This is to announce gsasl-2.2.3, a stable release.

GNU SASL is a modern C library that implements the network security
protocol Simple Authentication and Security Layer (SASL).  The framework
itself and a couple of common SASL mechanisms are implemented.  GNU SASL
can be used by network applications for IMAP, SMTP, XMPP and other
protocols to provide authentication services.  Supported mechanisms
include CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID,
DIGEST-MD5, SCRAM-SHA-1(-PLUS), SCRAM-SHA-256(-PLUS), GS2-KRB5, SAML20,
OPENID20, LOGIN, and NTLM.

There have been 23 commits by 4 people in the 58 weeks since 2.2.2.

See the NEWS below for a brief summary.

Thanks to everyone who has contributed!
The following people contributed changes to this release:

  Noah Meyerhans (1)
  Richard Biener (2)
  Simon Josefsson (19)
  zhangph (1)

Happy Hacking,
Simon [on behalf of the gsasl maintainers]
==================================================================

Here is the GNU gsasl home page:
  https://www.gnu.org/software/gsasl/

Manual:
  https://www.gnu.org/software/gsasl/manual/
  https://www.gnu.org/software/gsasl/manual/gsasl.html - HTML format
  https://www.gnu.org/software/gsasl/manual/gsasl.pdf - PDF format

API Reference manual:
  https://www.gnu.org/software/gsasl/reference/ - GTK-DOC HTML

Doxygen documentation:
  https://www.gnu.org/software/gsasl/doxygen/ - HTML format
  https://www.gnu.org/software/gsasl/doxygen/gsasl.pdf - PDF format

For development snapshot QA analysis see:
  https://gsasl.gitlab.io/gsasl/coverage/
  https://gsasl.gitlab.io/gsasl/cyclo/
  https://gsasl.gitlab.io/gsasl/clang-analyzer/

If you need help to use GNU SASL, or want to help others, you are
invited to join our help-gsasl mailing list, see:
  https://lists.gnu.org/mailman/listinfo/help-gsasl

Here are the compressed sources and a GPG detached signature:
  https://ftp.gnu.org/gnu/gsasl/gsasl-2.2.3.tar.gz
  https://ftp.gnu.org/gnu/gsasl/gsasl-2.2.3.tar.gz.sig

Here are minimal source-only "git archive" sources:
  https://ftp.gnu.org/gnu/gsasl/gsasl-v2.2.3-src.tar.gz
  https://ftp.gnu.org/gnu/gsasl/gsasl-v2.2.3-src.tar.gz.sig

Here are Sigsum Proofs:
  https://ftp.gnu.org/gnu/gsasl/gsasl-2.2.3.tar.gz.proof
  https://ftp.gnu.org/gnu/gsasl/gsasl-v2.2.3-src.tar.gz.proof

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA256 and SHA3-256 checksums:

  SHA256 (gsasl-2.2.3.tar.gz) = /uNsZqwS0y078pp7Na2PREt5lv42m52l02/WrmScaOs=
  SHA3-256 (gsasl-2.2.3.tar.gz) = KwZ75xrgg346VStrlZlLKFVdIMDxmH8f4ulhYOfovNA=

  SHA256 (gsasl-v2.2.3-src.tar.gz) = UZ1rp6doeclbvVGAw5v54CeEHVqimGcUPqGTYK2e8HY=
  SHA3-256 (gsasl-v2.2.3-src.tar.gz) = wszDHNgEvAzjzSP7KRZW+P0O2WuZTDnp9mM7xw3muE0=

Verify the base64 SHA256 checksum with 'cksum -a sha256 --check'
from coreutils-9.2 or OpenBSD's cksum since 2007.

Verify the base64 SHA3-256 checksum with 'cksum -a sha3 --check'
from coreutils-9.8.
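
On a system whose cksum cannot check base64 digests, the SHA256 lines above can still be checked by decoding the base64 value to hex and comparing it with sha256sum output.  The script below is an added example, not part of the gsasl announcement or tooling; the function names are hypothetical and it assumes a GNU-style 'base64 -d', od, sed and sha256sum.  SHA3-256 lines are reported as unsupported rather than skipped silently.

```shell
#!/bin/sh
# Added example (not from the gsasl project): check one BSD-style tagged
# checksum line of the form "SHA256 (FILE) = BASE64".

# b64_to_hex BASE64: print the decoded bytes as lowercase hex.
b64_to_hex() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# check_tagged_line LINE [DIR]
# Returns 0 on match, 1 on mismatch or missing file,
# 2 on a malformed line or an algorithm this script cannot check.
check_tagged_line() {
    line=$1
    dir=${2:-.}
    re='^ *\([A-Z0-9-]*\) (\(.*\)) = \([A-Za-z0-9+/=]*\) *$'
    algo=$(printf '%s\n' "$line" | sed -n "s|$re|\\1|p")
    file=$(printf '%s\n' "$line" | sed -n "s|$re|\\2|p")
    b64=$(printf '%s\n' "$line" | sed -n "s|$re|\\3|p")

    # Only SHA256 is handled here; anything else is an explicit failure.
    [ "$algo" = "SHA256" ] || return 2

    # The line is untrusted input: refuse names that leave DIR.
    case "$file" in
        ''|*/*) return 2 ;;
    esac

    # A SHA-256 digest is 32 bytes, i.e. 64 hex characters.
    want=$(b64_to_hex "$b64")
    [ "${#want}" -eq 64 ] || return 2

    [ -f "$dir/$file" ] || return 1
    got=$(sha256sum < "$dir/$file" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Usage, with the line copied from the announcement and the tarball
# in the current directory:
#   check_tagged_line 'SHA256 (gsasl-2.2.3.tar.gz) = <base64 value>' .
```

A checksum copied from the same place as the tarball only detects corruption; the .sig and .proof checks described below are what tie the file to the maintainers' keys.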

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify gsasl-2.2.3.tar.gz.sig

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --recv-keys 51722B08FE4745A2

  wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=gsasl&download=1' |
    gpg --import -

As a last resort to find the key, you can try the official GNU
keyring:

  wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify gsasl-2.2.3.tar.gz.sig

Use the .proof files to verify the Sigsum proof.  These files are like
signatures but with extra transparency: you can cryptographically verify
that every signature is logged in a public append-only log, so you can
say with confidence what signatures exist.  This makes hidden releases
no longer deniable for the same public key.

Releases are Sigsum-signed with the following public key:

  cat <<EOF > gsasl-sigsum-key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzCFcHHrKzVSPDDarZPYqn89H5TPaxwcORgRg+4DagE
EOF

Run a command like this to verify downloaded artifacts:

  sigsum-verify -k gsasl-sigsum-key.pub -P sigsum-generic-2025-1 \
        gsasl-2.2.3.tar.gz.proof < gsasl-2.2.3.tar.gz

You may learn more about Sigsum concepts and find instructions on how to
download the tools here: https://www.sigsum.org/getting-started/

This release is based on the gsasl git repository, available as

  git clone https://https.git.savannah.gnu.org/git/gsasl.git

with commit 727eb89e5b779ce831c38b805a7710df65298325 tagged as v2.2.3.

For a summary of changes and contributors, see:

  https://gitweb.git.savannah.gnu.org/gitweb/?p=gsasl.git;a=shortlog;h=v2.2.3

or run this command from a git-cloned gsasl directory:

  git shortlog v2.2.2..v2.2.3

This release was bootstrapped with the following tools:
  Gnulib 2026-04-29 aa527567a732fbb36d21d576fcd1a2c8486c812d
  Autoconf 2.72
  Automake 1.17
  Libtoolize 2.4.7
  Make 4.4.1
  Makeinfo 7.1.1
  Help2man 1.49.2
  Gperf 3.3
  Gengetopt 2.23
  Gtkdocize 1.34.0
  Tar 1.35
  Gzip 1.14
  Guix 1.5.0rc1

NEWS

* Noteworthy changes in release 2.2.3 (2026-05-13) [stable]

** DIGEST-MD5: Fix NULL pointer dereference in parser.
The code can be reached without authentication, in both client and
server.  Report and fix by zhangph <[email protected]> in
<https://lists.gnu.org/archive/html/help-gsasl/2026-05/msg00000.html>.

** Support Dovecot 2.3 and 2.4 in tests/gsasl-dovecot-gssapi.sh.

** Update gnulib files and various minor fixes.
