Hello community, here is the log from the commit of package sssd for openSUSE:Factory checked in at 2017-10-27 13:47:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sssd (Old) and /work/SRC/openSUSE:Factory/.sssd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "sssd" Fri Oct 27 13:47:11 2017 rev:84 rq:536521 version:1.16.0 Changes: -------- --- /work/SRC/openSUSE:Factory/sssd/sssd.changes 2017-03-18 20:49:30.170783904 +0100 +++ /work/SRC/openSUSE:Factory/.sssd.new/sssd.changes 2017-10-27 13:47:14.827769244 +0200 
@@ -1,0 +2,70 @@ +Mon Oct 23 16:31:54 UTC 2017 - michael@stroeder.com + +- Update to new upstream release 1.16.0 + +Security fixes + * This release fixes CVE-2017-12173: Unsanitized input when searching in + local cache database. SSSD stores its cached data in an LDAP like local + database file using libldb. To lookup cached data LDAP search filters + like (objectClass=user)(name=user_name) are used. However, in + sysdb_search_user_by_upn_res(), the input was not sanitized and + allowed to manipulate the search filter for cache lookups. This would + allow a logged in user to discover the password hash of a different user. + +New Features + * SSSD now supports session recording configuration through tlog. This + feature enables recording of everything specific users see or type + during their sessions on a text terminal. For more information, see + the sssd-session-recording(5) manual page. + * SSSD can act as a client agent to deliver + Fleet Commander https://wiki.gnome.org/Projects/FleetCommander + policies defined on an IPA server. Fleet Commander provides a + configuration management interface that is controlled centrally and + that covers desktop, applications and network configuration. + * Several new systemtap https://sourceware.org/systemtap/ probes + were added into various locations in SSSD code to assist in + troubleshooting and analyzing performance related issues. Please see the + sssd-systemtap(5) manual page for more information. + * A new LDAP provide access control mechanism that allows to restrict + access based on PAM's rhost data field was added. For more details, + please consult the sssd-ldap(5) manual page, in particular the + options ldap_user_authorized_rhost and the rhost value of + ldap_access_filter. 
+ +------------------------------------------------------------------- +Tue Jul 25 15:46:23 UTC 2017 - michael@stroeder.com + +- Update to new upstream release 1.15.3 (KCM disabled) + +New Features + * In a setup where an IPA domain trusts an Active Directory domain, + it is now possible to define the domain resolution order + (see http://www.freeipa.org/page/Releases/4.5.0#AD_User_Short_Names). + * Design page - Shortnames in trusted domains https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html + * SSSD ships with a new service called KCM. This service acts as a + storage for Kerberos tickets when "libkrb5" is configured to use + "KCM:" in "krb5.conf". + * Design page - KCM server for SSSD https://docs.pagure.org/SSSD.sssd/design_pages/kcm.html + * NOTE: There are several known issues in the "KCM" responder that + will be handled in the next release. + * Support for user and group resolution through the D-Bus interface and + authentication and/or authorization through the PAM interface even + for setups without UIDs or Windows SIDs present on the LDAP directory + side. This enhancement allows SSSD to be used together with apache + modules https://github.com/adelton/mod_lookup_identity to provide + identities for applications + * Design page - Support for non-POSIX users and groups https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html + * SSSD ships a new public library called "libsss_certmap" that allows + a flexible and configurable way of mapping a certificate to a user + identity. + * Design page - Matching and Mapping Certificates https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certific... + * The Kerberos locator plugin can be disabled using an environment variable + "SSSD_KRB5_LOCATOR_DISABLE". Please refer to the + "sssd_krb5_locator_plugin" manual page for mode details. 
+ * The "sssctl" command line tool supports a new command "user-checks" + that enables the administrator to check whether a certain user should be + allowed or denied access to a certain PAM service. + * The "secrets" responder now forwards requests to a proxy Custodia + back end over a secure channel. + +------------------------------------------------------------------- Old: ---- sssd-1.15.2.tar.gz sssd-1.15.2.tar.gz.asc New: ---- sssd-1.16.0.tar.gz sssd-1.16.0.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sssd.spec ++++++ --- /var/tmp/diff_new_pack.VOwF7k/_old 2017-10-27 13:47:16.063711480 +0200 +++ /var/tmp/diff_new_pack.VOwF7k/_new 2017-10-27 13:47:16.063711480 +0200 @@ -17,7 +17,7 @@ Name: sssd -Version: 1.15.2 +Version: 1.16.0 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ @@ -30,7 +30,7 @@ Source3: baselibs.conf Source4: sssd.service Source5: %name.keyring -BuildRoot: %{_tmppath}/%{name}-%{version}-build +BuildRoot: %_tmppath/%name-%version-build %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss @@ -214,6 +214,23 @@ The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs and SIDs. +%package -n libsss_certmap0 +Summary: FreeIPA ID mapping library +License: LGPL-3.0+ +Group: System/Libraries + +%description -n libsss_certmap0 +A utility library for FreeIPA to map certs. + +%package -n libsss_certmap-devel +Summary: Development files for the FreeIPA certmap library +License: LGPL-3.0+ +Group: Development/Libraries/C and C++ +Requires: libsss_certmap0 = %version + +%description -n libsss_certmap-devel +A utility library for FreeIPA to map certs. + %package -n libipa_hbac0 Summary: FreeIPA HBAC Evaluator library License: LGPL-3.0+ @@ -409,6 +426,7 @@ --with-os=suse \ --with-semanage=no \ --disable-ldb-version-check \ + --without-kcm \ --without-secrets make %{?_smp_mflags} all 
@@ -487,14 +505,25 @@ %_mandir/??/man1/sss_ssh_* %_mandir/??/man5/sssd-simple.5* %_mandir/??/man5/sssd-sudo.5* -%_mandir/??/man5/sssd.conf.5* +#%_mandir/??/man5/sssd.conf.5* %_mandir/??/man8/sssd.8* +%_mandir/??/man5/sss-certmap.5.gz +%_mandir/??/man5/sssd-ad.5.gz +%_mandir/??/man5/sssd-files.5.gz +%_mandir/??/man5/sssd-secrets.5.gz +%_mandir/??/man5/sssd.conf.5.gz +%_mandir/??/man8/idmap_sss.8.gz +%_mandir/??/man8/sssctl.8.gz +%_mandir/??/man8/sssd-kcm.8.gz +%_mandir/??/man5/sssd-simple.5* %_mandir/man1/sss_ssh_* %_mandir/man8/sssctl.8* %_mandir/man5/sssd-files.5* %_mandir/man5/sssd-simple.5* %_mandir/man5/sssd-sudo.5* %_mandir/man5/sssd.conf.5* +%_mandir/man5/sss-certmap.5.gz +%_mandir/man5/sssd-session-recording.5.gz %_mandir/man8/sssd.8* %dir %_libdir/%name/ %_libdir/%name/conf/ @@ -643,7 +672,6 @@ %_sbindir/sss_useradd %_sbindir/sss_userdel %_sbindir/sss_usermod -%_sbindir/sss_override %dir %_mandir/??/man8/ %_mandir/??/man8/sss_*.8* %_mandir/man8/sss_*.8* @@ -678,6 +706,17 @@ %_libdir/libipa_hbac.so %_libdir/pkgconfig/ipa_hbac.pc +%files -n libsss_certmap0 +%defattr(-,root,root) +%_libdir/libsss_certmap.so +%_libdir/libsss_certmap.so.0* + +%files -n libsss_certmap-devel +%defattr(-,root,root) +%_includedir/sss_certmap.h +%_libdir/libsss_certmap.so +%_libdir/pkgconfig/sss_certmap.pc + %files -n libnfsidmap-sss %defattr(-,root,root) %_libdir/libnfsidmap/ ++++++ sssd-1.15.2.tar.gz -> sssd-1.16.0.tar.gz ++++++ ++++ 456525 lines of diff (skipped)
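
Review bot: In the sssd.changes hunk, the two new entries reproduce the upstream release notes but do not record the packaging changes made in sssd.spec in the same commit, namely the new libsss_certmap0 and libsss_certmap-devel subpackages. Add a line for them. The CVE-2017-12173 item also carries no bug tracker reference next to the CVE id; if a tracking bug exists for it, cite it in that entry so the fix can be traced from the changelog.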
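
Review bot: In the sssd.spec hunk at @@ -214,6 +214,23 @@, the Summary of libsss_certmap0, "FreeIPA ID mapping library", does not match its own %description ("A utility library for FreeIPA to map certs.") or the changelog, which describes libsss_certmap as mapping a certificate to a user identity. It reads as if copied from another subpackage. Reword the Summary to name certificate mapping, and give libsss_certmap-devel a %description that says it contains the header and pkg-config file instead of repeating the runtime library's text.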
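
Review bot: In the configure hunk at @@ -409,6 +426,7 @@, "--without-kcm" is added with no comment in the spec saying why. The changelog only says "(KCM disabled)" and quotes upstream's note about known issues in the KCM responder. Put a short comment above the option stating the reason and the condition for re-enabling it, so the switch is not carried forward indefinitely.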
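
Review bot: In the %files hunk at @@ -487,14 +505,25 @@, the line "#%_mandir/??/man5/sssd.conf.5*" is commented out rather than deleted, and rpm still expands macros inside comments; remove the line, since "%_mandir/??/man5/sssd.conf.5.gz" is re-added a few lines below anyway. The added "%_mandir/??/man5/sssd-simple.5*" duplicates the unchanged entry three lines above the removed one. The new entries hard-code ".gz" where the surrounding entries use a "*" glob, which ties the file list to one man page compression format; use the glob form for consistency. The hunk also packages "sssd-kcm.8.gz" while the build is configured with "--without-kcm", so the package would ship a manual page for a service it does not contain; check whether that page should be excluded.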
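
Review bot: In the %files hunk at @@ -643,7 +672,6 @@, "%_sbindir/sss_override" is dropped from the file list and nothing in the sssd.changes entries explains it. State in the changelog whether the tool moved to another subpackage or is no longer built, because users and scripts that call sss_override need to know where it went after the update.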
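
Review bot: In the %files hunk at @@ -678,6 +706,17 @@, "%_libdir/libsss_certmap.so" is listed in both libsss_certmap0 and libsss_certmap-devel. The unversioned development symlink belongs only in the -devel package; the runtime package is already covered by "%_libdir/libsss_certmap.so.0*". Drop the first entry from libsss_certmap0. The diff also shows no ldconfig %post/%postun scriptlets added for the new shared library package; confirm they exist alongside those of the other library subpackages.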