Ken Murchison
2017-09-11 13:58:55 UTC
All,
I have built a fourth release candidate of SASL 2.1.27 which can be
downloaded from here:
https://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc4.tar.gz
https://www.cyrusimap.org/releases/cyrus-sasl-2.1.27-rc4.tar.gz.sig
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc4.tar.gz
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.27-rc4.tar.gz.sig
Note that the distro has been signed by my colleague Partha Susarla at
FastMail.
The (mostly) complete list of changes from 2.1.26 is this:
* Added support for OpenSSL 1.1
* Added support for lmdb (from Howard Chu)
* Lots of build fixes (from Ignacio Casal Quinteiro and others)
* Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting
  client mech
* DIGEST-MD5 plugin:
  o Fixed memory leaks
  o Fixed a segfault when looking for non-existent reauth cache
  o Prevent client from going from step 3 back to step 2
  o Allow cmusaslsecretDIGEST-MD5 property to be disabled
* GSSAPI plugin:
  o Added support for retrieving negotiated SSF
  o Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
  o Properly compute maxbufsize AFTER security layers have been set
* SCRAM plugin:
  o Added support for SCRAM-SHA-256
* LOGIN plugin:
  o Don't prompt client for password until requested by server
* NTLM plugin:
  o Fixed crash due to uninitialized HMAC context
* saslauthd:
  o cache.c:
    + Don't use cached credentials if timeout has expired
    + Fixed debug logging output
  o ipc_doors.c:
    + Fixed potential DoS attack (from Oracle)
  o ipc_unix.c:
    + Prevent premature closing of socket
  o auth_rimap.c:
    + Added support for LOGOUT command
    + Added support for unsolicited CAPABILITY responses in LOGIN
      reply
    + Properly detect end of responses (don't needlessly wait)
    + Properly handle backslash in passwords
  o auth_httpform:
    + Fix off-by-one error in string termination
    + Added support for 204 success response
  o auth_krb5.c:
    + Added krb5_conv_krb4_instance option
    + Added more verbose error logging
At this point any major changes (e.g. API, wire protocol) will be pushed
out to 2.1.28 or 2.2.0. I believe that this is close to being a final
release which I would like to get out by the end of September.
The biggest outstanding issues are those around recent GSSAPI changes.
I'm inclined to defer to Alexey's judgement on these unless someone can
convince us that the SASL code is wrong per the specs. The fact that it
broke a particular piece of code doesn't necessarily mean that the
application code is correct and the SASL change was wrong.
If there are any other last minute show stoppers, please open an issue
on GitHub (preferably with a patch), or better yet create a pull request.
--
Kenneth Murchison
Cyrus Development Team
FastMail Pty Ltd