline failed login counter * Fix for the long-standing cache cleanup performance issues * libini_config, libcollection, libdhash, libref_array and libpath_utils are now built as shared libraries for general consumption (libref_array and libpath_utils are currently not packaged, as no component in sssd links against them) * Users get feedback from PAM if they authenticated offline * Native local backend now has a utility to show nested memberships (sss_groupshow) * New "simple" access provider for easy restriction of users - Backported libcrypto support from master to avoid Mozilla NSS dependency - Backported password policy improvments for LDAP provider from master ------------------------------------------------------------------- Mon Mar 8 14:06:29 UTC 2010 - rhafer@novell.com - use logfiles for debug messages by default ------------------------------------------------------------------- Fri Mar 5 12:57:25 UTC 2010 - rhafer@novell.com - subpackages for commandline tools, ipa-provider plugin and python API ------------------------------------------------------------------- Fri Feb 26 14:48:50 UTC 2010 - rhafer@novell.com - Updated to 1.0.5. Highlights: * Removed some dead code (libreplace * Clarify licenses throughout the code ------------------------------------------------------------------- Thu Feb 4 17:04:01 UTC 2010 - rhafer@novell.com - Updated to 1.0.4 ------------------------------------------------------------------- Thu Oct 8 15:10:47 UTC 2009 - rhafer@novell.com - Update to 0.6.0 ------------------------------------------------------------------- Fri Sep 4 08:59:21 UTC 2009 - rhafer@novell.com - fix LDAP filter for initgroups() with rfc2307bis setups ------------------------------------------------------------------- Tue Sep 1 08:58:37 UTC 2009 - rhafer@novell.com - initial package submission