------------------------------------------------------------------- Fri Feb 20 16:31:37 CET 2015 - lchiquitto@suse.de - bsc#918677 libsss_idmap-devel unsolvable dependency on libsss_idmap: require libsss_idmap0 instead. ------------------------------------------------------------------- Tue Jan 6 07:52:28 UTC 2015 - varkoly@suse.com - bnc#902731 sssd_be[3734]: segfault at 8 ip 0000000000410656 sp 00007fff486952a0 error 4 in sssd_be[400000+87000] - bnc#903830 - SSSD inconsistent results - bnc#890242 After installing sssd-tools the sss_obfuscate command does not work. ------------------------------------------------------------------- Wed Mar 20 09:51:09 UTC 2013 - rhafer@suse.com - Fixed security issue: CVE-2013-0287 (bnc#809153): When SSSD is configured as an Active Directory client by using the new Active Directory provider or equivalent configuration of the LDAP provider, the Simple Access Provider does not handle access control correctly. If any groups are specified with the simple_deny_groups option, the group members are permitted access. New patches: 0002-Provide-a-be_get_account_info_send-function.patch 0003-Add-unit-tests-for-simple-access-test-by-groups.patch 0004-Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch 0005-Resolve-GIDs-in-the-simple-access-provider.patch ------------------------------------------------------------------- Tue Jan 29 15:18:18 UTC 2013 - rhafer@suse.com - update to 1.9.4 (bnc#801036): - A security bug assigned CVE-2013-0219 was fixed - TOCTOU race conditions when creating or removing home directories for users in local domain - A security bug assigned CVE-2013-0220 was fixed - out-of-bounds reads in autofs and ssh responder - The sssd_pam responder processes pending requests after reconnect - A serious memory leak in the NSS responder was fixed - Requests that were processing group entries with DNs pointing out of any configured search bases were not terminated correctly, causing long timeouts - Kerberos tickets are correctly renewed even after SSSD daemon restart - Multiple fixes related to SUDO integration, in particular fixing functionality when the sssd back end process was changing its online/offline status - The pwd_exp_warning option was fixed to function as documented in the manual page ------------------------------------------------------------------- Thu Dec 6 12:17:22 UTC 2012 - rhafer@suse.com - pam-config is required for %postun not %post (bnc#788328) ------------------------------------------------------------------- Wed Dec 5 15:41:55 UTC 2012 - rhafer@suse.com - Using libcrypto instead of mozilla-nss (bnc#792952) - cleanup PAM configuration after uninstalling sssd (bnc#788328) ------------------------------------------------------------------- Tue Nov 20 15:16:08 UTC 2012 - rhafer@suse.com - Update to 1.9.2: * Add a new fast in-memory cache to speed up lookups of cached data on repeated requests * Add support for the Kerberos DIR cache for storing multiple TGTs automatically * SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules * The SSSD supports the concept of a Primary Server and a Back Up Server. If the SSSD switches to a back up server because a primary server is not available, it would later try to re-establish a connection to the primary server. Add native support for autofs to the IPA provider * A new command-line tool sss_seed is available. This tool is able to prime the internal cache with a user record and a cached password to support the scenario when a user needs to log in to the client before the network connection to the centralized identity source is established, such as the first log in to a new machine. * A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Enabled sudo support (fate#314543) - Change default for ldap_deref_threshold to 0, so the use of the LDAP Derefencing Control is disable by default. The upstream default cause trouble with many OpenLDAP installations (Patch: 0001-Set-ldap_deref_threshold-to-0-by-default.dif, bnc#789001, See also: https://fedorahosted.org/sssd/ticket/1660) ------------------------------------------------------------------- Fri Aug 5 08:07:31 UTC 2011 - rhafer@suse.de - Aligned password policy fixes with recent upstream changes (bnc#705768) - Reset the LDAP socket's O_NONBLOCK flags before passing it to libldap (bnc#709237) ------------------------------------------------------------------- Tue Aug 2 09:23:24 UTC 2011 - rhafer@suse.de - Fixed typos in configure args - Cherry-picked password policy fixes from 1.5 branch (bnc#705768) - Plugged descriptor leak in sssd_pam (bnc#709748) - Add /usr/sbin to the search path to make configure find nscd (bnc#709747) ------------------------------------------------------------------- Tue Jul 12 13:52:31 UTC 2011 - rhafer@suse.de - Update to 1.5.11 * Fix a serious regression that prevented SSSD from working with ldaps:// URIs * IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 address being saved to the AAAA record. - Important changes in 1.5.10 * Fixed a regression introduced in 1.5.9 that could result in blocking calls to LDAP - Important changes in 1.5.9 * fixed possible crash when OpenLDAP with ppolicy is used on the server side (bnc#705172) * Properly escape IPv6 addresses in the failover code * Do not crash if inotify fails (e.g. resource exhaustion) * Don't add multiple TGT renewal callbacks (too many log messages) * Use name based URI instead of IP address based URIs * Use ldap_init_fd() instead of ldap_initialize() if available ------------------------------------------------------------------- Fri Jun 17 11:23:55 UTC 2011 - rhafer@suse.de - initial submission for SLE-11-SP2 (fate#310820, fate#308902) ------------------------------------------------------------------- Thu Jun 16 17:04:10 UTC 2011 - rhafer@suse.de - Update to 1.5.8: * Support for the LDAP paging control * Support for multiple DNS servers for name resolution * Fixes for several group membership bugs * Fixes for rare crash bugs - don't install systemd related files ------------------------------------------------------------------- Wed May 4 09:22:20 UTC 2011 - rhafer@suse.de - Update to 1.5.7 * A flaw was found in the handling of cached passwords when kerberos renewal tickets is enabled. Due to a bug, the cached password was overwritten with a (moderately) predictable filename, which could allow a user to authenticate as someone else if they knew the name of the cache file (bnc#691135, CVE-2011-1758) - Changes in 1.5.6: * Fixed a serious memory leak in the memberOf plugin * Fixed a regression with the negative cache that caused it to be essentially nonfunctional * Fixed an issue where the user's full name would sometimes be removed from the cache * Fixed an issue with password changes in the kerberos provider not working with kpasswd ------------------------------------------------------------------- Thu Apr 14 11:31:38 UTC 2011 - rhafer@suse.de - Update to 1.5.5 * Fixes for several crash bugs * LDAP group lookups will no longer abort if there is a zero-length member attribute * Add automatic fallback to 'cn' if the 'gecos' attribute does not exist ------------------------------------------------------------------- Wed Mar 30 09:47:23 UTC 2011 - rhafer@suse.de - Should build in SLE-11-SP1 now ------------------------------------------------------------------- Tue Mar 29 13:23:57 UTC 2011 - rhafer@suse.de - Updated to 1.5.4 * Fixes for Active Directory when not all users and groups have POSIX attributes * Fixes for handling users and groups that have name aliases (aliases are ignored) * Fix group memberships after initgroups in the IPA provider ------------------------------------------------------------------- Thu Mar 24 15:42:02 UTC 2011 - rhafer@suse.de - Updated to 1.5.3 * Support for libldb >= 1.0.0 * Proper detection of manpage translations * Changes between 1.5.1 and 1.5.2 * Fixes for support of FreeIPA v2 * Fixes for failover if DNS entries change * Improved sss_obfuscate tool with better interactive mode * Fix several crash bugs * Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this * Delete users from the local cache if initgroups calls return 'no such user' (previously only worked for getpwnam/getpwuid) * Use new Transifex.net translations * Better support for automatic TGT renewal (now survives restart) * Netgroup fixes ------------------------------------------------------------------- Tue Mar 8 13:22:58 UTC 2011 - rhafer@suse.de - Updated to 1.5.1 * Vast performance improvements when enumerate = true * All PAM actions will now perform a forced initgroups lookup instead of just a user information lookup This guarantees that all group information is available to other providers, such as the simple provider. * For backwards-compatibility, DNS lookups will also fall back to trying the SSSD domain name as a DNS discovery domain. * Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory * Support for ldap_tls_{cert,key,cipher_suite} config options * Assorted bugfixes ------------------------------------------------------------------- Wed Jan 19 09:32:35 UTC 2011 - rhafer@suse.de - /var/lib/sss/pubconf was missing (bnc#665442) ------------------------------------------------------------------- Tue Jan 18 09:08:35 UTC 2011 - rhafer@suse.de - It was possible to make sssd hang forever inside a loop in the PAM responder by sending a carefully crafted packet to sssd. This could be exploited by a local attacker to crash sssd and prevent other legitimate users from logging into the