SASL 2.1.27 rc6

Ken Murchison murch at fastmail.com
Mon Jan 8 09:50:41 EST 2018


Waiting on some last minute GSSAPI testing to be done.



On 01/08/2018 09:48 AM, Jakub Jelen wrote:
> Hello,
> I took this snapshot through our testing and I did not notice any
> significant problem.
>
> Is there anything more needed for this to get released?
>
> Regards,
> Jakub
>
> On Mon, 2017-12-11 at 08:01 -0500, Ken Murchison wrote:
>> All,
>>
>> I have built a sixth (and hopefully last) release candidate of SASL
>> 2.1.27 which can be downloaded from here:
>>
>> HTTP:
>>    http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc6.tar.gz
>>    http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc6.tar.gz.sig
>>
>> FTP:
>>    ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc6.tar.gz
>>    ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc6.tar.gz.sig
>>
>> MD5 Sum:
>> cyrus-sasl-2.1.27-rc6.tar.gz : de083cc2e5c1cc3a1b88f7d85332a3ff
>> cyrus-sasl-2.1.27-rc6.tar.gz.sig: 868cc9f5feee63ca2bd91279f5ac043b
>>
>>
>> Note that the distro has been signed by my colleague Partha Susarla at
>> FastMail.
>>
>>
>> We didn't receive much feedback to Alexey's post on the GSSAPI/LDAP
>> issue, so hopefully this release candidate will provoke some discussion
>> leading to a resolution.  As stated previously, we would like to make a
>> final release before Christmas.  If we have some last minute activity on
>> the GSSAPI issue or any other showstoppers, we could push the release
>> back to the end of the year as a last resort.
>>
>>
>> The (mostly) complete list of changes from 2.1.26 are these:
>>
>>    * Added support for OpenSSL 1.1
>>    * Added support for lmdb (from Howard Chu)
>>    * Lots of build fixes (from Ignacio Casal Quinteiro and others)
>>    * Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting
>>      client mech
>>    * DIGEST-MD5 plugin:
>>        o Fixed memory leaks
>>        o Fixed a segfault when looking for non-existent reauth cache
>>        o Prevent client from going from step 3 back to step 2
>>        o Allow cmusaslsecretDIGEST-MD5 property to be disabled
>>    * GSSAPI plugin:
>>        o Added support for retrieving negotiated SSF
>>        o Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
>>        o Properly compute maxbufsize AFTER security layers have been set
>>    * SCRAM plugin:
>>        o Added support for SCRAM-SHA-256
>>        o Allow SCRAM-* to be used by HTTP
>>    * LOGIN plugin:
>>        o Don’t prompt client for password until requested by server
>>    * NTLM plugin:
>>        o Fixed crash due to uninitialized HMAC context
>>    * saslauthd:
>>        o cache.c:
>>            + Don’t use cached credentials if timeout has expired
>>            + Fixed debug logging output
>>        o ipc_doors.c:
>>            + Fixed potential DoS attack (from Oracle)
>>        o ipc_unix.c:
>>            + Prevent premature closing of socket
>>        o auth_rimap.c:
>>            + Added support for LOGOUT command
>>            + Added support for unsolicited CAPABILITY responses in LOGIN
>>              reply
>>            + Properly detect end of responses (don’t needlessly wait)
>>            + Properly handle backslash in passwords
>>        o auth_httpform:
>>            + Fix off-by-one error in string termination
>>            + Added support for 204 success response
>>        o auth_krb5.c:
>>            + Added krb5_conv_krb4_instance option
>>            + Added more verbose error logging
>>
>>
>>
>> At this point any major changes (e.g. API, wire protocol) will be pushed
>> out to 2.1.28 or 2.2.0.  I believe that this is close to being a final
>> release which I would like to get out by the end of December.
>>

-- 
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd


