SASL 2.1.27 rc7

Ken Murchison <murch@xxxxxxxxxxxx> · Mon, 5 Feb 2018 18:18:14 -0500



    All,
    I have built a seventh (and hopefully last) release candidate of
      SASL 2.1.27 which can be downloaded from here:
    HTTP:
 https://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc7.tar.gz
 https://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc7.tar.gz.sig

FTP:
 ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc7.tar.gz
 ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc7.tar.gz.sig


    The primary reason for this candidate is to test the latest GSSAPI
    changes.  I'd like to roll out the final release in about a week. 
    If not done by Feb 14, it will wait until Feb 21 when I return from
    vacation.

    
    The (mostly) complete list of changes from 2.1.26 are these:
    
      Added support for OpenSSL 1.1
      Added support for lmdb (from Howard Chu)
      Lots of build fixes (from Ignacio Casal Quinteiro and others)
      Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when
        selecting client mech
      DIGEST-MD5 plugin:
        
          Fixed memory leaks
          Fixed a segfault when looking for non-existent reauth
            cache
          Prevent client from going from step 3 back to step 2
          Allow cmusaslsecretDIGEST-MD5 property to be disabled
        
      
      GSSAPI plugin:
        
          Added support for retrieving negotiated SSF
          Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
          Properly compute maxbufsize AFTER security layers have
            been set
        
      
      SCRAM plugin:
        
          Added support for SCRAM-SHA-256
          Allow SCRAM-* to be used by HTTP

          
      LOGIN plugin:
        
          Don’t prompt client for password until requested by server
        
      
      NTLM plugin:
        
          Fixed crash due to uninitialized HMAC context
        
      
      saslauthd:
        
          cache.c:
            
              Don’t use cached credentials if timeout has expired
              Fixed debug logging output
            
          
          ipc_doors.c:
            
              Fixed potential DoS attack (from Oracle)
            
          
          ipc_unix.c:
            
              Prevent premature closing of socket
            
          
          auth_rimap.c:
            
              Added support LOGOUT command
              Added support for unsolicited CAPABILITY responses in
                LOGIN reply
              Properly detect end of responses (don’t needlessly
                wait)
              Properly handle backslash in passwords
            
          
          auth_httpform:
            
              Fix off-by-one error in string termination
              Added support for 204 success response
            
          
          auth_krb5.c:
            
              Added krb5_conv_krb4_instance option
              Added more verbose error logging
            
          
    At this point any major changes (e.g. API, wire protocol) will be
    pushed out to 2.1.28 or 2.2.0.

    
    -- 
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd