Hey Ken,
would be great to get this patch in as well: https://github.com/cyrusimap/cyrus-sasl/pull/503
On Tue, Feb 6, 2018 at 12:18 AM, Ken Murchison <murch@xxxxxxxxxxxx> wrote:
All,
I have built a seventh (and hopefully last) release candidate of SASL 2.1.27 which can be downloaded from here:
HTTP:
https://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc7.tar.gz
https://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc7.tar.gz.sig
FTP:
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc7.tar.gz
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc7.tar.gz.sig
The primary reason for this candidate is to test the latest GSSAPI changes. I'd like to roll out the final release in about a week. If not done by Feb 14, it will wait until Feb 21 when I return from vacation.
The (mostly) complete list of changes from 2.1.26 are these:
- Added support for OpenSSL 1.1
- Added support for lmdb (from Howard Chu)
- Lots of build fixes (from Ignacio Casal Quinteiro and others)
- Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting client mech
- DIGEST-MD5 plugin:
  - Fixed memory leaks
  - Fixed a segfault when looking for non-existent reauth cache
  - Prevent client from going from step 3 back to step 2
  - Allow cmusaslsecretDIGEST-MD5 property to be disabled
- GSSAPI plugin:
  - Added support for retrieving negotiated SSF
  - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
  - Properly compute maxbufsize AFTER security layers have been set
- SCRAM plugin:
  - Added support for SCRAM-SHA-256
  - Allow SCRAM-* to be used by HTTP
- LOGIN plugin:
  - Don’t prompt client for password until requested by server
- NTLM plugin:
  - Fixed crash due to uninitialized HMAC context
- saslauthd:
  - cache.c:
    - Don’t use cached credentials if timeout has expired
    - Fixed debug logging output
  - ipc_doors.c:
    - Fixed potential DoS attack (from Oracle)
  - ipc_unix.c:
    - Prevent premature closing of socket
  - auth_rimap.c:
    - Added support for LOGOUT command
    - Added support for unsolicited CAPABILITY responses in LOGIN reply
    - Properly detect end of responses (don’t needlessly wait)
    - Properly handle backslash in passwords
  - auth_httpform:
    - Fix off-by-one error in string termination
    - Added support for 204 success response
  - auth_krb5.c:
    - Added krb5_conv_krb4_instance option
    - Added more verbose error logging
At this point any major changes (e.g. API, wire protocol) will be pushed out to 2.1.28 or 2.2.0.
--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd
--
Ignacio Casal Quinteiro