Release 0.87.0:
core:
* Fix leak in broken files
* Internal code improvements
qt5:
* Add option to get form choice for export value
* ArthurOutputDev: Avoid division by zero in updateLineDash. Issue #695
glib:
* Internal code improvements
utils:
* pdftohtml: Fix memory leak in HtmlOutputDev::getLinkDest
3.0.7:
Include OpenSSL libs and binary for Windows 1.1.0j
Remove RANDFILE environment variable
Workaround for bug in win32 mktemp
Handle IP address in SAN and renewals
Workaround for ash and no set -o echo
Shore up windows testing framework
Provide upgrade mechanism for older versions of EasyRSA
Add support for KDC certificates
Add support for Edward Curves
Add support for EASYRSA_PASSIN and EASYRSA_PASSOUT env vars
Add support for RID to SAN
3.6.5:
Back port some of the changes in decompile3 here which mostly helps 3.7 and 3.8 decompilation, although this may also help 3.6ish versions too.
Handle nested async for in for... and better async comprehension detection via xdis. Still more work is needed.
include token number in listings when -g and there is a parser error
remove unneeded Makefiles now that remake 4.3+1.5dbg is a thing that has -c
Bug in finding annotations in functions with docstrings
Fix bug found by 2.4 sre_parse.py testing
Fix transform module's ifelseif bugs
Fix bug in 3.0 name module detection
Fix docstring detection
2.9:
* **BACKWARDS INCOMPATIBLE:** Support for Python 3.4 has been removed due to
low usage and maintenance burden.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.0.1 has been removed.
Users on older version of OpenSSL will need to upgrade.
* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.6.x has been removed.
* Removed support for calling
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes`
with no arguments, as per our deprecation policy. You must now pass
``encoding`` and ``format``.
* **BACKWARDS INCOMPATIBLE:** Reversed the order in which
:meth:`~cryptography.x509.Name.rfc4514_string` returns the RDNs
as required by :rfc:`4514`.
* Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1f.
* Added support for parsing
:attr:`~cryptography.x509.ocsp.OCSPResponse.single_extensions` in an OCSP
response.
* :class:`~cryptography.x509.NameAttribute` values can now be empty strings.
These are existing binaries, no way to fix them and not all of them are.
ERROR: emul/netbsd/usr/X11R7/lib/libXfontcache.so.2.0: missing RELRO
ERROR: emul/netbsd/usr/X11R7/lib/libfreetype.so.18.0.13: missing RELRO
ERROR: emul/netbsd/usr/lib/libbfd.so.15.0: missing RELRO
ERROR: emul/netbsd/usr/lib/libdes.so.12.0: missing RELRO
ERROR: emul/netbsd/usr/lib/libssl.so.12.0: missing RELRO
Qt 5.14.2:
As usual this second patch release to Qt 5.14 series doesn't bring any new features but provide several bug fixes and other improvements. Compared to Qt 5.14.1 there are more than 200 bug fixes included in this release. For details of the most important changes please check the Changes files for Qt 5.14.2.
Version 0.99.11
~~~~~~~~~~~~~~~
Released: 2019-09-03
New Features:
- Add code of conduct document
- build: Migrate from intltool to gettext
- rules: Split off HID++ udev rules
- Harden systemd service
- Let systemd create /var/lib/upower
- Move D-Bus policy file to /usr/share/dbus-1/system.d/
Bug fixes:
- Fix endless loop burning 100% CPU on keyboard plugout with external
backlight
- linux: Start polling for unknown device batteries too
- linux: Retry to get a battery type if it's unknown
- linux: Don't treat device batteries like laptop batteries
- Replace use of G_TYPE_INSTANCE_GET_PRIVATE and g_type_class_add_private()
Version 0.99.10
~~~~~~~~~~~~~~~
Released: 2019-02-20
Bugfixes:
- Set 'pending-charge' for DisplayDevice if at least one
battery is in the 'pending-charge' state
- Map pending-charge to fully-charged when charge is 100%
Version 0.99.9
~~~~~~~~~~~~~~
Released: 2018-10-25
Bugfixes:
- Fix lack of update after AC status changes, and broken keyboard
backlight, following the daemon lockdown added in 0.99.8
- Multiple API documentation fixes
- Out-of-tree build fixes
Version 0.99.8
~~~~~~~~~~~~~~
Released: 2018-06-18
New Features:
- Lock down systemd service file
- Add support for "Unknown" capacity level, and clarify handling
of devices with coarse battery levels
- Add a new version of up_client_get_devices() which unrefs contents
Bugfixes:
- Fix warnings when D-Bus related properties change
- Prevent crash after attaching an Apple TV, and support newer
versions of iOS
- Lower severity of "unhandled action" messages
- Fix battery status on MacBooks after a plug or unplug event
- Fix double-close on exit
Version 0.99.7
~~~~~~~~~~~~~~
Released: 2017-11-28
New Features:
- Add support for Bluetooth LE device batteries (Bastien Nocera)
- Allow to be replaced via --replace,-r (Christian Kellner)
Bugfixes:
- Fix critical action after resume from hibernate (Miroslav Sustek)
- Fix compilation with libimobiledevice git (Bastien Nocera)
Version 0.99.6
~~~~~~~~~~~~~~
Released: 2017-09-11
New Features:
- Add UP_DEVICE_KIND_GAMING_INPUT for gaming devices (Bastien Nocera)
- Detect joysticks as gaming input devices (Bastien Nocera)
Bugfixes:
- Correctly close inhibitor FD (Benjamin Berg)
- Fix crash when '@' is present in the device name (oleid, Bastien Nocera)
- Fix lid detection on FreeBSD (Alberto Villa)
- Grab the model name from device if unavailable from battery (Bastien Nocera)
Version 0.99.5
~~~~~~~~~~~~~~
Released: 2017-07-24
New Features:
- Add a more complete self test for HID++ devices (Bastien Nocera)
- Add BatteryLevel property for devices with a finite number of power levels (Bastien Nocera)
- Add support for pausing and resuming of the daemon poll (Christian Kellner, Bastien Nocera)
- Get a serial number for device batteries (Bastien Nocera)
- Refresh devices after waking up from sleep (Christian Kellner)
Bugfixes:
- Add proper error and cancellable handling to UpClient constructor (Martin Pitt)
- Do not spin in a loop when /proc/timer_stats cannot be written (Richard Hughes)
- Exit early from up-tool when connecting to upower fails (Martin Pitt)
- Expand the integration-tests to run in more environments (Bastien Nocera, Christian Kellner)
- Fix reading and writing the keyboard brightness level (Hans de Goede, Marco Trevisan)
- Fix -Wformat-y2k compilation errors (Bastien Nocera)
- Lower initial power usage when iDevice isn't accessible (Bastien Nocera)
- Simplify string checks in upower-glib (Bastien Nocera)
samba 4.12.0:
NEW FEATURES/CHANGES
====================
Python 3.5 Required
-------------------
Samba's minimum runtime requirement for python was raised to Python
3.4 with samba 4.11. Samba 4.12 raises this minimum version to Python
3.5 both to access new features and because this is the oldest version
we test with in our CI infrastructure.
(Build time support for the file server with Python 2.6 has not
changed)
Removing in-tree cryptography: GnuTLS 3.4.7 required
----------------------------------------------------
Samba is making efforts to remove in-tree cryptographic functionality,
and to instead rely on externally maintained libraries. To this end,
Samba has chosen GnuTLS as our standard cryptographic provider.
Samba now requires GnuTLS 3.4.7 to be installed (including development
headers at build time) for all configurations, not just the Samba AD
DC.
Thanks to this work Samba no longer ships an in-tree DES
implementation and on GnuTLS 3.6.5 or later Samba will include no
in-tree cryptography other than the MD4 hash and that
implemented in our copy of Heimdal.
Using GnuTLS for SMB3 encryption you will notice huge performance and copy
speed improvements. Tests with the CIFS Kernel client from Linux Kernel 5.3
show a 3x speed improvement for writing and a 2.5x speed improvement for reads!
NOTE WELL: The use of GnuTLS means that Samba will honour the
system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
standard) and so will not operate in many still common situations if
this system-wide parameter is in effect, as many of our protocols rely
on outdated cryptography.
A future Samba version will mitigate this to some extent where good
cryptography effectively wraps bad cryptography, but for now that above
applies.
zlib library is now required to build Samba
-------------------------------------------
Samba no longer includes a local copy of zlib in our source tarball.
By removing this we do not need to ship (even where we did not
build) the old, broken zip encryption code found there.
New Spotlight backend for Elasticsearch
---------------------------------------
Support for the macOS specific Spotlight search protocol has been enhanced
significantly. Starting with 4.12 Samba supports using Elasticsearch as search
backend. Various new parameters have been added to configure this:
spotlight backend = noindex | elasticsearch | tracker
elasticsearch:address = ADDRESS
elasticsearch:port = PORT
elasticsearch:use tls = BOOLEAN
elasticsearch:index = INDEXNAME
elasticsearch:mappings = PATH
elasticsearch:max results = NUMBER
Samba also ships a Spotlight client command "mdfind" which can be used to search
any SMB server that runs the Spotlight RPC service. See the manpage of mdfind
for details.
Note that when upgrading existing installations that are using the previous
default Spotlight backend Gnome Tracker must explicitly set "spotlight backend =
tracker" as the new default is "noindex".
'net ads kerberos pac save' and 'net eventlog export'
-----------------------------------------------------
The 'net ads kerberos pac save' and 'net eventlog export' tools will
no longer silently overwrite an existing file during data export. If
the filename given exits, an error will be shown.
Fuzzing
-------
A large number of fuzz targets have been added to Samba, and Samba has
been registered in Google's oss-fuzz cloud fuzzing service. In
particular, we now have good fuzzing coverage of our generated NDR
parsing code.
A large number of issues have been found and fixed thanks to this
effort.
'samba-tool' improvements add contacts as member to groups
----------------------------------------------------------
Previously 'samba-tool group addmemers' can just add users, groups and
computers as members to groups. But also contacts can be members of
groups. Samba 4.12 adds the functionality to add contacts to
groups. Since contacts have no sAMAccountName, it's possible that
there are more than one contact with the same name in different
organizational units. Therefore it's necessary to have an option to
handle group members by their DN.
To get the DN of an object there is now the "--full-dn" option available
for all necessary commands.
The MS Windows UI allows to search for specific types of group members
when searching for new members for a group. This feature is included
here with the new samba-tool group addmembers "--object-type=OBJECTYPE"
option. The different types are selected accordingly to the Windows
UI. The default samba-toole behaviour shouldn't be changed.
Allow filtering by OU or subtree in samba-tool
----------------------------------------------
A new "--base-dn" and "--member-base-dn" option is added to relevant
samba-tool user, group and ou management commands to allow operation
on just one part of the AD tree, such as a single OU.
VFS
===
SMB_VFS_NTIMES
--------------
Samba now uses a sentinel value based on utimensat(2) UTIME_OMIT to denote
to-be-ignored timestamp variables passed to the SMB_VFS_NTIMES() VFS function.
VFS modules can check whether any of the time values inside a struct
smb_file_time is to be ignored by calling is_omit_timespec() on the value.
'io_uring' vfs module
---------------------
The module makes use of the new io_uring infrastructure
(intruduced in Linux 5.1), see https://lwn.net/Articles/776703/
Currently this implements SMB_VFS_{PREAD,PWRITE,FSYNC}_SEND/RECV
and avoids the overhead of the userspace threadpool in the default
vfs backend. See also vfs_io_uring(8).
In order to build the module you need the liburing userspace library
and its developement headers installed, see
https://git.kernel.dk/cgit/liburing/
At runtime you'll need a Linux kernel with version 5.1 or higher.
Note that 5.4.14 and 5.4.15 have a regression that breaks the Samba
module! The regression was fixed in Linux 5.4.16 again.
MS-DFS changes in the VFS
-------------------------
This release changes set getting and setting of MS-DFS redirects
on the filesystem to go through two new VFS functions:
SMB_VFS_CREATE_DFS_PATHAT()
SMB_VFS_READ_DFS_PATHAT()
instead of smbd explicitly storing MS-DFS redirects inside
symbolic links on the filesystem. The underlying default
implementations of this has not changed, the redirects are
still stored inside symbolic links on the filesystem, but
moving the creation and reading of these links into the VFS
as first-class functions now allows alternate methods of
storing them (maybe in extended attributes) for OEMs who
don't want to mis-use filesystem symbolic links in this
way.
CTDB changes
============
* The ctdb_mutex_fcntl_helper periodically re-checks the lock file
The re-check period is specified using a 2nd argument to this
helper. The default re-check period is 5s.
If the file no longer exists or the inode number changes then the
helper exits. This triggers an election.
REMOVED FEATURES
================
The smb.conf parameter "write cache size" has been removed.
Since the in-memory write caching code was written, our write path has
changed significantly. In particular we have gained very flexible
support for async I/O, with the new linux io_uring interface in
development. The old write cache concept which cached data in main
memory followed by a blocking pwrite no longer gives any improvement
on modern systems, and may make performance worse on memory-contrained
systems, so this functionality should not be enabled in core smbd
code.
In addition, it complicated the write code, which is a performance
critical code path.
If required for specialist purposes, it can be recreated as a VFS
module.
Retiring DES encryption types in Kerberos.
------------------------------------------
With this release, support for DES encryption types has been removed from
Samba, and setting DES_ONLY flag for an account will cause Kerberos
authentication to fail for that account (see RFC-6649).
Samba-DC: DES keys no longer saved in DB.
-----------------------------------------
When a new password is set for an account, Samba DC will store random keys
in DB instead of DES keys derived from the password. If the account is being
migrated to Windbows or to an older version of Samba in order to use DES keys,
the password must be reset to make it work.
Heimdal-DC: removal of weak-crypto.
-----------------------------------
Following removal of DES encryption types from Samba, the embedded Heimdal
build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO).
vfs_netatalk: The netatalk VFS module has been removed.
-------------------------------------------------------
The netatalk VFS module has been removed. It was unmaintained and is not needed
any more.
BIND9_FLATFILE deprecated
-------------------------
The BIND9_FLATFILE DNS backend is deprecated in this release and will
be removed in the future. This was only practically useful on a single
domain controller or under expert care and supervision.
This release removes the 'rndc command' smb.conf parameter, which
supported this configuration by writing out a list of DCs permitted to
make changes to the DNS Zone and nudging the 'named' server if a new
DC was added to the domain. Administrators using BIND9_FLATFILE will
need to maintain this manually from now on.
Fix common misspellings in text files. It's designed primarily for
checking misspelled words in source code, but it can be used with
other files as well.
