This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 3.x development tree".
The branch, master has been updated via 3cf4b6275e3c396f3b0bce23b873fe99fc603cd1 (commit) via 0553af486522277811d2e6cb4b3125f53bef5f3f (commit) from d63e0994e5b6afaeb826f3a9191f9dba136bda5b (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 3cf4b6275e3c396f3b0bce23b873fe99fc603cd1 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Sep 20 22:44:19 2023 +0200
sssd: Update to version 2.9.2-1
- IPFire-3.x - Update from version 2.8.2-2 to 2.9.2-1 - version 2.8.2-2 was failing to build. - Initially version 2.9.2-1 failed with the same error messages. /usr/lib/sssd/sss_analyze [INVALID-INTERPRETER] There was also the following two messages in the log "/usr/lib/sssd/sss_analyze: Found command python ((null)) /usr/lib/sssd/sss_analyze: Could not find path for command python" Based on the above error I checked sss_analyze and found the following first line "#!/usr/bin/env python" but the python program in IPFire is called python3 Added the sed line to change python to python3 and the build then was successful. - Changelog 2.9.2 Highlights SSSD 2.9 branch is now in long-term maintenance (LTM) phase. General information libkrb5-1.21 can now be used to build PAC plugin. sssctl cert-show and cert-show cert-eval-rule can now be run as non-root user. Important fixes SSSD does no longer crash if PIN is introduced but the tactile trigger isn’t pressed during passkey authentication. SSSD can now recover if memory-cache files under /var/lib/sss/mc where truncated while SSSD is running. Chaining of identical D-Bus requests that run in parallel to avoid multiple backend queries works again. Configuration changes New option local_auth_policy is added to control which offline authentication methods will be enabled by SSSD. This option is relevant for authentication methods which have online, and offline capability such as passkey, and smartcard authentication. The default value match sets the offline methods to their corresponding online value. This enables offline authentication when online kerberos pre-authentication such as PKINIT, or passkey is supported by the backend, note that online methods will still be attempted first. Option value only can be used to disable online authentication entirely, or the value enable:method to explicitly enable specific authentication methods, e.g. enable:passkey. Tickets Fixed #5198 - monatomically should have been monotonically #6733 - New covscan errors in ‘passkey’ code #6802 - sss_certmap_test fail in v2.9.1 on Arch Linux #6803 - [sssd] SSSD enters failed state after heavy load in the system #6889 - Crash in pam_passkey_auth_done #6911 - SBUS chaining is broken for getAccountInfo and other internal D-Bus calls 2.9.1 New features Passkey: added option to write key mapping data to file. Important fixes A regression was fixed that prevented autofs lookups to function correctly when cache_first is set to True. Since this was set as a new default value in sssd-2.9.0, it is considered as a regression. A regression where SSSD failed to properly watch for changes in ‘/etc/resolv.conf’ when it was a symbolic link or was a relative path, was fixed. Tickets Fixed #6442 - PAC errors when no PAC configured #6652 - IPA: previously cached netgroup member is not remove correctly after it is removed from ipa #6659 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000] #6718 - file_watch-tests fail in v2.9.0 on Arch Linux #6720 - [sssd] User lookup on IPA client fails with ‘s2n get_fqlist request failed’ #6739 - autofs mounts: Access to non-existent file very slow since 2.9.0 #6744 - sssd-be tends to run out of system resources, hitting the maximum number of open files #6766 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy #6768 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure 2.9.0 General information sss_simpleifp library is deprecated and might be removed in further releases. Those who are interested to keep using it awhile should configure its build explicitly using --with-libsifp ./configure option. “Files provider” (i.e. id_provider = files) is deprecated and might be