Include security fix for CVE-2008-2380 and requested by PR#41023
(approved by wiz@).
0.62.2
This release corrects a makefile compatibility problem with bash 4.
0.62.1
This release correct a couple of minor compiler warnings and errors.
* cryptpassword.c: Fix compiler warnings
* checkpasswordsha1.c: Fix compiler warnings.
* authldaplib.c (auth_ldap_enumerate): Fix typo.
0.62.0
This release adds support for additional hash functions, and an
update to the Postgres driver that removes potentional SQL injection
vulnerabilities in some circumstances.
* authpgsqllib.c: Use PQescapeStringConn() instead of removing all
apostrophes from query parameters. This fixes a potential SQL injection
vulnerability if the Postgres database uses a non-Latin locale.
* Added support for {SSHA}-encrypted passwords. Based on a patch
by Zou bin <zb@bisp.com>.
* Added support for {SHA512} hash function
finally. While here, fix PLIST and depkglint a bit. Also, fix the horrid
abuse of libtool.
Changes since 0.60.2:
* courier-authlib.spec: Dummy provides: for symlinks, to allow upgrade
with older packages that require <libname>.so.0.
* Makefile.am: Switch to versionless shared libraries.
Install all shared libraries just as <libname>.so. make install manually
removes *.so.0.0 files that were left over from previous versions,
and installs a temporary *.so.0 symlink to *.so, for temporary
binary ABI compatibility with 0.60. The symlinks will be removed in
0.62.
* Cleanup: always compile md5, sha* and hmac stuff, and remove all
conditionally-compiled cruft. Move SASL list to an internal header.
Add client-side support for AUTH EXTERNAL.
* authsasl.c (auth_sasl_ex): auth_sasl_ex() supercedes auth_sasl(),
invokes auth_sasl() for non-EXTERNAL SASL methods, implements EXTERNAL
by going through the motions, then setting up a dummy authentication
request.
* authdaemon.c (auth_generic): Check for the dummy EXTERNAL
authentication request, and handle it by invoking auth_getuserinfo(),
rather than sending it down the pipe. This avoid having to implement
a stub in every authentication module.
* authmysqllib.c: Use mysql_set_character_set() instead of SET NAMES
* authmysqllib.c: Fix domain-less queries.
* Makefile: Drop the unmaintained authvchkpw module.
* authmysqllib.c: Cleanup. Use mysql_real_escape_string instead of
crude filtering.
* Makefile.am: Use _LIBADD properly.
* configure.in: More portability fixes.
+ Create any required directories with the right ownership and permissions
as a "prestart" action in the authdaemond rc.d script.
Bump the PKGREVISION to 1.
include:
* MYSQL_CHARACTER_SET option.
* Allow underscores, colons and plusses, in account names.
* Add {MD5RAW} hash method.
* Fix runtime problems with hardcoded file descriptors in the daemon
code by using OPEN_MAX instead.
include:
* authpipe.c (auth_pipe_pre): Fix leak when authpipe module is
enabled, but the actual authpipe script/external prog is not
installed.
* authmysqlrc: Implement SSL-encrypted MySQL connections
* authldaplib.c (l_simple_bind_s): Fix anon binds.
* authldaplib.c (auth_ldap_enumerate): Fix LDAP account enumeration
* userdb/makeuserdb.in: Added the -f option to makeuserdb
* authldaplib.c: Try to recover when the LDAP server closes the
persistent socket, for inactivity.
INSTALL/DEINSTALL script creation within pkgsrc.
If an INSTALL or DEINSTALL script is found in the package directory,
it is automatically used as a template for the pkginstall-generated
scripts. If instead, they should be used simply as the full scripts,
then the package Makefile should set INSTALL_SRC or DEINSTALL_SRC
explicitly, e.g.:
INSTALL_SRC= ${PKGDIR}/INSTALL
DEINSTALL_SRC= # emtpy
As part of the restructuring of the pkginstall framework internals,
we now *always* generate temporary INSTALL or DEINSTALL scripts. By
comparing these temporary scripts with minimal INSTALL/DEINSTALL
scripts formed from only the base templates, we determine whether or
not the INSTALL/DEINSTALL scripts are actually needed by the package
(see the generate-install-scripts target in bsd.pkginstall.mk).
In addition, more variables in the framework have been made private.
The *_EXTRA_TMPL variables have been renamed to *_TEMPLATE, which are
more sensible names given the very few exported variables in this
framework. The only public variables relating to the templates are:
INSTALL_SRC INSTALL_TEMPLATE
DEINSTALL_SRC DEINSTALL_TEMPLATE
HEADER_TEMPLATE
The packages in pkgsrc have been modified to reflect the changes in
the pkginstall framework.
include:
* authlib: create the authtest and authpasswd manual pages.
* authdaemon.c (auth_generic): Silly bug in auth_generic().
* authldaplib.c (auth_ldap_do3): Fix call of authcryptpasswd().
* authpgsqllib.c (auth_pgsql_setpass): Ditto.
* authmysqllib.c (auth_mysql_setpass): Ditto.
* authmysqllib.c (auth_mysql_setpass): Fix a memory leak.
* authpipe: more fixes to the authpipe module.
* authpipe: various fixes to the authpipe module.
* authpipe.c (auth_pipe_pre): Fix zombies created by the authpipe
module.
* New authpipe authentication module.
* authldap.schema: Add mailhost to the recommended LDAP schema.
* README_authlib.sgml: Document updated authpipe protocol.
* cryptpassword.c (authcryptpasswd): Fix handling of encryption hints.
* checkpassword.c (do_authcheckpassword): Ignore {CRYPT} prefix on
crypted passwords.
* checkpasswordsha1.c (authcheckpasswordsha1): Fix {SHA256} passwords.
* authdaemond.c: Strip full name/gecos field after the first comma.
* authdaemond: Pass LOGGEROPTS option to authdaemond.
* liblog/logger.c: Fix wrong args to setuidgid().
* liblog/logger.c: Added -droproot option to courierlogger.
* liblock/lockdaemon.c: Try to recover if upgraded daemon process runs
under a different uid.
* Changed -uid and -gid options to -user and -group for consistency
with couriertcpd. Change them to affect courierlogger itself,
after it has spawned any child.
* Optional default domain for authentication requests.
* Fix the error code when an empty password is provided.
around at either build-time or at run-time is:
USE_TOOLS+= perl # build-time
USE_TOOLS+= perl:run # run-time
Also remove some places where perl5/buildlink3.mk was being included
by a package Makefile, but all that the package wanted was the Perl
executable.
of the example config files through to sub-make processes. Since
courier-authlib uses GNU automake, we need to set AM_MAKEFLAGS to the
correct value. This fixes the installation of the *.dist files into
${PREFIX}/share/examples/courier-authlib.
version 0.54 include:
* authsystem.passwd.in: Explicitly set LC_ALL to en_US
* SASL: Added CRAM-SHA256 authentication method (experimental).
* courierauthdebug.h: Macro dprintf conflicts with new glibc.
support is built into courier-authlib -- -lintl is only needed by the
authpgsql authentication module. This avoids problems when linking
clients with -lcourierauth and the linker thinks -lintl is needed when
it really doesn't. Bump the PKGREVISION to 3.
The Courier authentication library provides authentication services for
other Courier applications. In this context, the term "authentication"
refers to the following functions:
1. Take a userid or a loginid, and a password. Determine whether the
loginid and the password are valid.
2. Given a userid, obtain the following information about the userid:
A. The account's home directory.
B. The numeric system userid and groupid that owns all files
associated with this account.
C. The location of the account's maildir.
D. Any maildir quota defined for this account. See the Courier
documentation for more information on maildir quotas.
E. Other miscellaneous account-specific options.
3. Change the password associated with a loginid.
4. Obtain a complete list of all loginids.
