SASL 2.1.27 rc6
Ken Murchison
murch at fastmail.com
Mon Jan 8 09:50:41 EST 2018
Waiting on some last minute GSSAPI testing to be done.
On 01/08/2018 09:48 AM, Jakub Jelen wrote:
> Hello,
> I took this snapshot through our testing and I did not notice any
> significant problem.
>
> Is there anything more needed for this to get released?
>
> Regards,
> Jakub
>
> On Mon, 2017-12-11 at 08:01 -0500, Ken Murchison wrote:
>> All,
>>
>> I have built a sixth (and hopefully last) release candidate of SASL
>> 2.1.27 which can be downloaded from here:
>>
>> HTTP:
>> http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc6.tar.gz
>> http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc6.tar.gz.sig
>>
>> FTP:
>> ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc6.tar.gz
>> ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc6.tar.gz.sig
>>
>> MD5 Sum:
>> cyrus-sasl-2.1.27-rc6.tar.gz : de083cc2e5c1cc3a1b88f7d85332a3ff
>> cyrus-sasl-2.1.27-rc6.tar.gz.sig: 868cc9f5feee63ca2bd91279f5ac043b
>>
>>
>> Note that the distro has been signed by my colleague Partha Susarla at
>> FastMail.
>>
>>
>> We didn't receive much feedback to Alexey's post on the GSSAPI/LDAP
>> issue, so hopefully this release candidate will provoke some discussion
>> leading to a resolution. As stated previously, we would like to make a
>> final release before Christmas. If we have some last minute activity on
>> the GSSAPI issue or any other showstoppers, we could push the release
>> back to the end of the year as a last resort.
>>
>>
>> The (mostly) complete list of changes from 2.1.26 are these:
>>
>>   * Added support for OpenSSL 1.1
>>   * Added support for lmdb (from Howard Chu)
>>   * Lots of build fixes (from Ignacio Casal Quinteiro and others)
>>   * Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting
>>     client mech
>>   * DIGEST-MD5 plugin:
>>       o Fixed memory leaks
>>       o Fixed a segfault when looking for non-existent reauth cache
>>       o Prevent client from going from step 3 back to step 2
>>       o Allow cmusaslsecretDIGEST-MD5 property to be disabled
>>   * GSSAPI plugin:
>>       o Added support for retrieving negotiated SSF
>>       o Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
>>       o Properly compute maxbufsize AFTER security layers have been set
>>   * SCRAM plugin:
>>       o Added support for SCRAM-SHA-256
>>       o Allow SCRAM-* to be used by HTTP
>>   * LOGIN plugin:
>>       o Don’t prompt client for password until requested by server
>>   * NTLM plugin:
>>       o Fixed crash due to uninitialized HMAC context
>>   * saslauthd:
>>       o cache.c:
>>           + Don’t use cached credentials if timeout has expired
>>           + Fixed debug logging output
>>       o ipc_doors.c:
>>           + Fixed potential DoS attack (from Oracle)
>>       o ipc_unix.c:
>>           + Prevent premature closing of socket
>>       o auth_rimap.c:
>>           + Added support for LOGOUT command
>>           + Added support for unsolicited CAPABILITY responses in LOGIN
>>             reply
>>           + Properly detect end of responses (don’t needlessly wait)
>>           + Properly handle backslash in passwords
>>       o auth_httpform:
>>           + Fix off-by-one error in string termination
>>           + Added support for 204 success response
>>       o auth_krb5.c:
>>           + Added krb5_conv_krb4_instance option
>>           + Added more verbose error logging
>>
>>
>> At this point any major changes (e.g. API, wire protocol) will be pushed
>> out to 2.1.28 or 2.2.0. I believe that this is close to being a final
>> release which I would like to get out by the end of December.
>>
--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd