=== SSSD 1.9.4 ===

The SSSD team is proud to announce the release of version 1.9.4 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

This is another bug-fix-only release of the 1.9 series. In addition to
fixing functionality, this release also includes two security patches. With
the release of 1.9.4, all the known regressions that were introduced during
the 1.9 development cycle are fixed. We are still tracking a couple of important
bugs, though, mostly in the 1.9.5 milestone.

Our focus for the next couple of months will change from bug fixing only to
both bug fixing and new feature development. The new features will be developed
in the master branch, which will later become 1.10, and only backported to
1.9 as appropriate.

RPM packages will be made available for Fedora shortly, initially for F-18
and rawhide and later also backported to F-17.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==
* This release focused mainly on fixing regressions compared to the 1.8
  series and bug fixes for features introduced in the 1.9 release cycle
* A security bug assigned CVE-2013-0219 was fixed - TOCTOU race conditions
  when creating or removing home directories for users in the local domain
* A security bug assigned CVE-2013-0220 was fixed - out-of-bounds reads in
  the autofs and ssh responders
* A serious memory leak in the NSS responder was fixed
* The sssd_pam responder now processes pending requests after a reconnect
* Requests processing group entries whose member DNs pointed outside all
  configured search bases were not terminated correctly, causing long
  timeouts; this is fixed
* Kerberos tickets are correctly renewed even after an SSSD daemon restart
* The autofs LDAP provider correctly updates entries whose mount options
  changed on the LDAP server
* Secondary groups are now reported correctly for a user coming from a
  trusted Active Directory server
* Kerberos principal selection was fixed to behave correctly when accessing
  an Active Directory server
* Multiple fixes related to SUDO integration, in particular fixing
  functionality when the sssd back-end process was changing its online/offline
  status
* The pwd_exp_warning option was fixed to function as documented in the
  manual page

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1564
    pam_sss(crond:account): Request to sssd failed. Timer expired
https://fedorahosted.org/sssd/ticket/1592
    always reread the master map from LDAP
https://fedorahosted.org/sssd/ticket/1620
    sss_cache: fqdn not accepted
https://fedorahosted.org/sssd/ticket/1624
    sudoUser group and netgroup specifications don't work
https://fedorahosted.org/sssd/ticket/1626
    sssd caching not working as expected for selinux usermap contexts
https://fedorahosted.org/sssd/ticket/1635
    investigate the behaviour of ldap_sasl_authid in 1.9.x
https://fedorahosted.org/sssd/ticket/1655
    Login fails - sssd_be module polling fd indefinitely and gets killed
https://fedorahosted.org/sssd/ticket/1659
    sss_userdel doesn't remove entries from in-memory cache
https://fedorahosted.org/sssd/ticket/1666
    IPA Trust does not show secondary groups for AD Users for commands
    like id and getent
https://fedorahosted.org/sssd/ticket/1672
    Error in PAC responder
https://fedorahosted.org/sssd/ticket/1677
    memberUid required for primary groups to match sudo rule
https://fedorahosted.org/sssd/ticket/1679
    Primary server status is not always reset after failover to backup
    server happened
https://fedorahosted.org/sssd/ticket/1680
    krb5_kpasswd failover doesn't work
https://fedorahosted.org/sssd/ticket/1682
    Offline sudo denies access with expired entry_cache_timeout
https://fedorahosted.org/sssd/ticket/1685
    Negative cache timeout is not working for proxy provider
https://fedorahosted.org/sssd/ticket/1687
    Disallow root SSH public key authentication
https://fedorahosted.org/sssd/ticket/1689
    sudo: if first full refresh fails, schedule another first full refresh
https://fedorahosted.org/sssd/ticket/1690
    Option ldap_sudo_include_regexp named incorrectly
https://fedorahosted.org/sssd/ticket/1694
    Incorrect synchronization in mmap cache
https://fedorahosted.org/sssd/ticket/1699
    ldap_chpass_uri failover fails on using same hostname
https://fedorahosted.org/sssd/ticket/1701
    sudo denies access with disabled ldap_sudo_use_host_filter
https://fedorahosted.org/sssd/ticket/1702
    sssd_nss crashes during enumeration
https://fedorahosted.org/sssd/ticket/1703
    Wrong variable check in the memberof plugin
https://fedorahosted.org/sssd/ticket/1704
    Wrong error handler in sss_mc_create_file
https://fedorahosted.org/sssd/ticket/1706
    segfault in async_resolv.c
https://fedorahosted.org/sssd/ticket/1708
    sssd components seem to mishandle sighup
https://fedorahosted.org/sssd/ticket/1710
    man sssd-sudo has wrong title
https://fedorahosted.org/sssd/ticket/1714
    user id lookup fails for case sensitive users using proxy provider
https://fedorahosted.org/sssd/ticket/1716
    Make functions manipulating with mmap cache more defensive
https://fedorahosted.org/sssd/ticket/1717
    Limit requests coalescing in time
https://fedorahosted.org/sssd/ticket/1722
    crash in memory cache
https://fedorahosted.org/sssd/ticket/1724
    Explicit null dereferenced
https://fedorahosted.org/sssd/ticket/1727
    AD provider: getgrgid removes nested group memberships
https://fedorahosted.org/sssd/ticket/1728
    Failure in memberof can lead to failed database update
https://fedorahosted.org/sssd/ticket/1730
    Memory leak in new memcache initgr cleanup function
https://fedorahosted.org/sssd/ticket/1731
    krb5 ticket renewal does not read the renewable tickets from cache
https://fedorahosted.org/sssd/ticket/1732
    clarify the disadvantages of enumeration in sssd.conf
https://fedorahosted.org/sssd/ticket/1735
    Failover to krb5_backup_kpasswd doesn't work
https://fedorahosted.org/sssd/ticket/1736
    Smart refresh doesn't notice "defaults" addition with OpenLDAP
https://fedorahosted.org/sssd/ticket/1740
    Incorrect principal searched for in keytab
https://fedorahosted.org/sssd/ticket/1754
    wrong filter for autofs maps in sss_cache
https://fedorahosted.org/sssd/ticket/1757
    memory cache is not updated after user is deleted from ldb cache
https://fedorahosted.org/sssd/ticket/1758
    sssd fails to update to changes on autofs maps
https://fedorahosted.org/sssd/ticket/1760
    Failover to ldap_chpass_backup_uri doesn't work
https://fedorahosted.org/sssd/ticket/1761
    sssd_be crashes looking up members with groups outside the nesting limit
https://fedorahosted.org/sssd/ticket/1764
    Modifications using sss_usermod tool are not reflected in memory cache
https://fedorahosted.org/sssd/ticket/1770
    ipa-client-automount: autofs failed in s390x and ppc64 platform
https://fedorahosted.org/sssd/ticket/1773
    SSSD should warn when pam_pwd_expiration_warning value is higher than
    passwordWarning LDAP attribute.
https://fedorahosted.org/sssd/ticket/1775
    local provider: All member users are not returned on looking up top
    level parent group.
https://fedorahosted.org/sssd/ticket/1779
    Rule mismatch isn't noticed before smart refresh on ppc64 and s390x
https://fedorahosted.org/sssd/ticket/1781
    sssd: Out-of-bounds read flaws in autofs and ssh services responders
https://fedorahosted.org/sssd/ticket/1782
    TOCTOU race conditions by copying and removing directory trees
https://fedorahosted.org/sssd/ticket/1783
    Group lookup fails and takes ~60s to return to shell if member dn
    is incorrect
https://fedorahosted.org/sssd/ticket/1787
    reset the release in upstream spec before releasing 1.9.4

== Detailed Changelog ==
Jakub Hrozek (47):
    *  Updating the version for the 1.9.4 release
    *  SUDO: strdup the input variable
    *  PAC: check the return value of diff_git_lists
    *  SYSDB: Move misplaced assignment
    *  LDAP: remove dead assignment
    *  MEMBEROF: Fix copy-n-paste error
    *  NSS: Fix the error handler in sss_mc_create_file
    *  SYSDB: More debugging during the conversion to ghost users
    *  MAN: Fix the title of sssd-sudo
    *  MEMBEROF: silence compilation warnings
    *  Set cloexec flag for log files
    *  RESOLV: Do not steal the resulting hostent on error
    *  SYSDB: fix copy-n-paste error
    *  SYSDB: Add API to invalidate all map objects
    *  DP: invalidate all cached maps if a request for auto.master comes in
    *  AUTOFS: allow removing entries from hash table
    *  AUTOFS: remove all maps from hash if request for auto.master comes in
    *  RESPONDERS: Create a common file with service names and versions
    *  AUTOFS: Clear enum cache if a request comes in from the sss_cache
    *  Add responder_sbus.h to noinst_HEADERS
    *  Free resources if fileno failed
    *  Search for SHORTNAME$@REALM instead of fqdn$@REALM by default
    *  Potential resource leak in sss_nss_mc_get_record
    *  SYSDB: Remove duplicate selinux defines
    *  SYSDB: Split a function to read all SELinux maps
    *  SELINUX: Process maps even when offline
    *  IPA: Rename IPA_CONFIG_SELINUX_DEFAULT_MAP
    *  AD: replace GID/UID, do not add another one
    *  AD: Add user as a direct member of his primary group
    *  TOOLS: move memcache related functions to tools_mc_utils.c
    *  TOOLS: Split querying nss responder into a separate function
    *  TOOLS: Provide a convenience function to refresh a list of groups
    *  TOOLS: Refresh memcache after changes to local users and groups
    *  LDAP: avoid complex realloc logic in save_rfc2307bis_group_memberships
    *  autofs: Use SAFEALIGN_SET_UINT32 instead of SAFEALIGN_COPY_UINT32
    *  NSS: invalidate memcache user entry on initgr, too
    *  Invalidate user entry even if there are no groups
    *  LDAP: Compare lists of DNs when saving autofs entries
    *  TOOLS: invalidate parent groups in memory cache, too
    *  Convert the value of pwd_exp_warning to seconds
    *  TOOLS: Use openat/unlinkat when removing the homedir
    *  TOOLS: Use file descriptor to avoid races when creating a home directory
    *  SYSDB: make the sss_ldb_modify_permissive function public
    *  SYSDB: Expire group if adding ghost users fails with EEXIST
    *  MAN: Clarify that saving users after enumerating large domain might
       be CPU intensive
    *  TOOLS: Compile on old platforms such as RHEL5
    *  Updating the translations for the 1.9.4 release

Jan Cholasta (2):
    *  SSH: Reject requests for authorized keys of root
    *  Check that strings do not go beyond the end of the packet body in
       autofs and SSH requests.

Michal Zidek (4):
    *  sssd_nss: Remove entries from memory cache if not found in sysdb
    *  tools: sss_userdel and groupdel remove entries from memory cache
    *  sss_cache: fqdn not accepted
    *  sss_userdel and sss_groupdel with use_fully_qualified_names

Ondrej Kos (4):
    *  PROXY: fix negative cache
    *  PROXY: fix groups caching
    *  LDAP: initialize refresh function handler
    *  SYSDB: Modify ghosts in permissive mode

Pavel Březina (22):
    *  sudo manpage: clarify that sudoHost may contain wildcards and not
       regular expression
    *  let krb5_kpasswd failover work
    *  sudo: don't get stuck in rules and smart refresh when offline
    *  sysdb_get_sudo_user_info() initialize attrs on declaration
    *  sudo: include primary group in user group list
    *  sudo: support generalized time format
    *  let ldap_chpass_uri failover work when using same hostname
    *  try primary server after retry_timeout + 1 seconds when switching
       to backup
    *  add sdap_sudo_schedule_refresh()
    *  check dp error in sdap_sudo_full_refresh_done()
    *  sudo: schedule another full refresh in short interval if the first fails
    *  sudo: do full refresh when data provider is back online
    *  let krb5_backup_kpasswd failover work
    *  memcache: add macro that validates record length
    *  explicit null dereferenced in sss_nss_mc_get_record()
    *  memcache: make MC_PTR_TO_SLOT() more readable
    *  sudo smart refresh: do not include usn in filter if no valid usn
       is known
    *  sudo smart refresh: fix debug message
    *  let ldap_backup_chpass_uri work
    *  fix backend callbacks: remove callback properly from dlist
    *  sudo responder: change num_rules type from size_t to uint32_t
    *  nested groups: fix group lookup hangs if member dn is incorrect

Simo Sorce (12):
    *  Add a macro to copy with barriers
    *  Allow mmap calls to gracefully return absent ctx
    *  sssd_pam: Cleanup requests cache on sbus reconnect
    *  responder_dp: Add timeout to side requests
    *  memberof: Prevent unneeded failure case
    *  sssd_nss: Plug memory leaks
    *  nss_mc: Add extra checks when dereferencing records
    *  Update free table when records are invalidated.
    *  Carefully check records when forcibly invalidating
    *  mmap cache: invalidate cache on fatal error
    *  Remove unused header
    *  Fix invalidating autofs maps

Sumit Bose (18):
    *  select_principal_from_keytab() look for plain input as well
    *  select_principal_from_keytab() do wildcard lookups after specific ones
    *  Fix a 'shadows a global declaration' warning
    *  Add default section to switch statement
    *  krb5 tgt renewal: fix usage of ldb_dn_get_component_val()
    *  Use struct pac_grp instead of gid_t for groups from PAC
    *  Add find_domain_by_id()
    *  IDMAP: add sss_idmap_smb_sid_to_unix()
    *  Update domain ID for local domain as well
    *  Always get user data from PAC
    *  Save domain and GID for groups from the configured domain
    *  Remote groups do not have an original DN attribute
    *  Read remote groups from PAC
    *  Translate LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS to EEXIST
    *  Use hash table to collect GIDs from PAC to avoid dups
    *  Add tests for get_gids_from_pac()
    *  PAC responder: check if existing user differs
    *  Refactor gid handling in the PAC responder

_______________________________________________
Freeipa-interest mailing list
Freeipa-interest@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest