SASL 2.1.27 rc5

Ken Murchison murch at fastmail.com
Mon Nov 27 08:03:16 EST 2017


Alexey and I had a Google hangout conversation last week and we are 
committed to resolving the GSSAPI issue(s) and any other non-invasive 
issues/pull-requests within the next month. Probably one more 
(short-lived) release candidate with the final 2.1.27 released by Christmas.

Please update any existing issues that you feel are critical to the 
2.1.27 release.


On 10/10/2017 07:59 AM, Ken Murchison wrote:
>
> All,
>
> I have built a fourth release candidate of SASL 2.1.27 which can be 
> downloaded from here:
>
> HTTP:
>      http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc5.tar.gz
>      [MD5: 0e4ab034e93933ae7e4891b6ff58694f]
>      http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc5.tar.gz.sig
>      [MD5: 5ebb22737aa11810f6c9e5d12b167f16]
>
> FTP:
>      ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc5.tar.gz
>      [MD5: 0e4ab034e93933ae7e4891b6ff58694f]
>      ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc5.tar.gz.sig
>      [MD5: 5ebb22737aa11810f6c9e5d12b167f16]
>
> Note that the distro has been signed by my colleague Partha Susarla at 
> FastMail.
>
>
> The only major change since RC4 has to do with detection of PAM 
> support.  Those using PAM with saslauthd are encouraged to make sure 
> that this release compiles and runs as expected.
>
>
> The (mostly) complete list of changes from 2.1.26 is this:
>
>   * Added support for OpenSSL 1.1
>   * Added support for lmdb (from Howard Chu)
>   * Lots of build fixes (from Ignacio Casal Quinteiro and others)
>   * Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when
>     selecting client mech
>   * DIGEST-MD5 plugin:
>       o Fixed memory leaks
>       o Fixed a segfault when looking for non-existent reauth cache
>       o Prevent client from going from step 3 back to step 2
>       o Allow cmusaslsecretDIGEST-MD5 property to be disabled
>   * GSSAPI plugin:
>       o Added support for retrieving negotiated SSF
>       o Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
>       o Properly compute maxbufsize AFTER security layers have been set
>   * SCRAM plugin:
>       o Added support for SCRAM-SHA-256
>   * LOGIN plugin:
>       o Don’t prompt client for password until requested by server
>   * NTLM plugin:
>       o Fixed crash due to uninitialized HMAC context
>   * saslauthd:
>       o cache.c:
>           + Don’t use cached credentials if timeout has expired
>           + Fixed debug logging output
>       o ipc_doors.c:
>           + Fixed potential DoS attack (from Oracle)
>       o ipc_unix.c:
>           + Prevent premature closing of socket
>       o auth_rimap.c:
>           + Added support for LOGOUT command
>           + Added support for unsolicited CAPABILITY responses in
>             LOGIN reply
>           + Properly detect end of responses (don’t needlessly wait)
>           + Properly handle backslash in passwords
>       o auth_httpform:
>           + Fix off-by-one error in string termination
>           + Added support for 204 success response
>       o auth_krb5.c:
>           + Added krb5_conv_krb4_instance option
>           + Added more verbose error logging
>
>
>
> At this point any major changes (e.g. API, wire protocol) will be 
> pushed out to 2.1.28 or 2.2.0.  I believe that this is close to being 
> a final release which I would like to get out by the end of September.
>
> The biggest outstanding issues are those around recent GSSAPI 
> changes.  I'm inclined to defer to Alexey's judgement on these unless 
> someone can convince us that the SASL code is wrong per the specs.  
> The fact that it broke a particular piece of code doesn't necessarily 
> mean that the application code is correct and the SASL change was wrong.
>
> If there are any other last minute show stoppers, please open an issue 
> on GitHub (preferably with a patch), or better yet create a pull request.
> -- 
> Kenneth Murchison
> Cyrus Development Team
> FastMail Pty Ltd

-- 
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd
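
As an added example (not Cyrus SASL code and not part of this thread), the SCRAM-SHA-256 exchange that 2.1.27 adds, implemented in pure Python against RFC 5802 and RFC 7677 with the RFC 7677 section 3 test vector (user "user", password "pencil", fixed nonces and salt) as constructed input. It shows why the changelog ranks SCRAM above PLAIN: the password never crosses the wire, the server stores only the salted verifier (StoredKey/ServerKey), each side checks that the other's nonce extends its own, and the client verifies the server's signature before trusting the session. The nonces are fixed so the four messages reproduce the RFC's; real code draws them from os.urandom(). The class and function names are this example's own.

```python
"""SCRAM-SHA-256 client/server exchange (RFC 5802 + RFC 7677), pure Python.

Added example, not Cyrus SASL code.  Channel binding is not negotiated
("n,," in client-first, "c=biws" in client-final), matching RFC 7677's
example.  Nonces and salt are fixed so the messages reproduce the RFC
test vector; production code must draw them from os.urandom().
"""
import base64
import hashlib
import hmac

HASH = "sha256"


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _parse(msg: str) -> dict:
    # "k=v,k=v" -> {k: v}; base64 values may contain '=', so split once.
    return dict(part.split("=", 1) for part in msg.split(","))


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-256 as the PRF, one block.
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)


class Server:
    """Holds only the verifier (salt, StoredKey, ServerKey), never the password."""

    def __init__(self, username, password, salt, iterations, nonce_suffix):
        sp = salted_password(password, salt, iterations)
        self.username, self.salt, self.iterations = username, salt, iterations
        self.stored_key = _h(_hmac(sp, b"Client Key"))
        self.server_key = _hmac(sp, b"Server Key")
        self.nonce_suffix = nonce_suffix  # fixed here for the test vector

    def first(self, client_first: str) -> str:
        self.client_first_bare = client_first[len("n,,"):]
        attrs = _parse(self.client_first_bare)
        if attrs["n"] != self.username:
            raise PermissionError("unknown user")
        self.nonce = attrs["r"] + self.nonce_suffix
        self.server_first = "r=%s,s=%s,i=%d" % (self.nonce, _b64(self.salt), self.iterations)
        return self.server_first

    def final(self, client_final: str) -> str:
        attrs = _parse(client_final)
        if attrs["r"] != self.nonce:
            raise PermissionError("nonce mismatch (replay or splice)")
        without_proof = client_final[: client_final.rfind(",p=")]
        auth_msg = ",".join([self.client_first_bare, self.server_first, without_proof]).encode()
        client_sig = _hmac(self.stored_key, auth_msg)
        # ClientKey = ClientProof XOR ClientSignature; H(ClientKey) must equal StoredKey.
        client_key = _xor(base64.b64decode(attrs["p"]), client_sig)
        if not hmac.compare_digest(_h(client_key), self.stored_key):
            raise PermissionError("bad client proof")
        return "v=" + _b64(_hmac(self.server_key, auth_msg))


class Client:
    def __init__(self, username, password, nonce):
        self.username, self.password, self.nonce = username, password, nonce

    def first(self) -> str:
        self.first_bare = "n=%s,r=%s" % (self.username, self.nonce)
        return "n,," + self.first_bare

    def final(self, server_first: str) -> str:
        attrs = _parse(server_first)
        if not attrs["r"].startswith(self.nonce):
            raise PermissionError("server nonce does not extend ours")
        sp = salted_password(self.password, base64.b64decode(attrs["s"]), int(attrs["i"]))
        client_key = _hmac(sp, b"Client Key")
        without_proof = "c=biws,r=" + attrs["r"]  # c=biws is base64("n,,")
        auth_msg = ",".join([self.first_bare, server_first, without_proof]).encode()
        client_sig = _hmac(_h(client_key), auth_msg)
        self.expected_server_sig = _hmac(_hmac(sp, b"Server Key"), auth_msg)
        return without_proof + ",p=" + _b64(_xor(client_key, client_sig))

    def verify(self, server_final: str) -> bool:
        # Mutual auth: a server that never held the verifier cannot produce this.
        return hmac.compare_digest(base64.b64decode(_parse(server_final)["v"]),
                                   self.expected_server_sig)


def run_exchange(client_password="pencil", server_password="pencil"):
    # Constructed inputs: the RFC 7677 section 3 test vector.
    salt = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")
    server = Server("user", server_password, salt, 4096, "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0")
    client = Client("user", client_password, "rOprNGfwEbeRWgbNEkqO")
    c1 = client.first()
    s1 = server.first(c1)
    c2 = client.final(s1)
    s2 = server.final(c2)  # raises PermissionError on a bad proof
    return c1, s1, c2, s2, client.verify(s2)


if __name__ == "__main__":
    for line in run_exchange()[:4]:
        print(line)
```

Running it prints the four messages of the RFC 7677 example; calling run_exchange(client_password="pencils") raises PermissionError from the server's proof check, and a server holding a verifier for a different password would fail the client's verify() step instead.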
