forked from jengelh/sssd
Compact overly long changelog, wrap to 66 cols as demanded
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=207
This commit is contained in:
parent
77a4f94e77
commit
c5d8619327
92
sssd.changes
92
sssd.changes
@ -2,67 +2,37 @@
|
|||||||
Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
|
Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
|
||||||
|
|
||||||
- Update to upstream release 1.16.3
|
- Update to upstream release 1.16.3
|
||||||
|
* New Features:
|
||||||
New Features
|
* kdcinfo files for informing krb5 about discovered KDCs are
|
||||||
|
now also generated for trusted domains in setups that use
|
||||||
- The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were
|
id_provider=ad and IPA masters in a trust relationship with
|
||||||
discovered for a Kerberos realm used to be only generated for the joined
|
an AD domain.
|
||||||
domain, not the trusted domains. Starting with this release, the kdcinfo files
|
* The Kerberlos locator plugin can now process multiple
|
||||||
are generated automatically also for trusted domains in setups that use
|
address if SSSD generates more than one. A
|
||||||
id_provider=ad and IPA masters in a trust relationship with an AD domain.
|
* Bug fixes:
|
||||||
|
* Fixed information leak due to incorrect permissions on
|
||||||
- The SSSD Kerberos locator plugin which processes the kdcinfo files and
|
/var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377]
|
||||||
actually tells libkrb5 about the available KDCs can now process multiple
|
* Cached password are now stored with a salt. Old ones will be
|
||||||
address if SSSD generates more than one. At the moment, this feature is only
|
regenerated on next authentication, and the auth server needs
|
||||||
used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8)
|
to be reachable for that.
|
||||||
manual page for more information about the Kerberos locator plugin.
|
* The sss_ssh proces leaked file descriptors when converting
|
||||||
|
more than one X.509 certificate to an SSH public key.
|
||||||
- On IPA clients, the AD DCs or the AD site which should be used to
|
* The PAC responder is now able to process Domain Local in case
|
||||||
authenticate users can now be listed in a subdomain section. Please see the
|
the PAC uses SID compression (Windows Server 2012+).
|
||||||
feature design page or the section “trusted domains configuration” for more
|
* Address the issue that some versions of OpenSSH would close
|
||||||
details.
|
the pipe towards sss_ssh_authorizedkeys when the matching key
|
||||||
|
is found before the rest of the output is read.
|
||||||
Notable bug fixes
|
* User lookups no longer fail if user's e-mail address
|
||||||
|
conflicts with another user's fully qualified name.
|
||||||
- The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read
|
* The override_shell and override_homedir options are no longer
|
||||||
anyone else’s sudo rules. This was considered an information leak and
|
applied to entries from the files domain.
|
||||||
assigned CVE-2018-10852 (bsc#1098377)
|
* The grace logins with an expired password when authenticating
|
||||||
- The 1.16.2 release was storing the cached passwords without a salt prefix
|
against certain newer versions of the 389DS/RHDS LDAP server
|
||||||
string. This bug was fixed in this release, but any password hashes generated
|
did not work.
|
||||||
by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is
|
- Removed patches that are included upstream now:
|
||||||
that upgrade from 1.16.2 to 1.16.3 should be done when the authentication
|
0001-SUDO-Create-the-socket-with-stricter-permissions.patch,
|
||||||
server is reachable so that the first authentication after the upgrade fix the
|
0002-intg-Do-not-hardcode-nsslibdir.patch,
|
||||||
cached password.
|
0003-Fix-build-for-1-16-2-version.patch
|
||||||
- The sss_ssh proces leaked file descriptors when converting more than one x509
|
|
||||||
certificate to SSH public key
|
|
||||||
- SSSD, when configured with id_provider=ad was using too expensive LDAP search
|
|
||||||
to find out whether the required POSIX attributes were replicated to the
|
|
||||||
Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which
|
|
||||||
is much more effective
|
|
||||||
- The PAC responder is now able to process Domain Local in case the PAC uses
|
|
||||||
SID compression. Typicaly this is the case with Windows Server 2012 and newer
|
|
||||||
- Some versions of OpenSSH would close the pipe towards sss_ssh_authorizedkeys
|
|
||||||
when the matching key is found before the rest of the output is read. The
|
|
||||||
sss_ssh_authorizedkeys helper was not handling this behaviour well and would
|
|
||||||
exit with SIGPIPE, which also meant the public key authentication failed
|
|
||||||
- User lookups no longer fail if user’s e-mail address conflicts with another
|
|
||||||
user’s fully qualified name
|
|
||||||
- The override_shell and override_homedir options are no longer applied to
|
|
||||||
entries from the files domain.
|
|
||||||
- Several bugs related to the FleetCommander integration were fixed
|
|
||||||
- The grace logins with an expired password when authenticating against certain
|
|
||||||
newer versions of the 389DS/RHDS LDAP server did not work
|
|
||||||
- Whitespace around netgroup triple separator is now stripped
|
|
||||||
- The sss_ssh_knownhostproxy utility can now print the host key without
|
|
||||||
proxying the connection.
|
|
||||||
- Due to an overly restrictive check, the fast in-memory cache was sometimes
|
|
||||||
skipped, which caused a high load on the sssd_nss process
|
|
||||||
|
|
||||||
Removed patches that are included upstream now:
|
|
||||||
|
|
||||||
- 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
|
|
||||||
- 0002-intg-Do-not-hardcode-nsslibdir.patch
|
|
||||||
- 0003-Fix-build-for-1-16-2-version.patch
|
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com
|
Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com
|
||||||
|
Loading…
Reference in New Issue
Block a user