Hello,

I took this snapshot through our testing and I did not notice any significant problem. Is there anything more needed for this to get released?

Regards,
Jakub

On Mon, 2017-12-11 at 08:01 -0500, Ken Murchison wrote:
> All,
>
> I have built a sixth (and hopefully last) release candidate of SASL
> 2.1.27 which can be downloaded from here:
>
> HTTP:
> http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc6.tar.gz
> http://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc6.tar.gz.sig
>
> FTP:
> ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc6.tar.gz
> ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc6.tar.gz.sig
>
> MD5 Sum:
> cyrus-sasl-2.1.27-rc6.tar.gz    : de083cc2e5c1cc3a1b88f7d85332a3ff
> cyrus-sasl-2.1.27-rc6.tar.gz.sig: 868cc9f5feee63ca2bd91279f5ac043b
>
>
> Note that the distro has been signed by my colleague Partha Susarla at
> FastMail.
>
>
> We didn't receive much feedback to Alexey's post on the GSSAPI/LDAP
> issue, so hopefully this release candidate will provoke some discussion
> leading to a resolution. As stated previously, we would like to make a
> final release before Christmas. If we have some last minute activity on
> the GSSAPI issue or any other showstoppers, we could push the release
> back to the end of the year as a last resort.
>
>
> The (mostly) complete list of changes from 2.1.26 are these:
>
>   * Added support for OpenSSL 1.1
>   * Added support for lmdb (from Howard Chu)
>   * Lots of build fixes (from Ignacio Casal Quinteiro and others)
>   * Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting
>     client mech
>   * DIGEST-MD5 plugin:
>       o Fixed memory leaks
>       o Fixed a segfault when looking for non-existent reauth cache
>       o Prevent client from going from step 3 back to step 2
>       o Allow cmusaslsecretDIGEST-MD5 property to be disabled
>   * GSSAPI plugin:
>       o Added support for retrieving negotiated SSF
>       o Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
>       o Properly compute maxbufsize AFTER security layers have been set
>   * SCRAM plugin:
>       o Added support for SCRAM-SHA-256
>       o Allow SCRAM-* to be used by HTTP
>   * LOGIN plugin:
>       o Don’t prompt client for password until requested by server
>   * NTLM plugin:
>       o Fixed crash due to uninitialized HMAC context
>   * saslauthd:
>       o cache.c:
>           + Don’t use cached credentials if timeout has expired
>           + Fixed debug logging output
>       o ipc_doors.c:
>           + Fixed potential DoS attack (from Oracle)
>       o ipc_unix.c:
>           + Prevent premature closing of socket
>       o auth_rimap.c:
>           + Added support for LOGOUT command
>           + Added support for unsolicited CAPABILITY responses in LOGIN
>             reply
>           + Properly detect end of responses (don’t needlessly wait)
>           + Properly handle backslash in passwords
>       o auth_httpform:
>           + Fix off-by-one error in string termination
>           + Added support for 204 success response
>       o auth_krb5.c:
>           + Added krb5_conv_krb4_instance option
>           + Added more verbose error logging
>
>
>
> At this point any major changes (e.g. API, wire protocol) will be pushed
> out to 2.1.28 or 2.2.0. I believe that this is close to being a final
> release which I would like to get out by the end of December.
>
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.