SHA256
1
0
forked from jengelh/sssd

Accepting request 536521 from network:ldap

- Update to new upstream release 1.16.0

OBS-URL: https://build.opensuse.org/request/show/536521
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=84
This commit is contained in:
Dominique Leuenberger 2017-10-27 11:47:11 +00:00 committed by Git OBS Bridge
commit 348391ee50
6 changed files with 122 additions and 13 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4cd5fcb314d77a58029a216b7e6001c6cb41c5b784cf570c5761c97d1c12d264
size 5248134

View File

@ -1,6 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iEYEABECAAYFAljJcscACgkQHsardTLnvCVCdwCgj0g3CSbz/gIS37W553d0QI7i
waoAnRN8+lQjwHQS+76q5nz2eSdRLnIG
=4tQo
-----END PGP SIGNATURE-----

3
sssd-1.16.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c581a6e5365cef87fca419c0c9563cf15eadbb682863d648d85ffcded7a3940f
size 5899127

6
sssd-1.16.0.tar.gz.asc Normal file
View File

@ -0,0 +1,6 @@
-----BEGIN PGP SIGNATURE-----
iEYEABECAAYFAlnqDFQACgkQHsardTLnvCU79wCg3b6eA8KEVLV8WECtUpTuFOb4
WtAAoIQpjJYhg/z0wNqa2wh5v7CLpZdP
=MMlI
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,73 @@
-------------------------------------------------------------------
Mon Oct 23 16:31:54 UTC 2017 - michael@stroeder.com
- Update to new upstream release 1.16.0
Security fixes
* This release fixes CVE-2017-12173: Unsanitized input when searching in
local cache database. SSSD stores its cached data in an LDAP like local
database file using libldb. To lookup cached data LDAP search filters
like (objectClass=user)(name=user_name) are used. However, in
sysdb_search_user_by_upn_res(), the input was not sanitized and
allowed to manipulate the search filter for cache lookups. This would
allow a logged in user to discover the password hash of a different user.
New Features
* SSSD now supports session recording configuration through tlog. This
feature enables recording of everything specific users see or type
during their sessions on a text terminal. For more information, see
the sssd-session-recording(5) manual page.
* SSSD can act as a client agent to deliver
Fleet Commander <https://wiki.gnome.org/Projects/FleetCommander>
policies defined on an IPA server. Fleet Commander provides a
configuration management interface that is controlled centrally and
that covers desktop, applications and network configuration.
* Several new systemtap <https://sourceware.org/systemtap/> probes
were added into various locations in SSSD code to assist in
troubleshooting and analyzing performance related issues. Please see the
sssd-systemtap(5) manual page for more information.
* A new LDAP provide access control mechanism that allows to restrict
access based on PAM's rhost data field was added. For more details,
please consult the sssd-ldap(5) manual page, in particular the
options ldap_user_authorized_rhost and the rhost value of
ldap_access_filter.
-------------------------------------------------------------------
Tue Jul 25 15:46:23 UTC 2017 - michael@stroeder.com
- Update to new upstream release 1.15.3 (KCM disabled)
New Features
* In a setup where an IPA domain trusts an Active Directory domain,
it is now possible to define the domain resolution order
(see http://www.freeipa.org/page/Releases/4.5.0#AD_User_Short_Names).
* Design page - Shortnames in trusted domains <https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html>
* SSSD ships with a new service called KCM. This service acts as a
storage for Kerberos tickets when "libkrb5" is configured to use
"KCM:" in "krb5.conf".
* Design page - KCM server for SSSD <https://docs.pagure.org/SSSD.sssd/design_pages/kcm.html>
* NOTE: There are several known issues in the "KCM" responder that
will be handled in the next release.
* Support for user and group resolution through the D-Bus interface and
authentication and/or authorization through the PAM interface even
for setups without UIDs or Windows SIDs present on the LDAP directory
side. This enhancement allows SSSD to be used together with apache
modules <https://github.com/adelton/mod_lookup_identity> to provide
identities for applications
* Design page - Support for non-POSIX users and groups <https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html>
* SSSD ships a new public library called "libsss_certmap" that allows
a flexible and configurable way of mapping a certificate to a user
identity.
* Design page - Matching and Mapping Certificates <https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certificates.html>
* The Kerberos locator plugin can be disabled using an environment variable
"SSSD_KRB5_LOCATOR_DISABLE". Please refer to the
"sssd_krb5_locator_plugin" manual page for mode details.
* The "sssctl" command line tool supports a new command "user-checks"
that enables the administrator to check whether a certain user should be
allowed or denied access to a certain PAM service.
* The "secrets" responder now forwards requests to a proxy Custodia
back end over a secure channel.
-------------------------------------------------------------------
Thu Mar 16 13:32:12 UTC 2017 - hguo@suse.com

View File

@ -17,7 +17,7 @@
Name: sssd
Version: 1.15.2
Version: 1.16.0
Release: 0
Summary: System Security Services Daemon
License: GPL-3.0+ and LGPL-3.0+
@ -30,7 +30,7 @@ Source2: http://releases.pagure.org/SSSD/sssd/%name-%version.tar.gz.asc
Source3: baselibs.conf
Source4: sssd.service
Source5: %name.keyring
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRoot: %_tmppath/%name-%version-build
%define servicename sssd
%define sssdstatedir %_localstatedir/lib/sss
@ -214,6 +214,23 @@ Group: System/Libraries
The idmap_sss module provides a way for Winbind to call SSSD to map
UIDs/GIDs and SIDs.
%package -n libsss_certmap0
Summary: FreeIPA ID mapping library
License: LGPL-3.0+
Group: System/Libraries
%description -n libsss_certmap0
A utility library for FreeIPA to map certs.
%package -n libsss_certmap-devel
Summary: Development files for the FreeIPA certmap library
License: LGPL-3.0+
Group: Development/Libraries/C and C++
Requires: libsss_certmap0 = %version
%description -n libsss_certmap-devel
A utility library for FreeIPA to map certs.
%package -n libipa_hbac0
Summary: FreeIPA HBAC Evaluator library
License: LGPL-3.0+
@ -409,6 +426,7 @@ export LDFLAGS="-pie"
--with-os=suse \
--with-semanage=no \
--disable-ldb-version-check \
--without-kcm \
--without-secrets
make %{?_smp_mflags} all
@ -487,14 +505,25 @@ rm -f /var/lib/sss/db/*.ldb
%_mandir/??/man1/sss_ssh_*
%_mandir/??/man5/sssd-simple.5*
%_mandir/??/man5/sssd-sudo.5*
%_mandir/??/man5/sssd.conf.5*
#%_mandir/??/man5/sssd.conf.5*
%_mandir/??/man8/sssd.8*
%_mandir/??/man5/sss-certmap.5.gz
%_mandir/??/man5/sssd-ad.5.gz
%_mandir/??/man5/sssd-files.5.gz
%_mandir/??/man5/sssd-secrets.5.gz
%_mandir/??/man5/sssd.conf.5.gz
%_mandir/??/man8/idmap_sss.8.gz
%_mandir/??/man8/sssctl.8.gz
%_mandir/??/man8/sssd-kcm.8.gz
%_mandir/??/man5/sssd-simple.5*
%_mandir/man1/sss_ssh_*
%_mandir/man8/sssctl.8*
%_mandir/man5/sssd-files.5*
%_mandir/man5/sssd-simple.5*
%_mandir/man5/sssd-sudo.5*
%_mandir/man5/sssd.conf.5*
%_mandir/man5/sss-certmap.5.gz
%_mandir/man5/sssd-session-recording.5.gz
%_mandir/man8/sssd.8*
%dir %_libdir/%name/
%_libdir/%name/conf/
@ -643,7 +672,6 @@ rm -f /var/lib/sss/db/*.ldb
%_sbindir/sss_useradd
%_sbindir/sss_userdel
%_sbindir/sss_usermod
%_sbindir/sss_override
%dir %_mandir/??/man8/
%_mandir/??/man8/sss_*.8*
%_mandir/man8/sss_*.8*
@ -678,6 +706,17 @@ rm -f /var/lib/sss/db/*.ldb
%_libdir/libipa_hbac.so
%_libdir/pkgconfig/ipa_hbac.pc
%files -n libsss_certmap0
%defattr(-,root,root)
%_libdir/libsss_certmap.so
%_libdir/libsss_certmap.so.0*
%files -n libsss_certmap-devel
%defattr(-,root,root)
%_includedir/sss_certmap.h
%_libdir/libsss_certmap.so
%_libdir/pkgconfig/sss_certmap.pc
%files -n libnfsidmap-sss
%defattr(-,root,root)
%_libdir/libnfsidmap/