SASL 2.1.27 rc4

Ken Murchison <murch@xxxxxxxxxxxx> · Mon, 11 Sep 2017 09:58:55 -0400



    All,
    I have built a fourth release candidate of SASL 2.1.27 which can
      be downloaded from here:
    https://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc4.tar.gz
https://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc4.tar.gz.sig

ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc4.tar.gz
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc4.tar.gz.sig

    Note that the distro has been signed by my colleague Partha
      Susarla at FastMail.
    

    The (mostly) complete list of changes from 2.1.26 are these:
    
      Added support for OpenSSL 1.1
      Added support for lmdb (from Howard Chu)
      Lots of build fixes (from Ignacio Casal Quinteiro and others)
      Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when
        selecting client mech
      DIGEST-MD5 plugin:
        
          Fixed memory leaks
          Fixed a segfault when looking for non-existent reauth
            cache
          Prevent client from going from step 3 back to step 2
          Allow cmusaslsecretDIGEST-MD5 property to be disabled
        
      
      GSSAPI plugin:
        
          Added support for retrieving negotiated SSF
          Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
          Properly compute maxbufsize AFTER security layers have
            been set
        
      
      SCRAM plugin:
        
          Added support for SCRAM-SHA-256
        
      
      LOGIN plugin:
        
          Don’t prompt client for password until requested by server
        
      
      NTLM plugin:
        
          Fixed crash due to uninitialized HMAC context
        
      
      saslauthd:
        
          cache.c:
            
              Don’t use cached credentials if timeout has expired
              Fixed debug logging output
            
          
          ipc_doors.c:
            
              Fixed potential DoS attack (from Oracle)
            
          
          ipc_unix.c:
            
              Prevent premature closing of socket
            
          
          auth_rimap.c:
            
              Added support LOGOUT command
              Added support for unsolicited CAPABILITY responses in
                LOGIN reply
              Properly detect end of responses (don’t needlessly
                wait)
              Properly handle backslash in passwords
            
          
          auth_httpform:
            
              Fix off-by-one error in string termination
              Added support for 204 success response
            
          
          auth_krb5.c:
            
              Added krb5_conv_krb4_instance option
              Added more verbose error logging
            
          
    At this point any major changes (e.g. API, wire protocol) will be
    pushed out to 2.1.28 or 2.2.0.  I believe that this is close to
    being a final release which I would like to get out by the end of
    September.  

    
    The biggest outstanding issues are those around recent GSSAPI
    changes.  I'm inclined to defer to Alexey's judgement on these
    unless someone can convince us that the SASL code is wrong per the
    specs.  The fact that it broke a particular piece of code doesn't
    necessarily mean that the application code is correct and the SASL
    change was wrong.

    
    If there are any other last minute show stoppers, please open an
    issue on GitHub (preferably with a patch), or better yet create a
    pull request.

    -- 
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd
  

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus