RE: SASL 2.1.27 rc5

2017-10-10 Thread andy.shields


Please unsubscribe this email. Thank you.


Sent from my Verizon Wireless 4G LTE smartphone

 Original message 
From: Ken Murchison <mu...@fastmail.com> 
Date: 10/10/2017  4:59 AM  (GMT-08:00) 
To: cyrus-s...@lists.andrew.cmu.edu, cyrus-annou...@lists.andrew.cmu.edu, 
info-cy...@andrew.cmu.edu, "cyrus-de...@lists.andrew.cmu.edu cyrus-devel" 
<cyrus-de...@lists.andrew.cmu.edu> 
Subject: SASL 2.1.27 rc5 


All,
I have built a fourth release candidate of SASL 2.1.27 which can
  be downloaded from here:
HTTP:
http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc5.tar.gz [MD5:
0e4ab034e93933ae7e4891b6ff58694f]
http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc5.tar.gz.sig
[MD5: 5ebb22737aa11810f6c9e5d12b167f16]

FTP:
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc5.tar.gz
[MD5: 0e4ab034e93933ae7e4891b6ff58694f]
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc5.tar.gz.sig
[MD5: 5ebb22737aa11810f6c9e5d12b167f16]
Note that the distro has been signed by my colleague Partha Susarla
at FastMail.





The only major change since RC4 has to do with detection of PAM
support.  Those using PAM with saslauthd are encouraged to make sure
that this release compiles and runs as expected.




The (mostly) complete list of changes from 2.1.26 is this:

 * Added support for OpenSSL 1.1
 * Added support for lmdb (from Howard Chu)
 * Lots of build fixes (from Ignacio Casal Quinteiro and others)
 * Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting
   client mech
 * DIGEST-MD5 plugin:
 o Fixed memory leaks
 o Fixed a segfault when looking for non-existent reauth cache
 o Prevent client from going from step 3 back to step 2
 o Allow cmusaslsecretDIGEST-MD5 property to be disabled
 * GSSAPI plugin:
 o Added support for retrieving negotiated SSF
 o Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
 o Properly compute maxbufsize AFTER security layers have been set
 * SCRAM plugin:
 o Added support for SCRAM-SHA-256
 * LOGIN plugin:
 o Don’t prompt client for password until requested by server
 * NTLM plugin:
 o Fixed crash due to uninitialized HMAC context
 * saslauthd:
 o cache.c:
 + Don’t use cached credentials if timeout has expired
 + Fixed debug logging output
 o ipc_doors.c:
 + Fixed potential DoS attack (from Oracle)
 o ipc_unix.c:
 + Prevent premature closing of socket
 o auth_rimap.c:
 + Added support for LOGOUT command
 + Added support for unsolicited CAPABILITY responses in LOGIN
   reply
 + Properly detect end of responses (don’t needlessly wait)
 + Properly handle backslash in passwords
 o auth_httpform:
 + Fix off-by-one error in string termination
 + Added support for 204 success response
 o auth_krb5.c:
 + Added krb5_conv_krb4_instance option
 + Added more verbose error logging

At this point any major changes (e.g. API, wire protocol) will be
pushed out to 2.1.28 or 2.2.0.  I believe that this is close to
being a final release which I would like to get out by the end of
September.  



The biggest outstanding issues are those around recent GSSAPI
changes.  I'm inclined to defer to Alexey's judgement on these
unless someone can convince us that the SASL code is wrong per the
specs.  The fact that it broke a particular piece of code doesn't
necessarily mean that the application code is correct and the SASL
change was wrong.



If there are any other last minute show stoppers, please open an
issue on GitHub (preferably with a patch), or better yet create a
pull request.

-- 
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd
  
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

SASL 2.1.27 rc5

2017-10-10 Thread Ken Murchison

All,

I have built a fourth release candidate of SASL 2.1.27 which can be 
downloaded from here:


HTTP:
http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc5.tar.gz  [MD5:
0e4ab034e93933ae7e4891b6ff58694f]
http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc5.tar.gz.sig
[MD5: 5ebb22737aa11810f6c9e5d12b167f16]

FTP:
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc5.tar.gz
[MD5: 0e4ab034e93933ae7e4891b6ff58694f]
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc5.tar.gz.sig
[MD5: 5ebb22737aa11810f6c9e5d12b167f16]

Note that the distro has been signed by my colleague Partha Susarla at 
FastMail.



The only major change since RC4 has to do with detection of PAM 
support.  Those using PAM with saslauthd are encouraged to make sure 
that this release compiles and runs as expected.



The (mostly) complete list of changes from 2.1.26 is this:

 * Added support for OpenSSL 1.1
 * Added support for lmdb (from Howard Chu)
 * Lots of build fixes (from Ignacio Casal Quinteiro and others)
 * Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting
   client mech
 * DIGEST-MD5 plugin:
 o Fixed memory leaks
 o Fixed a segfault when looking for non-existent reauth cache
 o Prevent client from going from step 3 back to step 2
 o Allow cmusaslsecretDIGEST-MD5 property to be disabled
 * GSSAPI plugin:
 o Added support for retrieving negotiated SSF
 o Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
 o Properly compute maxbufsize AFTER security layers have been set
 * SCRAM plugin:
 o Added support for SCRAM-SHA-256
 * LOGIN plugin:
 o Don’t prompt client for password until requested by server
 * NTLM plugin:
 o Fixed crash due to uninitialized HMAC context
 * saslauthd:
 o cache.c:
 + Don’t use cached credentials if timeout has expired
 + Fixed debug logging output
 o ipc_doors.c:
 + Fixed potential DoS attack (from Oracle)
 o ipc_unix.c:
 + Prevent premature closing of socket
 o auth_rimap.c:
 + Added support for LOGOUT command
 + Added support for unsolicited CAPABILITY responses in LOGIN
   reply
 + Properly detect end of responses (don’t needlessly wait)
 + Properly handle backslash in passwords
 o auth_httpform:
 + Fix off-by-one error in string termination
 + Added support for 204 success response
 o auth_krb5.c:
 + Added krb5_conv_krb4_instance option
 + Added more verbose error logging



At this point any major changes (e.g. API, wire protocol) will be pushed 
out to 2.1.28 or 2.2.0.  I believe that this is close to being a final 
release which I would like to get out by the end of September.


The biggest outstanding issues are those around recent GSSAPI changes.  
I'm inclined to defer to Alexey's judgement on these unless someone can 
convince us that the SASL code is wrong per the specs.  The fact that it 
broke a particular piece of code doesn't necessarily mean that the 
application code is correct and the SASL change was wrong.


If there are any other last minute show stoppers, please open an issue 
on GitHub (preferably with a patch), or better yet create a pull request.


--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd

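The announcement publishes MD5 sums for the tarball and its detached signature and says the distro is signed. The script below is an added example, not part of the mail or of the Cyrus project: it checks both downloaded files against the published MD5 values and then runs `gpg --verify` on the detached signature. The hashes and file names are the ones from the announcement; the `md5_of`, `verify_md5` and `verify_release` function names are this example's own. An MD5 sum fetched from the same server as the tarball only catches corruption or a botched mirror, so the signature check is the step that actually ties the file to the signer; the mail gives no key id, so the signer's public key is assumed to already be in the local keyring.

```shell
#!/bin/sh
# Added example (not from the announcement or the Cyrus project): verify the
# SASL 2.1.27 rc5 artefacts against the MD5 sums published in the mail, then
# check the detached PGP signature.

# MD5 values as published in the announcement.
TARBALL_MD5="0e4ab034e93933ae7e4891b6ff58694f"
SIG_MD5="5ebb22737aa11810f6c9e5d12b167f16"

# md5_of FILE -> print the hex digest (md5sum on Linux, md5 -q on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED -> exit status 0 when the digest matches, 1 otherwise.
verify_md5() {
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# verify_release TARBALL SIG -> checksum both files, then verify the detached
# signature over the tarball. Assumes the signer's public key is already in
# the local gpg keyring (the mail does not publish a key id or fingerprint).
verify_release() {
    verify_md5 "$1" "$TARBALL_MD5" || { echo "tarball MD5 mismatch" >&2; return 1; }
    verify_md5 "$2" "$SIG_MD5"     || { echo "signature MD5 mismatch" >&2; return 1; }
    gpg --verify "$2" "$1"
}

# Usage: sh verify-sasl-rc5.sh run   (with both files in the current directory)
if [ "${1:-}" = "run" ]; then
    verify_release cyrus-sasl-2.1.27-rc5.tar.gz cyrus-sasl-2.1.27-rc5.tar.gz.sig
fi
```

`verify_md5` returns a plain exit status so it composes with `||` and `&&`; a mismatch on either file stops before `gpg` runs, so a truncated download is reported as a checksum problem rather than as a bad signature.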