SASL 2.1.27 rc7

Mon, 05 Feb 2018 15:18:45 -0800 

All,
I have built a seventh (and hopefully last) release candidate of SASL 2.1.27 which can be downloaded from here: 

HTTP:
 https://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc7.tar.gz
 https://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc7.tar.gz.sig

FTP:
 ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc7.tar.gz
 ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc7.tar.gz.sig



The primary reason for this candidate is to test the latest GSSAPI 
changes.  I'd like to roll out the final release in about a week. If not 
done by Feb 14, it will wait until Feb 21 when I return from vacation.



The (mostly) complete list of changes from 2.1.26 are these:

 * Added support for OpenSSL 1.1
 * Added support for lmdb (from Howard Chu)
 * Lots of build fixes (from Ignacio Casal Quinteiro and others)
 * Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting
   client mech
 * DIGEST-MD5 plugin:
     o Fixed memory leaks
     o Fixed a segfault when looking for non-existent reauth cache
     o Prevent client from going from step 3 back to step 2
     o Allow cmusaslsecretDIGEST-MD5 property to be disabled
 * GSSAPI plugin:
     o Added support for retrieving negotiated SSF
     o Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
     o Properly compute maxbufsize AFTER security layers have been set
 * SCRAM plugin:
     o Added support for SCRAM-SHA-256
     o Allow SCRAM-* to be used by HTTP
 * LOGIN plugin:
     o Don’t prompt client for password until requested by server
 * NTLM plugin:
     o Fixed crash due to uninitialized HMAC context
 * saslauthd:
     o cache.c:
         + Don’t use cached credentials if timeout has expired
         + Fixed debug logging output
     o ipc_doors.c:
         + Fixed potential DoS attack (from Oracle)
     o ipc_unix.c:
         + Prevent premature closing of socket
     o auth_rimap.c:
         + Added support LOGOUT command
         + Added support for unsolicited CAPABILITY responses in LOGIN
           reply
         + Properly detect end of responses (don’t needlessly wait)
         + Properly handle backslash in passwords
     o auth_httpform:
         + Fix off-by-one error in string termination
         + Added support for 204 success response
     o auth_krb5.c:
         + Added krb5_conv_krb4_instance option
         + Added more verbose error logging




At this point any major changes (e.g. API, wire protocol) will be pushed 
out to 2.1.28 or 2.2.0.


--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd















    











					Reply via email to