Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sssd for openSUSE:Factory checked in at 2026-01-17 21:42:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sssd (Old) and /work/SRC/openSUSE:Factory/.sssd.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sssd" Sat Jan 17 21:42:16 2026 rev:146 rq:1327459 version:2.12.0 Changes: --------
--- /work/SRC/openSUSE:Factory/sssd/sssd.changes 2025-11-20 14:46:17.516012447 +0100
+++ /work/SRC/openSUSE:Factory/.sssd.new.1928/sssd.changes 2026-01-17 21:42:37.917631840 +0100
@@ -1,0 +2,22 @@
+Thu Jan 15 16:47:44 UTC 2026 - Jan Engelhardt <[email protected]>
+
+- Update to release 2.12.0
+ * Fixed CVE-2025-11561 by disabling an2ln in the default
+ implicitly created Kerberos configuration snippet, typically in
+ /var/lib/sss/pubconf/krb5.include.d/localauth_plugin.
+ * SSSD now allows using machine credentials from a trusted AD
+ domain or Kerberos realm if no suitable domain-local
+ credentials are available.
+ * SSSD now supports authentication mechanism selection through
+ PAM using a JSON-based protocol. This feature enables
+ passwordless authentication mechanisms in GUI login
+ environments that support the protocol (e.g. GNOME 50).
+ * The generic SSSD LDAP provider (id_provider = ldap) now
+ supports fetching subid ranges, a feature previously supported
+ only by the IPA provider.
+ * The default value of the `session_provider` option was changed
+ to `none` (i.e. disabled) no matter what id_provider is used.
+- Delete 0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
+ (merged)
+
+-------------------------------------------------------------------
Old: ---- 0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch sssd-2.11.1.tar.gz sssd-2.11.1.tar.gz.asc New: ---- sssd-2.12.0.tar.gz sssd-2.12.0.tar.gz.asc ----------(Old B)---------- Old: to `none` (i.e. disabled) no matter what id_provider is used. - Delete 0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch (merged) ----------(Old E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ sssd.spec ++++++
--- /var/tmp/diff_new_pack.P3Yylg/_old 2026-01-17 21:42:38.893671822 +0100
+++ /var/tmp/diff_new_pack.P3Yylg/_new 2026-01-17 21:42:38.897671986 +0100
@@ -1,7 +1,7 @@ # # spec file for package sssd # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,20 +17,20 @@ Name: sssd -Version: 2.11.1 +Version: 2.12.0 Release: 0 Summary: System Security Services Daemon License: GPL-3.0-or-later AND LGPL-3.0-or-later Group: System/Daemons URL: https://github.com/SSSD/sssd #Git-Clone: https://github.com/SSSD/sssd +#Changelog: https://sssd.io/release-notes/sssd-2.12.0.html Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source3: baselibs.conf Source5: %name.keyring Source6: %name-rpmlintrc Patch1: 0001-TOOL-Fix-build-parameter-name-omitted.patch -Patch2: 0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch Patch11: krb-noversion.diff Patch12: harden_sssd-ifp.service.patch Patch13: harden_sssd-kcm.service.patch @@ -48,17 +48,17 @@ %if 0%{?suse_version} >= 1600 BuildRequires: libsubid-devel %endif +BuildRequires: libopenssl-3-devel BuildRequires: libtool BuildRequires: libunistring-devel BuildRequires: libxml2-tools BuildRequires: libxslt-tools -BuildRequires: libopenssl-3-devel BuildRequires: nss_wrapper BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pkg-config >= 0.21 -BuildRequires: python3-wheel BuildRequires: python3-setuptools +BuildRequires: python3-wheel BuildRequires: systemd-rpm-macros BuildRequires: sysuser-tools BuildRequires: uid_wrapper @@ -126,7 +126,6 @@ %define mcpath %sssdstatedir/mc %define ldbdir %(pkg-config ldb --variable=modulesdir) - %if 0%{?suse_version} >= 1600 %define permissions_path %_datadir/permissions/permissions.d/ %else 
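Review bot: Dropping `Patch2` in the `@@ -17,20` hunk leaves nothing in the spec itself to say that the CVE-2025-11561 mitigation now comes from the upstream tarball rather than from a downstream patch. A one-line comment where the patch stood, such as `# CVE-2025-11561 (an2ln localauth plugin) is fixed upstream as of 2.12.0; former Patch2 dropped`, would keep that visible to whoever next rebases or backports this package. The changelog describes the fix as applying to the implicitly created snippet under /var/lib/sss/pubconf/krb5.include.d/, and nothing in the visible hunks shows how an existing copy of that file is handled on upgrade. It is therefore worth confirming on a host upgraded from 2.11.1 that the snippet ends up with an2ln disabled.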
@@ -409,17 +408,17 @@ --with-pid-path="%_rundir/sssd" \ --enable-pammoddir="%_pam_moduledir" \ --with-ldb-lib-dir="%ldbdir" \ - --with-os=suse \ --disable-ldb-version-check \ --without-python2-bindings \ --without-oidc-child \ --with-sssd-user="%sssd_user" \ %if 0%{?suse_version} >= 1600 --with-selinux=yes \ - --with-subid + --with-subid \ %else - --with-selinux=no + --with-selinux=no \ %endif + --with-os=suse %make_build all %install @@ -530,7 +529,6 @@ # del_postun includes a try-restart %service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket - %ldconfig_scriptlets -n libsss_certmap0 %ldconfig_scriptlets -n libipa_hbac0 %ldconfig_scriptlets -n libsss_idmap0 @@ -663,6 +661,7 @@ %_mandir/man5/sssd-ldap-attributes.5* %_mandir/man5/sssd-session-recording.5* %_mandir/man5/sssd-simple.5* +%_mandir/*/man5/sssd-simple.5* %_mandir/man5/sssd-sudo.5* %_mandir/man5/sssd.conf.5* %_mandir/man8/sssd.8* @@ -752,6 +751,7 @@ %exclude %_libdir/sssd/libsss_idp.so %exclude %_libdir/%name/modules/sssd_krb5_idp_plugin.so %exclude %_mandir/man5/sssd-idp* +%exclude %_mandir/*/man5/sssd-idp* %files ad %dir %_libdir/%name/ ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.P3Yylg/_old 2026-01-17 21:42:38.961674607 +0100 +++ /var/tmp/diff_new_pack.P3Yylg/_new 2026-01-17 21:42:38.961674607 +0100 
@@ -1,5 +1,5 @@ -mtime: 1763475864 -commit: d21340366b65700bc9cdadb21987a6747f3f200d1f21e6cc91ddf3d047b1d5c3 +mtime: 1768506555 +commit: 5a8a322537158c501d97e2ee418e9b167bac72a9ff11394ccd462c47b154969a url: https://src.opensuse.org/jengelh/sssd revision: master ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-01-15 20:49:33.000000000 +0100 @@ -0,0 +1 @@ +.osc ++++++ sssd-2.11.1.tar.gz -> sssd-2.12.0.tar.gz ++++++ /work/SRC/openSUSE:Factory/sssd/sssd-2.11.1.tar.gz /work/SRC/openSUSE:Factory/.sssd.new.1928/sssd-2.12.0.tar.gz differ: char 12, line 1 ++++++ symvers.patch ++++++ --- /var/tmp/diff_new_pack.P3Yylg/_old 2026-01-17 21:42:39.205684603 +0100 +++ /var/tmp/diff_new_pack.P3Yylg/_new 2026-01-17 21:42:39.209684767 +0100 @@ -15,11 +15,11 @@ Makefile.am | 44 ++++++++++++++++++++++++++++++-------------- 1 file changed, 30 insertions(+), 14 deletions(-) -Index: sssd-2.10.1/Makefile.am +Index: sssd-2.12.0/Makefile.am =================================================================== ---- sssd-2.10.1.orig/Makefile.am -+++ sssd-2.10.1/Makefile.am -@@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \ +--- sssd-2.12.0.orig/Makefile.am ++++ sssd-2.12.0/Makefile.am +@@ -964,7 +964,11 @@ libsss_debug_la_SOURCES = \ libsss_debug_la_LIBADD = \ $(SYSLOG_LIBS) libsss_debug_la_LDFLAGS = \ @@ -31,9 +31,9 @@ + echo "V_${PACKAGE_VERSION} { global: *; };" >$@ pkglib_LTLIBRARIES += libsss_child.la - libsss_child_la_SOURCES = src/util/child_common.c -@@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \ - $(DHASH_LIBS) \ + libsss_child_la_SOURCES = src/util/child_handlers.c src/util/child_io.c +@@ -973,7 +977,8 @@ libsss_child_la_LIBADD = \ + $(TEVENT_LIBS) \ libsss_debug.la \ $(NULL) -libsss_child_la_LDFLAGS = -avoid-version 
@@ -42,7 +42,7 @@ pkglib_LTLIBRARIES += libsss_crypt.la -@@ -1021,7 +1026,8 @@ libsss_crypt_la_LIBADD = \ +@@ -1013,7 +1018,8 @@ libsss_crypt_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_crypt_la_LDFLAGS = \ @@ -52,7 +52,7 @@ pkglib_LTLIBRARIES += libsss_cert.la -@@ -1046,8 +1052,9 @@ libsss_cert_la_LIBADD = \ +@@ -1032,8 +1038,9 @@ libsss_cert_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_cert_la_LDFLAGS = \ @@ -63,7 +63,7 @@ generate-sbus-code: $(builddir)/sbus_generate.sh $(abs_srcdir) -@@ -1148,8 +1155,9 @@ libsss_sbus_la_CFLAGS = \ +@@ -1134,8 +1141,9 @@ libsss_sbus_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_sbus_la_LDFLAGS = \ @@ -74,7 +74,7 @@ pkglib_LTLIBRARIES += libsss_sbus_sync.la libsss_sbus_sync_la_SOURCES = \ -@@ -1184,8 +1192,9 @@ libsss_sbus_sync_la_CFLAGS = \ +@@ -1170,8 +1178,9 @@ libsss_sbus_sync_la_CFLAGS = \ $(UNICODE_LIBS) \ $(NULL) libsss_sbus_sync_la_LDFLAGS = \ @@ -85,7 +85,7 @@ pkglib_LTLIBRARIES += libsss_iface.la libsss_iface_la_SOURCES = \ -@@ -1214,8 +1223,9 @@ libsss_iface_la_CFLAGS = \ +@@ -1200,8 +1209,9 @@ libsss_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_la_LDFLAGS = \ @@ -96,7 +96,7 @@ pkglib_LTLIBRARIES += libsss_iface_sync.la libsss_iface_sync_la_SOURCES = \ -@@ -1242,8 +1252,9 @@ libsss_iface_sync_la_CFLAGS = \ +@@ -1228,8 +1238,9 @@ libsss_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_sync_la_LDFLAGS = \ 
@@ -107,17 +107,17 @@ pkglib_LTLIBRARIES += libsss_util.la libsss_util_la_SOURCES = \ -@@ -1338,7 +1349,8 @@ endif - if BUILD_PASSKEY - libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c - endif # BUILD_PASSKEY +@@ -1323,7 +1334,8 @@ endif + if BUILD_SYSTEMTAP + libsss_util_la_LIBADD += stap_generated_probes.lo + endif -libsss_util_la_LDFLAGS = -avoid-version +libsss_util_la_LDFLAGS = -avoid-version ${symv} +EXTRA_libsss_util_la_DEPENDENCIES = x.sym SSSD_INTERNAL_LTLIBS = \ libsss_util.la \ -@@ -1354,7 +1366,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ +@@ -1339,7 +1351,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ $(NULL) pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc @@ -126,7 +126,7 @@ libipa_hbac_la_SOURCES = \ src/lib/ipa_hbac/hbac_evaluator.c \ src/util/sss_utf8.c -@@ -1682,8 +1694,9 @@ libifp_iface_la_CFLAGS = \ +@@ -1636,8 +1648,9 @@ libifp_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_la_LDFLAGS = \ @@ -137,7 +137,7 @@ pkglib_LTLIBRARIES += libifp_iface_sync.la libifp_iface_sync_la_SOURCES = \ -@@ -1708,8 +1721,9 @@ libifp_iface_sync_la_CFLAGS = \ +@@ -1662,8 +1675,9 @@ libifp_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_sync_la_LDFLAGS = \ @@ -148,7 +148,7 @@ sssd_ifp_SOURCES = \ src/responder/ifp/ifpsrv.c \ -@@ -4314,8 +4328,9 @@ libsss_ldap_common_la_LIBADD = \ +@@ -4303,8 +4317,9 @@ libsss_ldap_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_ldap_common_la_LDFLAGS = \ @@ -159,7 +159,7 @@ if BUILD_SYSTEMTAP libsss_ldap_common_la_LIBADD += stap_generated_probes.lo endif -@@ -4371,7 +4386,8 @@ libsss_krb5_common_la_LIBADD = \ +@@ -4360,7 +4375,8 @@ libsss_krb5_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_krb5_common_la_LDFLAGS = \
