<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>We haven't had much, if any, feedback on this release candidate.</p>
<p>Do the GSSAPI/LDAP folks have any further comments on
<a class="moz-txt-link-freetext" href="https://github.com/cyrusimap/cyrus-sasl/issues/419">https://github.com/cyrusimap/cyrus-sasl/issues/419</a></p>
<p>I'd really like to make a final release by Christmas as promised,
but I also don't want to make a release that folks will have to
patch immediately.<br>
</p>
<br>
<div class="moz-cite-prefix">On 12/11/2017 08:01 AM, Ken Murchison
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ff3130ff-f9a5-2d59-c6f7-c89a843f231c@fastmail.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<p>All,</p>
<p>I have built a sixth (and hopefully last) release candidate of
SASL 2.1.27 which can be downloaded from here:</p>
<pre wrap="">HTTP:
<a class="moz-txt-link-freetext" href="http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc6.tar.gz" moz-do-not-send="true">http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc6.tar.gz</a>
<a class="moz-txt-link-freetext" href="http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc6.tar.gz.sig" moz-do-not-send="true">http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc6.tar.gz.sig</a>
FTP:
<a class="moz-txt-link-freetext" href="ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc6.tar.gz" moz-do-not-send="true">ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc6.tar.gz</a>
<a class="moz-txt-link-freetext" href="ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc6.tar.gz.sig" moz-do-not-send="true">ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc6.tar.gz.sig</a>
MD5 Sum:
cyrus-sasl-2.1.27-rc6.tar.gz : de083cc2e5c1cc3a1b88f7d85332a3ff
cyrus-sasl-2.1.27-rc6.tar.gz.sig: 868cc9f5feee63ca2bd91279f5ac043b
</pre>
<br>
Note that the distro has been signed by my colleague Partha
Susarla at FastMail.<br>
<br>
<br>
We didn't receive much feedback to Alexey's post on the
GSSAPI/LDAP issue, so hopefully this release candidate will
provoke some discussion leading to a resolution. As stated
previously, we would like to make a final release before
Christmas. If we have some last minute activity on the GSSAPI
issue or any other showstoppers, we could push the release back to
the end of the year as a last resort.<br>
<p><br>
</p>
<p>The (mostly) complete list of changes from 2.1.26 are these:</p>
<ul class="simple">
<li>Added support for OpenSSL 1.1</li>
<li>Added support for lmdb (from Howard Chu)</li>
<li>Lots of build fixes (from Ignacio Casal Quinteiro and
others)</li>
<li>Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when
selecting client mech</li>
<li>DIGEST-MD5 plugin:
<ul>
<li>Fixed memory leaks</li>
<li>Fixed a segfault when looking for non-existent reauth
cache</li>
<li>Prevent client from going from step 3 back to step 2</li>
<li>Allow cmusaslsecretDIGEST-MD5 property to be disabled</li>
</ul>
</li>
<li>GSSAPI plugin:
<ul>
<li>Added support for retrieving negotiated SSF</li>
<li>Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for
SSF</li>
<li>Properly compute maxbufsize AFTER security layers have
been set</li>
</ul>
</li>
<li>SCRAM plugin:
<ul>
<li>Added support for SCRAM-SHA-256</li>
<li>Allow SCRAM-* to be used by HTTP<br>
</li>
</ul>
</li>
<li>LOGIN plugin:
<ul>
<li>Don’t prompt client for password until requested by
server</li>
</ul>
</li>
<li>NTLM plugin:
<ul>
<li>Fixed crash due to uninitialized HMAC context</li>
</ul>
</li>
<li>saslauthd:
<ul>
<li>cache.c:
<ul>
<li>Don’t use cached credentials if timeout has expired</li>
<li>Fixed debug logging output</li>
</ul>
</li>
<li>ipc_doors.c:
<ul>
<li>Fixed potential DoS attack (from Oracle)</li>
</ul>
</li>
<li>ipc_unix.c:
<ul>
<li>Prevent premature closing of socket</li>
</ul>
</li>
<li>auth_rimap.c:
<ul>
<li>Added support LOGOUT command</li>
<li>Added support for unsolicited CAPABILITY responses
in LOGIN reply</li>
<li>Properly detect end of responses (don’t needlessly
wait)</li>
<li>Properly handle backslash in passwords</li>
</ul>
</li>
<li>auth_httpform:
<ul>
<li>Fix off-by-one error in string termination</li>
<li>Added support for 204 success response</li>
</ul>
</li>
<li>auth_krb5.c:
<ul>
<li>Added krb5_conv_krb4_instance option</li>
<li>Added more verbose error logging</li>
</ul>
</li>
</ul>
</li>
</ul>
<p> </p>
<br>
<br>
At this point any major changes (e.g. API, wire protocol) will be
pushed out to 2.1.28 or 2.2.0. I believe that this is close to
being a final release which I would like to get out by the end of
December.<br>
<br>
<pre class="moz-signature" cols="72">--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd
</pre>
</body>
</html>