=== SSSD 1.9.4 ===

The SSSD team is proud to announce the release of version 1.9.4 of
the System Security Services Daemon.

https://fedorahosted.org/sssd

This is another bug-fix-only release of the 1.9 series. In addition to
functional fixes, this release also includes two security patches. With
the release of 1.9.4, all the known regressions that were introduced during
the 1.9 development are fixed. We are still tracking a couple of important
bugs, though, mostly in the 1.9.5 milestone.

Our focus for the next couple of months will change from bug fixing only to
both bug fixing and new feature development. The new features will be developed
in the master branch, which will later become 1.10, and only backported to
1.9 as appropriate.

RPM packages will be made available for Fedora shortly, initially for F-18
and rawhide and later also backported to F-17.

== Highlights ==
* This release focused mainly on fixing regressions compared to the 1.8
  series and bugfixes for features introduced in the 1.9 release cycle
* A security bug assigned CVE-2013-0219 was fixed - TOCTOU race conditions
  when creating or removing home directories for users in the local domain;
  the local-domain tools now operate on open directory file descriptors
  (openat/unlinkat) instead of re-resolving paths between check and use
* A security bug assigned CVE-2013-0220 was fixed - out-of-bounds reads in
  the autofs and SSH responders, which did not check that strings in a
  request stayed within the packet body
* A serious memory leak in the NSS responder was fixed
* The sssd_pam responder processes pending requests after an sbus reconnect
* Requests processing group entries whose member DNs pointed outside all
  configured search bases were not terminated correctly, causing long timeouts
* Kerberos tickets are correctly renewed even after an SSSD daemon restart
* The autofs LDAP provider correctly updates entries whose mount options
  changed on the LDAP server
* Secondary groups are now reported correctly for a user coming from a
  trusted Active Directory server
* Kerberos principal selection was fixed to behave correctly when accessing
  an Active Directory server
* Multiple fixes related to SUDO integration, in particular fixing
  functionality when the sssd back end process was changing its online/offline
  state
* The pwd_exp_warning option was fixed to function as documented in the
  manual page
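The class of fix behind CVE-2013-0219, shown as an added example rather than SSSD's own code (the actual changes are the TOOLS commits in the changelog): a racy tool deletes a home directory by re-resolving paths, so a user who replaces a subdirectory with a symlink between the tool's lstat() and its unlink() can make a root process delete files elsewhere. The version below holds an open directory descriptor at every level, refuses to follow symlinks, and verifies the opened inode is the one it inspected. The demo scenario, temporary directory names and helper names are constructed for illustration.

```c
/* Added example (not SSSD code): delete a home directory tree without the
 * path-based TOCTOU race behind CVE-2013-0219. Every operation is relative
 * to a directory descriptor we already hold, and symlinks are never followed. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove the entry `name` inside the directory open as parent_fd.
 * Returns 0 on success, -1 with errno set on failure. */
static int remove_tree_at(int parent_fd, const char *name)
{
    struct stat st, st_fd;
    struct dirent *ent;
    DIR *dir;
    int dir_fd, ret = 0;

    if (fstatat(parent_fd, name, &st, AT_SYMLINK_NOFOLLOW) == -1)
        return -1;
    if (!S_ISDIR(st.st_mode))                 /* files and symlinks: unlink the entry itself */
        return unlinkat(parent_fd, name, 0);

    /* O_NOFOLLOW|O_DIRECTORY refuses a symlink planted after the fstatat above. */
    dir_fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dir_fd == -1)
        return -1;
    /* The descriptor must refer to the inode we inspected, not a replacement. */
    if (fstat(dir_fd, &st_fd) == -1 ||
        st_fd.st_dev != st.st_dev || st_fd.st_ino != st.st_ino) {
        close(dir_fd);
        errno = EAGAIN;                       /* entry changed under us: refuse, don't guess */
        return -1;
    }
    dir = fdopendir(dir_fd);                  /* takes ownership of dir_fd */
    if (dir == NULL) {
        close(dir_fd);
        return -1;
    }
    while ((ent = readdir(dir)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        if (remove_tree_at(dirfd(dir), ent->d_name) == -1) {
            ret = -1;
            break;
        }
    }
    closedir(dir);                            /* also closes dir_fd */
    return ret == 0 ? unlinkat(parent_fd, name, AT_REMOVEDIR) : -1;
}

int remove_tree(const char *path)
{
    return remove_tree_at(AT_FDCWD, path);
}

/* Constructed scenario (not real data): a home directory containing a symlink
 * to an unrelated directory, as a malicious user could plant before deletion.
 * Returns 1 if the home tree is gone and the other directory is untouched. */
int demo_symlink_escape(void)
{
    char home[] = "/tmp/ex_home_XXXXXX", victim[] = "/tmp/ex_victim_XXXXXX";
    char path[512];
    struct stat st;
    int fd, home_gone, keep_ok;

    if (mkdtemp(home) == NULL || mkdtemp(victim) == NULL)
        return 0;
    snprintf(path, sizeof(path), "%s/keep", victim);
    if ((fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600)) == -1) return 0;
    close(fd);
    snprintf(path, sizeof(path), "%s/sub", home);
    if (mkdir(path, 0700) == -1) return 0;
    snprintf(path, sizeof(path), "%s/sub/notes", home);
    if ((fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600)) == -1) return 0;
    close(fd);
    snprintf(path, sizeof(path), "%s/escape", home);
    if (symlink(victim, path) == -1) return 0;

    if (remove_tree(home) == -1) return 0;
    home_gone = (lstat(home, &st) == -1 && errno == ENOENT);
    snprintf(path, sizeof(path), "%s/keep", victim);
    keep_ok = (lstat(path, &st) == 0);        /* symlink was unlinked, never followed */
    remove_tree(victim);
    return home_gone && keep_ok;
}

int main(void)
{
    printf("symlink escape prevented: %s\n", demo_symlink_escape() ? "yes" : "no");
    return 0;
}
```

The dev/inode comparison after openat() is the belt-and-braces step: O_NOFOLLOW already stops a symlink, but a bind mount or a directory renamed into place between fstatat() and openat() would still pass without it. The same descriptor-relative discipline (mkdirat/openat under an fd you own) applies when creating the home directory from a skeleton, which is the other half of the CVE.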

== Tickets Fixed ==
    pam_sss(crond:account): Request to sssd failed. Timer expired
    always reread the master map from LDAP
    sss_cache: fqdn not accepted
    sudoUser group and netgroup specifications don't work
    sssd caching not working as expected for selinux usermap contexts
    investigate the behaviour of ldap_sasl_authid in 1.9.x
    Login fails - sssd_be module polling fd indefinitely and gets killed
    sss_userdel doesn't remove entries from in-memory cache
    IPA Trust does not show secondary groups for AD Users for commands
    like id and getent
    Error in PAC responder
    memberUid required for primary groups to match sudo rule
    Primary server status is not always reset after failover to backup
    server happened
    krb5_kpasswd failover doesn't work
    Offline sudo denies access with expired entry_cache_timeout
    Negative cache timeout is not working for proxy provider
    Disallow root SSH public key authentication
    sudo: if first full refresh fails, schedule another first full refresh
    Option ldap_sudo_include_regexp named incorrectly
    Incorrect synchronization in mmap cache
    ldap_chpass_uri failover fails on using same hostname
    sudo denies access with disabled ldap_sudo_use_host_filter
    sssd_nss crashes during enumeration
    Wrong variable check in the memberof plugin
    Wrong error handler in sss_mc_create_file
    segfault in async_resolv.c
    sssd components seem to mishandle sighup
    man sssd-sudo has wrong title
    user id lookup fails for case sensitive users using proxy provider
    Make functions manipulating with mmap cache more defensive
    Limit requests coalescing in time
    crash in memory cache
    Explicit null dereferenced
    AD provider: getgrgid removes nested group memberships
    Failure in memberof can lead to failed database update
    Memory leak in new memcache initgr cleanup function
    krb5 ticket renewal does not read the renewable tickets from cache
    clarify the disadvantages of enumeration in sssd.conf
    Failover to krb5_backup_kpasswd doesn't work
    Smart refresh doesn't notice "defaults" addition with OpenLDAP
    Incorrect principal searched for in keytab
    wrong filter for autofs maps in sss_cache
    memory cache is not updated after user is deleted from ldb cache
    sssd fails to update to changes on autofs maps
    Failover to ldap_chpass_backup_uri doesn't work
    sssd_be crashes looking up members with groups outside the nesting limit
    Modifications using sss_usermod tool are not reflected in memory cache
    ipa-client-automount: autofs failed in s390x and ppc64 platform
    SSSD should warn when pam_pwd_expiration_warning value is higher than
    passwordWarning LDAP attribute.
    local provider: All member users are not returned on looking up top
    level parent group.
    Rule mismatch isn't noticed before smart refresh on ppc64 and s390x
    sssd: Out-of-bounds read flaws in autofs and ssh services responders
    TOCTOU race conditions by copying and removing directory trees
    Group lookup fails and takes ~60s to return to shell if member dn
    is incorrect
    reset the release in upstream spec before releasing 1.9.4
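The check behind the "Out-of-bounds read flaws in autofs and ssh services responders" ticket (CVE-2013-0220), as an added example that is not SSSD's own code: a responder that takes a string pointer out of a client-supplied request body and calls strlen() or strcmp() on it reads past the body whenever the declared length is larger than what was sent or the terminating NUL is missing. The request layout used here (a flags word followed by counted strings) is an assumption for illustration, not the exact SSSD wire format; the demo packets are constructed, not captured traffic.

```c
/* Added example (not SSSD code): parse a request body carrying counted
 * strings so that no later string operation can read past the body, the
 * class of check added for CVE-2013-0220. The layout used here
 * ([u32 flags][u32 len][name][optional u32 len][domain]) is an assumption
 * for illustration, not the exact SSSD wire format. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELD_LEN 256

struct ssh_req {
    uint32_t flags;
    const char *name;     /* points into the body, NUL-terminated inside it */
    const char *domain;   /* NULL when absent */
};

/* memcpy rather than a cast: the body buffer need not be aligned. */
static int get_u32(const uint8_t *body, size_t blen, size_t *off, uint32_t *out)
{
    if (blen - *off < sizeof(uint32_t))       /* invariant: *off <= blen */
        return EINVAL;
    memcpy(out, body + *off, sizeof(uint32_t));
    *off += sizeof(uint32_t);
    return 0;
}

/* [u32 len][len bytes]: the last byte must be NUL and no earlier byte may be,
 * so strlen()/strcmp() on the returned pointer stays inside the body. */
static int get_cstring(const uint8_t *body, size_t blen, size_t *off,
                       const char **out)
{
    uint32_t len;
    const char *s;
    int ret = get_u32(body, blen, off, &len);
    if (ret != 0) return ret;
    if (len == 0 || len > MAX_FIELD_LEN) return EINVAL;
    if (len > blen - *off) return EINVAL;     /* declared length exceeds what was sent */
    s = (const char *)body + *off;
    if (s[len - 1] != '\0') return EINVAL;    /* no terminator inside the field */
    if (strlen(s) != len - 1) return EINVAL;  /* embedded NUL: length field lies */
    *out = s;
    *off += len;
    return 0;
}

int parse_ssh_request(const uint8_t *body, size_t blen, struct ssh_req *req)
{
    size_t off = 0;
    int ret;
    memset(req, 0, sizeof(*req));
    if (body == NULL || blen == 0) return EINVAL;
    if ((ret = get_u32(body, blen, &off, &req->flags)) != 0) return ret;
    if ((ret = get_cstring(body, blen, &off, &req->name)) != 0) return ret;
    if (off < blen && (ret = get_cstring(body, blen, &off, &req->domain)) != 0)
        return ret;
    return off == blen ? 0 : EINVAL;          /* trailing bytes: malformed */
}

/* Constructed packets (not captured traffic) exercising the checks. */
static size_t build(uint8_t *buf, uint32_t flags, uint32_t claimed,
                    const void *bytes, size_t nbytes)
{
    memcpy(buf, &flags, 4);
    memcpy(buf + 4, &claimed, 4);
    memcpy(buf + 8, bytes, nbytes);
    return 8 + nbytes;
}

int demo_valid(void)            /* "alice\0" with a truthful length: parses */
{
    uint8_t buf[64]; struct ssh_req r;
    size_t n = build(buf, 0, 6, "alice", 6);
    if (parse_ssh_request(buf, n, &r) != 0) return -1;
    return (strcmp(r.name, "alice") == 0 && r.domain == NULL) ? 0 : -1;
}

int demo_with_domain(void)      /* name followed by a second counted string */
{
    uint8_t buf[64]; struct ssh_req r;
    uint32_t dlen = 8;                        /* "example\0" */
    size_t n = build(buf, 1, 6, "alice", 6);
    memcpy(buf + n, &dlen, 4); memcpy(buf + n + 4, "example", 8); n += 12;
    if (parse_ssh_request(buf, n, &r) != 0) return -1;
    return (r.flags == 1 && strcmp(r.domain, "example") == 0) ? 0 : -1;
}

int demo_oob_length(void)       /* claims 64 name bytes, sends 6: the OOB case */
{
    uint8_t buf[64]; struct ssh_req r;
    return parse_ssh_request(buf, build(buf, 0, 64, "alice", 6), &r);
}

int demo_unterminated(void)     /* 5 bytes, none NUL: strlen() would overrun */
{
    uint8_t buf[64]; struct ssh_req r;
    return parse_ssh_request(buf, build(buf, 0, 5, "alice", 5), &r);
}
```

The two rejected packets are the shapes that matter: a length field larger than the remaining body, and a field whose declared bytes are present but contain no terminator. Checking only one of them leaves the other read reachable. The autofs responder's map-name request needs the same treatment, which is why the fix covers both services.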

== Detailed Changelog ==
Jakub Hrozek (47):
    *  Updating the version for the 1.9.4 release
    *  SUDO: strdup the input variable
    *  PAC: check the return value of diff_git_lists
    *  SYSDB: Move misplaced assignment
    *  LDAP: remove dead assignment
    *  MEMBEROF: Fix copy-n-paste error
    *  NSS: Fix the error handler in sss_mc_create_file
    *  SYSDB: More debugging during the conversion to ghost users
    *  MAN: Fix the title of sssd-sudo
    *  MEMBEROF: silence compilation warnings
    *  Set cloexec flag for log files
    *  RESOLV: Do not steal the resulting hostent on error
    *  SYSDB: fix copy-n-paste error
    *  SYSDB: Add API to invalidate all map objects
    *  DP: invalidate all cached maps if a request for auto.master comes in
    *  AUTOFS: allow removing entries from hash table
    *  AUTOFS: remove all maps from hash if request for auto.master comes in
    *  RESPONDERS: Create a common file with service names and versions
    *  AUTOFS: Clear enum cache if a request comes in from the sss_cache
    *  Add responder_sbus.h to noinst_HEADERS
    *  Free resources if fileno failed
    *  Search for SHORTNAME$@REALM instead of fqdn$@REALM by default
    *  Potential resource leak in sss_nss_mc_get_record
    *  SYSDB: Remove duplicate selinux defines
    *  SYSDB: Split a function to read all SELinux maps
    *  SELINUX: Process maps even when offline
    *  AD: replace GID/UID, do not add another one
    *  AD: Add user as a direct member of his primary group
    *  TOOLS: move memcache related functions to tools_mc_utils.c
    *  TOOLS: Split querying nss responder into a separate function
    *  TOOLS: Provide a convenience function to refresh a list of groups
    *  TOOLS: Refresh memcache after changes to local users and groups
    *  LDAP: avoid complex realloc logic in save_rfc2307bis_group_memberships
    *  autofs: Use SAFEALIGN_SET_UINT32 instead of SAFEALIGN_COPY_UINT32
    *  NSS: invalidate memcache user entry on initgr, too
    *  Invalidate user entry even if there are no groups
    *  LDAP: Compare lists of DNs when saving autofs entries
    *  TOOLS: invalidate parent groups in memory cache, too
    *  Convert the value of pwd_exp_warning to seconds
    *  TOOLS: Use openat/unlinkat when removing the homedir
    *  TOOLS: Use file descriptor to avoid races when creating a home directory
    *  SYSDB: make the sss_ldb_modify_permissive function public
    *  SYSDB: Expire group if adding ghost users fails with EEXIST
    *  MAN: Clarify that saving users after enumerating large domain might
       be CPU intensive
    *  TOOLS: Compile on old platforms such as RHEL5
    *  Updating the translations for the 1.9.4 release

Jan Cholasta (2):
    *  SSH: Reject requests for authorized keys of root
    *  Check that strings do not go beyond the end of the packet body in
       autofs and SSH requests.

Michal Zidek (4):
    *  sssd_nss: Remove entries from memory cache if not found in sysdb
    *  tools: sss_userdel and groupdel remove entries from memory cache
    *  sss_cache: fqdn not accepted
    *  sss_userdel and sss_groupdel with use_fully_qualified_names

Ondrej Kos (4):
    *  PROXY: fix negative cache
    *  PROXY: fix groups caching
    *  LDAP: initialize refresh function handler
    *  SYSDB: Modify ghosts in permissive mode

Pavel Březina (22):
    *  sudo manpage: clarify that sudoHost may contain wildcards and not
       regular expression
    *  let krb5_kpasswd failover work
    *  sudo: don't get stuck in rules and smart refresh when offline
    *  sysdb_get_sudo_user_info() initialize attrs on declaration
    *  sudo: include primary group in user group list
    *  sudo: support generalized time format
    *  let ldap_chpass_uri failover work when using same hostname
    *  try primary server after retry_timeout + 1 seconds when switching
       to backup
    *  add sdap_sudo_schedule_refresh()
    *  check dp error in sdap_sudo_full_refresh_done()
    *  sudo: schedule another full refresh in short interval if the first fails
    *  sudo: do full refresh when data provider is back online
    *  let krb5_backup_kpasswd failover work
    *  memcache: add macro that validates record length
    *  explicit null dereferenced in sss_nss_mc_get_record()
    *  memcache: make MC_PTR_TO_SLOT() more readable
    *  sudo smart refresh: do not include usn in filter if no valid usn
       is known
    *  sudo smart refresh: fix debug message
    *  let ldap_backup_chpass_uri work
    *  fix backend callbacks: remove callback properly from dlist
    *  sudo responder: change num_rules type from size_t to uint32_t
    *  nested groups: fix group lookup hangs if member dn is incorrect

Simo Sorce (12):
    *  Add a macro to copy with barriers
    *  Allow mmap calls to gracefully return absent ctx
    *  sssd_pam: Cleanup requests cache on sbus reconnect
    *  responder_dp: Add timeout to side requests
    *  memberof: Prevent unneeded failure case
    *  sssd_nss: Plug memory leaks
    *  nss_mc: Add extra checks when dereferencing records
    *  Update free table when records are invalidated.
    *  Carefully check records when forcibly invalidating
    *  mmap cache: invalidate cache on fatal error
    *  Remove unused header
    *  Fix invalidating autofs maps

Sumit Bose (18):
    *  select_principal_from_keytab() look for plain input as well
    *  select_principal_from_keytab() do wildcard lookups after specific ones
    *  Fix a 'shadows a global declaration' warning
    *  Add default section to switch statement
    *  krb5 tgt renewal: fix usage of ldb_dn_get_component_val()
    *  Use struct pac_grp instead of gid_t for groups from PAC
    *  Add find_domain_by_id()
    *  IDMAP: add sss_idmap_smb_sid_to_unix()
    *  Update domain ID for local domain as well
    *  Always get user data from PAC
    *  Save domain and GID for groups from the configured domain
    *  Remote groups do not have an original DN attribute
    *  Read remote groups from PAC
    *  Use hash table to collect GIDs from PAC to avoid dups
    *  Add tests for get_gids_from_pac()
    *  PAC responder: check if existing user differs
    *  Refactor gid handling in the PAC responder