removed in further releases. Those who are interested to keep using it awhile should configure its build explicitly using --with-files-provider ./configure option. Or consider using “Proxy provider” with proxy_lib_name = files instead. Previously deprecated --enable-files-domain configure option, which was used to manage default value of the enable_files_domain config option, is now removed. Long time unused ‘–enable-all-experimental-features’ configure option was removed. SSSD will no longer warn about changed defaults when using ldap_schema = rfc2307 and default autofs mapping. This warning was introduced in 1.14 to loudly warn about different default values. New features New passkey functionality, which will allow the use of FIDO2 compliant devices to authenticate a centrally managed user locally. Moreover, in the case of a FreeIPA user, it can also issue a Kerberos ticket automatically with upcoming FreeIPA version 4.11. Add support for ldapi:// URLs to allow connections to local LDAP servers NSS IDMAP has two new methods: getsidbyusername and getsidbygroupname Note: support for passkey is in its initial phase and the authentication policy will be adjusted in future versions. Packaging changes for passkey Include passkey subpackage and dependency for libfido2. Configuration changes for passkey New options to enable and tune passkey behavior: pam_passkey_auth, ldap_user_passkey, passkey_verification, passkey_child_timeout, interactive, interactive_prompt, touch and touch_prompt. --with-passkey is a new configuration option to enable building passkey authentication. Important fixes A regression when running sss_cache when no SSSD domain is enabled would produce a syslog critical message was fixed. Configuration changes Default value of cache_first option was changed to true in case SSSD is built without files provider. ipa_access_order parameter introduced. It behaves much like ldap_access_order but affects IPA domains (id_provider = ipa) and accepts limited values. Please see sssd-ipa(5) for more information. Tickets Fixed #5390 - sssd failing to register dynamic DNS addresses against an AD server due to unnecessary DNS search #6383 - sssd is not waiting for network-online.target #6403 - Add new Active Directory related certificate mapping templates #6404 - [RFE] Add digest mapping feature from pam_pkcs11 in SSSD #6451 - UPN check cannot be disabled explicitly but requires krb5_validate = false’ as a work-around #6479 - Smart Card auth does not work with p11_uri (with-smartcard-required) #5080 - [RFE] - Show password expiration warning when IdM users login with SSH keys #5390 - sssd failing to register dynamic DNS addresses against an AD server due to unnecessary DNS search #6228 - Enable passkey authentication in a centralized environment #6324 - coredump occurs when I restart sssd-ifp.service with sssd.service is inactive #6357 - KCM erroneously changes primary cache when renewing credentials #6360 - [D-Bus] ListByName() returns several times the same entry #6361 - [D-Bus] ListByName() fails when not using wildcards #6383 - sssd is not waiting for network-online.target #6387 - Fatal errors in log during Anaconda installation: “CRIT sss_cache:No domains configured, fatal error!” #6398 - [D-Bus] Groups.ListByName() and Groups.ListByDomainAndName() not working #6403 - Add new Active Directory related certificate mapping templates #6404 - [RFE] Add digest mapping feature from pam_pkcs11 in SSSD #6451 - UPN check cannot be disabled explicitly but requires krb5_validate = false’ as a work-around #6465 - SBUS:A core dump occurs when dbus_server_get_address() #6477 - changing password with ldap_password_policy = shadow does not take effect immediately #6479 - Smart Card auth does not work with p11_uri (with-smartcard-required) #6487 - implicit declaration of function fgetpwent in test_negcache_2.c #6505 - SSS_CLIENT: general library destructor should cancel thread-at-exit destructors #6531 - FAST/OTP with Anonymous PKINIT - oddly requires a keytab to exist (can be a bogus keytab) #6544 - AD: Nested group processing can fail or return invalid members (security issue) #6548 - sssd-ipa #6551 - passkey_child cannot be used to register passkey due to too strict permissions #6558 - enabling passkey authentication breaks idp support #6565 - Improvement: sss_client: add ‘getsidbyusername()’ and ‘getsidbygroupname()’ and corresponding python bindings #6588 - Integration Tests:The sssd_hosts module is missing in release tarball #6592 - pid wrapping caused sss_cli_check_socket to close the file descriptor opened by the process #6600 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) #6610 - BUILD: Clear compilation alarms. #6612 - MIT Kerberos confusion over password expiry #6617 - filter_groups doesn’t filter GID from ‘id’ output: AD + ‘ldap_id_mapping = True’ corner case #6626 - Unable to lookup AD user from child domain (or “make filtering of the domains more configurable”) #6635 - sss allows extraneous @ characters prefixed to username
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0553af486522277811d2e6cb4b3125f53bef5f3f Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Sep 20 19:58:37 2023 +0200
shadow-utils: Update to version 4.14.0-1
- IPFire-3.x - Update from version 4.13-2 to 4.14.0-1 - The build now has --with-libbsd as default yes so --without-libbsd has been added so that it uses its own readpassphrase code as previously. - Changelog 4.14.0 This release includes some steps toward preparing for the Y2038 (e.g. removing lastlog conditionally), a great deal of removal of obsolete function checks (like rmdir), and overhaul of some string manipulation functions, of which there is more to come. And a great deal more. The abbreviated git log follows: Serge Hallyn: configure.ac: check for strlcpy Michael Vetter: Remove intree website Serge Hallyn: 4.14.0-rc4 pre-release Serge Hallyn: Releases: add etc/shadow-maint to distfiles Serge Hallyn: 4.14.0-rc3 Iker Pedrosa: libmisc: include freezero Iker Pedrosa: libmisc: add freezero source code Iker Pedrosa: libmisc: add readpassphrase source code Iker Pedrosa: configure: add with-libbsd option Iker Pedrosa: man: include shadow-man.xsl in tarball Iker Pedrosa: man: include its.rules in tarball Iker Pedrosa: autogen: enable lastlog build Christian Göttsche: Add wrapper for write(2) Serge Hallyn: tag 4.14.0-rc2 Michael Vetter: Add new files to libmisc_la_SOURCES Serge Hallyn: Add a make dist CI test Serge Hallyn: 4.14.0-rc1 Serge Hallyn: remove xmalloc.c from POTFILES.in Iker Pedrosa: logoutd: add missing <utmp.h> include Iker Pedrosa: CI: compile old utmp interface in Fedora Iker Pedrosa: src: add SELINUX library Iker Pedrosa: libmisc: conditionally compile utmp.c and logind.c Iker Pedrosa: lib: replace USER_NAME_MAX_LENGTH macro Iker Pedrosa: libmisc: call active_sessions_count() Iker Pedrosa: libmisc: implement active_sessions_count() Iker Pedrosa: utmp: update update_utmp() Iker Pedrosa: utmp: move update_utmp Iker Pedrosa: utmp: move failtmp() Iker Pedrosa: libmisc: implement get_session_host() Iker Pedrosa: configure: new option enable-logind xiongshenglan: shadow userdel: add the adaptation to the busybox ps in 01-kill_user_procs.sh Michael Vetter: chsh: warn if root sets a shell not listed in /etc/shells Michael Vetter: doc: mention ci workflow file to learn about deps Serge Hallyn: man/po/Makefile: add a comment to shadow-man-pages.pot Vegard Nossum: newgrp: fix potential string injection Todd Zullinger: lastlog: fix alignment of Latest header Iker Pedrosa: configure: fix lastlog check Alan D. Salewski: subuid.5: reference newusers(8) rather than newusers(1) Iker Pedrosa: CI: build lastlog in Fedora Iker Pedrosa: man: conditionally build lastlog documentation Iker Pedrosa: usermod: conditionally build lastlog functionality Iker Pedrosa: useradd: conditionally build lastlog functionality Iker Pedrosa: login: conditionally build lastlog functionality Iker Pedrosa: lastlog: stop building by default Iker Pedrosa: CI: update debian repos Bernd Kuhls: Fix yescrypt support Jeffrey Bencteux: chgpasswd: fix segfault in command-line options Alejandro Colomar: gpasswd(1): Fix password leak Alejandro Colomar: src/useradd.c: create_mail(): Cosmetic Alejandro Colomar: src/useradd.c: create_home(): Cosmetic Alejandro Colomar: src/useradd.c: create_home(): Cosmetic Alejandro Colomar: src/useradd.c: create_home(): Cosmetic Alejandro Colomar: src/useradd.c: close_group_files(): Cosmetic Alejandro Colomar: src/useradd.c: check_uid_range(): Cosmetic Jaroslav Jindrak: build: link passwd, chpasswd and chage against libdl Jaroslav Jindrak: configure: check whether fgetpwent_r is available before marking xprefix_getpwnam_r as reentrant Jaroslav Jindrak: passwd: fall back to non-PAM code when prefix is used Jaroslav Jindrak: chpasswd: fall back to non-PAM code when prefix is used Jaroslav Jindrak: chpasswd: add --prefix/-P options Jaroslav Jindrak: chage: add --prefix/-P options Jaroslav Jindrak: passwd: Respect --prefix/-P options Michael Vetter: prefix: add prefix support Iker Pedrosa: strtoday: remove unnecessary cast Alejandro Colomar: Use temporary variable Alejandro Colomar: realloc(NULL, ...) is equivalent to malloc(...) Alejandro Colomar: Simplify allocation APIs Christian Göttsche: Drop alloca(3) Christian Göttsche: usermod: fix off-by-one issues Alejandro Colomar: libmisc/csrand.c: Update comments Alejandro Colomar: lib/nss.c: Fix use of invalid p Alejandro Colomar: lib/nss.c: Fix use of uninitialized p Alejandro Colomar: Centralize error handling Alejandro Colomar: Second verse, it gets worse; it gets no better than this Alejandro Colomar: ROFL: Rolling on the floor looping Alejandro Colomar: This ain't no loop Iker Pedrosa: newusers: Improve error message Martin Kletzander: ch(g)passwd: Check selinux permissions upon startup Skyler Ferrante: Check if crypt_method null before dereferencing Alejandro Colomar: xgetXXbyYY: Simplify elifs Alejandro Colomar: xgetXXbyYY: Centralize error handling Alejandro Colomar: xgetXXbyYY: tfix Samanta Navarro: xgetXXbyYY: Avoid duplicated error handling block Samanta Navarro: xgetXXbyYY: Handle DUP_FUNCTION failure Serge Hallyn: sub_[ug]id_{add,remove}: fix return values Martin Kletzander: usermod: Small optimization using memmove for password unlock Alejandro Colomar: Reorder logic to improve comprehensibility Alejandro Colomar: newusers: Fail early Alejandro Colomar: newusers: Add missing error handling Samanta Navarro: libmisc: Use safer chroot/chdir sequence Samanta Navarro: su: Prevent stack overflow in check_perms Samanta Navarro: subsystem: Prevent endless loop Serge Hallyn: def_load: avoid NULL deref Serge Hallyn: def_load: split the econf from non-econf definition Tobias Stoeckmann: Plug econf memory leaks Samanta Navarro: chsh: Verify that login shell path is absolute Samanta Navarro: process_prefix_flag: Drop privileges bubu: Update French translations Samanta Navarro: get_pid.c: Use tighter validation checks Markus Hiereth: replace inadequate German translation of login error message Markus Hiereth: Update German translations Samanta Navarro: Remove some static char arrays Samanta Navarro: commonio: Use do_lock_file again Serge Hallyn: Fix broken docbook translations ed neville: open with O_CREAT when lock path does not exist Samanta Navarro: commonio_open: Remove fcntl call Samanta Navarro: commonio_lock_nowait: Remove deprecated code Samanta Navarro: login_prompt: Simplify login_prompt API Samanta Navarro: login_prompt: Use _exit in signal handler Samanta Navarro: login_prompt: Do not parse environment variables Samanta Navarro: libmisc/yesno.c: Fix regression Alejandro Colomar: libmisc, man: Drop old check and advice for complex character sets in passwords Christian Göttsche: semanage: disconnect to free libsemanage internals Christian Göttsche: commonio: free removed database entries ed neville: run_parts for groupadd and groupdel lilinjie: fix typos Alejandro Colomar: libmisc/yesno.c: Use getline(3) and rpmatch(3) Samanta Navarro: newgrp/useradd: always set SIGCHLD to default Serge Hallyn: Update AUTHORS to add Marek Michałkiewicz Samanta Navarro: Read whole line in yes_or_no Christian Göttsche: useradd/usermod: add --selinux-range argument Alejandro Colomar: CI: Make build logs more readable Iker Pedrosa: ci: remove explicit fedora dependencies Iker Pedrosa: README: add reference to contribution guidelines Iker Pedrosa: doc: add contributions introduction Iker Pedrosa: doc: add license Iker Pedrosa: doc: add releases Iker Pedrosa: doc: add Continuous Integration Iker Pedrosa: doc: add tests Iker Pedrosa: doc: add coding style Iker Pedrosa: doc: add build & install Serge Hallyn: trivial: vipw.8: fix grammar Christian Göttsche: sssd: skip flushing if executable does not exist Christian Göttsche: Overhaul valid_field() Martin Kletzander: semanage: Do not set default SELinux range Michael Vetter: Fix typo in groupadd usage Christian Göttsche: ci: update Differential ShellCheck tomspiderlabs: Added control character check Mike Gilbert: usermod: respect --prefix for --gid option Alejandro Colomar: Fix su(1) silent truncation Alejandro Colomar: Simplify is_my_tty() Alejandro Colomar: Fix is_my_tty() buffer overrun Alejandro Colomar: Add STRLEN(): a constexpr strlen(3) for string literals Alejandro Colomar: Fix crash with large timestamps Paul Eggert: Prefer strcpy(3) to strlcpy(3) when either works Paul Eggert: Fix change_field() buffer underrun Paul Eggert: Omit unneeded test in change_field() Paul Eggert: Simplify change_field() by using strcpy skyler-ferrante: Fix null dereference in basename Iker Pedrosa: CI: script for local container build Iker Pedrosa: CI: build project in containers Iker Pedrosa: container: add fedora Iker Pedrosa: container: add debian Iker Pedrosa: container: add alpine Iker Pedrosa: SECURITY.md: add Iker Pedrosa Christian Göttsche: selinux: use type safe function pointer assignment Christian Göttsche: Use strict prototype in definition Vinícius dos Santos Oliveira: Add .editorconfig Serge Hallyn: run_some: fix shellcheck warning Serge Hallyn: fail on any run_some test failure Serge Hallyn: ignore first test in run_some Serge Hallyn: swap first two tests - does the first one still fail? Serge Hallyn: tests: remove some github runner PATH tweaking Alejandro Colomar: tests: Support git-worktree(1) Serge Hallyn: tests: newuidmap and newgidmap: update expected fail message Serge Hallyn: libsubid: include alloc.h Serge Hallyn: run_some: log stderr Vinícius dos Santos Oliveira: Validate fds created by the user Serge Hallyn: get_pidfd_from_fd: return -1 on error, not 0 Serge Hallyn: g-h-a workflow: workaround Serge Hallyn: Fix regression in some translation strings Iker Pedrosa: lib: bit_ceil_wrapul(): stop recursion Iker Pedrosa: lib: define ULONG_WIDTH if non-existent maqi: Update translation Serge Hallyn: newuidmap and newgidmap: support passing pid as fd Alejandro Colomar: Fix use-after-free of pointer after realloc(3) Alejandro Colomar: Use safer allocation macros Alejandro Colomar: libmisc: Add safer allocation macros Alejandro Colomar: Use xreallocarray() instead of its pattern Alejandro Colomar: Use reallocarrayf() instead of its pattern
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: shadow-utils/shadow-utils.nm | 7 ++++--- sssd/sssd.nm | 7 +++++-- 2 files changed, 9 insertions(+), 5 deletions(-)
Difference in files: diff --git a/shadow-utils/shadow-utils.nm b/shadow-utils/shadow-utils.nm index fcc4fd5fd..a16b88a2c 100644 --- a/shadow-utils/shadow-utils.nm +++ b/shadow-utils/shadow-utils.nm @@ -4,8 +4,8 @@ ###############################################################################
name = shadow-utils -version = 4.13 -release = 2 +version = 4.14.0 +release = 1 thisapp = shadow-%{version}
groups = System/Base @@ -52,7 +52,8 @@ build --without-audit \ --without-selinux \ --without-su \ - --with-fcaps + --with-fcaps \ + --without-libbsd
install_cmds rm -vf \ diff --git a/sssd/sssd.nm b/sssd/sssd.nm index 90d804469..5f3a4ecd4 100644 --- a/sssd/sssd.nm +++ b/sssd/sssd.nm @@ -4,8 +4,8 @@ ###############################################################################
name = sssd -version = 2.8.2 -release = 2 +version = 2.9.2 +release = 1
groups = System/Tools url = https://github.com/SSSD/sssd @@ -95,6 +95,9 @@ build
# Drop /var/run rm -rvf %{BUILDROOT}%{localstatedir}/run + + # Change python to python3 in sss_analyze file + sed -i 's|#!/usr/bin/env python|#!/usr/bin/env python3|g' %{BUILDROOT}/usr/lib/sssd/sss_analyze end end
hooks/post-receive -- IPFire 3.x development tree