system. (bnc#660481, CVE-2010-4341) ------------------------------------------------------------------- Sun Dec 19 13:37:32 UTC 2010 - aj@suse.de - Own /etc/systemd directories to fix build. ------------------------------------------------------------------- Thu Nov 25 16:30:40 UTC 2010 - rhafer@novell.com - install systemd service file ------------------------------------------------------------------- Tue Nov 16 11:06:02 UTC 2010 - rhafer@novell.com - Updated to 1.4.1 * Add support for netgroups to the LDAP and proxy providers * Fixes a minor bug with UIDs/GIDs >= 2^31 * Fixes a segfault in the kerberos provider * Fixes a segfault in the NSS responder if a data provider crashes * Correctly use sdap_netgroup_search_base * the utility libraries libpath_utils1, libpath_utils-devel, libref_array1 and libref_array-devel moved to their own separate upstream project (ding-libs) * Performance improvements made to group processing of RFC2307 LDAP servers * Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin * Manpage reviewed and updated ------------------------------------------------------------------- Mon Sep 13 12:23:47 UTC 2010 - coolo@novell.com - remove hard coded python version ------------------------------------------------------------------- Fri Sep 3 13:17:48 UTC 2010 - rhafer@novell.com - No dependencies on %{release} ------------------------------------------------------------------- Mon Aug 30 12:57:47 UTC 2010 - rhafer@novell.com - Updated to 1.3.1 * Fixes to the HBAC backend for obsolete or removed HBAC entries * Improvements to log messages around TLS and GSSAPI for LDAP * Support for building in environments using --as-needed LDFLAGS * Vast performance improvement for initgroups on RFC2307 LDAP servers * Long-running SSSD clients (e.g. GDM) will now reconnect properly to the daemon if SSSD is restarted * Rewrote the internal LDB cache API. As a synchronous API it is now faster to access and easier to work with * Eugene Indenbom contributed a sizeable amount of code to the LDAP provider - We now handle failover situations much more reliably than we did previously - We also will now monitor the GSSAPI kerberos ticket and automatically renew it when appropriate, instead of waiting for a connection to fail * Support for netlink now allows us to more quickly detect situations where we may have come online * New option "dns_discovery_domain" allows better configuration for using SRV records for failover - New subpackages: libpath_utils1, libpath_utils-devel, libref_array1 and libref_array-devel ------------------------------------------------------------------- Wed Mar 31 14:02:43 UTC 2010 - rhafer@novell.com - Package pam- and nss-Modules as baselibs - cleaned up file list and dependencies - fixed init script dependencies ------------------------------------------------------------------- Wed Mar 31 07:57:25 UTC 2010 - rhafer@novell.com - Updated to 1.1.0 * Support for IPv6 * Support for LDAP referrals * Offline failed login counter * Fix for the long-standing cache cleanup performance issues * libini_config, libcollection, libdhash, libref_array and libpath_utils are now built as shared libraries for general consumption (libref_array and libpath_utils are currently not packaged, as no component in sssd links against them) * Users get feedback from PAM if they authenticated offline * Native local backend now has a utility to show nested memberships (sss_groupshow) * New "simple" access provider for easy restriction of users - Backported libcrypto support from master to avoid Mozilla NSS dependency - Backported password policy improvments for LDAP provider from master ------------------------------------------------------------------- Mon Mar 8 14:06:29 UTC 2010 - rhafer@novell.com - use logfiles for debug messages by default ------------------------------------------------------------------- Fri Mar 5 12:57:25 UTC 2010 - rhafer@novell.com - subpackages for commandline tools, ipa-provider plugin and python API ------------------------------------------------------------------- Fri Feb 26 14:48:50 UTC 2010 - rhafer@novell.com - Updated to 1.0.5. Highlights: * Removed some dead code (libreplace * Clarify licenses throughout the code ------------------------------------------------------------------- Thu Feb 4 17:04:01 UTC 2010 - rhafer@novell.com - Updated to 1.0.4 ------------------------------------------------------------------- Thu Oct 8 15:10:47 UTC 2009 - rhafer@novell.com - Update to 0.6.0 ------------------------------------------------------------------- Fri Sep 4 08:59:21 UTC 2009 - rhafer@novell.com - fix LDAP filter for initgroups() with rfc2307bis setups ------------------------------------------------------------------- Tue Sep 1 08:58:37 UTC 2009 - rhafer@novell.com - initial package submission